From: Jennifer Sutton Date: Tue, 12 Aug 2025 01:56:16 +0000 (+1200) Subject: s4:dsdb:acl: Fix LDB flags comparison X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=468563484963216e632ea0f8cbc71aede837215e;p=thirdparty%2Fsamba.git s4:dsdb:acl: Fix LDB flags comparison LDB_FLAG_MOD_* values are not actually flags, and the previous comparison was equivalent to (el->flags & LDB_FLAG_MOD_MASK) == 0 which is only true if none of the LDB_FLAG_MOD_* values are set, so we would not successfully return if the element was a DELETE. Correct the expression to what it was intended to be. Commit 99b805e4cbeec232c65adb1a6f3fb326b55c4496 fixed a similar issue. Signed-off-by: Jennifer Sutton Reviewed-by: Douglas Bagnall --- diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 93e580cdd02..cf33ee64d76 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -936,8 +936,8 @@ static int acl_check_dns_host_name(TALLOC_CTX *mem_ctx, * If not add or replace (eg delete), * return success */ - if ((el->flags - & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE)) == 0) + if (LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_ADD && + LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_REPLACE) { talloc_free(tmp_ctx); return LDB_SUCCESS;
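Review bot: The new condition in acl_check_dns_host_name expands LDB_FLAG_MOD_TYPE(el->flags) twice across two lines; reading it once into a local (or switching on it) would make the "not add or replace" intent easier to verify and harder to get wrong again, which matters given the commit message notes this is the second fix of this kind. The condition still returns LDB_SUCCESS when the modification type is neither ADD, REPLACE nor DELETE (for example no type bits set), so the existing comment "If not add or replace (eg delete)" should say whether that case is intended to skip the check as well. The diff touches only acl.c; since the message states that a DELETE element previously did not take this early return, a test that sends a delete of the attribute through this path would keep the behaviour from regressing.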