From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 24 Jan 2013 21:59:26 +0000 (+0100)
Subject: dsdb-descriptor: get_default_group() should always return the DAG sid (bug #9481)
X-Git-Tag: tevent-0.9.18~399
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=38655a89cf902d0ea6657415e2f546c7622e279d;p=thirdparty%2Fsamba.git

dsdb-descriptor: get_default_group() should always return the DAG sid (bug #9481)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index fb100f76283..d9bc89fe62e 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -153,11 +153,16 @@ static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
 					 struct ldb_context *ldb,
 					 struct dom_sid *dag)
 {
-	if (dsdb_functional_level(ldb) >= DS_DOMAIN_FUNCTION_2008) {
-		return dag;
-	}
-
-	return NULL;
+	/*
+	 * This depends on the function level of the DC
+	 * which is 2008R2 in our case. Which means it is
+	 * higher than 2003 and we should use the
+	 * "default administrator group" also as owning group.
+	 *
+	 * This matches dcpromo for a 2003 domain
+	 * on a Windows 2008R2 DC.
+	 */
+	return dag;
 }
 
 static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,