authorStefan Metzmacher <metze@samba.org>2012-12-06 15:56:26 +0100
committerKarolin Seeger <kseeger@samba.org>2012-12-11 09:05:08 +0100
commitc6cb652d1d7d9b7178e192608a92f3b1be41dd5f (patch)
treefcbbe15db326cae798ac47116afcfcdc2634761a
parentac3dd3ca042d59dd925d1d8bec62dc86cd1fab1e (diff)
s4:dsdb/operational: fix stripping of the nTSecurityDescriptor attribute
If the sd_flags control is specified, we should return nTSecurityDescriptor only if the client asked for all attributes. If there's a list of only explicit attribute names, we should ignore the sd_flags control. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> (cherry picked from commit 6bc2caed8b3f153f92af013275f39c803f886a22)
-rw-r--r--source4/dsdb/samdb/ldb_modules/operational.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index 4ce8b8fddaf..c642ad8c928 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -721,10 +721,20 @@ static int operational_search_post_process(struct ldb_module *module,
continue;
}
case OPERATIONAL_SD_FLAGS:
- if (controls_flags->sd ||
- ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) {
+ if (ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) {
continue;
}
+ if (controls_flags->sd) {
+ if (attrs_from_user == NULL) {
+ continue;
+ }
+ if (attrs_from_user[0] == NULL) {
+ continue;
+ }
+ if (ldb_attr_in_list(attrs_from_user, "*")) {
+ continue;
+ }
+ }
ldb_msg_remove_attr(msg, operational_remove[i].attr);
break;
}
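Review bot: The three early `continue`s inside `if (controls_flags->sd)` all mean "the client asked for all attributes", but nothing in the code says so, and a reader has to know that a NULL list, an empty list and `*` are equivalent to see why nTSecurityDescriptor is kept there. I would put a comment above that block, `/* sd_flags only counts when all attributes were requested (NULL list, empty list or "*"); an explicit list that omits the attribute wins */`, and fold the checks into one condition, `if (attrs_from_user == NULL || attrs_from_user[0] == NULL || ldb_attr_in_list(attrs_from_user, "*")) continue;`. Because this branch decides whether a security descriptor is returned to the client, a regression test for the explicit-list-plus-sd_flags case would be worth adding; none is visible in this commit. The enclosing function, loop and switch start and end outside the hunk.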