s4/dsdb/samldb: Disallow setting a domain-local group as a primary group
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 22 Dec 2022 02:54:14 +0000 (15:54 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 8 Feb 2023 00:03:40 +0000 (00:03 +0000)
Windows also disallows this. Note that changing a primary group to a
domain-local group is allowed by both Windows and Samba.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail.d/domain-local-primary-group [deleted file]
selftest/knownfail_heimdal_kdc
selftest/knownfail_mit_kdc
source4/dsdb/samdb/ldb_modules/samldb.c

diff --git a/selftest/knownfail.d/domain-local-primary-group b/selftest/knownfail.d/domain-local-primary-group
deleted file mode 100644 (file)
index 9a92b56..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.group.py.user\ setprimarygroup\ domain-local.none
index 9f1a81e883eb12a76b08046915091d49a288eb66..99f687e32126abe1b466176fc7925a1d386ee5b6 100644 (file)
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_to_krbtgt.ad_dc
-#
-# Group tests
-#
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_set_domain_local_primary_group.ad_dc
index c372e32149ee397462b18dc31b097f5757ba5296..4832e83150808c751577b885a21e6252d78d1e74 100644 (file)
@@ -612,7 +612,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_universal_as_req_to_service.ad_dc
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_user_group_removal_tgs_req_to_krbtgt.ad_dc
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_user_group_removal_tgs_req_to_service.ad_dc
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_set_domain_local_primary_group.ad_dc
 #
 # Encryption type tests
 #
index 3ecbd00e68e26fab1a6b82157b71a20578cf35bb..1b4921a6f2e9ef5d2d4c88bb3183f22bce8192ba 100644 (file)
@@ -2113,6 +2113,8 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
        const char *user_dn_ext_str = NULL;
        int ret;
        const char * const noattrs[] = { NULL };
+       const char * const group_type_attrs[] = { "groupType", NULL };
+       unsigned group_type;
 
        ret = dsdb_get_expected_new_values(ac,
                                           ac->msg,
@@ -2223,7 +2225,7 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
        ret = dsdb_module_search(ac->module, ac, &group_res,
                                 ldb_get_default_basedn(ldb),
                                 LDB_SCOPE_SUBTREE,
-                                noattrs, search_flags,
+                                group_type_attrs, search_flags,
                                 ac->req,
                                 "(objectSid=%s)",
                                 ldap_encode_ndr_dom_sid(ac, new_sid));
@@ -2236,6 +2238,16 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
                return LDB_ERR_UNWILLING_TO_PERFORM;
        }
        new_prim_group_dn = group_res->msgs[0]->dn;
+
+       /* The new primary group must not be domain-local. */
+       group_type = ldb_msg_find_attr_as_uint(group_res->msgs[0], "groupType", 0);
+       if (group_type & GROUP_TYPE_RESOURCE_GROUP) {
+               return dsdb_module_werror(ac->module,
+                                         LDB_ERR_UNWILLING_TO_PERFORM,
+                                         WERR_MEMBER_NOT_IN_GROUP,
+                                         "may not set resource group as primary group!");
+       }
+
        new_prim_group_dn_ext_str = ldb_dn_get_extended_linearized(ac,
                                                        new_prim_group_dn, 1);
        if (new_prim_group_dn_ext_str == NULL) {
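Review bot: The new guard fails open at `group_type = ldb_msg_find_attr_as_uint(group_res->msgs[0], "groupType", 0);`: a group entry whose groupType is absent or does not parse receives the default 0 and is therefore accepted as a primary group. In practice this is unlikely to matter because groupType is a must-have attribute on group objects, but the choice of default is a policy decision and should be stated next to the call, e.g. `/* groupType is mandatory on group objects; the 0 default only covers a malformed entry, which is then treated as not domain-local. */`. It would also help to note, on the `GROUP_TYPE_RESOURCE_GROUP` test, that the check is against the resource-group bit only (matching the error text) rather than the full domain-local groupType value, so a reader does not expect an exact comparison. If the search in the previous hunk was the only user of `noattrs`, that array at the top of the function is now dead and can go. samldb_prim_group_change begins and ends outside the hunk.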