s4:samldb LDB module - it isn't allowed to create user/computer accounts with a prima...
authorMatthias Dieter Wallnöfer <mdw@samba.org>
Wed, 15 Sep 2010 13:19:38 +0000 (15:19 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 23 Sep 2010 23:25:42 +0000 (09:25 +1000)
It can only be changed afterwards. We allow a "relax"ed exception for the
provision state since we need this for the guest account.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/samldb.c
source4/dsdb/tests/python/ldap.py

index d23031522db65ffe9fc19492484439430f21b3c6..e7e84b2e3b82151d9f869936fbb97f40eadc4c5b 100644 (file)
@@ -269,6 +269,10 @@ static int samldb_check_primaryGroupID(struct samldb_ctx *ac)
                if (ret != LDB_SUCCESS) {
                        return ret;
                }
+       } else if (!ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+               ldb_set_errstring(ldb,
+                                 "The primary group isn't settable on add operations!");
+               return LDB_ERR_UNWILLING_TO_PERFORM;
        }
 
        sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid);
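Review bot: The new `else if` branch lifts the primaryGroupID restriction on add whenever `LDB_CONTROL_RELAX_OID` is present on `ac->req`, and nothing in the hunk shows who is allowed to attach that control. If an ordinary LDAP client, rather than only provisioning, can get the control as far as this module, the restriction can be bypassed. It is worth confirming outside this hunk that the control is filtered or limited to trusted callers before samldb sees it. A comment above the branch would record the intent, e.g. `/* primaryGroupID may only be changed after creation; relax is honoured for provision (guest account) */`. The function starts and ends outside the hunk, so the condition this `else` pairs with is not visible here.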
index d2aeeb1a12ec12b6c996acb7b4a784457de8da85..82b5de2147538f35dcb03c25fe427a4b204e6bfc 100755 (executable)
@@ -1240,16 +1240,15 @@ objectClass: container
         self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
 
         # Try to Create a user with a valid primary group
-# TODO Some more investigation needed here
-#        try:
-#            ldb.add({
-#                "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
-#                "objectclass": ["user", "person"],
-#                "primaryGroupID": str(group_rid_1)})
-#            self.fail()
-#        except LdbError, (num, _):
-#            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-#        self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+        try:
+            ldb.add({
+                "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+                "objectclass": ["user", "person"],
+                "primaryGroupID": str(group_rid_1)})
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+        self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
 
         # Test to see how we should behave when the user account doesn't
         # exist
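Review bot: The re-enabled test pins the rejection only for an object with `"objectclass": ["user", "person"]`, while the commit title says the restriction covers computer accounts as well, and no case here exercises the relax-control exception. A second add with a computer objectclass expecting `ERR_UNWILLING_TO_PERFORM` would keep that half of the rule from regressing, and a relax-path case would be useful if the test connection is permitted to send that control. The comment above the `try` would read more accurately as `# Try to create a user with a valid primary group (must be rejected on add)`. The test method starts and ends outside the hunk.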