s4:samldb LDB module - deny "objectSid" modifications
authorMatthias Dieter Wallnöfer <mdw@samba.org>
Sun, 31 Oct 2010 21:31:53 +0000 (22:31 +0100)
committerMatthias Dieter Wallnöfer <mdw@samba.org>
Mon, 1 Nov 2010 11:34:21 +0000 (12:34 +0100)
The same as with Windows

source4/dsdb/samdb/ldb_modules/samldb.c

index 2b3129cd998d530bbe87f05513b1c04edbed9902..89fa6b23e187250713c8ddb29e1aa9849ff0ef2e 100644 (file)
@@ -1768,6 +1768,13 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 
        ldb = ldb_module_get_ctx(module);
 
+       /* make sure that "objectSid" is not specified */
+       el = ldb_msg_find_element(req->op.mod.message, "objectSid");
+       if (el != NULL) {
+               ldb_set_errstring(ldb,
+                                 "samldb: objectSid must not be specified!");
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
        /* make sure that "sAMAccountType" is not specified */
        el = ldb_msg_find_element(req->op.mod.message, "sAMAccountType");
        if (el != NULL) {
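Review bot: The new objectSid guard rejects the modify for every caller that reaches it, and the hunk does not show whether trusted internal writers (provisioning, replication, upgrade tooling) are filtered out earlier in samldb_modify, whose body starts and ends outside the hunk; if they are not, they will now fail with LDB_ERR_UNWILLING_TO_PERFORM. The comment also states what is checked rather than why; something like `/* objectSid is the object's security identifier and must stay immutable after creation; reject any modify that names it, as Windows does */` would record the reason. The check looks only at `el != NULL` and not at the element's flags, so add, replace and delete are all refused, which is the right behaviour; a regression test covering all three operations would pin it. A blank line after the closing brace would separate this check from the sAMAccountType one, matching the spacing used above it.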