summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthieu Patou <mat@matws.net>2010-11-12 19:58:09 +0300
committerMatthieu Patou <mat@samba.org>2010-11-12 19:40:21 +0000
commit2990b4fbb1acf74e98b55ce63fea3e2fe280d60e (patch)
tree545cbfa84f1b7aa6e04a981b2ab71053e7b106ba
parent35c9c2dc8aaea1019a8d611b52957c84db1feec5 (diff)
downloadsamba-2990b4fbb1acf74e98b55ce63fea3e2fe280d60e.tar.gz
samba-2990b4fbb1acf74e98b55ce63fea3e2fe280d60e.tar.bz2
samba-2990b4fbb1acf74e98b55ce63fea3e2fe280d60e.zip
samldb: relax groupType modification checks
Allow programs with the PROVISION control to bypass groupType checks. This is needed by upgradeprovision for older alpha (11, 10 ...)
-rw-r--r--source4/dsdb/samdb/ldb_modules/samldb.c59
1 files changed, 32 insertions, 27 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 4b8a303753..338b13110f 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1281,35 +1281,40 @@ static int samldb_group_type_change(struct samldb_ctx *ac)
* On each step also the group type itself
* (security/distribution) is variable. */
- switch (group_type) {
- case GTYPE_SECURITY_GLOBAL_GROUP:
- case GTYPE_DISTRIBUTION_GLOBAL_GROUP:
- /* change to "universal" allowed */
- if ((old_group_type == GTYPE_SECURITY_DOMAIN_LOCAL_GROUP) ||
- (old_group_type == GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)) {
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
- break;
-
- case GTYPE_SECURITY_UNIVERSAL_GROUP:
- case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP:
- /* each change allowed */
- break;
-
- case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP:
- case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP:
- /* change to "universal" allowed */
- if ((old_group_type == GTYPE_SECURITY_GLOBAL_GROUP) ||
- (old_group_type == GTYPE_DISTRIBUTION_GLOBAL_GROUP)) {
+ if (ldb_request_get_control(ac->req, LDB_CONTROL_PROVISION_OID) == NULL) {
+ switch (group_type) {
+ case GTYPE_SECURITY_GLOBAL_GROUP:
+ case GTYPE_DISTRIBUTION_GLOBAL_GROUP:
+ /* change to "universal" allowed */
+ if ((old_group_type == GTYPE_SECURITY_DOMAIN_LOCAL_GROUP) ||
+ (old_group_type == GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)) {
+ ldb_set_errstring(ldb,
+ "samldb: Change from security/distribution local group forbidden!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ break;
+
+ case GTYPE_SECURITY_UNIVERSAL_GROUP:
+ case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP:
+ /* each change allowed */
+ break;
+ case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP:
+ case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP:
+ /* change to "universal" allowed */
+ if ((old_group_type == GTYPE_SECURITY_GLOBAL_GROUP) ||
+ (old_group_type == GTYPE_DISTRIBUTION_GLOBAL_GROUP)) {
+ ldb_set_errstring(ldb,
+ "samldb: Change from security/distribution global group forbidden!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ break;
+
+ case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP:
+ default:
+ /* we don't allow this "groupType" values */
return LDB_ERR_UNWILLING_TO_PERFORM;
+ break;
}
- break;
-
- case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP:
- default:
- /* we don't allow this "groupType" values */
- return LDB_ERR_UNWILLING_TO_PERFORM;
- break;
}
account_type = ds_gtype2atype(group_type);