author | Matthieu Patou <mat@matws.net> | 2010-11-12 19:58:09 +0300 |
---|---|---|
committer | Matthieu Patou <mat@samba.org> | 2010-11-12 19:40:21 +0000 |
commit | 2990b4fbb1acf74e98b55ce63fea3e2fe280d60e (patch) | |
tree | 545cbfa84f1b7aa6e04a981b2ab71053e7b106ba | |
parent | 35c9c2dc8aaea1019a8d611b52957c84db1feec5 (diff) | |
samldb: relax groupType modification checks
Allow programs with the PROVISION control to bypass groupType checks.
This is needed by upgradeprovision for older alpha (11, 10 ...)
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 59 |
1 files changed, 32 insertions, 27 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 4b8a303753..338b13110f 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1281,35 +1281,40 @@ static int samldb_group_type_change(struct samldb_ctx *ac)
 * On each step also the group type itself
 * (security/distribution) is variable.
 */
- switch (group_type) {
- case GTYPE_SECURITY_GLOBAL_GROUP:
- case GTYPE_DISTRIBUTION_GLOBAL_GROUP:
- /* change to "universal" allowed */
- if ((old_group_type == GTYPE_SECURITY_DOMAIN_LOCAL_GROUP) ||
- (old_group_type == GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)) {
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
- break;
-
- case GTYPE_SECURITY_UNIVERSAL_GROUP:
- case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP:
- /* each change allowed */
- break;
-
- case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP:
- case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP:
- /* change to "universal" allowed */
- if ((old_group_type == GTYPE_SECURITY_GLOBAL_GROUP) ||
- (old_group_type == GTYPE_DISTRIBUTION_GLOBAL_GROUP)) {
+ if (ldb_request_get_control(ac->req, LDB_CONTROL_PROVISION_OID) == NULL) {
+ switch (group_type) {
+ case GTYPE_SECURITY_GLOBAL_GROUP:
+ case GTYPE_DISTRIBUTION_GLOBAL_GROUP:
+ /* change to "universal" allowed */
+ if ((old_group_type == GTYPE_SECURITY_DOMAIN_LOCAL_GROUP) ||
+ (old_group_type == GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)) {
+ ldb_set_errstring(ldb,
+ "samldb: Change from security/distribution local group forbidden!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ break;
+
+ case GTYPE_SECURITY_UNIVERSAL_GROUP:
+ case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP:
+ /* each change allowed */
+ break;
+ case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP:
+ case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP:
+ /* change to "universal" allowed */
+ if ((old_group_type == GTYPE_SECURITY_GLOBAL_GROUP) ||
+ (old_group_type == GTYPE_DISTRIBUTION_GLOBAL_GROUP)) {
+ ldb_set_errstring(ldb,
+ "samldb: Change from security/distribution global group forbidden!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ break;
+
+ case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP:
+ default:
+ /* we don't allow this "groupType" values */
 return LDB_ERR_UNWILLING_TO_PERFORM;
+ break;
 }
- break;
-
- case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP:
- default:
- /* we don't allow this "groupType" values */
- return LDB_ERR_UNWILLING_TO_PERFORM;
- break;
 }
 account_type = ds_gtype2atype(group_type); |
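Review bot: The new guard `ldb_request_get_control(ac->req, LDB_CONTROL_PROVISION_OID) == NULL` skips the entire switch, so a request carrying the provision control bypasses not only the global/domain-local transition rules but also the `default:` branch that rejects builtin-local and unknown groupType values, and that unchecked value then reaches `ds_gtype2atype(group_type)`. Nothing in the hunk shows who is allowed to attach this control; if that restriction is enforced elsewhere (presumably only trusted local callers such as upgradeprovision can set it), state the assumption here, e.g. `/* PROVISION control is honoured for trusted local callers only; transition checks are skipped for upgradeprovision */`. Consider keeping the rejection of unknown values outside the `if`, so that only the transition rules are relaxed. The `default:` path also still returns without `ldb_set_errstring()`, unlike the two branches this commit annotates. The body of samldb_group_type_change starts and ends outside the hunk.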