diff options
author | Matthieu Patou <mat@matws.net> | 2011-11-15 11:32:33 +0100 |
---|---|---|
committer | Matthieu Patou <mat@samba.org> | 2011-12-19 14:32:18 +0100 |
commit | f39426c8ae6dc6a64acbdbe6087f0f0c359a4a96 (patch) | |
tree | c18b14aadc959f4c410917f0721051e4514d0333 /source4/dsdb | |
parent | b2bace63d38690a32abcf2f82059dba6c1148d44 (diff) | |
download | samba-f39426c8ae6dc6a64acbdbe6087f0f0c359a4a96.tar.gz samba-f39426c8ae6dc6a64acbdbe6087f0f0c359a4a96.tar.bz2 samba-f39426c8ae6dc6a64acbdbe6087f0f0c359a4a96.zip |
s4-dsdb: Relax the conditions where we can't do a subtree delete
If the parent object is a SAM object (as defined in 3.1.1.5.2.3
Special Classes and Attributes of MS-ADTS) then we can use the subtree
delete control even if the object is a critical one.
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Mon Dec 19 14:32:19 CET 2011 on sn-devel-104
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 89dd6efd8a..6f239d25e1 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -1549,10 +1549,28 @@ static int objectclass_do_delete(struct oc_context *ac) isCriticalSystemObject = ldb_msg_find_attr_as_bool(ac->search_res->message, "isCriticalSystemObject", false); if (isCriticalSystemObject) { - ldb_asprintf_errstring(ldb, + /* + * Following the explaination from Microsoft + * https://lists.samba.org/archive/cifs-protocol/2011-August/002046.html + * "I finished the investigation on this behavior. + * As per MS-ADTS 3.1.5.5.7.2 , when a tree deletion is performed , + * every object in the tree will be checked to see if it has isCriticalSystemObject + * set to TRUE, including the root node on which the delete operation is performed + * But there is an exception if the root object is a SAM specific objects(3.1.1.5.2.3 MS-ADTS) + * Its deletion is done through SAM manger and isCriticalSystemObject attribute is not checked + * The root node of the tree delete in your case is CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net + * which is a SAM object with user class. Therefore the tree deletion is performed without any error + */ + + if (samdb_find_attribute(ldb, ac->search_res->message, "objectClass", "group") == NULL && + samdb_find_attribute(ldb, ac->search_res->message, "objectClass", "samDomain") == NULL && + samdb_find_attribute(ldb, ac->search_res->message, "objectClass", "samServer") == NULL && + samdb_find_attribute(ldb, ac->search_res->message, "objectClass", "user") == NULL) { + ldb_asprintf_errstring(ldb, "objectclass: Cannot tree-delete %s, it's a critical system object!", ldb_dn_get_linearized(ac->req->op.del.dn)); return LDB_ERR_UNWILLING_TO_PERFORM; + } } } |