authorMatthieu Patou <mat@matws.net>2011-11-15 11:32:33 +0100
committerMatthieu Patou <mat@samba.org>2011-12-19 14:32:18 +0100
commitf39426c8ae6dc6a64acbdbe6087f0f0c359a4a96 (patch)
treec18b14aadc959f4c410917f0721051e4514d0333 /source4/dsdb
parentb2bace63d38690a32abcf2f82059dba6c1148d44 (diff)
downloadsamba-f39426c8ae6dc6a64acbdbe6087f0f0c359a4a96.tar.gz
samba-f39426c8ae6dc6a64acbdbe6087f0f0c359a4a96.tar.bz2
samba-f39426c8ae6dc6a64acbdbe6087f0f0c359a4a96.zip
s4-dsdb: Relax the conditions where we can't do a subtree delete
If the parent object is a SAM object (as defined in 3.1.1.5.2.3 Special Classes and Attributes of MS-ADTS) then we can use the subtree delete control even if the object is a critical one. Autobuild-User: Matthieu Patou <mat@samba.org> Autobuild-Date: Mon Dec 19 14:32:19 CET 2011 on sn-devel-104
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 89dd6efd8a..6f239d25e1 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -1549,10 +1549,28 @@ static int objectclass_do_delete(struct oc_context *ac)
isCriticalSystemObject = ldb_msg_find_attr_as_bool(ac->search_res->message,
"isCriticalSystemObject", false);
if (isCriticalSystemObject) {
- ldb_asprintf_errstring(ldb,
+ /*
+ * Following the explaination from Microsoft
+ * https://lists.samba.org/archive/cifs-protocol/2011-August/002046.html
+ * "I finished the investigation on this behavior.
+ * As per MS-ADTS 3.1.5.5.7.2 , when a tree deletion is performed ,
+ * every object in the tree will be checked to see if it has isCriticalSystemObject
+ * set to TRUE, including the root node on which the delete operation is performed
+ * But there is an exception if the root object is a SAM specific objects(3.1.1.5.2.3 MS-ADTS)
+ * Its deletion is done through SAM manger and isCriticalSystemObject attribute is not checked
+ * The root node of the tree delete in your case is CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net
+ * which is a SAM object with user class. Therefore the tree deletion is performed without any error
+ */
+
+ if (samdb_find_attribute(ldb, ac->search_res->message, "objectClass", "group") == NULL &&
+ samdb_find_attribute(ldb, ac->search_res->message, "objectClass", "samDomain") == NULL &&
+ samdb_find_attribute(ldb, ac->search_res->message, "objectClass", "samServer") == NULL &&
+ samdb_find_attribute(ldb, ac->search_res->message, "objectClass", "user") == NULL) {
+ ldb_asprintf_errstring(ldb,
"objectclass: Cannot tree-delete %s, it's a critical system object!",
ldb_dn_get_linearized(ac->req->op.del.dn));
return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
}
}
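Review bot: The new exemption (the four `samdb_find_attribute` calls on `objectClass`) spells the same lookup out four times, and nothing in the code itself says these four values are the SAM-specific classes of MS-ADTS 3.1.1.5.2.3 — a reader must dig that out of the long quoted mail, which also carries the typo "explaination". A NULL-terminated table scanned once, with a short comment naming the spec section, keeps the list in one place if the set of classes ever has to change. Note that `samDomain` in the list means a domain head with isCriticalSystemObject set is no longer refused by this branch; if that root is meant to stay protected by the earlier checks in this function (the branch appears to sit inside the tree-delete-control case, and objectclass_do_delete starts and continues outside the hunk), the comment should say so explicitly rather than leave it implied by the quoted mail.
```c
		/* SAM-specific classes (MS-ADTS 3.1.1.5.2.3): a tree delete
		 * whose root is one of these is handled by the SAM layer, so
		 * isCriticalSystemObject is not consulted for the root. */
		static const char * const sam_classes[] = {
			"group", "samDomain", "samServer", "user", NULL
		};
		bool is_sam_object = false;
		size_t i;

		for (i = 0; sam_classes[i] != NULL; i++) {
			if (samdb_find_attribute(ldb, ac->search_res->message,
						 "objectClass", sam_classes[i]) != NULL) {
				is_sam_object = true;
				break;
			}
		}
		if (!is_sam_object) {
			/* … unchanged: ldb_asprintf_errstring + return LDB_ERR_UNWILLING_TO_PERFORM … */
		}
```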