authorMatthias Dieter Wallnöfer <mdw@samba.org>2010-09-15 15:19:38 +0200
committerAndrew Bartlett <abartlet@samba.org>2010-09-24 09:25:42 +1000
commit679eb33e798efbfdaebb9cf0cd3977bb945e8075 (patch)
treeda1f7d447012a57b0f0c84c5a687c892c9794ab8 /source4
parent2e913994f2455019a3b99cb19df2f319b7218e17 (diff)
s4:samldb LDB module - it isn't allowed to create user/computer accounts with a primary group specified
It can only be changed afterwards. We allow a "relax"ed exception for the provision state since we need this for the guest account. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/dsdb/samdb/ldb_modules/samldb.c4
-rwxr-xr-xsource4/dsdb/tests/python/ldap.py19
2 files changed, 13 insertions, 10 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index d23031522d..e7e84b2e3b 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -269,6 +269,10 @@ static int samldb_check_primaryGroupID(struct samldb_ctx *ac)
if (ret != LDB_SUCCESS) {
return ret;
}
+ } else if (!ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+ ldb_set_errstring(ldb,
+ "The primary group isn't settable on add operations!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
}
sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid);
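Review bot: The new `else if` branch lifts the restriction whenever `LDB_CONTROL_RELAX_OID` is present on `ac->req`, so the exception depends on a request control rather than on provisioning state or on who the caller is. The commit message says the exception exists for provision (the guest account). If that control can also be attached by an ordinary remote client, which is decided outside this hunk, anyone allowed to add accounts could skip the check, so it is worth confirming where the control is filtered. I would record the intent at the branch, e.g. `/* relax is only meant for provision (guest account); use of the control must be restricted elsewhere */`. The opening `if` of this chain and the rest of samldb_check_primaryGroupID lie outside the hunk.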
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index d2aeeb1a12..82b5de2147 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -1240,16 +1240,15 @@ objectClass: container
self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
# Try to Create a user with a valid primary group
-# TODO Some more investigation needed here
-# try:
-# ldb.add({
-# "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
-# "objectclass": ["user", "person"],
-# "primaryGroupID": str(group_rid_1)})
-# self.fail()
-# except LdbError, (num, _):
-# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-# self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ try:
+ ldb.add({
+ "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+ "objectclass": ["user", "person"],
+ "primaryGroupID": str(group_rid_1)})
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+ self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
# Test to see how we should behave when the user account doesn't
# exist
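Review bot: Only the rejection path is exercised here; nothing in this hunk covers the relax-control exception added in samldb.c, so a later change that widens or breaks that exception would go unnoticed (a test for it may exist outside the hunk). The retained comment `# Try to Create a user with a valid primary group` does not state the expected outcome; something like `# Creating a user with primaryGroupID set must fail with ERR_UNWILLING_TO_PERFORM` would. The add goes through `ldb` while the cleanup uses `self.ldb`, which reads as two different handles; `self.ldb.add({...})` would be consistent if they are the same connection.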