-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 89dd6efd8a..6f239d25e1 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -1549,10 +1549,28 @@ static int objectclass_do_delete(struct oc_context *ac)
 isCriticalSystemObject = ldb_msg_find_attr_as_bool(ac->search_res->message, "isCriticalSystemObject", false);
 if (isCriticalSystemObject) {
- ldb_asprintf_errstring(ldb,
+ /*
+ * Following the explaination from Microsoft
+ * https://lists.samba.org/archive/cifs-protocol/2011-August/002046.html
+ * "I finished the investigation on this behavior.
+ * As per MS-ADTS 3.1.5.5.7.2 , when a tree deletion is performed ,
+ * every object in the tree will be checked to see if it has isCriticalSystemObject
+ * set to TRUE, including the root node on which the delete operation is performed
+ * But there is an exception if the root object is a SAM specific objects(3.1.1.5.2.3 MS-ADTS)
+ * Its deletion is done through SAM manger and isCriticalSystemObject attribute is not checked
+ * The root node of the tree delete in your case is CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net
+ * which is a SAM object with user class. Therefore the tree deletion is performed without any error
+ */
+
+ if (samdb_find_attribute(ldb, ac->search_res->message, "objectClass", "group") == NULL &&
+ samdb_find_attribute(ldb, ac->search_res->message, "objectClass", "samDomain") == NULL &&
+ samdb_find_attribute(ldb, ac->search_res->message, "objectClass", "samServer") == NULL &&
+ samdb_find_attribute(ldb, ac->search_res->message, "objectClass", "user") == NULL) {
+ ldb_asprintf_errstring(ldb,
 "objectclass: Cannot tree-delete %s, it's a critical system object!", ldb_dn_get_linearized(ac->req->op.del.dn));
 return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
 }
 }
|
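Review bot: The new `if` in front of `ldb_asprintf_errstring` is a security-relevant exemption — it lets an object flagged isCriticalSystemObject be tree-deleted — but it is written as four repeated `samdb_find_attribute` calls with no comment naming the rule they encode; the quoted mailing-list text above explains the spec, not what the condition checks. The four class names are the SAM-specific classes the comment cites from MS-ADTS 3.1.1.5.2.3, so a static table iterated in a loop, with a one-line why-comment such as `/* SAM-specific classes (MS-ADTS 3.1.1.5.2.3) are exempt from the isCriticalSystemObject check when they are the root of a tree-delete */`, would keep the exemption list auditable and extendable in one place. The quoted rule also restricts the exception to the root object of the tree-delete; whether this branch is reached again for each child removed as part of that tree is not visible here, and if it is, a critical child of class user or group would now be exempt as well, which is worth confirming against the tree-delete path. objectclass_do_delete starts and ends outside the hunk.
```c
		if (isCriticalSystemObject) {
			/* SAM-specific classes (MS-ADTS 3.1.1.5.2.3) are exempt
			 * from the isCriticalSystemObject check when they are
			 * the root of a tree-delete (see MS-ADTS 3.1.5.5.7.2). */
			static const char * const sam_classes[] = {
				"group", "samDomain", "samServer", "user"
			};
			bool is_sam_object = false;
			size_t i;

			for (i = 0; i < sizeof(sam_classes) / sizeof(sam_classes[0]); i++) {
				if (samdb_find_attribute(ldb, ac->search_res->message,
							 "objectClass", sam_classes[i]) != NULL) {
					is_sam_object = true;
					break;
				}
			}
			if (!is_sam_object) {
				/* … unchanged: ldb_asprintf_errstring + return LDB_ERR_UNWILLING_TO_PERFORM … */
			}
```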