From d3d365daab18245ee5f6c2a2de54b9ba00c47f6e Mon Sep 17 00:00:00 2001
From: Amitay Isaacs
Date: Wed, 30 Nov 2011 10:37:14 +1100
Subject: dlz_bind9: For creating a child entry, use only SEC_ADS_CREATE_CHILD

The member servers in AD do not have access to modify the parent, but do have access to create child DNS records.
---
 source4/dns_server/dlz_bind9.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c
index 87476d3444..cb4144d598 100644
--- a/source4/dns_server/dlz_bind9.c
+++ b/source4/dns_server/dlz_bind9.c
@@ -1133,7 +1133,7 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
 attrs, "objectClass=dnsNode");
 if (ldb_ret == LDB_ERR_NO_SUCH_OBJECT) {
 ldb_dn_remove_child_components(dn, 1);
- access_mask = SEC_STD_REQUIRED | SEC_ADS_CREATE_CHILD;
+ access_mask = SEC_ADS_CREATE_CHILD;
 talloc_free(res);
 } else if (ldb_ret == LDB_SUCCESS) {
 access_mask = SEC_STD_REQUIRED | SEC_ADS_SELF_WRITE;
-- cgit
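Review bot: The create branch (`ldb_ret == LDB_ERR_NO_SUCH_OBJECT`) now uses a narrower mask than the existing-record branch, which keeps `SEC_STD_REQUIRED | SEC_ADS_SELF_WRITE`, and nothing in the code explains the asymmetry; a comment above the assignment would help, for example `/* checked against the parent: member servers can create child records but cannot modify the parent, so only SEC_ADS_CREATE_CHILD is required */`. With this mask, the create-child right on the parent container becomes the only gate on who may register a new name through dlz_ssumatch, so that ACL is worth stating as a deployment assumption. Separately, the result of `ldb_dn_remove_child_components(dn, 1)` on the preceding line is not checked in the visible lines; if it failed, the check would presumably be evaluated against the missing child DN rather than the parent, so denying the update in that case would fail closed. The function body starts and ends outside the hunk, and the access check that consumes `access_mask` is not visible here.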