From 679eb33e798efbfdaebb9cf0cd3977bb945e8075 Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer <mdw@samba.org>
Date: Wed, 15 Sep 2010 15:19:38 +0200
Subject: s4:samldb LDB module - it isn't allowed to create user/computer
 accounts with a primary group specified

It can only be changed afterwards. We allow a "relax"ed exception for the
provision state since we need this for the guest account.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/dsdb/samdb/ldb_modules/samldb.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'source4/dsdb/samdb/ldb_modules')

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index d23031522d..e7e84b2e3b 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -269,6 +269,10 @@ static int samldb_check_primaryGroupID(struct samldb_ctx *ac)
 		if (ret != LDB_SUCCESS) {
 			return ret;
 		}
+	} else if (!ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+		ldb_set_errstring(ldb,
+				  "The primary group isn't settable on add operations!");
+		return LDB_ERR_UNWILLING_TO_PERFORM;
 	}
 
 	sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid);
-- 
cgit