From ae61408e2f198ada294a826e375f0f4a1e7da3d6 Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Thu, 25 Nov 2010 09:33:47 +0100 Subject: s4:lsa RPC server / objectclass LDB module - fix the creation of trusted domain objects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Tridge pointed out that it is to dangerous to allow them to be created with SYSTEM permissions. The solution using the "untrusted" flag should be much more viable. Autobuild-User: Matthias Dieter Wallnöfer Autobuild-Date: Thu Nov 25 13:05:56 CET 2010 on sn-devel-104 --- source4/dsdb/samdb/ldb_modules/objectclass.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'source4/dsdb/samdb/ldb_modules') diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index d69c3f4d05..21f316400a 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -467,8 +467,6 @@ static int objectclass_do_add(struct oc_context *ac) struct ldb_request *add_req; struct ldb_message_element *objectclass_element, *el; struct ldb_message *msg; - struct ldb_control *as_system = ldb_request_get_control(ac->req, - LDB_CONTROL_AS_SYSTEM_OID); TALLOC_CTX *mem_ctx; struct class_list *sorted, *current; const char *rdn_name = NULL; @@ -480,10 +478,6 @@ static int objectclass_do_add(struct oc_context *ac) bool found; int ret; - if (as_system != NULL) { - as_system->critical = 0; - } - msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message); if (msg == NULL) { return ldb_module_oom(ac->module); @@ -581,7 +575,7 @@ static int objectclass_do_add(struct oc_context *ac) /* LSA-specific objectclasses per default not allowed */ if (((strcmp(value, "secret") == 0) || (strcmp(value, "trustedDomain") == 0)) && - !(dsdb_module_am_system(ac->module) || as_system)) { + ldb_req_is_untrusted(ac->req)) { ldb_asprintf_errstring(ldb, "objectclass: object class '%s' is LSA-specific, rejecting creation of '%s'!", value, -- cgit