From 5aa7dbe546ff18e521e72c0af713a2509201e00d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 23 Nov 2012 09:55:17 +0100
Subject: s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on
 nTSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source4/dsdb/samdb/ldb_modules/descriptor.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'source4/dsdb/samdb')

diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index b41c0aafba..4b4704b664 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -642,6 +642,17 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
 		return ldb_next_request(module, req);
 	}
 
+	/*
+	 * nTSecurityDescriptor with DELETE is not supported yet.
+	 * TODO: handle this correctly.
+	 */
+	if (LDB_FLAG_MOD_TYPE(sd_element->flags) == LDB_FLAG_MOD_DELETE) {
+		return ldb_module_error(module,
+					LDB_ERR_UNWILLING_TO_PERFORM,
+					"MOD_DELETE for nTSecurityDescriptor "
+					"not supported yet");
+	}
+
 	user_sd = ldb_msg_find_ldb_val(req->op.mod.message, "nTSecurityDescriptor");
 	/* nTSecurityDescriptor without a value is an error, letting through so it is handled */
 	if (user_sd == NULL) {
-- 
cgit