From e3aa200a14e92f82c8233cad1b8062ffcc5a9a7e Mon Sep 17 00:00:00 2001
From: Matthieu Patou
Date: Sat, 21 May 2011 11:56:45 +0400
Subject: s4:samldb LDB module - don't change the "primaryGroupId" on LDB modifications unless we are a computer/dc/rodc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Matthias Dieter Wallnöfer
---
 source4/dsdb/samdb/ldb_modules/samldb.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'source4/dsdb')
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 21341850d9..216e14dc4b 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1219,6 +1219,12 @@ static int samldb_prim_group_trigger(struct samldb_ctx *ac)
 return ret;
 }
+
+/**
+ * This function is called on a LDB modify. It performs some additions/changes
+ * on the current LDB message. Changes depend on the value of
+ * userAccountControl.
+ */
 static int samldb_user_account_control_change(struct samldb_ctx *ac)
 {
 struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
@@ -1278,7 +1284,16 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
 el->flags = LDB_FLAG_MOD_REPLACE;
 }
- if (!ldb_msg_find_element(ac->msg, "primaryGroupID")) {
+ /*
+ * If the account has UF_SERVER_TRUST_ACCOUNT or
+ * UF_WORKSTATION_TRUST_ACCOUNT then change the group
+ * as it's either a workstation, a RODC, or a DC.
+ *
+ * If not it might be just a user that we are enabling
+ * and in this case we don't want to change its default group.
+ */
+ if (user_account_control & (UF_SERVER_TRUST_ACCOUNT| UF_WORKSTATION_TRUST_ACCOUNT) &&
+ !ldb_msg_find_element(ac->msg, "primaryGroupID")) {
 uint32_t rid = ds_uf2prim_group_rid(user_account_control);
 ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "primaryGroupID", rid);
-- cgit
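Review bot: In the second hunk, the new guard skips the "primaryGroupID" rewrite whenever neither trust bit is set, so a modify that turns a workstation or DC account back into a normal account appears to leave the earlier machine group RID in place. The added comment covers enabling a user but not this direction. If that is intended, record it in the comment, e.g. `* Clearing the trust bits does not reset primaryGroupID; callers must do that explicitly.`, and cover it with a test, because a leftover machine-group primary group on a user account is a privilege-relevant state. The bitwise test is also easier to audit with its own parentheses: `if ((user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT)) &&`. The body of samldb_user_account_control_change() starts and ends outside the hunk, so whether the caller's right to set these bits is checked elsewhere cannot be confirmed from here.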