From 1352a9406f3e3067a8e751ac157eab67796bc0c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20Dieter=20Walln=C3=B6fer?= Date: Tue, 23 Nov 2010 15:15:09 +0100 Subject: [PATCH] s4:objectclass LDB module - LSA objects - allow them if the SYSTEM control is specified MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fits better than the RELAX one. Autobuild-User: Matthias Dieter Wallnöfer Autobuild-Date: Wed Nov 24 18:23:01 CET 2010 on sn-devel-104 --- source4/dsdb/samdb/ldb_modules/objectclass.c | 10 +++++++--- source4/rpc_server/lsa/dcesrv_lsa.c | 4 ++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 0bb33aaf355..d69c3f4d05e 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -463,10 +463,12 @@ static bool check_rodc_ntdsdsa_add(struct oc_context *ac, static int objectclass_do_add(struct oc_context *ac) { - struct ldb_context *ldb; + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); struct ldb_request *add_req; struct ldb_message_element *objectclass_element, *el; struct ldb_message *msg; + struct ldb_control *as_system = ldb_request_get_control(ac->req, + LDB_CONTROL_AS_SYSTEM_OID); TALLOC_CTX *mem_ctx; struct class_list *sorted, *current; const char *rdn_name = NULL; @@ -478,7 +480,9 @@ static int objectclass_do_add(struct oc_context *ac) bool found; int ret; - ldb = ldb_module_get_ctx(ac->module); + if (as_system != NULL) { + as_system->critical = 0; + } msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message); if (msg == NULL) { @@ -577,7 +581,7 @@ static int objectclass_do_add(struct oc_context *ac) /* LSA-specific objectclasses per default not allowed */ if (((strcmp(value, "secret") == 0) || (strcmp(value, "trustedDomain") == 0)) && - !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) { + !(dsdb_module_am_system(ac->module) || as_system)) { ldb_asprintf_errstring(ldb, "objectclass: object class '%s' is LSA-specific, rejecting creation of '%s'!", value, diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 4014ae0742b..1b55824bb12 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -1056,7 +1056,7 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dc trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msg->dn); /* create the trusted_domain */ - ret = dsdb_add(sam_ldb, msg, DSDB_MODIFY_RELAX); + ret = dsdb_add(sam_ldb, msg, DSDB_FLAG_AS_SYSTEM); switch (ret) { case LDB_SUCCESS: break; @@ -2949,7 +2949,7 @@ static NTSTATUS dcesrv_lsa_CreateSecret(struct dcesrv_call_state *dce_call, TALL secret_state->secret_dn = talloc_reference(secret_state, msg->dn); /* create the secret */ - ret = dsdb_add(secret_state->sam_ldb, msg, DSDB_MODIFY_RELAX); + ret = dsdb_add(secret_state->sam_ldb, msg, DSDB_FLAG_AS_SYSTEM); if (ret != LDB_SUCCESS) { DEBUG(0,("Failed to create secret record %s: %s\n", ldb_dn_get_linearized(msg->dn),