s4-dsdb/samldb: Skip 'sAMAccountType' and 'primaryGroupID' during Tombstone reanimate

tombstone_reanimate.c module is going to restore those attributes
and it needs a way to propagate them to DB

Change-Id: I36f30b33fa204fd28329eab01044a125f7a3f08e
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index d744ca8616dc40c772b89cc5b194d164fe4033cc..24124c948b788510dabb66236c464d8e712d25cb 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -2781,6 +2781,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
        struct ldb_context *ldb;
        struct samldb_ctx *ac;
        struct ldb_message_element *el, *el2;
+       struct ldb_control *is_undelete;
        bool modified = false;
        int ret;
 
@@ -2791,6 +2792,13 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 
        ldb = ldb_module_get_ctx(module);
 
+       /*
+        * we are going to need some special handling if in Undelete call.
+        * Since tombstone_reanimate module will restore certain attributes,
+        * we need to relax checks for: sAMAccountType, primaryGroupID
+        */
+       is_undelete = ldb_request_get_control(req, DSDB_CONTROL_RESTORE_TOMBSTONE_OID);
+
        /* make sure that "objectSid" is not specified */
        el = ldb_msg_find_element(req->op.mod.message, "objectSid");
        if (el != NULL) {
@@ -2800,12 +2808,14 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
                        return LDB_ERR_UNWILLING_TO_PERFORM;
                }
        }
-       /* make sure that "sAMAccountType" is not specified */
-       el = ldb_msg_find_element(req->op.mod.message, "sAMAccountType");
-       if (el != NULL) {
-               ldb_set_errstring(ldb,
-                                 "samldb: sAMAccountType must not be specified!");
-               return LDB_ERR_UNWILLING_TO_PERFORM;
+       if (is_undelete == NULL) {
+               /* make sure that "sAMAccountType" is not specified */
+               el = ldb_msg_find_element(req->op.mod.message, "sAMAccountType");
+               if (el != NULL) {
+                       ldb_set_errstring(ldb,
+                                         "samldb: sAMAccountType must not be specified!");
+                       return LDB_ERR_UNWILLING_TO_PERFORM;
+               }
        }
        /* make sure that "isCriticalSystemObject" is not specified */
        el = ldb_msg_find_element(req->op.mod.message, "isCriticalSystemObject");
@@ -2849,11 +2859,13 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
                return ldb_operr(ldb);
        }
 
-       el = ldb_msg_find_element(ac->msg, "primaryGroupID");
-       if (el != NULL) {
-               ret = samldb_prim_group_trigger(ac);
-               if (ret != LDB_SUCCESS) {
-                       return ret;
+       if (is_undelete == NULL) {
+               el = ldb_msg_find_element(ac->msg, "primaryGroupID");
+               if (el != NULL) {
+                       ret = samldb_prim_group_trigger(ac);
+                       if (ret != LDB_SUCCESS) {
+                               return ret;
+                       }
                }
        }