s4-samdb: when UF_SERVER_TRUST_ACCOUNT is set mark object as critical
authorAndrew Tridgell <tridge@samba.org>
Fri, 25 Sep 2009 22:14:43 +0000 (15:14 -0700)
committerAndrew Tridgell <tridge@samba.org>
Mon, 28 Sep 2009 00:24:13 +0000 (10:24 +1000)
We may also need to remove the isCriticalSystemObject attribute when the
machine is demoted.

source4/dsdb/samdb/ldb_modules/samldb.c

index 8f51dc7699c2fe73460bb01b74be33171cd571c9..e59b5dd1ce737bd7310e9e94dfcc40059aec2529 100644 (file)
@@ -2005,6 +2005,16 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
                }
                el2 = ldb_msg_find_element(msg, "sAMAccountType");
                el2->flags = LDB_FLAG_MOD_REPLACE;
+
+               if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+                       ret = samdb_msg_add_string(ldb, msg, msg,
+                                                  "isCriticalSystemObject", "TRUE");
+                       if (ret != LDB_SUCCESS) {
+                               return ret;
+                       }
+                       el2 = ldb_msg_find_element(msg, "isCriticalSystemObject");
+                       el2->flags = LDB_FLAG_MOD_REPLACE;
+               }
        }
 
        el = ldb_msg_find_element(req->op.mod.message, "primaryGroupID");
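Review bot: The lookup `ldb_msg_find_element(msg, "isCriticalSystemObject")` after the add selects by attribute name, so if the modify request already carries an isCriticalSystemObject element, the REPLACE flag may land on the caller's element and the forced "TRUE" may end up alongside a caller-supplied value instead of overriding it. Since the attribute is meant to follow the UF_SERVER_TRUST_ACCOUNT bit, it would be safer to drop any client-supplied element first, e.g. `ldb_msg_remove_attr(msg, "isCriticalSystemObject");` ahead of the `samdb_msg_add_string` call; this assumes msg is the module's own copy of the request message, which is not visible in this hunk. The lookup result is also dereferenced unchecked, and `if (el2 == NULL) return LDB_ERR_OPERATIONS_ERROR;` before `el2->flags` would keep a failed lookup from becoming a NULL dereference in the directory server. samldb_modify starts and continues outside the hunk.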