s4: LSA objects handling in LDAP and "ldb_req_is_untrusted"

Matthias Dieter Wallnöfer mdw at samba.org
Tue Dec 21 05:00:37 MST 2010

Dochelp (Hongwei Sun) and I have finished the investigation about the 
protected LSA objects (e.g. trusted domains). As a conclusion they're 
protected on LDAP adds and LDAP modifies but not on LDAP deletes.

In order to achieve this, I would like to propose the following patch: 
But this alone doesn't work due to the call of "ldb_req_is_untrusted" on 
a child request and not the original LDAP one.

So what could we do to be able to know if also child requests from an 
untrusted request are untrusted as well?


More information about the samba-technical mailing list