sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-25 17:57:42 +03:00
Code

s4-auth: Do not trigger RODC replication unless missing all passwords

Browse Source 
With the NT hash becoming optional we cannot make blind assumptions that
a missing value means we are on an RODC needing the password replicated.

Instead, check for supplementalCredentials as well.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andrew Bartlett 2022-03-16 16:27:54 +13:00
parent 1884bc11f0
commit 360bb864e9
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
source4/auth/ntlm/auth_sam.c
View File

@ -220,6 +220,7 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
const char * const attrs[] = { "pwdHistoryLength", NULL }; const char * const attrs[] = { "pwdHistoryLength", NULL };
struct ldb_message *dom_msg; struct ldb_message *dom_msg;
struct samr_Password *nt_pwd; struct samr_Password *nt_pwd;
const struct ldb_val *sc_val;
bool am_rodc; bool am_rodc;
tmp_ctx = talloc_new(mem_ctx); tmp_ctx = talloc_new(mem_ctx);
@ -242,7 +243,9 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
return nt_status; return nt_status;
} }
if (nt_pwd == NULL) { sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials");
if (nt_pwd == NULL && sc_val == NULL) {
if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) { if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
/* /*
* we don't have passwords for this * we don't have passwords for this