sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-12 20:58:37 +03:00
Code

s4-drs: Do not send RODC filtered attributes to RODCs on GetNCChanges reply

Browse Source 
During building an object to send it on a GetNCChanges reply, it checks
the attributes and if any of them is a RODC filtered and the recipient
is a RODC, then such attribute is not sent.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
This commit is contained in:
Fernando J V da Silva 2010-04-15 17:42:08 -03:00 committed by Andrew Tridgell
parent 59aa0a07d2
commit d940a44496
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
source4/rpc_server/drsuapi/getncchanges.c
View File

@ -104,6 +104,7 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
const char *rdn;
const struct dsdb_attribute *rdn_sa;
unsigned int instanceType;
int rodc_filtered_flags;
instanceType = ldb_msg_find_attr_as_uint(msg, "instanceType", 0);
if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
@ -199,6 +200,19 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
continue;
}
/* if the recipient is a RODC, then we should not add any
* RODC filtered attribute */
/* TODO: This is not strictly correct, as it doesn't allow for administrators
to setup some users to transfer passwords to specific RODCs. To support that
we would instead remove this check and rely on extended ACL checking in the dsdb
acl module. */
rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
if ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0 &&
(sa->searchFlags & rodc_filtered_flags)) {
continue;
}
obj->meta_data_ctr->meta_data[n].originating_change_time = md.ctr.ctr1.array[i].originating_change_time;
obj->meta_data_ctr->meta_data[n].version = md.ctr.ctr1.array[i].version;
obj->meta_data_ctr->meta_data[n].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id;