s4-repl: use the GC principal name for DRS replication connection

this is required when talking to RODCs (for notify calls), and is good
practice for all DCs

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

source4/dsdb/repl/drepl_notify.c

@@ -292,7 +292,8 @@ static WERROR dreplsrv_schedule_notify_sync(struct dreplsrv_service *service,
 					    struct repsFromToBlob *reps,
 					    TALLOC_CTX *mem_ctx,
 					    uint64_t uSN,
-					    bool is_urgent)
+					    bool is_urgent,
+					    uint32_t replica_flags)
 {
 	struct dreplsrv_notify_operation *op;
 	struct dreplsrv_partition_source_dsa *s;
@@ -311,6 +312,7 @@ static WERROR dreplsrv_schedule_notify_sync(struct dreplsrv_service *service,
 	op->source_dsa	  = s;
 	op->uSN           = uSN;
 	op->is_urgent	  = is_urgent;
+	op->replica_flags = replica_flags;
 
 	DLIST_ADD_END(service->ops.notifies, op, struct dreplsrv_notify_operation *);
 	talloc_steal(service, op);
@@ -350,7 +352,9 @@ static WERROR dreplsrv_notify_check(struct dreplsrv_service *s,
 	/* see if any of our partners need some of our objects */
 	for (i=0; i<count; i++) {
 		struct dreplsrv_partition_source_dsa *sdsa;
+		uint32_t replica_flags;
 		sdsa = dreplsrv_find_source_dsa(p, &reps[i].ctr.ctr1.source_dsa_obj_guid);
+		replica_flags = reps[i].ctr.ctr1.replica_flags;
 		if (sdsa == NULL) continue;
 		if (sdsa->notify_uSN < uSNHighest) {
 			/* we need to tell this partner to replicate
@@ -359,7 +363,7 @@ static WERROR dreplsrv_notify_check(struct dreplsrv_service *s,
 
 			/* check if urgent replication is needed */
 			werr = dreplsrv_schedule_notify_sync(s, p, &reps[i], mem_ctx,
-							     uSNHighest, is_urgent);
+							     uSNHighest, is_urgent, replica_flags);
 			if (!W_ERROR_IS_OK(werr)) {
 				DEBUG(0,(__location__ ": Failed to setup notify to %s for %s\n",
 					 reps[i].ctr.ctr1.other_info->dns_name,

source4/dsdb/repl/drepl_partitions.c

@@ -94,6 +94,61 @@ WERROR dreplsrv_load_partitions(struct dreplsrv_service *s)
 	return WERR_OK;
 }
 
+/*
+  work out the principal to use for DRS replication connections
+ */
+NTSTATUS dreplsrv_get_target_principal(struct dreplsrv_service *s,
+				       TALLOC_CTX *mem_ctx,
+				       const struct repsFromTo1 *rft,
+				       const char **target_principal)
+{
+	TALLOC_CTX *tmp_ctx;
+	struct ldb_result *res;
+	const char *attrs[] = { "dNSHostName", NULL };
+	int ret;
+	const char *hostname;
+	struct ldb_dn *dn;
+
+	*target_principal = NULL;
+
+	tmp_ctx = talloc_new(mem_ctx);
+
+	/* we need to find their hostname */
+	ret = dsdb_find_dn_by_guid(s->samdb, tmp_ctx, &rft->source_dsa_obj_guid, &dn);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(tmp_ctx);
+		/* its OK for their NTDSDSA DN not to be in our database */
+		return NT_STATUS_OK;
+	}
+
+	/* strip off the NTDS Settings */
+	if (!ldb_dn_remove_child_components(dn, 1)) {
+		talloc_free(tmp_ctx);
+		return NT_STATUS_OK;
+	}
+
+	ret = dsdb_search_dn(s->samdb, tmp_ctx, &res, dn, attrs, 0);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(tmp_ctx);
+		/* its OK for their account DN not to be in our database */
+		return NT_STATUS_OK;
+	}
+
+	hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
+	if (hostname == NULL) {
+		talloc_free(tmp_ctx);
+		/* its OK to not have a dnshostname */
+		return NT_STATUS_OK;
+	}
+
+	*target_principal = talloc_asprintf(mem_ctx, "GC/%s/%s",
+					    hostname,
+					    lpcfg_dnsdomain(s->task->lp_ctx));
+	talloc_free(tmp_ctx);
+	return NT_STATUS_OK;
+}
+
+
 WERROR dreplsrv_out_connection_attach(struct dreplsrv_service *s,
 				      const struct repsFromTo1 *rft,
 				      struct dreplsrv_out_connection **_conn)
@@ -136,6 +191,13 @@ WERROR dreplsrv_out_connection_attach(struct dreplsrv_service *s,
 			return ntstatus_to_werror(nt_status);
 		}
 
+		/* use the GC principal for DRS replication */
+		nt_status = dreplsrv_get_target_principal(s, conn->binding,
+							  rft, &conn->binding->target_principal);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			return ntstatus_to_werror(nt_status);
+		}
+
 		DLIST_ADD_END(s->connections, conn, struct dreplsrv_out_connection *);
 
 		DEBUG(2,("dreplsrv_out_connection_attach(%s): create\n", conn->binding->host));

source4/dsdb/repl/drepl_service.h

@@ -52,6 +52,9 @@ struct dreplsrv_out_connection {
 
 	/* the out going connection to the source dsa */
 	struct dreplsrv_drsuapi_connection *drsuapi;
+
+	/* used to force the GC principal name */
+	const char *principal_name;
 };
 
 struct dreplsrv_partition_source_dsa {
@@ -130,6 +133,7 @@ struct dreplsrv_notify_operation {
 
 	struct dreplsrv_partition_source_dsa *source_dsa;
 	bool is_urgent;
+	uint32_t replica_flags;
 };
 
 struct dreplsrv_service {