authorFernando J V da Silva <fernandojvsilva@yahoo.com.br>2010-04-15 17:38:47 -0300
committerAndrew Tridgell <tridge@samba.org>2010-04-22 19:36:15 +1000
commitfbdbd67c7640757f80a2ffd70a17c6ab50491844 (patch)
treecfb6963fe51b007ca6b1b7a1353aa57c3acc46c9
parent57bcdf008fa44d4c550819cbceada968b11be63c (diff)
s4-drs: dsdb_validate_client_flags() function
This function is intended to check that a client is not lying about its flags. At this moment, it only checks for RODC flags. Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r--source4/dsdb/common/util.c28
1 files changed, 28 insertions, 0 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 842f56b3ed..9e2e358b3b 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -2413,6 +2413,34 @@ int dsdb_find_sid_by_dn(struct ldb_context *ldb,
}
+int dsdb_validate_client_flags(struct ldb_context *ldb,
+ const struct repsFromTo1 *client_rf)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx = talloc_new(ldb);
+
+ if (client_rf->replica_flags & DRSUAPI_DRS_WRIT_REP) {
+ bool is_rodc;
+ ret = samdb_is_rodc(ldb, &client_rf->source_dsa_invocation_id, &is_rodc);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+ if (is_rodc) {
+ DEBUG(0,("Client %s claimed to be WRIT_REP, but is RODC\n",
+ GUID_string(tmp_ctx, &client_rf->source_dsa_invocation_id)));
+ talloc_free(tmp_ctx);
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ }
+
+ /* TODO: we may need to validate more client flags here, if they
+ are security sensitive */
+
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+}
+
/*
load a repsFromTo blob list for a given partition GUID
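Review bot: The `talloc_new(ldb)` at the top of dsdb_validate_client_flags is never checked for NULL, and the temporary context is allocated even on the common path where DRSUAPI_DRS_WRIT_REP is not set and nothing is ever formatted under it. Either add `if (tmp_ctx == NULL) return LDB_ERR_OPERATIONS_ERROR;` right after the allocation, or create the context only inside the `is_rodc` branch where `GUID_string` actually needs it, which also removes the three separate `talloc_free` calls. Separately, `samdb_is_rodc` is, as far as I can tell, keyed on the objectGUID of the DSA's NTDS Settings object, whereas `source_dsa_invocation_id` is the replica's invocation ID; if those differ (for example after a restore) the lookup would not identify the caller and the RODC check would not fire, so this is worth confirming against the helper's definition, which is outside the hunk. A short header comment would also help readers of this security check, e.g. `/* Reject a replication client whose repsFromTo flags contradict what the directory says about it: a DC that is an RODC must not claim DRSUAPI_DRS_WRIT_REP. Returns LDB_SUCCESS, LDB_ERR_UNWILLING_TO_PERFORM on a mismatch, or the ldb error from the lookup. */`.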