summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2011-09-23 17:28:25 +1000
committerAndrew Tridgell <tridge@samba.org>2011-10-04 15:08:56 +1100
commitf45147b2d9c6b43913d10871564d03307833fbae (patch)
treedadea2a4a9b93a72830c84090429309b3d5326ce
parentd3fa49663f37de4c2c35f43a9cf6844a60531db0 (diff)
downloadsamba-f45147b2d9c6b43913d10871564d03307833fbae.tar.gz
samba-f45147b2d9c6b43913d10871564d03307833fbae.tar.bz2
samba-f45147b2d9c6b43913d10871564d03307833fbae.zip
s4-dsdb: disallow changes based on instanceType
if instanceType does not include INSTANCE_TYPE_WRITE, then disallow changes to any replicated attributes. This ensures partial replicates are not alterered
-rw-r--r--source4/dsdb/samdb/ldb_modules/repl_meta_data.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 3b4e2804a3..32b8ab25c9 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -1162,7 +1162,7 @@ static int replmd_update_rpmd(struct ldb_module *module,
int ret;
const char * const *attrs = NULL;
const char * const attrs1[] = { "replPropertyMetaData", "*", NULL };
- const char * const attrs2[] = { "uSNChanged", "objectClass", NULL };
+ const char * const attrs2[] = { "uSNChanged", "objectClass", "instanceType", NULL };
struct ldb_result *res;
struct ldb_context *ldb;
struct ldb_message_element *objectclass_el;
@@ -1333,6 +1333,8 @@ static int replmd_update_rpmd(struct ldb_module *module,
/*if we are RODC and this is a DRSR update then its ok*/
if (!ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) {
+ unsigned instanceType;
+
ret = samdb_rodc(ldb, &rodc);
if (ret != LDB_SUCCESS) {
DEBUG(4, (__location__ ": unable to tell if we are an RODC\n"));
@@ -1340,6 +1342,12 @@ static int replmd_update_rpmd(struct ldb_module *module,
ldb_asprintf_errstring(ldb, "RODC modify is forbidden\n");
return LDB_ERR_REFERRAL;
}
+
+ instanceType = ldb_msg_find_attr_as_uint(res->msgs[0], "instanceType", INSTANCE_TYPE_WRITE);
+ if (!(instanceType & INSTANCE_TYPE_WRITE)) {
+ return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
+ "cannot change replicated attribute on partial replica");
+ }
}
md_value = talloc(msg, struct ldb_val);
@@ -2420,7 +2428,7 @@ static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *are
const struct dsdb_attribute *rdn_attr;
const char *rdn_name;
const struct ldb_val *rdn_val;
- const char *attrs[4] = { NULL, };
+ const char *attrs[5] = { NULL, };
time_t t = time(NULL);
int ret;
bool is_urgent = false;
@@ -2533,8 +2541,9 @@ static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *are
*/
attrs[0] = "replPropertyMetaData";
attrs[1] = "objectClass";
- attrs[2] = rdn_name;
- attrs[3] = NULL;
+ attrs[2] = "instanceType";
+ attrs[3] = rdn_name;
+ attrs[4] = NULL;
ret = replmd_update_rpmd(ac->module, ac->schema, req, attrs,
msg, &ac->seq_num, t, &is_urgent);