author | Andrew Tridgell <tridge@samba.org> | 2010-08-17 14:10:34 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-08-17 21:21:50 +1000 |
commit | 4e9daa0f032547787a1a1957a6f4f4002aa50371 (patch) | |
tree | 17316ed655ae0ca51144cbc32bafae4a191af9a5 | |
parent | df14f645b3c56ca7652463d53731437158d5c4bb (diff) | |
download | samba-4e9daa0f032547787a1a1957a6f4f4002aa50371.tar.gz samba-4e9daa0f032547787a1a1957a6f4f4002aa50371.tar.bz2 samba-4e9daa0f032547787a1a1957a6f4f4002aa50371.zip |
s4-dsdb: added support for UF_PARTIAL_SECRETS_ACCOUNT
When this flag is set in user_account_control, the account is an RODC, and we
need to set the primaryGroupID to DOMAIN_RID_READONLY_DCS
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | libds/common/flags.h | 1 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 11 |
2 files changed, 10 insertions, 2 deletions
diff --git a/libds/common/flags.h b/libds/common/flags.h
index 021db2a9c7..eeb6940029 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -51,6 +51,7 @@
 #define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000
 #define UF_NO_AUTH_DATA_REQUIRED 0x02000000
+#define UF_PARTIAL_SECRETS_ACCOUNT 0x04000000
 #define UF_MACHINE_ACCOUNT_MASK (\
 UF_INTERDOMAIN_TRUST_ACCOUNT |\
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index ac8dff938e..a12b189027 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1482,7 +1482,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 el2 = ldb_msg_find_element(msg, "sAMAccountType");
 el2->flags = LDB_FLAG_MOD_REPLACE;
- if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+ if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
 ret = samdb_msg_add_string(ldb, msg, msg, "isCriticalSystemObject", "TRUE");
 if (ret != LDB_SUCCESS) {
@@ -1493,8 +1493,15 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 /* DCs have primaryGroupID of DOMAIN_RID_DCS */
 if (!ldb_msg_find_element(msg, "primaryGroupID")) {
+ uint32_t rid;
+ if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+ rid = DOMAIN_RID_DCS;
+ } else {
+ /* read-only DC */
+ rid = DOMAIN_RID_READONLY_DCS;
+ }
 ret = samdb_msg_add_uint(ldb, msg, msg,
- "primaryGroupID", DOMAIN_RID_DCS);
+ "primaryGroupID", rid);
 if (ret != LDB_SUCCESS) {
 return ret;
 } |
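Review bot: The `else` branch in the second samldb.c hunk (around line 1493) assigns DOMAIN_RID_READONLY_DCS to every account that is not a full DC, which is only correct because the test changed in the first samldb.c hunk (line 1482) admits just UF_SERVER_TRUST_ACCOUNT or UF_PARTIAL_SECRETS_ACCOUNT; that coupling is invisible at the `else`, and an account carrying both flags is silently grouped as a full DC. Since primaryGroupID decides which DC group the object lands in, a later widening of the enclosing condition would quietly place unrelated accounts in the RODC group, so I would make the dependency explicit in place of `/* read-only DC */`: `/* read-only DC (UF_PARTIAL_SECRETS_ACCOUNT): the enclosing test admits only that flag or UF_SERVER_TRUST_ACCOUNT; an account with both is grouped as a full DC */`. The context comment above, `/* DCs have primaryGroupID of DOMAIN_RID_DCS */`, is now incomplete and should read `/* DCs have primaryGroupID of DOMAIN_RID_DCS, RODCs of DOMAIN_RID_READONLY_DCS */`. Both hunks lie inside samldb_modify, whose body starts and ends outside the diff, and that the second block is nested in the first hunk's `if` is inferred from the surrounding comment rather than visible here, since the indentation was lost in rendering.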