authorMatthieu Patou <mat@matws.net>2012-09-26 11:49:07 -0700
committerMatthieu Patou <mat@matws.net>2012-10-07 21:51:02 -0700
commit5374334d685bd680828aed00f502e6e671e615d7 (patch)
tree9b6efc8bd595469a98aaa3c25bb79848ab4697e9
parent8dbba524bfc2bbf8117f51f3dffd2a08835d485d (diff)
s4-drs: fix the logic to allow REPL_SECRET if the account has GET_ALL_CHANGES
-rw-r--r--source4/rpc_server/drsuapi/getncchanges.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 871fc6867e..09406d6770 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -911,6 +911,30 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
return WERR_DS_DRA_SOURCE_DISABLED;
}
+ /*
+ * In MS-DRSR.pdf 5.99 IsGetNCChangesPermissionGranted
+ *
+ * The pseudo code indicate
+ * revealsecrets = true
+ * if IsRevealSecretRequest(msgIn) then
+ * if AccessCheckCAR(ncRoot, Ds-Replication-Get-Changes-All) = false
+ * then
+ * if (msgIn.ulExtendedOp = EXOP_REPL_SECRETS) then
+ * <... check if this account is ok to be replicated on this DC ...>
+ * <... and if not reveal secrets = no ...>
+ * else
+ * reveal secrets = false
+ * endif
+ * endif
+ * endif
+ *
+ * Which basically means that if you have GET_ALL_CHANGES rights (~== RWDC)
+ * then you can do EXOP_REPL_SECRETS
+ */
+ if (has_get_all_changes) {
+ goto allowed;
+ }
+
obj_dn = drs_ObjectIdentifier_to_dn(mem_ctx, b_state->sam_ctx_system, ncRoot);
if (!ldb_dn_validate(obj_dn)) goto failed;