author | Fernando J V da Silva <fernandojvsilva@yahoo.com.br> | 2010-04-15 17:38:47 -0300 |
committer | Andrew Tridgell <tridge@samba.org> | 2010-04-22 19:36:15 +1000 |
commit | fbdbd67c7640757f80a2ffd70a17c6ab50491844 (patch) | |
tree | cfb6963fe51b007ca6b1b7a1353aa57c3acc46c9 | |
parent | 57bcdf008fa44d4c550819cbceada968b11be63c (diff) | |
s4-drs: dsdb_validate_client_flags() function
This function is intended to check that a client is not lying about
its flags. At the moment it only checks the RODC-related flags.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r-- | source4/dsdb/common/util.c | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 842f56b3ed..9e2e358b3b 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -2413,6 +2413,34 @@ int dsdb_find_sid_by_dn(struct ldb_context *ldb,
 }
+int dsdb_validate_client_flags(struct ldb_context *ldb,
+ const struct repsFromTo1 *client_rf)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx = talloc_new(ldb);
+
+ if (client_rf->replica_flags & DRSUAPI_DRS_WRIT_REP) {
+ bool is_rodc;
+ ret = samdb_is_rodc(ldb, &client_rf->source_dsa_invocation_id, &is_rodc);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+ if (is_rodc) {
+ DEBUG(0,("Client %s claimed to be WRIT_REP, but is RODC\n",
+ GUID_string(tmp_ctx, &client_rf->source_dsa_invocation_id)));
+ talloc_free(tmp_ctx);
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ }
+
+ /* TODO: we may need to validate more client flags here, if they
+ are security sensitive */
+
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+}
+
 /*
 load a repsFromTo blob list for a given partition GUID |
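Review bot: The RODC check passes `&client_rf->source_dsa_invocation_id` to samdb_is_rodc(), and if that helper identifies the DSA by its NTDS Settings objectGUID rather than by invocationId (its name and the `is_rodc` out-parameter suggest a directory lookup, but the key it expects is not visible here), an RODC would never be matched and this validation would silently fail open; worth confirming which identifier the helper keys on and, if it is the objectGUID, that the lookup returns an error rather than `is_rodc = false` when no object is found. Independently, `tmp_ctx` is allocated with talloc_new(ldb) on every call although it is only needed to format the GUID on the rejection path, and its result is never checked; moving the allocation inside the `if (is_rodc)` branch, `TALLOC_CTX *tmp_ctx = talloc_new(ldb);` directly before the DEBUG, removes both the per-call churn and the unchecked allocation on the hot path. The new function also lacks a header comment; something like `/* Check that a replication client is not claiming flags it is not entitled to. Returns LDB_SUCCESS, LDB_ERR_UNWILLING_TO_PERFORM when an RODC claims DRSUAPI_DRS_WRIT_REP, or the error from samdb_is_rodc(). */` would document the contract callers rely on.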