author | Andrew Tridgell <tridge@samba.org> | 2010-08-18 14:31:05 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-08-20 20:34:11 +1000 |
commit | c12293991988bda16ff85135e83c21d23d08abca (patch) | |
tree | 674ac9323cc77f0cdb9a0ca638ce51d34a9660ba /source4/dsdb/common | |
parent | dc7cf47371e15a1bfe8c97341773076f00c67aa1 (diff) | |
s4-drs: implement RODC attribute filtering override
When a RODC uses the extended getncchanges operation
DRSUAPI_EXOP_REPL_SECRET, it gets an override on the ability to
replicate the secret attributes.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/dsdb/common')
-rw-r--r-- | source4/dsdb/common/util.c | 44 |
1 files changed, 29 insertions, 15 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index cf13b64e07..7c2414a23f 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -3940,29 +3940,43 @@ int dsdb_validate_dsa_guid(struct ldb_context *ldb,
 	return LDB_SUCCESS;
 }
 
-const char *rodc_fas_list[] = {"ms-PKI-DPAPIMasterKeys",
-				"ms-PKI-AccountCredentials",
-				"ms-PKI-RoamingTimeStamp",
-				"ms-FVE-KeyPackage",
-				"ms-FVE-RecoveryGuid",
-				"ms-FVE-RecoveryInformation",
-				"ms-FVE-RecoveryPassword",
-				"ms-FVE-VolumeGuid",
-				"ms-TPM-OwnerInformation",
-				NULL};
+static const char *secret_attributes[] = {
+	"currentValue",
+	"dBCSPwd",
+	"initialAuthIncoming",
+	"initialAuthOutgoing",
+	"lmPwdHistory",
+	"ntPwdHistory",
+	"priorValue",
+	"supplementalCredentials",
+	"trustAuthIncoming",
+	"trustAuthOutgoing",
+	"unicodePwd",
+	NULL
+};
+
 /*
   check if the attribute belongs to the RODC filtered attribute set
+  Note that attributes that are in the filtered attribute set are the
+  ones that _are_ always sent to a RODC
  */
-bool dsdb_attr_in_rodc_fas(uint32_t replica_flags, const struct dsdb_attribute *sa)
+bool dsdb_attr_in_rodc_fas(const struct dsdb_attribute *sa)
 {
-	int rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
-	bool drs_write_replica = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);
+	/* they never get secret attributes */
+	if (is_attr_in_list(secret_attributes, sa->lDAPDisplayName)) {
+		return false;
+	}
 
-	if (drs_write_replica && (sa->searchFlags & rodc_filtered_flags)) {
+	/* they do get non-secret critical attributes */
+	if (sa->schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) {
 		return true;
 	}
-	if (drs_write_replica && is_attr_in_list(rodc_fas_list, sa->cn)) {
+
+	/* they do get non-secret attributes marked as being in the FAS */
+	if (sa->searchFlags & SEARCH_FLAG_RODC_ATTRIBUTE) {
 		return true;
 	}
+
+	/* other attributes are denied */
 	return false;
 }
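Review bot: The rewritten dsdb_attr_in_rodc_fas refuses every attribute in secret_attributes unconditionally, yet the commit message describes an override for DRSUAPI_EXOP_REPL_SECRET; with the replica_flags parameter removed, that override presumably now lives in the caller (the diffstat is limited to source4/dsdb/common, so it is not visible here), and nothing in the header comment says so. I'd extend the comment above the function with `Secret attributes are always refused here; callers that honour DRSUAPI_EXOP_REPL_SECRET must apply that override themselves before consulting this function.` The ordering of the three checks also deserves one line, e.g. `The secret check deliberately precedes the critical-attribute check, so a secret that is also flagged critical is still refused.` Whether is_attr_in_list matches lDAPDisplayName case-insensitively is not visible in this hunk; LDAP attribute names are case-insensitive, so that is worth confirming for the new lookup. The whole function body lies inside the hunk.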