s4-drs: Do not send RODC filtered attributes to RODCs on GetNCChanges reply

During building an object to send it on a GetNCChanges reply, it checks
the attributes and if any of them is a RODC filtered and the recipient
is a RODC, then such attribute is not sent.

Signed-off-by: Andrew Tridgell <tridge@samba.org>

1 files changed, 14 insertions, 0 deletions

diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 56c061d2e8..5c378e50de 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -104,6 +104,7 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
 	const char *rdn;
 	const struct dsdb_attribute *rdn_sa;
 	unsigned int instanceType;
+	int rodc_filtered_flags;
 
 	instanceType = ldb_msg_find_attr_as_uint(msg, "instanceType", 0);
 	if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
@@ -199,6 +200,19 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
 			continue;
 		}
 
+		/* if the recipient is a RODC, then we should not add any
+		* RODC filtered attribute */
+		/* TODO: This is not strictly correct, as it doesn't allow for administrators
+		   to setup some users to transfer passwords to specific RODCs. To support that
+		   we would instead remove this check and rely on extended ACL checking in the dsdb
+		   acl module. */
+		rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
+		if ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0 &&
+		    (sa->searchFlags & rodc_filtered_flags)) {
+			continue;
+		}
+
+
 		obj->meta_data_ctr->meta_data[n].originating_change_time = md.ctr.ctr1.array[i].originating_change_time;
 		obj->meta_data_ctr->meta_data[n].version = md.ctr.ctr1.array[i].version;
 		obj->meta_data_ctr->meta_data[n].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id;