author | Andrew Tridgell <tridge@samba.org> | 2010-08-17 14:10:34 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-08-17 21:21:50 +1000 |
commit | 4e9daa0f032547787a1a1957a6f4f4002aa50371 (patch) | |
tree | 17316ed655ae0ca51144cbc32bafae4a191af9a5 /source4 | |
parent | df14f645b3c56ca7652463d53731437158d5c4bb (diff) | |
s4-dsdb: added support for UF_PARTIAL_SECRETS_ACCOUNT
when this is in user_account_control the account is a RODC, and we
need to set the primaryGroupID to be DOMAIN_RID_READONLY_DCS
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index ac8dff938e..a12b189027 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1482,7 +1482,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 el2 = ldb_msg_find_element(msg, "sAMAccountType");
 el2->flags = LDB_FLAG_MOD_REPLACE;
- if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+ if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
 ret = samdb_msg_add_string(ldb, msg, msg,
 "isCriticalSystemObject", "TRUE");
 if (ret != LDB_SUCCESS) {
@@ -1493,8 +1493,15 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 /* DCs have primaryGroupID of DOMAIN_RID_DCS */
 if (!ldb_msg_find_element(msg, "primaryGroupID")) {
+ uint32_t rid;
+ if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+ rid = DOMAIN_RID_DCS;
+ } else {
+ /* read-only DC */
+ rid = DOMAIN_RID_READONLY_DCS;
+ }
 ret = samdb_msg_add_uint(ldb, msg, msg,
- "primaryGroupID", DOMAIN_RID_DCS);
+ "primaryGroupID", rid);
 if (ret != LDB_SUCCESS) {
 return ret;
 } |
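Review bot: Nothing visible in the first hunk checks that the requester is entitled to set UF_SERVER_TRUST_ACCOUNT or UF_PARTIAL_SECRETS_ACCOUNT, yet the widened test `if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT))` now lets either bit in a userAccountControl modify mark the account as a critical system object and assign it a DC group. samldb_modify starts and ends outside the hunk, so the authorization may be enforced elsewhere in the function or in a separate access-control module; if it is not, the branch should be gated on a privileged caller before these attributes are written. A comment at the branch such as `/* right to set DC/RODC bits is enforced in <module-name placeholder> */` would record where that control lives.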
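Review bot: In the second hunk, an account with both UF_SERVER_TRUST_ACCOUNT and UF_PARTIAL_SECRETS_ACCOUNT set gets `rid = DOMAIN_RID_DCS`, because the new `if`/`else` tests the writable-DC bit first, so a value carrying the read-only flag still lands in the full domain-controllers group. Testing the restrictive flag first, `if (user_account_control & UF_PARTIAL_SECRETS_ACCOUNT) { rid = DOMAIN_RID_READONLY_DCS; } else { rid = DOMAIN_RID_DCS; }`, yields the lower-privilege group whenever the flags are ambiguous; rejecting the combination outright would be stricter still. The context comment `/* DCs have primaryGroupID of DOMAIN_RID_DCS */` is now stale and should also mention DOMAIN_RID_READONLY_DCS for read-only DCs. The enclosing block continues outside the hunk.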