-rw-r--r-- | source4/dsdb/common/util.c | 28 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/extended_dn_out.c | 13 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/util.c | 12 | ||||
-rw-r--r-- | source4/rpc_server/drsuapi/getncchanges.c | 21 |
4 files changed, 51 insertions, 23 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 42619b9692..e4e55fc530 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -41,6 +41,7 @@
 #include "lib/util/tsort.h"
 #include "dsdb/common/util.h"
 #include "lib/socket/socket.h"
+#include "dsdb/samdb/ldb_modules/util.h"
 
 /*
   search the sam for the specified attributes in a specific domain, filter on
@@ -3752,3 +3753,30 @@ int dsdb_validate_dsa_guid(struct ldb_context *ldb,
 	talloc_free(tmp_ctx);
 	return LDB_SUCCESS;
 }
+
+const char *rodc_fas_list[] = {"ms-PKI-DPAPIMasterKeys",
+			       "ms-PKI-AccountCredentials",
+			       "ms-PKI-RoamingTimeStamp",
+			       "ms-FVE-KeyPackage",
+			       "ms-FVE-RecoveryGuid",
+			       "ms-FVE-RecoveryInformation",
+			       "ms-FVE-RecoveryPassword",
+			       "ms-FVE-VolumeGuid",
+			       "ms-TPM-OwnerInformation",
+			       NULL};
+/*
+  check if the attribute belongs to the RODC filtered attribute set
+*/
+bool dsdb_attr_in_rodc_fas(uint32_t replica_flags, const struct dsdb_attribute *sa)
+{
+	int rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
+	bool drs_write_replica = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);
+
+	if (drs_write_replica && (sa->searchFlags & rodc_filtered_flags)) {
+		return true;
+	}
+	if (drs_write_replica && is_attr_in_list(rodc_fas_list, sa->cn)) {
+		return true;
+	}
+	return false;
+}
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
index f28ad8e12f..39af87091c 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
@@ -40,6 +40,7 @@
 #include "librpc/gen_ndr/ndr_security.h"
 #include "librpc/ndr/libndr.h"
 #include "dsdb/samdb/samdb.h"
+#include "util.h"
 
 struct extended_dn_out_private {
 	bool dereference;
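Review bot: In dsdb_attr_in_rodc_fas() the local `drs_write_replica` is true exactly when DRSUAPI_DRS_WRIT_REP is clear, i.e. when the requesting replica is read-only, so the name states the opposite of the condition it holds; rename it to something like `bool rodc_replica = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);` and use it in both `if` tests. `rodc_fas_list` is defined with external linkage and mutable pointer slots although only this function reads it; declaring it `static const char * const rodc_fas_list[] = {...};` keeps the list of filtered attributes out of the global namespace and read-only, and still converts to the `const char * const *` that is_attr_in_list() takes. The header comment should also say that the function answers false for any writable replica regardless of the attribute, e.g. `check if the attribute belongs to the RODC filtered attribute set; always false when the requester is a writable replica (DRSUAPI_DRS_WRIT_REP set)`.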
@@ -47,18 +48,6 @@ struct extended_dn_out_private {
 	struct dsdb_openldap_dereference_control *dereference_control;
 };
 
-static bool is_attr_in_list(const char * const * attrs, const char *attr)
-{
-	unsigned int i;
-
-	for (i = 0; attrs[i]; i++) {
-		if (ldb_attr_cmp(attrs[i], attr) == 0)
-			return true;
-	}
-
-	return false;
-}
-
 static char **copy_attrs(void *mem_ctx, const char * const * attrs)
 {
 	char **nattrs;
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 7913ac8049..18631c4350 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -826,3 +826,15 @@ int dsdb_recyclebin_enabled(struct ldb_module *module, bool *enabled)
 	talloc_free(partitions_dn);
 	return LDB_SUCCESS;
 }
+
+bool is_attr_in_list(const char * const * attrs, const char *attr)
+{
+	unsigned int i;
+
+	for (i = 0; attrs[i]; i++) {
+		if (ldb_attr_cmp(attrs[i], attr) == 0)
+			return true;
+	}
+
+	return false;
+}
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index df8305e155..354ebf0f85 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -105,7 +105,6 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
 	const char *rdn;
 	const struct dsdb_attribute *rdn_sa;
 	unsigned int instanceType;
-	int rodc_filtered_flags;
 
 	instanceType = ldb_msg_find_attr_as_uint(msg, "instanceType", 0);
 	if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
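Review bot: is_attr_in_list() in source4/dsdb/samdb/ldb_modules/util.c becomes a global symbol under a very generic name, while the file's other exported helpers carry a `dsdb_` prefix (dsdb_recyclebin_enabled in the hunk header, and dsdb_attr_in_rodc_fas added by this same commit); a `dsdb_attr_in_list` name, or at least a `dsdb_` prefix, would avoid clashes with other libraries and keep the naming consistent. The function also gains no comment on promotion; `/* true if attr names an entry of the NULL-terminated attrs list, compared with ldb_attr_cmp() */` above the definition would document the contract that callers outside this file now rely on. No header change appears in the diffstat, so the prototype presumably comes from a generated proto header; worth confirming so the new caller in dsdb/common/util.c does not depend on an implicit declaration.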
@@ -206,19 +205,19 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem continue; } - /* if the recipient is a RODC, then we should not add any - * RODC filtered attribute */ - /* TODO: This is not strictly correct, as it doesn't allow for administrators - to setup some users to transfer passwords to specific RODCs. To support that - we would instead remove this check and rely on extended ACL checking in the dsdb - acl module. */ - rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL; - if ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0 && - (sa->searchFlags & rodc_filtered_flags)) { + /* + * If the recipient is a RODC, then we should not add any + * RODC filtered attribute + * + * TODO: This is not strictly correct, as it doesn't allow for administrators + * to setup some users to transfer passwords to specific RODCs. To support that + * we would instead remove this check and rely on extended ACL checking in the dsdb + * acl module. + */ + if (dsdb_attr_in_rodc_fas(replica_flags, sa)) { continue; } - obj->meta_data_ctr->meta_data[n].originating_change_time = md.ctr.ctr1.array[i].originating_change_time; obj->meta_data_ctr->meta_data[n].version = md.ctr.ctr1.array[i].version; obj->meta_data_ctr->meta_data[n].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id; |
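Review bot: The rewritten call-site comment still describes only the RODC test, but the condition now lives in dsdb_attr_in_rodc_fas(), which also withholds the hard-coded rodc_fas_list attributes (matched on sa->cn) in addition to the SEARCH_FLAG_RODC_ATTRIBUTE / SEARCH_FLAG_CONFIDENTIAL searchFlags, and a reader of this loop cannot see that from here. Add a pointer to the helper as one more line of the new comment block, e.g. `* See dsdb_attr_in_rodc_fas() for the full set of attributes withheld from RODCs.`. Since this check appears to be what keeps a read-only replica from receiving those attributes, a `DEBUG(10, ...)` naming the skipped attribute before the `continue;` would make the filtering visible when tracing replication problems. get_nc_changes_build_object() starts and ends outside this hunk.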