-rw-r--r--source4/dsdb/common/util.c28
-rw-r--r--source4/dsdb/samdb/ldb_modules/extended_dn_out.c13
-rw-r--r--source4/dsdb/samdb/ldb_modules/util.c12
-rw-r--r--source4/rpc_server/drsuapi/getncchanges.c21
4 files changed, 51 insertions, 23 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 42619b9692..e4e55fc530 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -41,6 +41,7 @@
#include "lib/util/tsort.h"
#include "dsdb/common/util.h"
#include "lib/socket/socket.h"
+#include "dsdb/samdb/ldb_modules/util.h"
/*
search the sam for the specified attributes in a specific domain, filter on
@@ -3752,3 +3753,30 @@ int dsdb_validate_dsa_guid(struct ldb_context *ldb,
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
+
+const char *rodc_fas_list[] = {"ms-PKI-DPAPIMasterKeys",
+ "ms-PKI-AccountCredentials",
+ "ms-PKI-RoamingTimeStamp",
+ "ms-FVE-KeyPackage",
+ "ms-FVE-RecoveryGuid",
+ "ms-FVE-RecoveryInformation",
+ "ms-FVE-RecoveryPassword",
+ "ms-FVE-VolumeGuid",
+ "ms-TPM-OwnerInformation",
+ NULL};
+/*
+ check if the attribute belongs to the RODC filtered attribute set
+*/
+bool dsdb_attr_in_rodc_fas(uint32_t replica_flags, const struct dsdb_attribute *sa)
+{
+ int rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
+ bool drs_write_replica = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);
+
+ if (drs_write_replica && (sa->searchFlags & rodc_filtered_flags)) {
+ return true;
+ }
+ if (drs_write_replica && is_attr_in_list(rodc_fas_list, sa->cn)) {
+ return true;
+ }
+ return false;
+}
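Review bot: The new table `rodc_fas_list` is a writable, externally linked global that decides which secret attributes are withheld from read-only replicas, yet nothing in this hunk needs to mutate or export it; declare it `static const char * const rodc_fas_list[] = {` so the filter cannot be altered at runtime (it still converts to the `const char * const *` that `is_attr_in_list` takes). In `dsdb_attr_in_rodc_fas` the local `drs_write_replica` is true exactly when `DRSUAPI_DRS_WRIT_REP` is absent, i.e. when the requester is not a writable replica, so the name reads backwards for a security predicate; `bool read_only_replica = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);` followed by an early `if (!read_only_replica) { return false; }` makes both remaining tests plain. The function also wants a header comment stating that it returns true only for non-writable replica requests, that the second test matches on `sa->cn` (the schema CN spelling used in the table) rather than lDAPDisplayName, and that the table is hard-coded so a site-extended filtered attribute set is not consulted here.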
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
index f28ad8e12f..39af87091c 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
@@ -40,6 +40,7 @@
#include "librpc/gen_ndr/ndr_security.h"
#include "librpc/ndr/libndr.h"
#include "dsdb/samdb/samdb.h"
+#include "util.h"
struct extended_dn_out_private {
bool dereference;
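Review bot: The added `#include "util.h"` uses a bare file name while the neighbouring includes in this file (`"dsdb/samdb/samdb.h"`) and the matching addition in source4/dsdb/common/util.c (`"dsdb/samdb/ldb_modules/util.h"`) give the path from the source root; a bare `util.h` resolves to whichever `util.h` the include path finds first, and Samba has several. For consistency and to avoid picking up the wrong header, write `#include "dsdb/samdb/ldb_modules/util.h"` here as well.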
@@ -47,18 +48,6 @@ struct extended_dn_out_private {
struct dsdb_openldap_dereference_control *dereference_control;
};
-static bool is_attr_in_list(const char * const * attrs, const char *attr)
-{
- unsigned int i;
-
- for (i = 0; attrs[i]; i++) {
- if (ldb_attr_cmp(attrs[i], attr) == 0)
- return true;
- }
-
- return false;
-}
-
static char **copy_attrs(void *mem_ctx, const char * const * attrs)
{
char **nattrs;
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 7913ac8049..18631c4350 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -826,3 +826,15 @@ int dsdb_recyclebin_enabled(struct ldb_module *module, bool *enabled)
talloc_free(partitions_dn);
return LDB_SUCCESS;
}
+
+bool is_attr_in_list(const char * const * attrs, const char *attr)
+{
+ unsigned int i;
+
+ for (i = 0; attrs[i]; i++) {
+ if (ldb_attr_cmp(attrs[i], attr) == 0)
+ return true;
+ }
+
+ return false;
+}
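Review bot: `is_attr_in_list` is promoted from a file-local helper to an exported symbol of the dsdb module library but keeps a generic, unprefixed name and gains no documentation; the header declaration is outside this diff so I cannot check it, but the other exported function visible in this hunk (`dsdb_recyclebin_enabled`) carries a `dsdb_` prefix, and a name such as `dsdb_attr_in_list` would avoid colliding with any other `is_attr_in_list` among Samba's modules. Add a header comment above the definition: `/* Return true if attr matches (via ldb_attr_cmp) any entry of the NULL-terminated array attrs. attrs must not be NULL; each entry is compared until a NULL terminator is reached. */`. The loop reads `attrs[0]` unconditionally, so a NULL list would crash; the only caller introduced by this commit passes a static table, so this is a contract to document rather than a check to add.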
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index df8305e155..354ebf0f85 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -105,7 +105,6 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
const char *rdn;
const struct dsdb_attribute *rdn_sa;
unsigned int instanceType;
- int rodc_filtered_flags;
instanceType = ldb_msg_find_attr_as_uint(msg, "instanceType", 0);
if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
@@ -206,19 +205,19 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
continue;
}
- /* if the recipient is a RODC, then we should not add any
- * RODC filtered attribute */
- /* TODO: This is not strictly correct, as it doesn't allow for administrators
- to setup some users to transfer passwords to specific RODCs. To support that
- we would instead remove this check and rely on extended ACL checking in the dsdb
- acl module. */
- rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
- if ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0 &&
- (sa->searchFlags & rodc_filtered_flags)) {
+ /*
+ * If the recipient is a RODC, then we should not add any
+ * RODC filtered attribute
+ *
+ * TODO: This is not strictly correct, as it doesn't allow for administrators
+ * to setup some users to transfer passwords to specific RODCs. To support that
+ * we would instead remove this check and rely on extended ACL checking in the dsdb
+ * acl module.
+ */
+ if (dsdb_attr_in_rodc_fas(replica_flags, sa)) {
continue;
}
-
obj->meta_data_ctr->meta_data[n].originating_change_time = md.ctr.ctr1.array[i].originating_change_time;
obj->meta_data_ctr->meta_data[n].version = md.ctr.ctr1.array[i].version;
obj->meta_data_ctr->meta_data[n].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id;
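Review bot: The new `dsdb_attr_in_rodc_fas(replica_flags, sa)` test withholds a filtered attribute based solely on whether `DRSUAPI_DRS_WRIT_REP` is set in `replica_flags`, which appears to be a value the requester supplies in its GetNCChanges request rather than something established from the caller's identity; a requester that sets the flag is treated here as a writable DC and receives the secrets, so the authorization that limits who may ask with that flag must be enforced before this point. The rewritten comment block should say this explicitly so a later reader does not mistake the filter for an access check, e.g. append `* NOTE: this is a filter keyed on the caller's declared replica_flags, not an authorization check; the right to request a writable replica must be verified before reaching here.`. The enclosing loop and get_nc_changes_build_object continue outside this hunk.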