diff options
-rw-r--r-- | libds/common/flags.h | 1 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 11 |
2 files changed, 10 insertions, 2 deletions
diff --git a/libds/common/flags.h b/libds/common/flags.h index 021db2a9c7..eeb6940029 100644 --- a/libds/common/flags.h +++ b/libds/common/flags.h @@ -51,6 +51,7 @@ #define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000 #define UF_NO_AUTH_DATA_REQUIRED 0x02000000 +#define UF_PARTIAL_SECRETS_ACCOUNT 0x04000000 #define UF_MACHINE_ACCOUNT_MASK (\ UF_INTERDOMAIN_TRUST_ACCOUNT |\ diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index ac8dff938e..a12b189027 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -1482,7 +1482,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) el2 = ldb_msg_find_element(msg, "sAMAccountType"); el2->flags = LDB_FLAG_MOD_REPLACE; - if (user_account_control & UF_SERVER_TRUST_ACCOUNT) { + if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { ret = samdb_msg_add_string(ldb, msg, msg, "isCriticalSystemObject", "TRUE"); if (ret != LDB_SUCCESS) { @@ -1493,8 +1493,15 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) /* DCs have primaryGroupID of DOMAIN_RID_DCS */ if (!ldb_msg_find_element(msg, "primaryGroupID")) { + uint32_t rid; + if (user_account_control & UF_SERVER_TRUST_ACCOUNT) { + rid = DOMAIN_RID_DCS; + } else { + /* read-only DC */ + rid = DOMAIN_RID_READONLY_DCS; + } ret = samdb_msg_add_uint(ldb, msg, msg, - "primaryGroupID", DOMAIN_RID_DCS); + "primaryGroupID", rid); if (ret != LDB_SUCCESS) { return ret; } |