-rw-r--r--libds/common/flags.h1
-rw-r--r--source4/dsdb/samdb/ldb_modules/samldb.c11
2 files changed, 10 insertions, 2 deletions
diff --git a/libds/common/flags.h b/libds/common/flags.h
index 021db2a9c7..eeb6940029 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -51,6 +51,7 @@
#define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000
#define UF_NO_AUTH_DATA_REQUIRED 0x02000000
+#define UF_PARTIAL_SECRETS_ACCOUNT 0x04000000
#define UF_MACHINE_ACCOUNT_MASK (\
UF_INTERDOMAIN_TRUST_ACCOUNT |\
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index ac8dff938e..a12b189027 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1482,7 +1482,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
el2 = ldb_msg_find_element(msg, "sAMAccountType");
el2->flags = LDB_FLAG_MOD_REPLACE;
- if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+ if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
ret = samdb_msg_add_string(ldb, msg, msg,
"isCriticalSystemObject", "TRUE");
if (ret != LDB_SUCCESS) {
@@ -1493,8 +1493,15 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
/* DCs have primaryGroupID of DOMAIN_RID_DCS */
if (!ldb_msg_find_element(msg, "primaryGroupID")) {
+ uint32_t rid;
+ if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+ rid = DOMAIN_RID_DCS;
+ } else {
+ /* read-only DC */
+ rid = DOMAIN_RID_READONLY_DCS;
+ }
ret = samdb_msg_add_uint(ldb, msg, msg,
- "primaryGroupID", DOMAIN_RID_DCS);
+ "primaryGroupID", rid);
if (ret != LDB_SUCCESS) {
return ret;
}
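Review bot: The comment at the top of the hunk, `/* DCs have primaryGroupID of DOMAIN_RID_DCS */`, is now stale, since the new else branch assigns DOMAIN_RID_READONLY_DCS; I would change it to `/* DCs get primaryGroupID DOMAIN_RID_DCS, read-only DCs DOMAIN_RID_READONLY_DCS */`. The else branch also encodes an implicit assumption: it treats "not UF_SERVER_TRUST_ACCOUNT" as "read-only DC", which is only correct because the enclosing block appears to be the one widened in the hunk at line 1482 to `UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT` (that block starts outside this hunk, so I cannot confirm it). Since primaryGroupID decides which DC group the account lands in, that dependency deserves a comment at the else, e.g. `/* only UF_PARTIAL_SECRETS_ACCOUNT reaches here (see the enclosing check): read-only DC */`, so a later widening of the outer condition does not silently hand out a DC RID. Note too that an account with both flags set takes the first branch and gets the full DC group; if that combination is not meant to occur it may be worth rejecting it where userAccountControl is validated rather than here.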