-rw-r--r-- | source4/rpc_server/drsuapi/dcesrv_drsuapi.h | 3 | ||||
-rw-r--r-- | source4/rpc_server/drsuapi/drsutil.c | 32 | ||||
-rw-r--r-- | source4/rpc_server/drsuapi/getncchanges.c | 15 |
3 files changed, 46 insertions, 4 deletions
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
index 40978629fa..b8765cb178 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
@@ -59,3 +59,6 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call);
+
+void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
+ struct drsuapi_DsReplicaMetaData *meta_data);
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index c78ebdd5fe..9aef3172b9 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -52,7 +52,6 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 const char *sort_attrib,
 const char *filter)
 {
- va_list ap;
 int ret;
 struct ldb_request *req;
 TALLOC_CTX *tmp_ctx;
@@ -134,3 +133,34 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char*
 return WERR_OK;
 }
+
+void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
+ struct drsuapi_DsReplicaMetaData *meta_data)
+{
+ if (attr->value_ctr.num_values == 0) {
+ return;
+ }
+
+ switch (attr->attid) {
+ case DRSUAPI_ATTRIBUTE_dBCSPwd:
+ case DRSUAPI_ATTRIBUTE_unicodePwd:
+ case DRSUAPI_ATTRIBUTE_ntPwdHistory:
+ case DRSUAPI_ATTRIBUTE_lmPwdHistory:
+ case DRSUAPI_ATTRIBUTE_supplementalCredentials:
+ case DRSUAPI_ATTRIBUTE_priorValue:
+ case DRSUAPI_ATTRIBUTE_currentValue:
+ case DRSUAPI_ATTRIBUTE_trustAuthOutgoing:
+ case DRSUAPI_ATTRIBUTE_trustAuthIncoming:
+ case DRSUAPI_ATTRIBUTE_initialAuthOutgoing:
+ case DRSUAPI_ATTRIBUTE_initialAuthIncoming:
+ /*set value to null*/
+ attr->value_ctr.num_values = 0;
+ talloc_free(attr->value_ctr.values);
+ attr->value_ctr.values = NULL;
+ meta_data->originating_change_time = 0;
+ return;
+ default:
+ return;
+ }
+ return;
+}
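Review bot: The new drsuapi_process_secret_attribute() prototype carries no comment, so a reader of the header cannot tell that it discards the attribute's values in place and rewrites the caller's metadata entry. I would put a short comment above it: `/* Strip the values of a secret attribute (password and trust-secret attids) in place and clear its originating change time; no-op for other attids or an empty value list. */`. It is also worth stating there that the set of "secret" attids is the hard-coded list in drsutil.c, so that anyone auditing what leaves the wire knows where to look.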
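Review bot: In drsuapi_process_secret_attribute() the secret case only drops the container with `talloc_free(attr->value_ctr.values)`; the password and trust-secret bytes themselves are never wiped, and whether they are released at all depends on each value's DATA_BLOB having been allocated as a talloc child of that array, which happens outside this diff. Since the function exists to keep this material off the wire, I would zero each value before freeing, keeping in mind that a plain memset before free may be optimised away unless the tree offers a scrubbing helper (the loop below assumes the value's blob pointer is the `blob` member, as elsewhere in the drsuapi code; verify). The attid switch is also the sole definition of "secret" here and anything not listed replicates unchanged, so it deserves `/* NOTE: keep this list in sync with the attributes the schema treats as secret */` above the first case label. Finally the `return;` after the switch is unreachable because both arms return; drop it.
```c
	uint32_t j;
	/* … unchanged: empty-value guard and the other case labels … */
	case DRSUAPI_ATTRIBUTE_initialAuthIncoming:
		/* wipe the secret bytes before the container is released */
		for (j = 0; j < attr->value_ctr.num_values; j++) {
			DATA_BLOB *b = attr->value_ctr.values[j].blob;
			if (b != NULL && b->data != NULL) {
				memset(b->data, 0, b->length);
			}
		}
		attr->value_ctr.num_values = 0;
		talloc_free(attr->value_ctr.values);
		attr->value_ctr.values = NULL;
		meta_data->originating_change_time = 0;
		return;
	default:
		return;
	}
```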
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 75f6213963..a9c4b451c2 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -41,7 +41,8 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
 struct ldb_dn *ncRoot_dn,
 struct dsdb_schema *schema,
 DATA_BLOB *session_key,
- uint64_t highest_usn)
+ uint64_t highest_usn,
+ uint32_t replica_flags)
 {
 const struct ldb_val *md_value;
 int i, n;
@@ -182,7 +183,15 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
 sa->lDAPDisplayName, win_errstr(werr)));
 return werr;
 }
-
+ /* if DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING is set
+ * check if attribute is secret and send a null value
+ * TODO: check if we can make this in the database layer
+ */
+ if ((replica_flags & DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING)
+ == DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING) {
+ drsuapi_process_secret_attribute(&obj->object.attribute_ctr.attributes[i],
+ &obj->meta_data_ctr->meta_data[i]);
+ }
 /* some attributes needs to be encrypted before being sent */
 werr = drsuapi_encrypt_attribute(obj, session_key, rid,
@@ -436,7 +445,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 }
 werr = get_nc_changes_build_object(obj, site_res->msgs[i], sam_ctx, ncRoot_dn,
- schema, &session_key, r->in.req->req8.highwatermark.highest_usn);
+ schema, &session_key, r->in.req->req8.highwatermark.highest_usn, r->in.req->req8.replica_flags);
 if (!W_ERROR_IS_OK(werr)) {
 return werr;
 }
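Review bot: The secret stripping in get_nc_changes_build_object() is triggered solely by `replica_flags`, a value the requesting client supplies in req8 (see the call site in the last hunk), so unless a check outside this hunk ties the flag to the caller's replication rights, a partner that simply omits DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING still receives the password attributes. The server should decide secret processing from what the caller is authorised to replicate and treat the client flag only as an additional request; at minimum a `/* TODO: force secret processing from the caller's rights, not only from the client-supplied flag */` next to the test records the gap. The new comment is also slightly off, since the helper sends the attribute with zero values rather than "a null value", and `(replica_flags & X) == X` for a single-bit flag reads more plainly as `replica_flags & X`. `obj->meta_data_ctr` is dereferenced here without a check and its allocation is outside the hunk, so confirm it can never be NULL for an object that reaches this loop. get_nc_changes_build_object() starts and ends outside this hunk.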