summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/rpc_server/drsuapi/dcesrv_drsuapi.h3
-rw-r--r--source4/rpc_server/drsuapi/drsutil.c32
-rw-r--r--source4/rpc_server/drsuapi/getncchanges.c15
3 files changed, 46 insertions, 4 deletions
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
index 40978629fa..b8765cb178 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
@@ -59,3 +59,6 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
const char* call);
+
+void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
+ struct drsuapi_DsReplicaMetaData *meta_data);
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index c78ebdd5fe..9aef3172b9 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -52,7 +52,6 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
const char *sort_attrib,
const char *filter)
{
- va_list ap;
int ret;
struct ldb_request *req;
TALLOC_CTX *tmp_ctx;
@@ -134,3 +133,34 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char*
return WERR_OK;
}
+
+void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
+ struct drsuapi_DsReplicaMetaData *meta_data)
+{
+ if (attr->value_ctr.num_values == 0) {
+ return;
+ }
+
+ switch (attr->attid) {
+ case DRSUAPI_ATTRIBUTE_dBCSPwd:
+ case DRSUAPI_ATTRIBUTE_unicodePwd:
+ case DRSUAPI_ATTRIBUTE_ntPwdHistory:
+ case DRSUAPI_ATTRIBUTE_lmPwdHistory:
+ case DRSUAPI_ATTRIBUTE_supplementalCredentials:
+ case DRSUAPI_ATTRIBUTE_priorValue:
+ case DRSUAPI_ATTRIBUTE_currentValue:
+ case DRSUAPI_ATTRIBUTE_trustAuthOutgoing:
+ case DRSUAPI_ATTRIBUTE_trustAuthIncoming:
+ case DRSUAPI_ATTRIBUTE_initialAuthOutgoing:
+ case DRSUAPI_ATTRIBUTE_initialAuthIncoming:
+ /*set value to null*/
+ attr->value_ctr.num_values = 0;
+ talloc_free(attr->value_ctr.values);
+ attr->value_ctr.values = NULL;
+ meta_data->originating_change_time = 0;
+ return;
+ default:
+ return;
+ }
+ return;
+}
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 75f6213963..a9c4b451c2 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -41,7 +41,8 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
struct ldb_dn *ncRoot_dn,
struct dsdb_schema *schema,
DATA_BLOB *session_key,
- uint64_t highest_usn)
+ uint64_t highest_usn,
+ uint32_t replica_flags)
{
const struct ldb_val *md_value;
int i, n;
@@ -182,7 +183,15 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
sa->lDAPDisplayName, win_errstr(werr)));
return werr;
}
-
+ /* if DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING is set
+ * check if attribute is secret and send a null value
+ * TODO: check if we can make this in the database layer
+ */
+ if ((replica_flags & DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING)
+ == DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING) {
+ drsuapi_process_secret_attribute(&obj->object.attribute_ctr.attributes[i],
+ &obj->meta_data_ctr->meta_data[i]);
+ }
/* some attributes needs to be encrypted
before being sent */
werr = drsuapi_encrypt_attribute(obj, session_key, rid,
@@ -436,7 +445,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
}
werr = get_nc_changes_build_object(obj, site_res->msgs[i], sam_ctx, ncRoot_dn,
- schema, &session_key, r->in.req->req8.highwatermark.highest_usn);
+ schema, &session_key, r->in.req->req8.highwatermark.highest_usn, r->in.req->req8.replica_flags);
if (!W_ERROR_IS_OK(werr)) {
return werr;
}