summaryrefslogtreecommitdiff
path: root/source4/dsdb/common
diff options
context:
space:
mode:
Diffstat (limited to 'source4/dsdb/common')
-rw-r--r--source4/dsdb/common/util.c28
1 files changed, 28 insertions, 0 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 842f56b3ed..9e2e358b3b 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -2413,6 +2413,34 @@ int dsdb_find_sid_by_dn(struct ldb_context *ldb,
}
+int dsdb_validate_client_flags(struct ldb_context *ldb,
+ const struct repsFromTo1 *client_rf)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx = talloc_new(ldb);
+
+ if (client_rf->replica_flags & DRSUAPI_DRS_WRIT_REP) {
+ bool is_rodc;
+ ret = samdb_is_rodc(ldb, &client_rf->source_dsa_invocation_id, &is_rodc);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+ if (is_rodc) {
+ DEBUG(0,("Client %s claimed to be WRIT_REP, but is RODC\n",
+ GUID_string(tmp_ctx, &client_rf->source_dsa_invocation_id)));
+ talloc_free(tmp_ctx);
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ }
+
+ /* TODO: we may need to validate more client flags here, if they
+ are security sensitive */
+
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+}
+
/*
load a repsFromTo blob list for a given partition GUID