summaryrefslogtreecommitdiff
path: root/source4/rpc_server/drsuapi
diff options
context:
space:
mode:
Diffstat (limited to 'source4/rpc_server/drsuapi')
-rw-r--r--source4/rpc_server/drsuapi/getncchanges.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 871fc6867e..09406d6770 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -911,6 +911,30 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
return WERR_DS_DRA_SOURCE_DISABLED;
}
+ /*
+ * In MS-DRSR.pdf 5.99 IsGetNCChangesPermissionGranted
+ *
+ * The pseudo code indicate
+ * revealsecrets = true
+ * if IsRevealSecretRequest(msgIn) then
+ * if AccessCheckCAR(ncRoot, Ds-Replication-Get-Changes-All) = false
+ * then
+ * if (msgIn.ulExtendedOp = EXOP_REPL_SECRETS) then
+ * <... check if this account is ok to be replicated on this DC ...>
+ * <... and if not reveal secrets = no ...>
+ * else
+ * reveal secrets = false
+ * endif
+ * endif
+ * endif
+ *
+ * Which basically means that if you have GET_ALL_CHANGES rights (~== RWDC)
+ * then you can do EXOP_REPL_SECRETS
+ */
+ if (has_get_all_changes) {
+ goto allowed;
+ }
+
obj_dn = drs_ObjectIdentifier_to_dn(mem_ctx, b_state->sam_ctx_system, ncRoot);
if (!ldb_dn_validate(obj_dn)) goto failed;