From 59aa0a07d24bfb9ff9795ffe90801577043058a5 Mon Sep 17 00:00:00 2001
From: Fernando J V da Silva
Date: Thu, 15 Apr 2010 17:39:54 -0300
Subject: s40-drs: Do not send GetNCChanges messages to RODCs

Signed-off-by: Andrew Tridgell
---
 source4/dsdb/repl/drepl_out_helpers.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'source4/dsdb/repl')

diff --git a/source4/dsdb/repl/drepl_out_helpers.c b/source4/dsdb/repl/drepl_out_helpers.c
index 07fb0b3d62..55357509f0 100644
--- a/source4/dsdb/repl/drepl_out_helpers.c
+++ b/source4/dsdb/repl/drepl_out_helpers.c
@@ -271,6 +271,17 @@ static void dreplsrv_op_pull_source_get_changes_trigger(struct tevent_req *req)
 struct drsuapi_DsGetNCChanges *r;
 struct drsuapi_DsReplicaCursorCtrEx *uptodateness_vector;
 struct tevent_req *subreq;
+ int ret;
+
+ /* check that the client isn't lying about being a RODC */
+ ret = dsdb_validate_client_flags(service->samdb, rf1);
+ if (ret != LDB_SUCCESS) {
+ return;
+ }
+
+ if ((rf1->replica_flags & DRSUAPI_DRS_WRIT_REP) == 0) {
+ return;
+ }
 
 r = talloc(state, struct drsuapi_DsGetNCChanges);
 if (tevent_req_nomem(r, req)) {
-- cgit
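Review bot: Both new early exits in dreplsrv_op_pull_source_get_changes_trigger() are bare `return;` statements, so neither the failed dsdb_validate_client_flags() check nor the missing DRSUAPI_DRS_WRIT_REP case finishes `req`, whereas the tevent_req_nomem() path directly below does mark the request as failed. Unless the caller completes the request some other way (not visible in this hunk), the pull operation would stay pending and a rejected flag check would leave no trace in the logs. For the validation failure I would log and fail the request explicitly, e.g. `DEBUG(1, ("drepl: replica flags failed validation, not sending GetNCChanges\n")); tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED); return;`, with whichever status matches the project's convention, and complete the request in the non-writable case as well. The comment says "the client", but on this outbound path `rf1` appears to describe the replication source, so rewording it to say whose flags are being validated would help the next reader. The function starts and ends outside the hunk, where `service` and `rf1` are declared.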