From 3b0d6fda38749b01d2f8c4ff0ccbfc6ffc7bde49 Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova
Date: Tue, 28 Sep 2010 19:35:56 -0700
Subject: s4-rodc: RODC should not accept requests for role transfer

A RODC cannot assume a role, and unwillingToPerform must be returned if such request is sent via LDAP
---
 source4/dsdb/samdb/ldb_modules/rootdse.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'source4/dsdb/samdb/ldb_modules/rootdse.c')

diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 4f0b11b0ab..6c2a1e630d 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -1059,7 +1059,19 @@ static int rootdse_become_master(struct ldb_module *module,
 	struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
 	NTSTATUS status_call;
 	WERROR status_fn;
+	bool am_rodc;
 	struct dcerpc_binding_handle *irpc_handle;
+	int ret;
+
+	ret = samdb_rodc(ldb, &am_rodc);
+	if (ret != LDB_SUCCESS) {
+		return ldb_error(ldb, ret, "Could not determine if server is RODC.");
+	}
+
+	if (am_rodc) {
+		return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
+				 "RODC cannot become a role master.");
+	}
 
 	msg = messaging_client_init(tmp_ctx, lpcfg_messaging_path(tmp_ctx, lp_ctx),
 				    ldb_get_event_context(ldb));
-- 
cgit
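Review bot: The two new early returns in rootdse_become_master fire while `tmp_ctx` is already in scope (the `msg = messaging_client_init(tmp_ctx, ...)` context line uses it), so whatever allocated it before this hunk is bypassed on the RODC and error paths; if `tmp_ctx` was created with `talloc_new()` on a context that outlives this request, each return needs a preceding `talloc_free(tmp_ctx);`, whereas if it hangs off `req` it is released with the request and no change is needed. The declaration of `tmp_ctx` is outside the hunk, so this cannot be settled from the diff alone. The placement of the check itself is right: it runs before any messaging or IRPC side effect, so a read-only DC rejects the role transfer without starting one. rootdse_become_master begins before this hunk and continues after it.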