From f45147b2d9c6b43913d10871564d03307833fbae Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Fri, 23 Sep 2011 17:28:25 +1000
Subject: s4-dsdb: disallow changes based on instanceType

if instanceType does not include INSTANCE_TYPE_WRITE, then disallow changes to any replicated attributes. This ensures partial replicates are not alterered

---
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
(limited to 'source4/dsdb/samdb')
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 3b4e2804a3..32b8ab25c9 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -1162,7 +1162,7 @@ static int replmd_update_rpmd(struct ldb_module *module,
 int ret;
 const char * const *attrs = NULL;
 const char * const attrs1[] = { "replPropertyMetaData", "*", NULL };
- const char * const attrs2[] = { "uSNChanged", "objectClass", NULL };
+ const char * const attrs2[] = { "uSNChanged", "objectClass", "instanceType", NULL };
 struct ldb_result *res;
 struct ldb_context *ldb;
 struct ldb_message_element *objectclass_el;
@@ -1333,6 +1333,8 @@ static int replmd_update_rpmd(struct ldb_module *module,
 /*if we are RODC and this is a DRSR update then its ok*/
 if (!ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) {
+ unsigned instanceType;
+
 ret = samdb_rodc(ldb, &rodc);
 if (ret != LDB_SUCCESS) {
 DEBUG(4, (__location__ ": unable to tell if we are an RODC\n"));
@@ -1340,6 +1342,12 @@ static int replmd_update_rpmd(struct ldb_module *module,
 ldb_asprintf_errstring(ldb, "RODC modify is forbidden\n");
 return LDB_ERR_REFERRAL;
 }
+
+ instanceType = ldb_msg_find_attr_as_uint(res->msgs[0], "instanceType", INSTANCE_TYPE_WRITE);
+ if (!(instanceType & INSTANCE_TYPE_WRITE)) {
+ return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "cannot change replicated attribute on partial replica");
+ }
 }

 md_value = talloc(msg, struct ldb_val);
@@ -2420,7 +2428,7 @@ static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *are
 const struct dsdb_attribute *rdn_attr;
 const char *rdn_name;
 const struct ldb_val *rdn_val;
- const char *attrs[4] = { NULL, };
+ const char *attrs[5] = { NULL, };
 time_t t = time(NULL);
 int ret;
 bool is_urgent = false;
@@ -2533,8 +2541,9 @@ static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *are
 */
 attrs[0] = "replPropertyMetaData";
 attrs[1] = "objectClass";
- attrs[2] = rdn_name;
- attrs[3] = NULL;
+ attrs[2] = "instanceType";
+ attrs[3] = rdn_name;
+ attrs[4] = NULL;

 ret = replmd_update_rpmd(ac->module, ac->schema, req, attrs, msg, &ac->seq_num, t, &is_urgent);
-- 
cgit
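Review bot: The default `INSTANCE_TYPE_WRITE` handed to `ldb_msg_find_attr_as_uint` in the new block at 1342 makes the guard fail open: whenever `instanceType` is absent from `res->msgs[0]`, the object is silently treated as a full replica and the modify proceeds. Whether it is present depends on which attribute list produced `res` — `replmd_update_rpmd` takes `attrs` from its caller, and only the local `attrs2` (hunk at 1162) and the rename path (hunk at 2541) are extended here, so any other caller passing its own list without `instanceType` would bypass the check. Since `instanceType` is normally present on every directory object, a zero default refuses the unexpected case instead of waving it through: `instanceType = ldb_msg_find_attr_as_uint(res->msgs[0], "instanceType", 0);`. If absence is expected for some objects, a one-line comment stating why the missing-attribute case is treated as writable would make the choice deliberate rather than accidental. The enclosing function `replmd_update_rpmd` starts and ends outside this hunk.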