From 4e9daa0f032547787a1a1957a6f4f4002aa50371 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Tue, 17 Aug 2010 14:10:34 +1000
Subject: s4-dsdb: added support for UF_PARTIAL_SECRETS_ACCOUNT when this is in user_account_control the account is a RODC, and we need to set the primaryGroupID to be DOMAIN_RID_READONLY_DCS
Pair-Programmed-With: Andrew Bartlett
---
 source4/dsdb/samdb/ldb_modules/samldb.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
(limited to 'source4/dsdb')
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index ac8dff938e..a12b189027 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1482,7 +1482,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 el2 = ldb_msg_find_element(msg, "sAMAccountType");
 el2->flags = LDB_FLAG_MOD_REPLACE;
- if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+ if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
 ret = samdb_msg_add_string(ldb, msg, msg, "isCriticalSystemObject", "TRUE");
 if (ret != LDB_SUCCESS) {
@@ -1493,8 +1493,15 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 /* DCs have primaryGroupID of DOMAIN_RID_DCS */
 if (!ldb_msg_find_element(msg, "primaryGroupID")) {
+ uint32_t rid;
+ if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+ rid = DOMAIN_RID_DCS;
+ } else {
+ /* read-only DC */
+ rid = DOMAIN_RID_READONLY_DCS;
+ }
 ret = samdb_msg_add_uint(ldb, msg, msg,
- "primaryGroupID", DOMAIN_RID_DCS);
+ "primaryGroupID", rid);
 if (ret != LDB_SUCCESS) {
 return ret;
 }
-- cgit
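Review bot: In the second hunk the new `rid` selection tests `UF_SERVER_TRUST_ACCOUNT` first, so a modify whose userAccountControl carries both that bit and `UF_PARTIAL_SECRETS_ACCOUNT` gets `DOMAIN_RID_DCS`, the writable-DC group, even though the RODC bit is set. Testing the RODC bit first gives the less privileged result for that combination: `if (user_account_control & UF_PARTIAL_SECRETS_ACCOUNT) { rid = DOMAIN_RID_READONLY_DCS; } else { rid = DOMAIN_RID_DCS; }`; rejecting the combination outright would also work. Neither hunk shows a check that the requester may set these bits, and both `isCriticalSystemObject` and the primary group are derived from them here, so it is worth confirming that samldb_modify, whose body starts and ends outside the hunks, enforces that elsewhere. The context comment `/* DCs have primaryGroupID of DOMAIN_RID_DCS */` no longer covers the new branch and could read `/* DCs have primaryGroupID of DOMAIN_RID_DCS, RODCs of DOMAIN_RID_READONLY_DCS */`.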