From 57bcdf008fa44d4c550819cbceada968b11be63c Mon Sep 17 00:00:00 2001
From: Fernando J V da Silva
Date: Thu, 15 Apr 2010 17:37:40 -0300
Subject: s4-drs: samdb_is_rodc() function and new samdb_rodc() function
This patch creates the samdb_is_rodc() function, which looks for the NTDSDSA object for a DC that has a specific invocationId and if msDS-isRODC is present on such object and it is TRUE, then consider the DC as a RODC. The new samdb_rodc() function uses the samdb_is_rodc() function for the local server.
Signed-off-by: Andrew Tridgell
---
source4/rpc_server/drsuapi/getncchanges.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
(limited to 'source4/rpc_server/drsuapi/getncchanges.c')
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index e70e863c36..56c061d2e8 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -684,6 +684,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 uint32_t options;
 uint32_t max_objects;
 struct ldb_dn *search_dn = NULL;
+ bool am_rodc;
 DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
 b_state = h->data;
@@ -699,7 +700,8 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 r->out.ctr->ctr6.uptodateness_vector = NULL;
 /* a RODC doesn't allow for any replication */
- if (samdb_rodc(b_state->sam_ctx)) {
+ ret = samdb_rodc(b_state->sam_ctx, &am_rodc);
+ if (ret == LDB_SUCCESS && am_rodc) {
 DEBUG(0,(__location__ ": DsGetNCChanges attempt on RODC\n"));
 return WERR_DS_DRA_SOURCE_DISABLED;
 }
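Review bot: A failed samdb_rodc() lookup falls through to normal replication, because the new condition `if (ret == LDB_SUCCESS && am_rodc)` refuses only when the lookup succeeds and reports an RODC. The writable-replica check added in the later hunk at -733 refuses on `ret != LDB_SUCCESS`, so the two checks disagree on how an LDB error is treated. Consider handling the error before testing the flag, e.g. `if (ret != LDB_SUCCESS) return WERR_DS_DRA_INTERNAL_ERROR;`, or at least logging it, so that a database error is not silently read as "not an RODC". The declaration of `ret` and the rest of the function lie outside the hunk.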
@@ -733,6 +735,16 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 return WERR_DS_DRA_SOURCE_DISABLED;
 }
+ if (req8->replica_flags & DRSUAPI_DRS_WRIT_REP) {
+ bool is_rodc;
+ ret = samdb_is_rodc(b_state->sam_ctx, &req8->source_dsa_invocation_id, &is_rodc);
+ if (ret != LDB_SUCCESS || is_rodc) {
+ DEBUG(0,(__location__ ": Attempt to do writeable replication by RODC %s\n",
+ GUID_string(mem_ctx, &req8->source_dsa_invocation_id)));
+ return WERR_DS_DRA_INVALID_PARAMETER;
+ }
+ }
+
 if (req8->replica_flags & DRSUAPI_DRS_FULL_SYNC_PACKET) {
 /* Ignore the _in_ uptpdateness vector*/
-- cgit
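Review bot: The RODC test is keyed on `req8->source_dsa_invocation_id`, a field taken from the request, and nothing visible in this hunk ties that value to the authenticated caller behind the bind handle. If no such binding exists elsewhere in the function (which continues outside the hunk), the decision rests on a value the peer supplies; a comment such as `/* TODO: confirm source_dsa_invocation_id matches the authenticated DC account */` would record that open question. Separately, the `ret != LDB_SUCCESS` branch logs "Attempt to do writeable replication by RODC" even when the lookup simply failed, which could mislead someone reading the log during an investigation. A distinct message for the lookup-failure case would keep denied RODC requests and directory errors apart.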