From d940a44496f184073fe036fc1977796c901ec96d Mon Sep 17 00:00:00 2001
From: Fernando J V da Silva
Date: Thu, 15 Apr 2010 17:42:08 -0300
Subject: s4-drs: Do not send RODC filtered attributes to RODCs on GetNCChanges reply

During building an object to send it on a GetNCChanges reply, it checks the attributes and if any of them is a RODC filtered and the recipient is a RODC, then such attribute is not sent.

Signed-off-by: Andrew Tridgell
---
 source4/rpc_server/drsuapi/getncchanges.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'source4/rpc_server/drsuapi/getncchanges.c')

diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 56c061d2e8..5c378e50de 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -104,6 +104,7 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
 	const char *rdn;
 	const struct dsdb_attribute *rdn_sa;
 	unsigned int instanceType;
+	int rodc_filtered_flags;
 
 	instanceType = ldb_msg_find_attr_as_uint(msg, "instanceType", 0);
 	if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
@@ -199,6 +200,19 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem continue; } + /* if the recipient is a RODC, then we should not add any + * RODC filtered attribute */ + /* TODO: This is not strictly correct, as it doesn't allow for administrators + to setup some users to transfer passwords to specific RODCs. To support that + we would instead remove this check and rely on extended ACL checking in the dsdb + acl module. */ + rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL; + if ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0 && + (sa->searchFlags & rodc_filtered_flags)) { + continue; + } + + obj->meta_data_ctr->meta_data[n].originating_change_time = md.ctr.ctr1.array[i].originating_change_time; obj->meta_data_ctr->meta_data[n].version = md.ctr.ctr1.array[i].version; obj->meta_data_ctr->meta_data[n].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id; -- cgit
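Review bot: The new `if` decides that the recipient is a RODC solely from `replica_flags & DRSUAPI_DRS_WRIT_REP`, and if `replica_flags` is taken from the incoming request (its origin is outside the hunk) the filtering of RODC_ATTRIBUTE and CONFIDENTIAL attributes is only as reliable as the flags the requester chose to send. The RODC status of the recipient should be derived from the authenticated source DSA's own account, or at least the request flag should be cross-checked against it, before secrets are withheld or released on that basis; the existing TODO mentions moving to ACL checks but does not record this gap, so a note such as `/* NOTE: WRIT_REP is supplied by the requester; confirm the source DSA's RODC status from its account rather than trusting the flag */` would keep it visible. As a point of style, the two adjacent block comments could be merged into one, and `rodc_filtered_flags` is loop-invariant and assigned once per iteration, so it could be a `const int` set once before the loop. The enclosing function get_nc_changes_build_object starts and ends outside the hunk.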