From 96db13405bce8fa6d08b8b802439a606643e6db4 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 17 Jul 2012 15:48:15 +1000
Subject: s4-dsdb: Ensure we never write read-only objects onto a read-write replica

We should prevent this much further up the stack, but at least add a choke at this point for now.

Additionally, this avoids administrator-forced replications causing considerable damange to the directory.

Andrew Bartlett
---
 source4/dsdb/repl/replicated_objects.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'source4')

diff --git a/source4/dsdb/repl/replicated_objects.c b/source4/dsdb/repl/replicated_objects.c
index ec4dffe0be..67999df573 100644
--- a/source4/dsdb/repl/replicated_objects.c
+++ b/source4/dsdb/repl/replicated_objects.c
@@ -202,6 +202,7 @@ WERROR dsdb_convert_object_ex(struct ldb_context *ldb,
 uint32_t i;
 struct ldb_message *msg;
 struct replPropertyMetaDataBlob *md;
+int instanceType;
 struct ldb_val guid_value;
 struct ldb_val parent_guid_value;
 NTTIME whenChanged = 0;
@@ -352,12 +353,12 @@ WERROR dsdb_convert_object_ex(struct ldb_context *ldb,
 }

+instanceType = ldb_msg_find_attr_as_int(msg, "instanceType", 0);
 if (dsdb_repl_flags & DSDB_REPL_FLAG_PARTIAL_REPLICA) {
 /* the instanceType type for partial_replica replication is sent via DRS with TYPE_WRITE set, but must be used on the client with TYPE_WRITE removed */
-int instanceType = ldb_msg_find_attr_as_int(msg, "instanceType", 0);
 if (instanceType & INSTANCE_TYPE_WRITE) {
 instanceType &= ~INSTANCE_TYPE_WRITE;
 ldb_msg_remove_attr(msg, "instanceType");
@@ -365,6 +366,12 @@ WERROR dsdb_convert_object_ex(struct ldb_context *ldb,
 return WERR_INTERNAL_ERROR;
 }
 }
+} else {
+if (!(instanceType & INSTANCE_TYPE_WRITE)) {
+DEBUG(0, ("Refusing to replicate %s from a read-only repilca into a read-write replica!\n",
+ldb_dn_get_linearized(msg->dn)));
+return WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA;
+}
 }

 whenChanged_t = nt_time_to_unix(whenChanged);
-- 
cgit
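Review bot: The hoisted `instanceType = ldb_msg_find_attr_as_int(msg, "instanceType", 0);` now runs on every replication path, and an object whose replicated attribute set carries no instanceType yields 0, which the new non-partial check in the following hunk then refuses with WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA. If the protocol guarantees that every replicated object carries instanceType this is the desired behaviour, but that assumption is not visible in the hunk and deserves to be stated, e.g. `/* instanceType is expected on every replicated object; an absent value (0) is treated as read-only */`. Distinguishing "absent" from "present without INSTANCE_TYPE_WRITE" in the log would also make a refused replication easier to triage. dsdb_convert_object_ex begins and ends outside this hunk.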
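Review bot: The DEBUG(0, ...) message added in the new else branch misspells "replica" as "repilca"; this is a level-0 line that operators will search for when a replication is refused, so it should read `DEBUG(0, ("Refusing to replicate %s from a read-only replica into a read-write replica!\n",`. The refusal is reported as WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA, which names the source rather than the object; that is defensible but worth a one-line comment such as `/* a non-writable object must not be written into a writable NC; report it as a partial-replica source */` so the choice is not mistaken for a wrong code later. The enclosing function continues past the end of the hunk.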