diff options
author | Anatoliy Atanasov <anatoliy.atanasov@postpath.com> | 2010-04-26 09:56:59 +0300 |
---|---|---|
committer | Anatoliy Atanasov <anatoliy.atanasov@postpath.com> | 2010-04-29 10:18:06 +0300 |
commit | dbbbc7d1f8a86bd0535c46f50fae8223c26afd9a (patch) | |
tree | a3ae306ff09e4329aebd06f5f17db1b2f4ed6776 /source4/rpc_server | |
parent | 5a4ee75289e8394ea2f2de0b0415ed7f7ee54575 (diff) | |
download | samba-dbbbc7d1f8a86bd0535c46f50fae8223c26afd9a.tar.gz samba-dbbbc7d1f8a86bd0535c46f50fae8223c26afd9a.tar.xz samba-dbbbc7d1f8a86bd0535c46f50fae8223c26afd9a.zip |
s4/rodc: RODC FAS initial implementation
Diffstat (limited to 'source4/rpc_server')
-rw-r--r-- | source4/rpc_server/drsuapi/getncchanges.c | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index df8305e155..354ebf0f85 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c @@ -105,7 +105,6 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem const char *rdn; const struct dsdb_attribute *rdn_sa; unsigned int instanceType; - int rodc_filtered_flags; instanceType = ldb_msg_find_attr_as_uint(msg, "instanceType", 0); if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) { @@ -206,19 +205,19 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem continue; } - /* if the recipient is a RODC, then we should not add any - * RODC filtered attribute */ - /* TODO: This is not strictly correct, as it doesn't allow for administrators - to setup some users to transfer passwords to specific RODCs. To support that - we would instead remove this check and rely on extended ACL checking in the dsdb - acl module. */ - rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL; - if ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0 && - (sa->searchFlags & rodc_filtered_flags)) { + /* + * If the recipient is a RODC, then we should not add any + * RODC filtered attribute + * + * TODO: This is not strictly correct, as it doesn't allow for administrators + * to setup some users to transfer passwords to specific RODCs. To support that + * we would instead remove this check and rely on extended ACL checking in the dsdb + * acl module. + */ + if (dsdb_attr_in_rodc_fas(replica_flags, sa)) { continue; } - obj->meta_data_ctr->meta_data[n].originating_change_time = md.ctr.ctr1.array[i].originating_change_time; obj->meta_data_ctr->meta_data[n].version = md.ctr.ctr1.array[i].version; obj->meta_data_ctr->meta_data[n].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id; |