[SCM] Samba Shared Repository - branch master updated
Andrew Tridgell
tridge at samba.org
Wed Sep 29 18:20:01 MDT 2010
The branch, master has been updated
via 1f3f75f s4-samldb: also set a password on the krbtgt_NNNN account
via 768df75 s4-devel: added new options to getncchanges script
via 1ec5f5c s4-drs: implement PAS checks and access checks for getncchanges
via eebe5e1 s4-drs: added drs_security_access_check_nc_root()
via 3b52b62 util: added BINARY_ARRAY_SEARCH_V()
from 44c891a s4-sam: added DOMAIN_RID_ENTERPRISE_READONLY_DCS for RODCs in the PAC
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 1f3f75f747cc6388013360bff06574f3299090d3
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Sep 29 16:35:52 2010 -0700
s4-samldb: also set a password on the krbtgt_NNNN account
when we setup the krbtgt_NNNN account using the DCPROMO_OID control,
we also need to set an initial password for this account
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
commit 768df75ed915bf588426316857885abddaaf5701
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Sep 29 15:50:04 2010 -0700
s4-devel: added new options to getncchanges script
added --pas, --dest-dsa and --replica-flags options
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
commit 1ec5f5c09cc0e61fc41de720820ccddf6f6259e6
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Sep 29 15:49:15 2010 -0700
s4-drs: implement PAS checks and access checks for getncchanges
This implements partial attribute set checking on getncchanges. If the
client sends a partial_attribute_set then we only return the specified
attributes.
This also implements access checking on the NC root for the access
right GUIDs for requests with and without reveal secrets
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
commit eebe5e1251cb99c1ca2ae4280d72a4c3baea8607
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Sep 29 15:46:23 2010 -0700
s4-drs: added drs_security_access_check_nc_root()
this checks security on the NC root of the specified naming context
commit 3b52b6249b94e104077ead134c35402fa1439493
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Sep 29 15:45:27 2010 -0700
util: added BINARY_ARRAY_SEARCH_V()
this is used to search an array of values
-----------------------------------------------------------------------
Summary of changes:
lib/util/binsearch.h | 16 +++
source4/dsdb/samdb/ldb_modules/samldb.c | 11 ++
source4/rpc_server/drsuapi/dcesrv_drsuapi.h | 6 +
source4/rpc_server/drsuapi/drsutil.c | 69 ++++++++++--
source4/rpc_server/drsuapi/getncchanges.c | 156 ++++++++++++++++++++++-----
source4/scripting/devel/getncchanges | 74 +++++++++++--
6 files changed, 285 insertions(+), 47 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/util/binsearch.h b/lib/util/binsearch.h
index ac83990..f85d116 100644
--- a/lib/util/binsearch.h
+++ b/lib/util/binsearch.h
@@ -65,4 +65,20 @@
if (_r < 0) _e = _i - 1; else _b = _i + 1; \
}} } while (0)
+/*
+ like BINARY_ARRAY_SEARCH_P, but assumes that the array is an array
+ of elements, rather than pointers to structures
+
+ result points to the found structure, or NULL
+ */
+#define BINARY_ARRAY_SEARCH_V(array, array_size, target, comparison_fn, result) do { \
+ int32_t _b, _e; \
+ (result) = NULL; \
+ if (array_size) { for (_b = 0, _e = (array_size)-1; _b <= _e; ) { \
+ int32_t _i = (_b+_e)/2; \
+ int _r = comparison_fn(target, array[_i]); \
+ if (_r == 0) { (result) = &array[_i]; break; } \
+ if (_r < 0) _e = _i - 1; else _b = _i + 1; \
+ }} } while (0)
+
#endif
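Review bot: BINARY_ARRAY_SEARCH_V uses its `array` and `array_size` arguments unparenthesised in `if (array_size)`, `array[_i]` and `&array[_i]`, and it keeps the bounds in `int32_t`, so the macro is only safe for simple lvalue arguments and counts that fit in a signed 32-bit value. I would write `(array)[_i]`, `&(array)[_i]` and `if ((array_size) > 0)`, and compute the midpoint as `_b + (_e - _b)/2` so the sum cannot overflow. The header comment should also state two preconditions the code relies on: the array must already be sorted in the order `comparison_fn` defines, and `comparison_fn` is called as `(target, element)` with the element passed by value. A caller that hands in an unsorted array gets a NULL result for entries that are present, with no error.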
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 269952a..06f70a5 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -361,6 +361,7 @@ static int samldb_rodc_add(struct samldb_ctx *ac)
struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
unsigned krbtgt_number, i_start, i;
int ret;
+ char *newpass;
/* find a unused msDC-SecondaryKrbTgtNumber */
i_start = generate_random() & 0xFFFF;
@@ -402,6 +403,16 @@ found:
return ldb_operr(ldb);
}
+ newpass = generate_random_password(ac, 128, 255);
+ if (newpass == NULL) {
+ return ldb_operr(ldb);
+ }
+
+ ret = ldb_msg_add_steal_string(ac->msg, "clearTextPassword", newpass);
+ if (ret != LDB_SUCCESS) {
+ return ldb_operr(ldb);
+ }
+
return samldb_next_step(ac);
}
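Review bot: The length bounds in `generate_random_password(ac, 128, 255)` are bare magic numbers and the new block has no comment saying why a cleartext value is attached to the message, which matters on a path that creates key material for a krbtgt_NNNN account. A short comment such as `/* give the new krbtgt_NNNN account a random initial password; the cleartext is not kept or returned to the caller */` (wording to be confirmed by the authors) and named constants for the two lengths would make the intent reviewable. On the `ret != LDB_SUCCESS` path the generated string presumably stays allocated on `ac` until that context is freed; if the steal did not happen, a `talloc_free(newpass);` before the return would shorten the lifetime of the cleartext. samldb_rodc_add starts outside this hunk, so the surrounding flow is not visible here.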
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
index 1de347f..1a9d867 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
@@ -75,3 +75,9 @@ WERROR drs_security_access_check(struct ldb_context *sam_ctx,
struct security_token *token,
struct drsuapi_DsReplicaObjectIdentifier *nc,
const char *ext_right);
+
+WERROR drs_security_access_check_nc_root(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct security_token *token,
+ struct drsuapi_DsReplicaObjectIdentifier *nc,
+ const char *ext_right);
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index f88af93..c65d434 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -140,16 +140,20 @@ void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
}
}
-WERROR drs_security_access_check(struct ldb_context *sam_ctx,
- TALLOC_CTX *mem_ctx,
- struct security_token *token,
- struct drsuapi_DsReplicaObjectIdentifier *nc,
- const char *ext_right)
+
+/*
+ check security on a DN, with logging of errors
+ */
+static WERROR drs_security_access_check_log(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct security_token *token,
+ struct ldb_dn *dn,
+ const char *ext_right)
{
- struct ldb_dn *dn = drs_ObjectIdentifier_to_dn(mem_ctx, sam_ctx, nc);
int ret;
if (!dn) {
- DEBUG(3,("drs_security_access_check: Null dn provided, access is denied\n"));
+ DEBUG(3,("drs_security_access_check: Null dn provided, access is denied for %s\n",
+ ext_right));
return WERR_DS_DRA_ACCESS_DENIED;
}
ret = dsdb_check_access_on_dn(sam_ctx,
@@ -159,13 +163,54 @@ WERROR drs_security_access_check(struct ldb_context *sam_ctx,
SEC_ADS_CONTROL_ACCESS,
ext_right);
if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
- DEBUG(3,("%s refused for security token\n", ext_right));
- security_token_debug(2, token);
- return WERR_DS_DRA_ACCESS_DENIED;
+ DEBUG(3,("%s refused for security token on %s\n",
+ ext_right, ldb_dn_get_linearized(dn)));
+ security_token_debug(2, token);
+ return WERR_DS_DRA_ACCESS_DENIED;
} else if (ret != LDB_SUCCESS) {
- DEBUG(1,("Failed to perform access check on %s \n", ldb_dn_get_linearized(dn)));
- return WERR_DS_DRA_ACCESS_DENIED;
+ DEBUG(1,("Failed to perform access check on %s\n", ldb_dn_get_linearized(dn)));
return WERR_DS_DRA_INTERNAL_ERROR;
}
return WERR_OK;
}
+
+
+/*
+ check security on a object identifier
+ */
+WERROR drs_security_access_check(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct security_token *token,
+ struct drsuapi_DsReplicaObjectIdentifier *nc,
+ const char *ext_right)
+{
+ struct ldb_dn *dn = drs_ObjectIdentifier_to_dn(mem_ctx, sam_ctx, nc);
+ WERROR werr;
+ werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, dn, ext_right);
+ talloc_free(dn);
+ return werr;
+}
+
+/*
+ check security on the NC root of a object identifier
+ */
+WERROR drs_security_access_check_nc_root(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct security_token *token,
+ struct drsuapi_DsReplicaObjectIdentifier *nc,
+ const char *ext_right)
+{
+ struct ldb_dn *dn, *nc_root;
+ WERROR werr;
+ int ret;
+
+ dn = drs_ObjectIdentifier_to_dn(mem_ctx, sam_ctx, nc);
+ W_ERROR_HAVE_NO_MEMORY(dn);
+ ret = dsdb_find_nc_root(sam_ctx, dn, dn, &nc_root);
+ if (ret != LDB_SUCCESS) {
+ return WERR_DS_CANT_FIND_EXPECTED_NC;
+ }
+ werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, nc_root, ext_right);
+ talloc_free(dn);
+ return werr;
+}
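Review bot: drs_security_access_check_nc_root handles a NULL `dn` differently from drs_security_access_check: `W_ERROR_HAVE_NO_MEMORY(dn)` reports it as an out-of-memory condition, while the sibling passes the NULL on and gets a logged `WERR_DS_DRA_ACCESS_DENIED`. If drs_ObjectIdentifier_to_dn can also return NULL for an identifier it cannot convert (not visible here), the caller sees a misleading error and nothing is logged for a refused request. The `dsdb_find_nc_root` failure branch also returns without `talloc_free(dn)` and without a DEBUG line; I would make it `talloc_free(dn); return WERR_DS_CANT_FIND_EXPECTED_NC;` preceded by a DEBUG message naming the DN, so the denial is traceable and the success and failure paths clean up the same way.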
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 408aee1..3245e01 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -85,6 +85,25 @@ static bool udv_filter(const struct drsuapi_DsReplicaCursorCtrEx *udv,
}
+static int attid_cmp(enum drsuapi_DsAttributeId a1, enum drsuapi_DsAttributeId a2)
+{
+ if (a1 == a2) return 0;
+ return ((uint32_t)a1) > ((uint32_t)a2) ? 1 : -1;
+}
+
+/*
+ check if an attribute is in a partial_attribute_set
+ */
+static bool check_partial_attribute_set(const struct dsdb_attribute *sa,
+ struct drsuapi_DsPartialAttributeSet *pas)
+{
+ enum drsuapi_DsAttributeId *result;
+ BINARY_ARRAY_SEARCH_V(pas->attids, pas->num_attids, (enum drsuapi_DsAttributeId)sa->attributeID_id,
+ attid_cmp, result);
+ return result != NULL;
+}
+
+
/*
drsuapi_DsGetNCChanges for one object
*/
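Review bot: check_partial_attribute_set does a binary search over `pas->attids`, which is only correct if that array is sorted ascending by the unsigned attribute id that `attid_cmp` compares. The later call site passes `req8->partial_attribute_set` straight from the request, and none of the visible hunks sort or verify it. An unsorted set would cause requested attributes to be silently omitted from the reply rather than rejected. Either verify the ordering once when the request is accepted (returning an error if it is not sorted) or sort a server-side copy, and document the precondition on the function, e.g. `/* pas->attids must be sorted ascending as uint32_t; see attid_cmp() */`. `attid_cmp` itself has no comment; a one-line note that it orders by the unsigned value would explain the casts.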
@@ -97,6 +116,7 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
DATA_BLOB *session_key,
uint64_t highest_usn,
uint32_t replica_flags,
+ struct drsuapi_DsPartialAttributeSet *partial_attribute_set,
struct drsuapi_DsReplicaCursorCtrEx *uptodateness_vector,
enum drsuapi_DsExtendedOperation extended_op)
{
@@ -224,21 +244,8 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
continue;
}
- /*
- * If the recipient is a RODC, then we should only give
- * attributes from the RODC filtered attribute set
- *
- * TODO: This is not strictly correct, as it doesn't allow for administrators
- * to setup some users to transfer passwords to specific RODCs. To support that
- * we would instead remove this check and rely on extended ACL checking in the dsdb
- * acl module.
- */
- if (!(replica_flags & DRSUAPI_DRS_WRIT_REP) &&
- !force_attribute &&
- !dsdb_attr_in_rodc_fas(sa)) {
- DEBUG(4,("Skipping non-FAS attr %s in %s\n",
- sa->lDAPDisplayName,
- ldb_dn_get_linearized(msg->dn)));
+ /* filter by partial_attribute_set */
+ if (partial_attribute_set && !check_partial_attribute_set(sa, partial_attribute_set)) {
continue;
}
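Review bot: The replacement filter drops two conditions the removed block had: the `!force_attribute` exemption and the `dsdb_attr_in_rodc_fas(sa)` test for replicas without `DRSUAPI_DRS_WRIT_REP`. With the new line an attribute that the surrounding code marked as forced is skipped whenever it is absent from the client's set; if that is not intended, the condition should read `if (partial_attribute_set && !force_attribute && !check_partial_attribute_set(sa, partial_attribute_set)) {`. More importantly, when `partial_attribute_set` is NULL this loop no longer filters anything for a read-only replica, so keeping non-FAS attributes away from it now depends entirely on the access checks made before this function is called. That dependency deserves a comment here, and the removed DEBUG(4) line gave useful evidence of what was withheld. get_nc_changes_build_object starts and ends outside this hunk, so how `force_attribute` is set is not visible.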
@@ -1047,6 +1054,82 @@ struct drsuapi_getncchanges_state {
struct drsuapi_DsReplicaCursorCtrEx *uptodateness_vector;
};
+/*
+ see if this getncchanges request includes a request to reveal secret information
+ */
+static WERROR dcesrv_drsuapi_is_reveal_secrets_request(struct drsuapi_bind_state *b_state,
+ struct drsuapi_DsGetNCChangesRequest8 *req8,
+ bool *is_secret_request)
+{
+ enum drsuapi_DsExtendedOperation exop;
+ int i;
+ struct dsdb_schema *schema;
+
+ *is_secret_request = true;
+
+ exop = req8->extended_op;
+
+ switch (exop) {
+ case DRSUAPI_EXOP_FSMO_REQ_ROLE:
+ case DRSUAPI_EXOP_FSMO_RID_ALLOC:
+ case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE:
+ case DRSUAPI_EXOP_FSMO_REQ_PDC:
+ case DRSUAPI_EXOP_FSMO_ABANDON_ROLE:
+ /* FSMO exops can reveal secrets */
+ *is_secret_request = true;
+ return WERR_OK;
+ case DRSUAPI_EXOP_REPL_SECRET:
+ case DRSUAPI_EXOP_REPL_OBJ:
+ case DRSUAPI_EXOP_NONE:
+ break;
+ }
+
+ if (req8->replica_flags & DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING) {
+ *is_secret_request = false;
+ return WERR_OK;
+ }
+
+ if (exop == DRSUAPI_EXOP_REPL_SECRET ||
+ req8->partial_attribute_set == NULL) {
+ /* they want secrets */
+ *is_secret_request = true;
+ return WERR_OK;
+ }
+
+ schema = dsdb_get_schema(b_state->sam_ctx, NULL);
+
+ /* check the attributes they asked for */
+ for (i=0; i<req8->partial_attribute_set->num_attids; i++) {
+ const struct dsdb_attribute *sa;
+ sa = dsdb_attribute_by_attributeID_id(schema, req8->partial_attribute_set->attids[i]);
+ if (sa == NULL) {
+ return WERR_DS_DRA_SCHEMA_MISMATCH;
+ }
+ if (!dsdb_attr_in_rodc_fas(sa)) {
+ *is_secret_request = true;
+ return WERR_OK;
+ }
+ }
+
+ /* check the attributes they asked for */
+ for (i=0; i<req8->partial_attribute_set_ex->num_attids; i++) {
+ const struct dsdb_attribute *sa;
+ sa = dsdb_attribute_by_attributeID_id(schema, req8->partial_attribute_set_ex->attids[i]);
+ if (sa == NULL) {
+ return WERR_DS_DRA_SCHEMA_MISMATCH;
+ }
+ if (!dsdb_attr_in_rodc_fas(sa)) {
+ *is_secret_request = true;
+ return WERR_OK;
+ }
+ }
+
+ *is_secret_request = false;
+ return WERR_OK;
+}
+
+
+
/*
drsuapi_DsGetNCChanges
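Review bot: The second loop in dcesrv_drsuapi_is_reveal_secrets_request dereferences `req8->partial_attribute_set_ex->num_attids` without a NULL test, although only `partial_attribute_set` was checked earlier, so a request that carries a partial attribute set but no extended set would dereference a NULL pointer taken from client input. Guard it with `if (req8->partial_attribute_set_ex != NULL) {` around that loop. The result of `dsdb_get_schema(b_state->sam_ctx, NULL)` is also used unchecked; add `if (schema == NULL) { return WERR_DS_DRA_INTERNAL_ERROR; }` before the loops. Declare `i` as `uint32_t`, since it is compared with `num_attids`, and give the `switch` a `default:` that leaves `*is_secret_request` true so an unknown extended operation is treated as a secret request on purpose rather than by fall-through. The early return for `DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING` trusts a client-set flag; a comment should name where the secret values are actually blanked for such requests.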
@@ -1089,6 +1172,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
enum security_user_level security_level;
struct ldb_context *sam_ctx;
struct dom_sid *user_sid;
+ bool is_secret_request;
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
b_state = h->data;
@@ -1141,26 +1225,43 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
return WERR_DS_DRA_SOURCE_DISABLED;
}
- werr = drs_security_level_check(dce_call, "DsGetNCChanges", SECURITY_RO_DOMAIN_CONTROLLER,
- samdb_domain_sid(sam_ctx));
+ user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
+
+ werr = drs_security_access_check_nc_root(b_state->sam_ctx,
+ mem_ctx,
+ dce_call->conn->auth_state.session_info->security_token,
+ req8->naming_context,
+ GUID_DRS_GET_CHANGES);
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
- user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
-
+ werr = dcesrv_drsuapi_is_reveal_secrets_request(b_state, req8, &is_secret_request);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+ if (is_secret_request && req8->extended_op != DRSUAPI_EXOP_REPL_SECRET) {
+ werr = drs_security_access_check_nc_root(b_state->sam_ctx,
+ mem_ctx,
+ dce_call->conn->auth_state.session_info->security_token,
+ req8->naming_context,
+ GUID_DRS_GET_ALL_CHANGES);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+ }
/* for non-administrator replications, check that they have
given the correct source_dsa_invocation_id */
security_level = security_session_user_level(dce_call->conn->auth_state.session_info,
samdb_domain_sid(sam_ctx));
- if (security_level == SECURITY_RO_DOMAIN_CONTROLLER &&
- req8->replica_flags & DRSUAPI_DRS_WRIT_REP) {
- /* we rely on this flag being unset for RODC requests */
- req8->replica_flags &= ~DRSUAPI_DRS_WRIT_REP;
+ if (security_level == SECURITY_RO_DOMAIN_CONTROLLER) {
+ if (req8->replica_flags & DRSUAPI_DRS_WRIT_REP) {
+ /* we rely on this flag being unset for RODC requests */
+ req8->replica_flags &= ~DRSUAPI_DRS_WRIT_REP;
+ }
}
-
if (req8->replica_flags & DRSUAPI_DRS_FULL_SYNC_PACKET) {
/* Ignore the _in_ uptpdateness vector*/
req8->uptodateness_vector = NULL;
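Review bot: The condition `is_secret_request && req8->extended_op != DRSUAPI_EXOP_REPL_SECRET` exempts REPL_SECRET requests from the `GUID_DRS_GET_ALL_CHANGES` check, and no other authorisation for that operation appears in the visible hunks, so such a request passes with only `GUID_DRS_GET_CHANGES`. The changeset is truncated, so a per-object check may exist elsewhere. If it does, say so at this line with a comment such as `/* REPL_SECRET is authorised per object in <name of that check>, not by GET_ALL_CHANGES on the NC root */`; if it does not, drop the exemption until it is added. The removed `drs_security_level_check(... SECURITY_RO_DOMAIN_CONTROLLER ...)` was the only level gate in this stretch, so it is worth confirming that the two extended-right checks on the NC root cover every caller it used to reject. As a smaller point, the token expression `dce_call->conn->auth_state.session_info->security_token` is repeated and the calls mix `b_state->sam_ctx` with the local `sam_ctx`; hoisting the token into a local and using one context name would make the checks easier to audit.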
@@ -1262,7 +1363,8 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
enum ldb_scope scope = LDB_SCOPE_SUBTREE;
const char *extra_filter;
- if (req8->extended_op == DRSUAPI_EXOP_REPL_OBJ) {
+ if (req8->extended_op == DRSUAPI_EXOP_REPL_OBJ ||
+ req8->extended_op == DRSUAPI_EXOP_REPL_SECRET) {
scope = LDB_SCOPE_BASE;
}
@@ -1380,7 +1482,9 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
sam_ctx, getnc_state->ncRoot_dn,
getnc_state->is_schema_nc,
schema, &session_key, getnc_state->min_usn,
- req8->replica_flags, getnc_state->uptodateness_vector,
+ req8->replica_flags,
+ req8->partial_attribute_set,
+ getnc_state->uptodateness_vector,
req8->extended_op);
if (!W_ERROR_IS_OK(werr)) {
return werr;
diff --git a/source4/scripting/devel/getncchanges b/source4/scripting/devel/getncchanges
index 99f14ea..e5b7f8e 100755
--- a/source4/scripting/devel/getncchanges
+++ b/source4/scripting/devel/getncchanges
@@ -8,7 +8,7 @@ from optparse import OptionParser
sys.path.insert(0, "bin/python")
-import samba
+import samba, ldb
import samba.getopt as options
from samba.dcerpc import drsuapi, misc
from samba.samdb import SamDB
@@ -50,6 +50,45 @@ def do_DsBind(drs):
(info, handle) = drs.DsBind(misc.GUID(drsuapi.DRSUAPI_DS_BIND_GUID), bind_info)
return handle
+
+def drs_get_rodc_partial_attribute_set(samdb):
+ '''get a list of attributes for RODC replication'''
+ partial_attribute_set = drsuapi.DsPartialAttributeSet()
+ partial_attribute_set.version = 1
+
+ attids = []
+
+ # the exact list of attids we send is quite critical. Note that
+ # we do ask for the secret attributes, but set set SPECIAL_SECRET_PROCESSING
+ # to zero them out
+ schema_dn = samdb.get_schema_basedn()
+ res = samdb.search(base=schema_dn, scope=ldb.SCOPE_SUBTREE,
+ expression="objectClass=attributeSchema",
+ attrs=["lDAPDisplayName", "systemFlags",
+ "searchFlags"])
+
+ for r in res:
+ ldap_display_name = r["lDAPDisplayName"][0]
+ if "systemFlags" in r:
+ system_flags = r["systemFlags"][0]
+ if (int(system_flags) & (samba.dsdb.DS_FLAG_ATTR_NOT_REPLICATED |
+ samba.dsdb.DS_FLAG_ATTR_IS_CONSTRUCTED)):
+ continue
+ if "searchFlags" in r:
+ search_flags = r["searchFlags"][0]
+ if (int(search_flags) & samba.dsdb.SEARCH_FLAG_RODC_ATTRIBUTE):
+ continue
+ attid = samdb.get_attid_from_lDAPDisplayName(ldap_display_name)
+ attids.append(int(attid))
+
+ # the attids do need to be sorted, or windows doesn't return
+ # all the attributes we need
+ attids.sort()
+ partial_attribute_set.attids = attids
+ partial_attribute_set.num_attids = len(attids)
+ return partial_attribute_set
+
+
########### main code ###########
if __name__ == "__main__":
parser = OptionParser("getncchanges [options] server")
@@ -60,6 +99,16 @@ if __name__ == "__main__":
parser.add_option("", "--dn", dest="dn", help="DN to replicate",)
parser.add_option("", "--exop", dest="exop", help="extended operation",)
+ parser.add_option("", "--pas", dest="use_pas", action='store_true', default=False,
+ help="send partial attribute set",)
+ parser.add_option("", "--dest-dsa", type='str',
+ default='"9c637462-5b8c-4467-aef2-bdb1f57bc4ef"', help="destination DSA GUID")
+ parser.add_option("", "--replica-flags", type='int',
+ default=drsuapi.DRSUAPI_DRS_INIT_SYNC |
+ drsuapi.DRSUAPI_DRS_PER_SYNC |
+ drsuapi.DRSUAPI_DRS_GET_ANC |
+ drsuapi.DRSUAPI_DRS_NEVER_SYNCED,
+ help='replica flags')
(opts, args) = parser.parse_args()
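Review bot: The `--dest-dsa` default is written as `'"9c637462-5b8c-4467-aef2-bdb1f57bc4ef"'`, so the option value contains literal double-quote characters, and a later hunk passes it unchanged to `misc.GUID(opts.dest_dsa)`. Unless the GUID parser tolerates surrounding quotes, running the script without `--dest-dsa` will fail or send a different GUID than the previously hard-coded one. Use `default="9c637462-5b8c-4467-aef2-bdb1f57bc4ef"`. The help text for `--replica-flags` could also say that the value is a numeric bitmask of DRSUAPI_DRS_* flags, since the default is built from four of them.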
@@ -86,6 +135,10 @@ if __name__ == "__main__":
session_info=system_session(),
credentials=creds, lp=lp)
+ if opts.use_pas:
+ local_samdb = SamDB(url=None, session_info=system_session(),
+ credentials=creds, lp=lp)
+
if opts.dn is None:
opts.dn = str(samdb.get_default_basedn())
@@ -95,7 +148,7 @@ if __name__ == "__main__":
exop = int(opts.exop)
null_guid = misc.GUID()
- req8.destination_dsa_guid = misc.GUID("9c637462-5b8c-4467-aef2-bdb1f57bc4ef")
+ req8.destination_dsa_guid = misc.GUID(opts.dest_dsa)
req8.source_dsa_invocation_id = misc.GUID(samdb.get_invocation_id())
req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
req8.naming_context.dn = opts.dn.decode("utf-8")
@@ -104,18 +157,21 @@ if __name__ == "__main__":
req8.highwatermark.reserved_usn = 0
req8.highwatermark.highest_usn = 0
req8.uptodateness_vector = None
- req8.replica_flags = 0
- req8.replica_flags |= (drsuapi.DRSUAPI_DRS_INIT_SYNC |
- drsuapi.DRSUAPI_DRS_PER_SYNC |
- drsuapi.DRSUAPI_DRS_GET_ANC |
- drsuapi.DRSUAPI_DRS_NEVER_SYNCED)
+ req8.replica_flags = opts.replica_flags
req8.max_object_count = 402
req8.max_ndr_size = 402116
req8.extended_op = exop
req8.fsmo_info = 0
- req8.partial_attribute_set = None
+ if opts.use_pas:
+ req8.partial_attribute_set = drs_get_rodc_partial_attribute_set(local_samdb)
--
Samba Shared Repository