[PATCH] s4-drs: RODC related patches

Fernando J V da Silva fernandojvsilva at yahoo.com.br
Thu Apr 15 16:33:03 MDT 2010


Hi Tridge!

Attached are a few patches related to my code that you fixed at our
last meeting last month, and also all of the patches that were
affected (I apologize for having taken so long to send them ...).

As usual, they are also available in
git://repo.or.cz/Samba/fernandojvsilva.git at rodc branch.

Cheers,

-- 
Fernando J V da Silva
M Sc Computer Science Student
Institute of Computing, State University of Campinas
+55 15 8801-2165



2010/3/27 Fernando J V da Silva <fernandojvsilva at yahoo.com.br>:
> Hi Tridge!
>
> Thanks for your comments! :-)
>
>> The patches look close, but I am a bit concerned about this bit:
>>
>> +       /* we do not send a DsGetNCChanges to a RODC */
>> +       if ((rf1->replica_flags & DRSUAPI_DRS_WRIT_REP) == 0) {
>> +               return;
>> +       }
>>
>> it looks like you are checking the client's replica_flags? I would have
>> thought we should be fetching the DCs flags from the directory, and
>> using those. Otherwise a malicious client could say it is not a RODC
>> when it is, and it would get access to the passwords.
>>
>> Maybe what we need is a dsdb_validate_client_flags() function that
>> checks the flags when the call comes in, and ensures that the client
>> is not lying about its flags.
>
> Ok! Now I tried to write dsdb_validate_client_flags() looking at
> repsFrom (please, let me know if it is not correct...).
>
>
>>  1) please don't use atoi() directly in the code, instead call
>>  ldb_msg_find_attr_as_uint()
>>
>>  2) I think the two checks for valid flags should be put into a
>>  common static function in the same file, then called from the two
>>  places.
>
> Ok! I changed it as well! :-)
>
>
>>  3) it would be nice to have a test for this, in lib/ldb/tests/python
>>  in the same place we do the existing schema tests
>
> Ok! I've been working on this test! I hope to send it soon!
>
>
> As usual, these patches are also available at my repository in
> repo.or.cz at rodc branch (please ignore the test patch ... I wrote it
> but I just realized that it is not working correctly ... I have to
> check it out ...).
>
>
> Cheers,
>
>
> --
> Fernando J V da Silva
> M Sc Computer Science Student
> Institute of Computing, State University of Campinas
> +55 15 8801-2165
>
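The pattern discussed above, as an added example that is not Samba code and not from this patch series: the server decides whether a replication partner is an RODC from the directory's record of that DC, rejects a partner whose asserted flags contradict that record, and strips the secret attributes before sending. The directory contents, the GUIDs, the attribute subset in RODC_FILTERED_ATTRS, the function names and the two bit values are all assumptions made for this example.

```python
"""Server-side validation of a replication partner's self-asserted flags.

Added example, not Samba code: it models the dsdb_validate_client_flags()
idea from the thread.  The directory below is a constructed stand-in for
the DCs' computer objects; bit values, attribute names and function names
are assumptions made for the example.
"""

# userAccountControl bit marking an RODC's computer account (assumed value)
UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000
# DRS replica flag a partner sets to claim it is a writable replica (assumed value)
DRSUAPI_DRS_WRIT_REP = 0x00000010

# Secret attributes an RODC must never receive (constructed subset of the
# RODC filtered attribute set).
RODC_FILTERED_ATTRS = frozenset({
    "unicodePwd", "dBCSPwd", "ntPwdHistory", "lmPwdHistory",
    "supplementalCredentials",
})

# Constructed directory: partner objectGUID -> the DC's computer object.
DIRECTORY = {
    "11111111-1111-1111-1111-111111111111": {
        "dn": "CN=DC1,OU=Domain Controllers,DC=example,DC=com",
        "userAccountControl": 0x82000,
    },
    "22222222-2222-2222-2222-222222222222": {
        "dn": "CN=RODC1,OU=Domain Controllers,DC=example,DC=com",
        "userAccountControl": 0x82000 | UF_PARTIAL_SECRETS_ACCOUNT,
    },
}


class ClientFlagsError(Exception):
    """Raised when a partner's asserted flags cannot be trusted."""


def directory_is_rodc(directory, source_guid):
    """Authoritative answer: is the DC behind source_guid an RODC?

    Fails closed: an unknown partner is an error, never a writable DC.
    """
    record = directory.get(source_guid)
    if record is None:
        raise ClientFlagsError("unknown source DSA %s" % source_guid)
    return bool(record["userAccountControl"] & UF_PARTIAL_SECRETS_ACCOUNT)


def validate_client_flags(directory, source_guid, replica_flags):
    """Check the flags the partner sent against the directory.

    Returns the directory's verdict on whether the partner is an RODC.
    A partner the directory records as an RODC that nevertheless asserts
    DRS_WRIT_REP is refused outright.
    """
    is_rodc = directory_is_rodc(directory, source_guid)
    claims_writable = bool(replica_flags & DRSUAPI_DRS_WRIT_REP)
    if is_rodc and claims_writable:
        raise ClientFlagsError(
            "%s is an RODC but asserted DRS_WRIT_REP"
            % directory[source_guid]["dn"])
    return is_rodc


def filter_for_rodc(attributes, is_rodc):
    """Drop RODC-filtered attributes from an object about to be sent."""
    if not is_rodc:
        return dict(attributes)
    return {name: value for name, value in attributes.items()
            if name not in RODC_FILTERED_ATTRS}


def handle_getncchanges(directory, source_guid, replica_flags, attributes):
    """Build the attribute set to send, using the directory rather than
    the request as the source of truth for the partner's RODC status."""
    is_rodc = validate_client_flags(directory, source_guid, replica_flags)
    return filter_for_rodc(attributes, is_rodc)


if __name__ == "__main__":
    # Constructed sample object with two secret attributes.
    user = {"sAMAccountName": "alice", "unicodePwd": b"<hash>",
            "supplementalCredentials": b"<blob>"}
    dc1 = "11111111-1111-1111-1111-111111111111"
    rodc1 = "22222222-2222-2222-2222-222222222222"
    print(sorted(handle_getncchanges(DIRECTORY, dc1, DRSUAPI_DRS_WRIT_REP, user)))
    print(sorted(handle_getncchanges(DIRECTORY, rodc1, 0, user)))
    try:
        handle_getncchanges(DIRECTORY, rodc1, DRSUAPI_DRS_WRIT_REP, user)
    except ClientFlagsError as err:
        print("refused:", err)
```

The point of the split between directory_is_rodc() and validate_client_flags() is that the request flags are only ever compared against the directory, never used as the decision: a writable DC that under-claims simply receives fewer attributes, while an RODC that over-claims is refused before any object is built.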
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-drs-samdb_is_rodc-function-and-new-samdb_rodc.patch
Type: text/x-patch
Size: 9674 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100415/beec8c24/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-drs-Use-new-samdb_rodc-function-in-s4-code.patch
Type: text/x-patch
Size: 1785 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100415/beec8c24/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s4-drs-dsdb_validate_client_flags-function.patch
Type: text/x-patch
Size: 1567 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100415/beec8c24/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-s40-drs-Do-not-send-GetNCChanges-messages-to-RODCs.patch
Type: text/x-patch
Size: 1136 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100415/beec8c24/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-s4-drs-Do-not-send-RODC-filtered-attributes-to-RODC.patch
Type: text/x-patch
Size: 2132 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100415/beec8c24/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-s4-drs-Do-not-allow-system-critical-attributes-to-b.patch
Type: text/x-patch
Size: 2916 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100415/beec8c24/attachment-0005.bin>

