[PATCH] s4-drs: Do not send RODC filtered attributes to RODCs on GetNCChanges reply
Andrew Bartlett
abartlet at samba.org
Fri Mar 19 15:09:34 MDT 2010
On Thu, 2010-03-18 at 16:11 -0300, Fernando J V da Silva wrote:
> Hi Anatoliy!
>
> 2010/3/18 Anatoliy Atanasov <anatoliy.atanasov at postpath.com>:
>
> >> BTW, should we also discard such attributes if we are a RODC that is
> >> receiving a GetNCChanges reply?
> >
> >
> > I am not sure about that, can you find a hint in the documentation about that?
> >
>
> Actually I took a look at the documentation but I couldn't find
> anything related ...
>
> Another question: Should we prevent RODCs from sending DSReplicaSync messages,
> or should we prevent DCs from sending GetNCChanges requests to RODCs? (I also
> didn't find anything related to that in the documentation ... I only saw
> that it should return WERR_DS_DRA_SOURCE_DISABLED if we are a RODC
> receiving a GetNCChanges request (which I think is already implemented
> in Samba and is enough to ensure only inbound replication on an RODC,
> right?)).
>
> Is there anything else related to RODC support that you aren't working
> on, and that I could help? :-)
Yes, my understanding is that RODCs should never send a DSReplicaSync
message, and should be ignored if they send one. We should also never attempt
a GetNCChanges call against an RODC - if we did, we could risk allowing
it to effectively write into the main LDAP database, violating
security.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
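The three rules discussed in this thread (an RODC refuses to act as a replication source, a DC never pulls from an RODC and ignores its DsReplicaSync requests, and RODC-filtered attributes are stripped from any GetNCChanges reply destined for an RODC) are easy to state but easy to get wrong in one of the three places. The following is an added illustration, not Samba's code, that models those decisions as a small policy object. The schema, attribute names, object data and the `DrsPolicy` class are all constructed for the example; the only real identifiers are the `fRODCFilteredAttribute` searchFlags bit from MS-ADTS and the `WERR_DS_DRA_SOURCE_DISABLED` error name from the thread (its numeric value is deliberately not modelled).

```python
"""Model of the RODC replication rules from the thread (added example, not Samba's code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# searchFlags bit that places an attribute in the RODC filtered attribute set
# (fRODCFilteredAttribute in MS-ADTS). The schema values below are constructed.
F_RODC_FILTERED_ATTRIBUTE = 0x200

# Symbolic result codes; the numeric Win32 values are intentionally not modelled.
WERR_OK = "WERR_OK"
WERR_DS_DRA_SOURCE_DISABLED = "WERR_DS_DRA_SOURCE_DISABLED"

# Constructed per-attribute searchFlags: "exampleSecret" is a hypothetical
# attribute placed in the RODC filtered attribute set.
EXAMPLE_SCHEMA: Dict[str, int] = {
    "cn": 0x1,            # fATTINDEX only
    "description": 0x0,
    "exampleSecret": F_RODC_FILTERED_ATTRIBUTE,
}

# Constructed replication payload, as a source DC would assemble it.
SAMPLE_OBJECTS: List[Dict[str, object]] = [
    {"cn": "alice", "description": "user", "exampleSecret": "s3cret-blob"},
    {"cn": "bob", "description": "user"},
]


@dataclass(frozen=True)
class DomainController:
    name: str
    is_rodc: bool


class DrsPolicy:
    """Replication decisions one DC makes about its partners (hypothetical class)."""

    def __init__(self, local: DomainController, schema: Dict[str, int]):
        self.local = local
        self.schema = schema

    def rodc_filtered_attributes(self) -> Set[str]:
        """Attributes whose searchFlags carry fRODCFilteredAttribute."""
        return {a for a, flags in self.schema.items() if flags & F_RODC_FILTERED_ATTRIBUTE}

    def get_nc_changes(self, requester: DomainController,
                       objects: List[Dict[str, object]]) -> Tuple[str, List[Dict[str, object]]]:
        """Server side of GetNCChanges: (result code, objects to ship)."""
        # Rule 1: an RODC is inbound-only and must never be a replication source.
        if self.local.is_rodc:
            return WERR_DS_DRA_SOURCE_DISABLED, []
        # Rule 2 (the patch subject): strip the filtered set before replying to an RODC.
        if requester.is_rodc:
            drop = self.rodc_filtered_attributes()
            objects = [{k: v for k, v in obj.items() if k not in drop} for obj in objects]
        return WERR_OK, objects

    def accept_replica_sync(self, requester: DomainController) -> bool:
        """DsReplicaSync handling: a request originating from an RODC is ignored."""
        return not requester.is_rodc

    def may_pull_from(self, source: DomainController) -> bool:
        """Client side: never issue GetNCChanges against an RODC, so nothing it
        holds can flow back into a writable DC's database."""
        return not source.is_rodc


def demo() -> Dict[str, object]:
    """Exercise all three rules with the constructed data; returns the outcomes."""
    hub = DomainController("dc1", is_rodc=False)
    rodc = DomainController("rodc1", is_rodc=True)
    hub_policy = DrsPolicy(hub, EXAMPLE_SCHEMA)
    rodc_policy = DrsPolicy(rodc, EXAMPLE_SCHEMA)

    code_to_rodc, objs_to_rodc = hub_policy.get_nc_changes(rodc, SAMPLE_OBJECTS)
    code_to_dc, objs_to_dc = hub_policy.get_nc_changes(hub, SAMPLE_OBJECTS)
    code_from_rodc, _ = rodc_policy.get_nc_changes(hub, SAMPLE_OBJECTS)
    return {
        "reply_to_rodc": (code_to_rodc, objs_to_rodc),
        "reply_to_dc": (code_to_dc, objs_to_dc),
        "rodc_as_source": code_from_rodc,
        "sync_from_rodc_accepted": hub_policy.accept_replica_sync(rodc),
        "dc_pulls_from_rodc": hub_policy.may_pull_from(rodc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the filtering in `get_nc_changes` is keyed on the schema, not on a hard-coded attribute list, so an attribute added to the filtered set later is covered without touching the replication code; the `may_pull_from` check sits on the client side because, as Andrew points out, the server-side `WERR_DS_DRA_SOURCE_DISABLED` alone does not stop a misconfigured DC from trying.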