[PATCH] s4-drs: Delete RODC filtered attributes from objects

Anatoliy Atanasov anatoliy.atanasov at postpath.com
Wed Mar 24 09:47:18 MDT 2010


Hi Team,

I am working on the check for read-only database when we are RODC. I pushed the change here: http://git.samba.org/?p=anatoliy/anatoliy.git;a=commit;h=7004efe1a84f3f289f037f282005fd89ab4b5fe0
Can somebody review it? I added a check in replmd_update_rpmd. The goal is to return a referral if RODC database is being modified. The result here is that ldb_module_send_referral doesn't work as I expected and what we return is Operational Error.

Thanks,
Anatoliy

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Saturday, March 13, 2010 02:29
> To: Anatoliy Atanasov
> Cc: fernandojvsilva at yahoo.com.br; tridge at samba.org; samba-
> technical at lists.samba.org
> Subject: RE: [PATCH] s4-drs: Delete RODC filtered attributes from objects
> 
> On Fri, 2010-03-12 at 15:42 +0200, Anatoliy Atanasov wrote:
> > > Hi Fernando,
> > >
> > >  > In this patch, if there is an update on an attributeSchema object
> such
> > >  > that it become part of the RODC filtered set, then we delete the
> > >  > values of that attribute from any object which contains it.
> > >
> > > I think this isn't the right approach.
> > >
> > > When a DC is a RODC, then when it replicates from another DC, it gets
> > > a subset of the attributes. So there is no need for it to delete
> > > attributes. The reason it gets a subset is that a RODC is not trusted
> > > to hold all attributes, so they will never be sent by the other DC.
> > >
> > > I think these are the logical changes we need to support RODC
> > > operation:
> > >
> > >  1) when we are a RODC we should refuse changes to the directory. This
> > >  would happen in repl_meta_data.c module. I think the logical place
> > >  for this check is in replmd_update_rpmd_element()
> > I am on it, I was wondering where this check should happen, I thought
> about ldap_server/ldap_backend.c because as far as I know the LDAP request
> goes through there first.
> 
> No, we should deny the updates at the point tridge indicated.  It is
> important to deny all updates - imagine if we accepted writes over SAMR,
> but not LDAP?
> 
> Denying writes on the RODC is however only a courtesy.  Clients should
> know not to write to an RODC in the first place.  (The few writes that
> clients are permitted to do are forwarded directly to a writeable DC).
> 
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
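An added example, not Samba's code, of the placement Andrew argues for above: the RODC write refusal sits in the shared backend module so that both the LDAP and the SAMR paths hit it, and a refused write comes back as a referral to a writable DC rather than an operations error. The request and state structs, the function names (replmd_check_write, try_write) and the DC name are hypothetical stand-ins; the result codes mirror ldb's numbering.

```c
/* Added illustration, not Samba code: the RODC write check sits in the
 * shared repl_meta_data layer, so every front end (LDAP, SAMR) hits it. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#define LDB_SUCCESS       0     /* mirrors ldb's result numbering */
#define LDB_ERR_REFERRAL 10
/* Stand-in for struct ldb_request: the DN written, and the referral the
 * module fills in when it refuses the write. */
struct req { const char *dn; bool is_write; char referral[256]; };
/* Server role: do we hold a read-only copy, and which DC takes writes? */
struct dc_state { bool am_rodc; const char *writable_dc; };
/* Stand-in for the check in replmd_update_rpmd(): refuse any write on an
 * RODC and hand back a referral to a writable DC instead of an error. */
static int replmd_check_write(const struct dc_state *st, struct req *r)
{
    if (!r->is_write || !st->am_rodc) {
        return LDB_SUCCESS;
    }
    snprintf(r->referral, sizeof(r->referral), "ldap://%s/%s",
             st->writable_dc, r->dn);
    return LDB_ERR_REFERRAL;
}
/* Two front ends that both funnel into the same backend check; a check
 * placed only in the LDAP server would miss the SAMR path. */
static int ldap_frontend_modify(const struct dc_state *st, struct req *r)
{
    r->is_write = true;
    return replmd_check_write(st, r);
}
static int samr_frontend_set_attr(const struct dc_state *st, struct req *r)
{
    r->is_write = true;
    return replmd_check_write(st, r);
}
static char last_ref[256];  /* referral from the most recent try_write() */
/* Send one write through the chosen front end to a DC of the given role;
 * returns the result code, last_referral() gives any referral URL. */
int try_write(bool am_rodc, bool via_samr)
{
    struct dc_state st = { am_rodc, "dc1.example.com" };            /* constructed */
    struct req r = { .dn = "CN=user1,CN=Users,DC=example,DC=com" }; /* constructed */
    int rc = via_samr ? samr_frontend_set_attr(&st, &r)
                      : ldap_frontend_modify(&st, &r);
    snprintf(last_ref, sizeof(last_ref), "%s", r.referral);
    return rc;
}
const char *last_referral(void) { return last_ref; }
```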
