[PATCH] s4-drs: RODC related patches

tridge at samba.org
Wed Mar 24 22:14:45 MDT 2010


Hi Fernando,

 > Attached are some patches related to RODC support. Two of them are
 > intended to avoid the GetNCChanges messages to be sent to RODCs and
 > DSReplicaSync to be sent from RODCs (please, let me know if it is not
 > the correct approach! :-) ).

The patches look close, but I am a bit concerned about this bit:

+       /* we do not send a DsGetNCChanges to a RODC */
+       if ((rf1->replica_flags & DRSUAPI_DRS_WRIT_REP) == 0) {
+               return;
+       }
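Review bot: the guard `if ((rf1->replica_flags & DRSUAPI_DRS_WRIT_REP) == 0)` decides on a value the replication partner supplied in its own request, so the partner's role is self-declared at this trust boundary; look the partner's flags up from the server's own directory record for that DC instead, and consider a DEBUG line before the bare `return;` so that a partner silently skipped here can be diagnosed from the logs.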

it looks like you are checking the clients replica_flags? I would have
thought we should be fetching the DCs flags from the directory, and
using those. Otherwise a malicious client could say it is not a RODC
when it is, and it would get access to the passwords.

Maybe what we need is a dsdb_validate_client_flags() function that
checks the flags when the call comes in, and ensures that the client
is not lying about its flags.

 > In the third patch, it doesn't allow to add system-critical attributes
 > to RODC filtered attribute set, according to MS documentation at
 > http://technet.microsoft.com/en-us/library/cc753223(WS.10).aspx#bkmk_ropas
 > 
 > Those patches are also available at my repository in repo.or.cz at rodc branch.

ok, that looks sensible, although there are a few things that need
tidying up:

  1) please don't use atoi() directly in the code, instead call
  ldb_msg_find_attr_as_uint()

  2) I think the two checks for valid flags should be put into a
  common static function in the same file, then called from the two
  places.

  3) it would be nice to have a test for this, in lib/ldb/tests/python
  in the same place we do the existing schema tests

Thanks!

Cheers, Tridge
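The trust problem Tridge raises, modelled as an added Python example that is not Samba code: the posted check gates on flags the partner asserts in its own request, while the hardened version derives the partner's flags from the directory and refuses a request that claims more. The DSA GUIDs, the directory table and the attribute list are constructed; the bit value of DRSUAPI_DRS_WRIT_REP is taken from MS-DRSR and is an assumption here.

```python
# Model of the trust issue above (constructed example, not Samba's code).
# A partner's replica flags must come from the server's own directory,
# keyed by the partner's identity, never from the request it sends.

# Bit value of DRSUAPI_DRS_WRIT_REP as defined in MS-DRSR (assumed here).
DRSUAPI_DRS_WRIT_REP = 0x00000010

# Constructed stand-in for the directory's record of each DC, keyed by DSA GUID.
DIRECTORY = {
    "guid-dc1": {"name": "DC1", "is_rodc": False},
    "guid-rodc1": {"name": "RODC1", "is_rodc": True},
}

def directory_flags(dsa_guid):
    """Derive the partner's replica flags from what the directory says it is."""
    entry = DIRECTORY[dsa_guid]  # unknown partner: KeyError, never trusted
    return 0 if entry["is_rodc"] else DRSUAPI_DRS_WRIT_REP

def validate_client_flags(dsa_guid, claimed_flags):
    """Role of the dsdb_validate_client_flags() suggested in the reply:
    refuse a request whose claimed flags grant more than the directory does."""
    allowed = directory_flags(dsa_guid)
    if claimed_flags & ~allowed:
        raise PermissionError(f"{DIRECTORY[dsa_guid]['name']} claimed flags "
                              f"{claimed_flags:#x} but directory allows {allowed:#x}")
    return claimed_flags

def replicate_vulnerable(dsa_guid, claimed_flags, attrs):
    """Check as posted: the decision rests on the client's own replica_flags."""
    if (claimed_flags & DRSUAPI_DRS_WRIT_REP) == 0:
        return []  # partner says it is an RODC: send nothing
    return list(attrs)

def replicate_hardened(dsa_guid, claimed_flags, attrs):
    """Flags are checked against the directory before anything is sent."""
    flags = validate_client_flags(dsa_guid, claimed_flags)
    if (flags & DRSUAPI_DRS_WRIT_REP) == 0:
        return []
    return list(attrs)

# Constructed attribute list; the password attributes are the ones at stake.
ATTRS = ["sAMAccountName", "unicodePwd", "supplementalCredentials"]

if __name__ == "__main__":
    # An RODC that misreports itself as writable gets the secrets from the posted check ...
    print(replicate_vulnerable("guid-rodc1", DRSUAPI_DRS_WRIT_REP, ATTRS))
    # ... while the hardened path refuses the request outright.
    try:
        replicate_hardened("guid-rodc1", DRSUAPI_DRS_WRIT_REP, ATTRS)
    except PermissionError as e:
        print("refused:", e)
```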


More information about the samba-technical mailing list