[PATCH] s4-drs: Do not send RODC filtered attributes to RODCs on GetNCChanges reply

tridge at samba.org tridge at samba.org
Wed Mar 24 22:18:17 MDT 2010


Hi Fernando,

 > >> BTW, should we also discard such attributes if we are a RODC that is
 > >> receiving a GetNCChanges reply?
 > >
 > >
 > > I am not sure about that, can you find a hint in the documentation about that?
 > >
 > 
 > Actually I took a look at the documentation but I couldn't find
 > anything related ...

I don't think we should discard DRS changes that come to us as a RODC,
even if we don't expect them. Administrators are allowed to mark some
RODCs as receiving some users' security-sensitive attributes (like
passwords). Generally when a RODC is receiving attributes from a real
DC, then if it gets the attribute over the wire then it should apply
it, without looking at whether it expected it to be filtered. That is
the job of the real DC.

 > Another question: Should we prevent RODCs from sending DSReplicaSync messages
 > or should we prevent DCs from sending GetNCChanges requests to RODCs?

Yes, that sounds right.

 > Is there anything else related to RODC support that you aren't working
 > on, and that I could help? :-)

Yes, testing! Have you tried testing Samba as either a RODC, or
serving a Windows RODC? Does it work?

Cheers, Tridge

