[PATCH] s4-drs: RODC related patches
Fernando J V da Silva
fernandojvsilva at yahoo.com.br
Sat Mar 27 08:43:24 MDT 2010
Hi Tridge!
Thanks for your comments! :-)
> The patches look close, but I am a bit concerned about this bit:
>
> + /* we do not send a DsGetNCChanges to a RODC */
> + if ((rf1->replica_flags & DRSUAPI_DRS_WRIT_REP) == 0) {
> + return;
> + }
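Review bot: the condition `if ((rf1->replica_flags & DRSUAPI_DRS_WRIT_REP) == 0)` decides whether the peer is an RODC from the replica_flags the client itself put in the request, so any client that sets DRSUAPI_DRS_WRIT_REP passes the check regardless of what kind of DC it really is; the decision should come from the server's own record of that DC (the repsFrom data discussed in this thread), with a mismatch between the claimed flags and the stored ones treated as a validation failure rather than trusted. A second point: the bare `return;` refuses the request silently, so a refused replication attempt leaves no trace; logging the refusal with the peer's identity would make these cases visible to an administrator.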
>
> it looks like you are checking the client's replica_flags? I would have
> thought we should be fetching the DCs flags from the directory, and
> using those. Otherwise a malicious client could say it is not a RODC
> when it is, and it would get access to the passwords.
>
> Maybe what we need is a dsdb_validate_client_flags() function that
> checks the flags when the call comes in, and ensures that the client
> is not lying about its flags.
Ok! Now I tried to write dsdb_validate_client_flags() looking at
repsFrom (please, let me know if it is not correct...).
> 1) please don't use atoi() directly in the code, instead call
> ldb_msg_find_attr_as_uint()
>
> 2) I think the two checks for valid flags should be put into a
> common static function in the same file, then called from the two
> places.
Ok! I changed it as well! :-)
> 3) it would be nice to have a test for this, in lib/ldb/tests/python
> in the same place we do the existing schema tests
Ok! I've been working on this test! I hope to send it soon!
As usual, these patches are also available in my repository on
repo.or.cz in the rodc branch (please ignore the test patch ... I wrote it
but I just realized that it is not working correctly ... I have to
check it out ...).
Cheers,
--
Fernando J V da Silva
M Sc Computer Science Student
Institute of Computing, State University of Campinas
+55 15 8801-2165
Attachments:
0001-s4-drs-Do-not-allow-system-critical-attributes-to-b.patch (2916 bytes)
<http://lists.samba.org/pipermail/samba-technical/attachments/20100327/503279f8/attachment.obj>
0001-s4-drs-Do-not-send-GetNCChanges-messages-to-RODCs.patch (2588 bytes)
<http://lists.samba.org/pipermail/samba-technical/attachments/20100327/503279f8/attachment-0001.obj>