allow RWDC to do exop_repl_secrets call in all cases
Matthieu Patou
mat at samba.org
Thu Sep 27 02:38:56 MDT 2012
Hello Metze,
Following the test reports, it turns out that RWDC can call
exop_repl_secrets and that they don't need to comply with the rules in
paragraph 4.1.10.5.13, as the check for permission granted 5.99 uses the
function in paragraph 4.1.10.5.13 only if the DC account didn't have the
right get-changes-all.
So I'm proposing those two patches to first remove the firm link between
exop_repl_secrets and RODC (both in comments and in debug) and then add
a test to bypass the security check for can reveal/can not reveal secure
attributes.
Matthieu
--
Matthieu Patou
Samba Team
http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-drs-EXOP_REPL_SECRETS-can-be-called-by-RW-DC-as-w.patch
Type: text/x-patch
Size: 3753 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120927/7cb708ad/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s4-drs-fix-the-logic-to-allow-REPL_SECRET-if-the-acc.patch
Type: text/x-patch
Size: 1569 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120927/7cb708ad/attachment-0001.bin>