allow RWDC to do exop_repl_secrets call in all cases

Matthieu Patou mat at samba.org
Thu Sep 27 02:38:56 MDT 2012


Hello Metze,

Following the test reports, it turns out that RWDC can call
exop_repl_secrets and that they don't need to comply with the rules in
paragraph 4.1.10.5.13, as the check for permission granted 5.99 uses the
function in paragraph 4.1.10.5.13 only if the DC account didn't have the
right get-changes-all.

So I'm proposing those two patches to first remove the firm link between 
exop_repl_secrets and RODC (both in comments and in debug) and then add 
a test to bypass the security check for can reveal/can not reveal secure 
attributes.

Matthieu

-- 
Matthieu Patou
Samba Team
http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-drs-EXOP_REPL_SECRETS-can-be-called-by-RW-DC-as-w.patch
Type: text/x-patch
Size: 3753 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120927/7cb708ad/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s4-drs-fix-the-logic-to-allow-REPL_SECRET-if-the-acc.patch
Type: text/x-patch
Size: 1569 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120927/7cb708ad/attachment-0001.bin>

