The Samba-Bugzilla – Attachment 8057 Details for Bug 9256
getncchanges with exop for repl_obj_with_secrets should always be allowed for RWDC
[patch] Proposed patch to fix part 2
0008-s4-drs-fix-the-logic-to-allow-REPL_SECRET-if-the-acc.patch (text/plain), 1.53 KB, created by Matthieu Patou on 2012-10-13 07:24:19 UTC
>From 5374334d685bd680828aed00f502e6e671e615d7 Mon Sep 17 00:00:00 2001 >From: Matthieu Patou <mat@matws.net> >Date: Wed, 26 Sep 2012 11:49:07 -0700 >Subject: [PATCH 08/20] s4-drs: fix the logic to allow REPL_SECRET if the > account has GET_ALL_CHANGES > >--- > source4/rpc_server/drsuapi/getncchanges.c | 24 ++++++++++++++++++++++++ > 1 file changed, 24 insertions(+) > >diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c >index 871fc68..09406d6 100644 >--- a/source4/rpc_server/drsuapi/getncchanges.c >+++ b/source4/rpc_server/drsuapi/getncchanges.c >@@ -911,6 +911,30 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state, > return WERR_DS_DRA_SOURCE_DISABLED; > } > >+ /* >+ * In MS-DRSR.pdf 5.99 IsGetNCChangesPermissionGranted >+ * >+ * The pseudo code indicate >+ * revealsecrets = true >+ * if IsRevealSecretRequest(msgIn) then >+ * if AccessCheckCAR(ncRoot, Ds-Replication-Get-Changes-All) = false >+ * then >+ * if (msgIn.ulExtendedOp = EXOP_REPL_SECRETS) then >+ * <... check if this account is ok to be replicated on this DC ...> >+ * <... and if not reveal secrets = no ...> >+ * else >+ * reveal secrets = false >+ * endif >+ * endif >+ * endif >+ * >+ * Which basically means that if you have GET_ALL_CHANGES rights (~== RWDC) >+ * then you can do EXOP_REPL_SECRETS >+ */ >+ if (has_get_all_changes) { >+ goto allowed; >+ } >+ > obj_dn = drs_ObjectIdentifier_to_dn(mem_ctx, b_state->sam_ctx_system, ncRoot); > if (!ldb_dn_validate(obj_dn)) goto failed; > >-- >1.7.9.5 >
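Review bot: `has_get_all_changes`, tested in the added `if (has_get_all_changes) { goto allowed; }`, is not declared or assigned anywhere in this patch (the diffstat's 24 insertions are all in this one hunk), so the new shortcut is only as sound as code outside the visible lines. Because the jump skips the per-object checks that begin at `obj_dn = drs_ObjectIdentifier_to_dn(...)`, please confirm, or state in the commit message, that the flag holds the result of the Ds-Replication-Get-Changes-All access check on `ncRoot` for the calling account and is initialised to false on every path that reaches this point. The comment would also read better with "indicates" and one spelling of the pseudocode variable (`revealsecrets` versus `reveal secrets`), and the commit message has no body; a line citing MS-DRSR 5.99 there would help anyone reading the log without the source.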
Flags: abartlet: review+