aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2010-08-17 14:10:34 +1000
committerAndrew Tridgell <tridge@samba.org>2010-08-17 21:21:50 +1000
commit4e9daa0f032547787a1a1957a6f4f4002aa50371 (patch)
tree17316ed655ae0ca51144cbc32bafae4a191af9a5
parentdf14f645b3c56ca7652463d53731437158d5c4bb (diff)
downloadsamba-4e9daa0f032547787a1a1957a6f4f4002aa50371.tar.gz
samba-4e9daa0f032547787a1a1957a6f4f4002aa50371.tar.xz
samba-4e9daa0f032547787a1a1957a6f4f4002aa50371.zip
s4-dsdb: added support for UF_PARTIAL_SECRETS_ACCOUNT
when this is in user_account_control the account is a RODC, and we need to set the primaryGroupID to be DOMAIN_RID_READONLY_DCS Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--libds/common/flags.h1
-rw-r--r--source4/dsdb/samdb/ldb_modules/samldb.c11
2 files changed, 10 insertions, 2 deletions
diff --git a/libds/common/flags.h b/libds/common/flags.h
index 021db2a9c72..eeb69400299 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -51,6 +51,7 @@
#define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000
#define UF_NO_AUTH_DATA_REQUIRED 0x02000000
+#define UF_PARTIAL_SECRETS_ACCOUNT 0x04000000
#define UF_MACHINE_ACCOUNT_MASK (\
UF_INTERDOMAIN_TRUST_ACCOUNT |\
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index ac8dff938e8..a12b189027a 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1482,7 +1482,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
el2 = ldb_msg_find_element(msg, "sAMAccountType");
el2->flags = LDB_FLAG_MOD_REPLACE;
- if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+ if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
ret = samdb_msg_add_string(ldb, msg, msg,
"isCriticalSystemObject", "TRUE");
if (ret != LDB_SUCCESS) {
@@ -1493,8 +1493,15 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
/* DCs have primaryGroupID of DOMAIN_RID_DCS */
if (!ldb_msg_find_element(msg, "primaryGroupID")) {
+ uint32_t rid;
+ if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+ rid = DOMAIN_RID_DCS;
+ } else {
+ /* read-only DC */
+ rid = DOMAIN_RID_READONLY_DCS;
+ }
ret = samdb_msg_add_uint(ldb, msg, msg,
- "primaryGroupID", DOMAIN_RID_DCS);
+ "primaryGroupID", rid);
if (ret != LDB_SUCCESS) {
return ret;
}