dsdb-repl: Always set DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING when we are an RODC
author Andrew Bartlett <abartlet@samba.org>
Fri, 20 Feb 2015 04:55:49 +0000 (17:55 +1300)
committer Andrew Bartlett <abartlet@samba.org>
Mon, 16 Mar 2015 02:00:07 +0000 (03:00 +0100)
Unless we are using DRSUAPI_EXOP_REPL_SECRET, always remove
DRSUAPI_DRS_WRIT_REP and always set
DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING

Otherwise, we will not work as an RODC, because replication will fail
with access denied errors.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
source4/dsdb/repl/drepl_out_helpers.c

index c8a28ac998ca89eaf7b91b3ccb4c4b8322347074..a0478813681744891464c9c5745068ae194f249a 100644 (file)
@@ -476,8 +476,11 @@ static void dreplsrv_op_pull_source_get_changes_trigger(struct tevent_req *req)
                        DEBUG(0,(__location__ ": Failed to construct RODC partial attribute set : %s\n", nt_errstr(status)));
                        return;
                }
+               replica_flags &= ~DRSUAPI_DRS_WRIT_REP;
                if (state->op->extended_op == DRSUAPI_EXOP_REPL_SECRET) {
                        replica_flags &= ~DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING;
+               } else {
+                       replica_flags |= DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING;
                }
        }
        if (state->op->extended_op != DRSUAPI_EXOP_NONE) {
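
Review bot: The added `replica_flags &= ~DRSUAPI_DRS_WRIT_REP;` sits before the `extended_op` check, so it also runs when `extended_op == DRSUAPI_EXOP_REPL_SECRET`, while the commit message can be read as exempting that case from both flag changes. If clearing DRSUAPI_DRS_WRIT_REP for REPL_SECRET requests is intended, state that in a short comment above the line and tighten the message wording; if not, the line belongs in the `else` branch next to `replica_flags |= DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING;`. A brief comment recording the access-denied reason given in the commit message would also help here, since the condition guarding this block is outside the visible context and nothing in the code explains why the flags are forced.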