}
-int dsdb_validate_client_flags(struct ldb_context *ldb,
- const struct repsFromTo1 *client_rf)
-{
- int ret;
- TALLOC_CTX *tmp_ctx = talloc_new(ldb);
-
- if (client_rf->replica_flags & DRSUAPI_DRS_WRIT_REP) {
- bool is_rodc;
- ret = samdb_is_rodc(ldb, &client_rf->source_dsa_invocation_id, &is_rodc);
- if (ret != LDB_SUCCESS) {
- talloc_free(tmp_ctx);
- return ret;
- }
- if (is_rodc) {
- DEBUG(0,("Client %s claimed to be WRIT_REP, but is RODC\n",
- GUID_string(tmp_ctx, &client_rf->source_dsa_invocation_id)));
- talloc_free(tmp_ctx);
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
- }
-
- /* TODO: we may need to validate more client flags here, if they
- are security sensitive */
-
- talloc_free(tmp_ctx);
- return LDB_SUCCESS;
-}
-
-
/*
load a repsFromTo blob list for a given partition GUID
attr must be "repsFrom" or "repsTo"
return forest_name;
}
-
/*
validate that an invocationID belongs to the specified user sid.
The user SID must be a domain controller account (either RODC or
struct drsuapi_DsGetNCChanges *r;
struct drsuapi_DsReplicaCursorCtrEx *uptodateness_vector;
struct tevent_req *subreq;
- int ret;
-
- /* check that the client isn't lying about being a RODC */
- ret = dsdb_validate_client_flags(service->samdb, rf1);
- if (ret != LDB_SUCCESS) {
- return;
- }
if ((rf1->replica_flags & DRSUAPI_DRS_WRIT_REP) == 0) {
return;