samba-tool drs: Ensure we do not replicate all secrets to an RODC, even with --local
authorAndrew Bartlett <abartlet@samba.org>
Fri, 20 Feb 2015 04:54:32 +0000 (17:54 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 16 Mar 2015 02:00:07 +0000 (03:00 +0100)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
python/samba/netcmd/drs.py

index 36dc48e2c234ed5301457172e216e125624f2d21..e8e9ec879aac1f6c016a7809fa48d42fd3ac856d 100644 (file)
@@ -265,8 +265,11 @@ def drs_local_replicate(self, SOURCE_DC, NC):
     repl = drs_utils.drs_Replicate("ncacn_ip_tcp:%s[seal]" % self.server, self.lp,
                                    self.creds, self.local_samdb, dest_dsa_invocation_id)
 
+    # Work out if we are an RODC, so that a forced local replicate
+    # with the admin pw does not sync passwords
+    rodc = self.local_samdb.am_rodc()
     try:
-        repl.replicate(NC, source_dsa_invocation_id, destination_dsa_guid)
+        repl.replicate(NC, source_dsa_invocation_id, destination_dsa_guid, rodc=rodc)
     except Exception, e:
         raise CommandError("Error replicating DN %s" % NC, e)
     self.samdb.transaction_commit()
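Review bot: The `rodc = self.local_samdb.am_rodc()` lookup is placed before the `try`, so if it fails the user gets a raw exception instead of the `CommandError` raised for a failed replicate, and the visible lines show no transaction cancel on either failure path. Aborting before any replication is the safe outcome, because with administrator credentials the flag passed as `rodc=rodc` appears to be the only thing keeping secrets out of the local database. The comment should say so, to stop anyone later wrapping the lookup in a handler that falls back to `False`; I would add `# If this lookup fails we must abort: never assume rodc=False, or secrets would be replicated`. A test that runs the `--local` replicate on an RODC and asserts that no password attributes arrive would pin the behaviour. The body of drs_local_replicate starts before the hunk, so where the transaction is opened cannot be checked from here.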