s4-dsdb: added support for UF_PARTIAL_SECRETS_ACCOUNT
authorAndrew Tridgell <tridge@samba.org>
Tue, 17 Aug 2010 04:10:34 +0000 (14:10 +1000)
committerAndrew Tridgell <tridge@samba.org>
Tue, 17 Aug 2010 11:21:50 +0000 (21:21 +1000)
when this flag is set in user_account_control the account is an RODC, and we
need to set the primaryGroupID to be DOMAIN_RID_READONLY_DCS

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

libds/common/flags.h
source4/dsdb/samdb/ldb_modules/samldb.c

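index 021db2a9c7299344e31c94387f19433db0b8247d..eeb69400299bdefa91013ffd5b08a3e2169d8cc2 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -51,6 +51,7 @@
 
 #define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000
 #define UF_NO_AUTH_DATA_REQUIRED               0x02000000
+#define UF_PARTIAL_SECRETS_ACCOUNT             0x04000000
 
 #define UF_MACHINE_ACCOUNT_MASK (\
                UF_INTERDOMAIN_TRUST_ACCOUNT |\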
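Review bot: The new UF_PARTIAL_SECRETS_ACCOUNT define carries no comment, although its meaning (the commit message says it marks a read-only domain controller, which then gets primaryGroupID DOMAIN_RID_READONLY_DCS) is exactly what a reader of this header needs and the neighbouring defines give no hint of it. A trailing comment would do, e.g. `#define UF_PARTIAL_SECRETS_ACCOUNT             0x04000000 /* account is a read-only DC (RODC) */`. Whether the new bit should also be part of UF_MACHINE_ACCOUNT_MASK, which starts just below the hunk, cannot be judged from here; if the mask is meant to enumerate account types rather than modifier bits, leaving it out is presumably correct and worth a line in the same comment.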
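index ac8dff938e838b46f0b062956bbd5167b67d6a2a..a12b189027a97654c211674a686b1da5256a1e06 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1482,7 +1482,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
                el2 = ldb_msg_find_element(msg, "sAMAccountType");
                el2->flags = LDB_FLAG_MOD_REPLACE;
 
-               if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+               if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
                        ret = samdb_msg_add_string(ldb, msg, msg,
                                                   "isCriticalSystemObject", "TRUE");
                        if (ret != LDB_SUCCESS) {
@@ -1493,8 +1493,15 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 
                        /* DCs have primaryGroupID of DOMAIN_RID_DCS */
                        if (!ldb_msg_find_element(msg, "primaryGroupID")) {
+                               uint32_t rid;
+                               if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+                                       rid = DOMAIN_RID_DCS;
+                               } else {
+                                       /* read-only DC */
+                                       rid = DOMAIN_RID_READONLY_DCS;
+                               }
                                ret = samdb_msg_add_uint(ldb, msg, msg,
-                                                        "primaryGroupID", DOMAIN_RID_DCS);
+                                                        "primaryGroupID", rid);
                                if (ret != LDB_SUCCESS) {
                                        return ret;
                                }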
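Review bot: The context comment `/* DCs have primaryGroupID of DOMAIN_RID_DCS */` above the primaryGroupID block is now stale, since the second hunk makes the same block assign DOMAIN_RID_READONLY_DCS for RODCs; it should read `/* DCs have primaryGroupID of DOMAIN_RID_DCS, RODCs of DOMAIN_RID_READONLY_DCS */`. The `else` branch relies on the enclosing condition from the first hunk (UF_SERVER_TRUST_ACCOUNT or UF_PARTIAL_SECRETS_ACCOUNT) to mean "RODC", so the `/* read-only DC */` comment would be clearer as `/* UF_PARTIAL_SECRETS_ACCOUNT without UF_SERVER_TRUST_ACCOUNT: read-only DC */`, making the dependency on the outer test visible. An account carrying both bits is silently treated as a full DC; if that combination is not meant to be accepted, the rejection belongs where userAccountControl is validated, which is outside this hunk. samldb_modify both starts and ends outside the hunks shown.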