When this flag is set in userAccountControl the account is an RODC, and we
need to set its primaryGroupID to DOMAIN_RID_READONLY_DCS.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
#define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000
#define UF_NO_AUTH_DATA_REQUIRED 0x02000000
#define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000
#define UF_NO_AUTH_DATA_REQUIRED 0x02000000
+#define UF_PARTIAL_SECRETS_ACCOUNT 0x04000000
#define UF_MACHINE_ACCOUNT_MASK (\
UF_INTERDOMAIN_TRUST_ACCOUNT |\
#define UF_MACHINE_ACCOUNT_MASK (\
UF_INTERDOMAIN_TRUST_ACCOUNT |\
el2 = ldb_msg_find_element(msg, "sAMAccountType");
el2->flags = LDB_FLAG_MOD_REPLACE;
el2 = ldb_msg_find_element(msg, "sAMAccountType");
el2->flags = LDB_FLAG_MOD_REPLACE;
- if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+ if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
ret = samdb_msg_add_string(ldb, msg, msg,
"isCriticalSystemObject", "TRUE");
if (ret != LDB_SUCCESS) {
ret = samdb_msg_add_string(ldb, msg, msg,
"isCriticalSystemObject", "TRUE");
if (ret != LDB_SUCCESS) {
/* DCs have primaryGroupID of DOMAIN_RID_DCS */
if (!ldb_msg_find_element(msg, "primaryGroupID")) {
/* DCs have primaryGroupID of DOMAIN_RID_DCS */
if (!ldb_msg_find_element(msg, "primaryGroupID")) {
+ uint32_t rid;
+ if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+ rid = DOMAIN_RID_DCS;
+ } else {
+ /* read-only DC */
+ rid = DOMAIN_RID_READONLY_DCS;
+ }
ret = samdb_msg_add_uint(ldb, msg, msg,
ret = samdb_msg_add_uint(ldb, msg, msg,
- "primaryGroupID", DOMAIN_RID_DCS);
+ "primaryGroupID", rid);
if (ret != LDB_SUCCESS) {
return ret;
}
if (ret != LDB_SUCCESS) {
return ret;
}
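Review bot: The widened condition `if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT))` now turns any object carrying UF_PARTIAL_SECRETS_ACCOUNT into a critical system object with primaryGroupID DOMAIN_RID_READONLY_DCS, yet nothing in this hunk checks that the caller is entitled to set that bit. If an account that may write its own userAccountControl can set UF_PARTIAL_SECRETS_ACCOUNT, this path would place it in the Read-only Domain Controllers group; whether such an access check exists earlier in the module is not visible here, so it should be confirmed and stated. I would add above the condition: `/* UF_PARTIAL_SECRETS_ACCOUNT marks an RODC and yields DOMAIN_RID_READONLY_DCS below; setting it must be gated like UF_SERVER_TRUST_ACCOUNT, since it confers RODC privileges. */`. The new `rid` selection also silently prefers DOMAIN_RID_DCS when both bits are set; that precedence deserves a one-line comment or an explicit rejection of the combination. The enclosing function starts and ends outside the hunk.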