From: Andrew Tridgell
Date: Tue, 17 Aug 2010 04:10:34 +0000 (+1000)
Subject: s4-dsdb: added support for UF_PARTIAL_SECRETS_ACCOUNT
X-Git-Tag: samba-4.0.0alpha13~995
X-Git-Url: http://git.samba.org/samba.git/?p=ira%2Fwip.git;a=commitdiff_plain;h=4e9daa0f032547787a1a1957a6f4f4002aa50371

s4-dsdb: added support for UF_PARTIAL_SECRETS_ACCOUNT when this is in user_account_control the account is a RODC, and we need to set the primaryGroupID to be DOMAIN_RID_READONLY_DCS Pair-Programmed-With: Andrew Bartlett
---
diff --git a/libds/common/flags.h b/libds/common/flags.h
index 021db2a9c72..eeb69400299 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -51,6 +51,7 @@
 #define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000
 #define UF_NO_AUTH_DATA_REQUIRED 0x02000000
+#define UF_PARTIAL_SECRETS_ACCOUNT 0x04000000
 #define UF_MACHINE_ACCOUNT_MASK (\
 UF_INTERDOMAIN_TRUST_ACCOUNT |\
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index ac8dff938e8..a12b189027a 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1482,7 +1482,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 el2 = ldb_msg_find_element(msg, "sAMAccountType");
 el2->flags = LDB_FLAG_MOD_REPLACE;
-if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
 ret = samdb_msg_add_string(ldb, msg, msg, "isCriticalSystemObject", "TRUE");
 if (ret != LDB_SUCCESS) {
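Review bot: The new `UF_PARTIAL_SECRETS_ACCOUNT` define in flags.h carries no comment saying which kind of account it marks, and the neighbouring defines in the hunk don't either, while the samldb.c change in this commit relies on the bit meaning "this account is an RODC"; a trailing comment would make that contract visible at the definition, e.g. `#define UF_PARTIAL_SECRETS_ACCOUNT 0x04000000 /* read-only DC machine account */`. The value 0x04000000 matches the bit MS-ADTS documents for this flag in the userAccountControl table. UF_MACHINE_ACCOUNT_MASK, the last visible context line, is not extended; that looks right only if an RODC account also carries one of the existing machine-account bits, which is not visible here.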
@@ -1493,8 +1493,15 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 /* DCs have primaryGroupID of DOMAIN_RID_DCS */
 if (!ldb_msg_find_element(msg, "primaryGroupID")) {
+uint32_t rid;
+if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+rid = DOMAIN_RID_DCS;
+} else {
+/* read-only DC */
+rid = DOMAIN_RID_READONLY_DCS;
+}
 ret = samdb_msg_add_uint(ldb, msg, msg,
-"primaryGroupID", DOMAIN_RID_DCS);
+"primaryGroupID", rid);
 if (ret != LDB_SUCCESS) {
 return ret;
 }
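Review bot: The context comment `/* DCs have primaryGroupID of DOMAIN_RID_DCS */` directly above the new `rid` selection is now stale, since the added else branch assigns DOMAIN_RID_READONLY_DCS; it should read something like `/* DCs get primaryGroupID DOMAIN_RID_DCS; RODCs (UF_PARTIAL_SECRETS_ACCOUNT) get DOMAIN_RID_READONLY_DCS */`. The else branch only means "read-only DC" because the enclosing `if`, changed in the previous hunk and outside this one, tests `UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT`; an account carrying both bits is silently treated as a full DC, and the `/* read-only DC */` comment should state that precedence, e.g. `/* UF_PARTIAL_SECRETS_ACCOUNT without UF_SERVER_TRUST_ACCOUNT: read-only DC */`. Whether both bits can legitimately coexist, and whether the surrounding code rejects that combination, is not visible in this hunk. samldb_modify begins and ends outside the hunk.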