repl: Set GET_ALL_GROUP_MEMBERSHIP flag in the drepl server

Although we do not currently support this in the server, this will cause
data loss against a Windows DC unless we set this flag as per the docs.
This flag is required for the RODC.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Jun 15 05:31:59 CEST 2017 on sn-devel-144

diff --git a/python/samba/kcc/__init__.py b/python/samba/kcc/__init__.py
index ad322a5c54258b48eb76de5b4275d6e3599784d7..f775a11b264d30ea8cb42a30f0eb600179e9c6bc 100644 (file)
--- a/python/samba/kcc/__init__.py
+++ b/python/samba/kcc/__init__.py
@@ -909,7 +909,6 @@ class KCC(object):
                                      drsuapi.DRSUAPI_DRS_PER_SYNC |
                                      drsuapi.DRSUAPI_DRS_ADD_REF |
                                      drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING |
-                                     drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP |
                                      drsuapi.DRSUAPI_DRS_NONGC_RO_REP)
                     if t_repsFrom.replica_flags != replica_flags:
                         t_repsFrom.replica_flags = replica_flags

diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c
index 8c4b70a1c94fe1a846c80dc2447aef25bb355ca4..fa19ba7efc5699e396c27cceff815a9ba2e33dfd 100644 (file)
--- a/source4/dsdb/kcc/kcc_periodic.c
+++ b/source4/dsdb/kcc/kcc_periodic.c
@@ -178,7 +178,6 @@ uint32_t kccsrv_replica_flags(struct kccsrv_service *s)
                        DRSUAPI_DRS_PER_SYNC |
                        DRSUAPI_DRS_ADD_REF |
                        DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING |
-                       DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP |
                        DRSUAPI_DRS_NONGC_RO_REP;
        }
        return DRSUAPI_DRS_INIT_SYNC |

diff --git a/source4/dsdb/repl/drepl_out_helpers.c b/source4/dsdb/repl/drepl_out_helpers.c
index d526f4558a522c92ef7e96ae920f0597ed6f46c5..079edc8ba46bb1dea83483011926d336d47901e1 100644 (file)
--- a/source4/dsdb/repl/drepl_out_helpers.c
+++ b/source4/dsdb/repl/drepl_out_helpers.c
@@ -518,7 +518,21 @@ static void dreplsrv_op_pull_source_get_changes_trigger(struct tevent_req *req)
                } else {
                        replica_flags |= DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING;
                }
+
+               /*
+                * As per MS-DRSR:
+                *
+                * 4.1.10.4
+                * Client Behavior When Sending the IDL_DRSGetNCChanges Request
+                *
+                * 4.1.10.4.1
+                * ReplicateNCRequestMsg
+                */
+               replica_flags |= DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP;
+       } else {
+               replica_flags |= DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP;
        }
+
        if (state->op->extended_op != DRSUAPI_EXOP_NONE) {
                /*
                 * If it's an exop never set the ADD_REF even if it's in