We should never get a secret from a server when we specify DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
This asserts that this is the case.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
WERROR drsuapi_decrypt_attribute(TALLOC_CTX *mem_ctx,
const DATA_BLOB *gensec_skey,
uint32_t rid,
+ uint32_t dsdb_repl_flags,
struct drsuapi_DsReplicaAttribute *attr);
#include "../lib/crypto/crypto.h"
#include "../libcli/drsuapi/drsuapi.h"
#include "libcli/auth/libcli_auth.h"
+#include "dsdb/samdb/samdb.h"
WERROR drsuapi_decrypt_attribute_value(TALLOC_CTX *mem_ctx,
const DATA_BLOB *gensec_skey,
WERROR drsuapi_decrypt_attribute(TALLOC_CTX *mem_ctx,
const DATA_BLOB *gensec_skey,
uint32_t rid,
+ uint32_t dsdb_repl_flags,
struct drsuapi_DsReplicaAttribute *attr)
{
WERROR status;
return WERR_OK;
}
+ if (dsdb_repl_flags & DSDB_REPL_FLAG_EXPECT_NO_SECRETS) {
+ return WERR_TOO_MANY_SECRETS;
+ }
+
if (attr->value_ctr.num_values > 1) {
return WERR_DS_DRA_INVALID_PARAMETER;
}
drsuapi_decrypt_attribute(mem_ctx,
session_key,
rid,
+ 0,
attr);
}
}
if (state->op->options & DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS) {
dsdb_repl_flags |= DSDB_REPL_FLAG_PRIORITISE_INCOMING;
}
+ if (state->op->options & DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING) {
+ dsdb_repl_flags |= DSDB_REPL_FLAG_EXPECT_NO_SECRETS;
+ }
status = dsdb_replicated_objects_convert(service->samdb,
working_schema ? working_schema : schema,
struct dsdb_extended_replicated_object *out)
{
NTSTATUS nt_status;
- WERROR status;
+ WERROR status = WERR_OK;
uint32_t i;
struct ldb_message *msg;
struct replPropertyMetaDataBlob *md;
}
for (j=0; j<a->value_ctr.num_values; j++) {
- status = drsuapi_decrypt_attribute(a->value_ctr.values[j].blob, gensec_skey, rid, a);
- W_ERROR_NOT_OK_RETURN(status);
+ status = drsuapi_decrypt_attribute(a->value_ctr.values[j].blob,
+ gensec_skey, rid,
+ dsdb_repl_flags, a);
+ if (!W_ERROR_IS_OK(status)) {
+ break;
+ }
+ }
+ if (W_ERROR_EQUAL(status, WERR_TOO_MANY_SECRETS)) {
+ WERROR get_name_status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, pfm_remote,
+ a, msg->elements, e);
+ if (W_ERROR_IS_OK(get_name_status)) {
+ DEBUG(0, ("Unxpectedly got secret value %s on %s from DRS server\n",
+ e->name, ldb_dn_get_linearized(msg->dn)));
+ } else {
+ DEBUG(0, ("Unxpectedly got secret value on %s from DRS server",
+ ldb_dn_get_linearized(msg->dn)));
+ }
+ } else if (!W_ERROR_IS_OK(status)) {
+ return status;
}
status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, pfm_remote,
#define DSDB_REPL_FLAG_PRIORITISE_INCOMING 1
#define DSDB_REPL_FLAG_PARTIAL_REPLICA 2
#define DSDB_REPL_FLAG_ADD_NCNAME 4
+#define DSDB_REPL_FLAG_EXPECT_NO_SECRETS 8
#define DSDB_CONTROL_REPLICATED_UPDATE_OID "1.3.6.1.4.1.7165.4.3.3"
const struct drsuapi_DsReplicaCursor2CtrEx *uptodateness_vector;
struct dsdb_extended_replicated_objects *objs;
uint32_t req_replica_flags;
+ uint32_t dsdb_repl_flags = 0;
struct repsFromTo1 *s_dsa;
char *tmp_dns_name;
uint32_t i;
return NT_STATUS_INTERNAL_ERROR;
}
+ if (req_replica_flags & DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING) {
+ dsdb_repl_flags |= DSDB_REPL_FLAG_EXPECT_NO_SECRETS;
+ }
+
status = dsdb_replicated_objects_convert(s->ldb,
schema,
c->partition->nc.dn,
s_dsa,
uptodateness_vector,
c->gensec_skey,
- 0,
+ dsdb_repl_flags,
s, &objs);
if (!W_ERROR_IS_OK(status)) {
DEBUG(0,("Failed to convert objects: %s\n", win_errstr(status)));