repl_secret: Error condition should sound harmless
authorGarming Sam <garming@catalyst.net.nz>
Mon, 27 Mar 2017 01:30:19 +0000 (14:30 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 27 Mar 2017 18:08:19 +0000 (20:08 +0200)
In the case it is not in the replication group, it is correct to deny
the replication to succeed.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
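--- a/source4/dsdb/repl/drepl_secret.c
+++ b/source4/dsdb/repl/drepl_secret.c
@@ -42,8 +42,14 @@ static void drepl_repl_secret_callback(struct dreplsrv_service *service,
 {
        struct repl_secret_state *state = talloc_get_type_abort(cb_data, struct repl_secret_state);
        if (!W_ERROR_IS_OK(werr)) {
-               DEBUG(3,(__location__ ": repl secret failed for user %s - %s: extended_ret[0x%X]\n",
-                        state->user_dn, win_errstr(werr), ext_err));
+               if (W_ERROR_EQUAL(werr, WERR_DS_DRA_SECRETS_DENIED)) {
+                       DEBUG(3,(__location__ ": repl secret disallowed for user "
+                                "%s - not in allowed replication group\n",
+                                state->user_dn));
+               } else {
+                       DEBUG(3,(__location__ ": repl secret failed for user %s - %s: extended_ret[0x%X]\n",
+                                state->user_dn, win_errstr(werr), ext_err));
+               }
        } else {
                DEBUG(3,(__location__ ": repl secret completed OK for '%s'\n", state->user_dn));
        }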
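Review bot: The new `WERR_DS_DRA_SECRETS_DENIED` branch logs a fixed cause ("not in allowed replication group") and drops both `win_errstr(werr)` and `ext_err`, so the log line no longer carries the values an operator would use to correlate a denied secret-replication request with the server side. The hunk does not show which conditions produce this error code; if the peer can also return it for another policy reason (for example an explicit deny entry), the hard-coded explanation would mislead. I would keep the harmless wording but retain the diagnostics, e.g. `DEBUG(3,(__location__ ": repl secret disallowed for user %s - %s: extended_ret[0x%X]\n", state->user_dn, win_errstr(werr), ext_err));`. As a style point, the success message quotes the DN as `'%s'` while both failure messages print it bare; quoting it consistently makes the lines easier to parse. The body of `drepl_repl_secret_callback` starts at the signature above the hunk and appears to continue past its last line.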