getncchanges: Let security of RWDC+ manually replicate secrets to RODCs

This correctly passes has_get_all_changes through to repl_secrets.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>

diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 6fbebd51fc4f502c6fadf32a4578390e331d5b99..efad0c9aa5e6b5cfaa290cc59f5af8693a55bead 100644 (file)
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -1962,14 +1962,17 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
        if (!W_ERROR_IS_OK(werr)) {
                return werr;
        }
-       if (is_secret_request && req10->extended_op != DRSUAPI_EXOP_REPL_SECRET) {
+       if (is_secret_request) {
                werr = drs_security_access_check_nc_root(b_state->sam_ctx,
                                                         mem_ctx,
                                                         dce_call->conn->auth_state.session_info->security_token,
                                                         req10->naming_context,
                                                         GUID_DRS_GET_ALL_CHANGES);
                if (!W_ERROR_IS_OK(werr)) {
-                       return werr;
+                       /* Only bail if this is not a EXOP_REPL_SECRET */
+                       if (req10->extended_op != DRSUAPI_EXOP_REPL_SECRET) {
+                               return werr;
+                       }
                } else {
                        has_get_all_changes = true;
                }