From: Garming Sam <garming@catalyst.net.nz>
Date: Wed, 8 Mar 2017 04:12:27 +0000 (+1300)
Subject: getncchanges: Let security of RWDC+ manually replicate secrets to RODCs
X-Git-Tag: tdb-1.3.13~496
X-Git-Url: http://git.samba.org/samba.git/?p=nivanova%2Fsamba-autobuild%2F.git;a=commitdiff_plain;h=c91c237963a8410732fe5dfb829dd14a0bb2f3c3

getncchanges: Let security of RWDC+ manually replicate secrets to RODCs

This correctly passes has_get_all_changes through to repl_secrets.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
---

diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 6fbebd51fc4..efad0c9aa5e 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -1962,14 +1962,17 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 	if (!W_ERROR_IS_OK(werr)) {
 		return werr;
 	}
-	if (is_secret_request && req10->extended_op != DRSUAPI_EXOP_REPL_SECRET) {
+	if (is_secret_request) {
 		werr = drs_security_access_check_nc_root(b_state->sam_ctx,
 							 mem_ctx,
 							 dce_call->conn->auth_state.session_info->security_token,
 							 req10->naming_context,
 							 GUID_DRS_GET_ALL_CHANGES);
 		if (!W_ERROR_IS_OK(werr)) {
-			return werr;
+			/* Only bail if this is not a EXOP_REPL_SECRET */
+			if (req10->extended_op != DRSUAPI_EXOP_REPL_SECRET) {
+				return werr;
+			}
 		} else {
 			has_get_all_changes = true;
 		}