From 12c7373e943dde864383455858d151d6e5f3c85d Mon Sep 17 00:00:00 2001
From: Garming Sam
Date: Thu, 23 Mar 2017 16:04:04 +1300
Subject: [PATCH] auth/sam: Remove lastLogonTimestamp from RODC success accounting

This is because it cannot be updated here (only SendToSAM) and prevents RODC from resetting the badPwdCount (as well as lockoutTime, which needs to be fixed to allow RODC local modification).

Signed-off-by: Garming Sam
Reviewed-by: Andrew Bartlett
---
 source4/auth/sam.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 759585ef49c..7df23d55d80 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -831,6 +831,7 @@ NTSTATUS authsam_logon_success_accounting(struct ldb_context *sam_ctx,
 struct timeval tv_now;
 NTTIME now;
 NTTIME lastLogonTimestamp;
+ bool am_rodc = false;
 
 mem_ctx = talloc_new(msg);
 if (mem_ctx == NULL) {
@@ -902,11 +903,20 @@ NTSTATUS authsam_logon_success_accounting(struct ldb_context *sam_ctx,
 }
 }
 
- status = authsam_update_lastlogon_timestamp(sam_ctx, msg_mod, domain_dn,
- lastLogonTimestamp, now);
- if (!NT_STATUS_IS_OK(status)) {
+ ret = samdb_rodc(sam_ctx, &am_rodc);
+ if (ret != LDB_SUCCESS) {
 TALLOC_FREE(mem_ctx);
- return NT_STATUS_NO_MEMORY;
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (!am_rodc) {
+ /* TODO Perform the (async) SendToSAM calls for MS-SAMS */
+ status = authsam_update_lastlogon_timestamp(sam_ctx, msg_mod, domain_dn,
+ lastLogonTimestamp, now);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
 }
 
 if (msg_mod->num_elements > 0) {
-- 
2.34.1
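Review bot: The `/* TODO Perform the (async) SendToSAM calls for MS-SAMS */` comment in the second hunk sits inside the `if (!am_rodc)` branch, i.e. the case where the local `authsam_update_lastlogon_timestamp()` write already happens, whereas the commit message says it is the RODC that cannot update lastLogonTimestamp locally and needs SendToSAM; if that is the intent, the TODO belongs on an `else` branch for the RODC case, e.g. `} else { /* TODO: an RODC cannot write lastLogonTimestamp locally; forward it via (async) SendToSAM [MS-SAMS] */ }`, so the attribute silently going stale on RODCs is visible where it happens. Separately, the re-added failure path still returns `NT_STATUS_NO_MEMORY` for any non-OK `status` from `authsam_update_lastlogon_timestamp()`, which masks the real error; `return status;` would be more faithful unless that helper is known to fail only on allocation. `ret` is not declared in either hunk, so it is presumably an existing local of the function. authsam_logon_success_accounting() starts before and ends after these hunks.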