From eadd28233d8df31cddc5c8dd888b768f3ac19730 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Fri, 1 Oct 2010 19:07:01 -0700
Subject: [PATCH] s4-repl: use the GC principal name for DRS replication
 connection

this is required when talking to RODCs (for notify calls), and is good
practice for all DCs

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
---
 source4/dsdb/repl/drepl_notify.c     | 16 ++++---
 source4/dsdb/repl/drepl_partitions.c | 62 ++++++++++++++++++++++++++++
 source4/dsdb/repl/drepl_service.h    |  4 ++
 3 files changed, 76 insertions(+), 6 deletions(-)

diff --git a/source4/dsdb/repl/drepl_notify.c b/source4/dsdb/repl/drepl_notify.c
index 6b8190173e..5d4ed6a59b 100644
--- a/source4/dsdb/repl/drepl_notify.c
+++ b/source4/dsdb/repl/drepl_notify.c
@@ -292,7 +292,8 @@ static WERROR dreplsrv_schedule_notify_sync(struct dreplsrv_service *service,
 					    struct repsFromToBlob *reps,
 					    TALLOC_CTX *mem_ctx,
 					    uint64_t uSN,
-					    bool is_urgent)
+					    bool is_urgent,
+					    uint32_t replica_flags)
 {
 	struct dreplsrv_notify_operation *op;
 	struct dreplsrv_partition_source_dsa *s;
@@ -307,10 +308,11 @@ static WERROR dreplsrv_schedule_notify_sync(struct dreplsrv_service *service,
 	op = talloc_zero(mem_ctx, struct dreplsrv_notify_operation);
 	W_ERROR_HAVE_NO_MEMORY(op);
 
-	op->service	= service;
-	op->source_dsa	= s;
-	op->uSN         = uSN;
-	op->is_urgent	= is_urgent;
+	op->service	  = service;
+	op->source_dsa	  = s;
+	op->uSN           = uSN;
+	op->is_urgent	  = is_urgent;
+	op->replica_flags = replica_flags;
 
 	DLIST_ADD_END(service->ops.notifies, op, struct dreplsrv_notify_operation *);
 	talloc_steal(service, op);
@@ -350,7 +352,9 @@ static WERROR dreplsrv_notify_check(struct dreplsrv_service *s,
 	/* see if any of our partners need some of our objects */
 	for (i=0; i<count; i++) {
 		struct dreplsrv_partition_source_dsa *sdsa;
+		uint32_t replica_flags;
 		sdsa = dreplsrv_find_source_dsa(p, &reps[i].ctr.ctr1.source_dsa_obj_guid);
+		replica_flags = reps[i].ctr.ctr1.replica_flags;
 		if (sdsa == NULL) continue;
 		if (sdsa->notify_uSN < uSNHighest) {
 			/* we need to tell this partner to replicate
@@ -359,7 +363,7 @@ static WERROR dreplsrv_notify_check(struct dreplsrv_service *s,
 
 			/* check if urgent replication is needed */
 			werr = dreplsrv_schedule_notify_sync(s, p, &reps[i], mem_ctx,
-							     uSNHighest, is_urgent);
+							     uSNHighest, is_urgent, replica_flags);
 			if (!W_ERROR_IS_OK(werr)) {
 				DEBUG(0,(__location__ ": Failed to setup notify to %s for %s\n",
 					 reps[i].ctr.ctr1.other_info->dns_name,
diff --git a/source4/dsdb/repl/drepl_partitions.c b/source4/dsdb/repl/drepl_partitions.c
index 1e787c122a..fd0ffd954a 100644
--- a/source4/dsdb/repl/drepl_partitions.c
+++ b/source4/dsdb/repl/drepl_partitions.c
@@ -94,6 +94,61 @@ WERROR dreplsrv_load_partitions(struct dreplsrv_service *s)
 	return WERR_OK;
 }
 
+/*
+  work out the principal to use for DRS replication connections
+ */
+NTSTATUS dreplsrv_get_target_principal(struct dreplsrv_service *s,
+				       TALLOC_CTX *mem_ctx,
+				       const struct repsFromTo1 *rft,
+				       const char **target_principal)
+{
+	TALLOC_CTX *tmp_ctx;
+	struct ldb_result *res;
+	const char *attrs[] = { "dNSHostName", NULL };
+	int ret;
+	const char *hostname;
+	struct ldb_dn *dn;
+
+	*target_principal = NULL;
+
+	tmp_ctx = talloc_new(mem_ctx);
+
+	/* we need to find their hostname */
+	ret = dsdb_find_dn_by_guid(s->samdb, tmp_ctx, &rft->source_dsa_obj_guid, &dn);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(tmp_ctx);
+		/* its OK for their NTDSDSA DN not to be in our database */
+		return NT_STATUS_OK;
+	}
+
+	/* strip off the NTDS Settings */
+	if (!ldb_dn_remove_child_components(dn, 1)) {
+		talloc_free(tmp_ctx);
+		return NT_STATUS_OK;
+	}
+
+	ret = dsdb_search_dn(s->samdb, tmp_ctx, &res, dn, attrs, 0);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(tmp_ctx);
+		/* its OK for their account DN not to be in our database */
+		return NT_STATUS_OK;
+	}
+
+	hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
+	if (hostname == NULL) {
+		talloc_free(tmp_ctx);
+		/* its OK to not have a dnshostname */
+		return NT_STATUS_OK;
+	}
+
+	*target_principal = talloc_asprintf(mem_ctx, "GC/%s/%s",
+					    hostname,
+					    lpcfg_dnsdomain(s->task->lp_ctx));
+	talloc_free(tmp_ctx);
+	return NT_STATUS_OK;
+}
+
+
 WERROR dreplsrv_out_connection_attach(struct dreplsrv_service *s,
 				      const struct repsFromTo1 *rft,
 				      struct dreplsrv_out_connection **_conn)
@@ -136,6 +191,13 @@ WERROR dreplsrv_out_connection_attach(struct dreplsrv_service *s,
 			return ntstatus_to_werror(nt_status);
 		}
 
+		/* use the GC principal for DRS replication */
+		nt_status = dreplsrv_get_target_principal(s, conn->binding,
+							  rft, &conn->binding->target_principal);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			return ntstatus_to_werror(nt_status);
+		}
+
 		DLIST_ADD_END(s->connections, conn, struct dreplsrv_out_connection *);
 
 		DEBUG(2,("dreplsrv_out_connection_attach(%s): create\n", conn->binding->host));
diff --git a/source4/dsdb/repl/drepl_service.h b/source4/dsdb/repl/drepl_service.h
index 7aeb7633b1..ba1f1950ef 100644
--- a/source4/dsdb/repl/drepl_service.h
+++ b/source4/dsdb/repl/drepl_service.h
@@ -52,6 +52,9 @@ struct dreplsrv_out_connection {
 
 	/* the out going connection to the source dsa */
 	struct dreplsrv_drsuapi_connection *drsuapi;
+
+	/* used to force the GC principal name */
+	const char *principal_name;
 };
 
 struct dreplsrv_partition_source_dsa {
@@ -130,6 +133,7 @@ struct dreplsrv_notify_operation {
 
 	struct dreplsrv_partition_source_dsa *source_dsa;
 	bool is_urgent;
+	uint32_t replica_flags;
 };
 
 struct dreplsrv_service {
-- 
2.34.1