s4: Handle DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING in getncchanges
authorAnatoliy Atanasov <anatoliy.atanasov@postpath.com>
Wed, 23 Sep 2009 23:51:55 +0000 (16:51 -0700)
committerAnatoliy Atanasov <anatoliy.atanasov@postpath.com>
Thu, 24 Sep 2009 00:10:27 +0000 (17:10 -0700)
When this flag is specified in the request, the following attributes are treated as
secret: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing,
lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials,
trustAuthIncoming, trustAuthOutgoing, unicodePwd.
Their value is set to NULL and meta_data.originating_change_time to 0.

source4/rpc_server/drsuapi/dcesrv_drsuapi.h
source4/rpc_server/drsuapi/drsutil.c
source4/rpc_server/drsuapi/getncchanges.c

index 40978629fae8d7deae623fcb50bd45e63920346c..b8765cb17851e12bfd562c6dec4e4fc9b03b9d77 100644 (file)
@@ -59,3 +59,6 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 
 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
                                const char* call);
+
+void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
+                                     struct drsuapi_DsReplicaMetaData *meta_data);
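Review bot: The new prototype for drsuapi_process_secret_attribute carries no comment, so a reader of the header cannot tell that the function both frees the attribute's values and resets meta_data->originating_change_time. A short doc comment above the declaration would make the contract visible to callers, e.g. `/* If attr is one of the secret attributes (password hashes, trust/initial auth blobs, supplementalCredentials), free its values and leave it with num_values == 0 and meta_data->originating_change_time == 0; any other attribute is left untouched. */`. It would also be worth stating there that meta_data must be non-NULL, since the body dereferences it without a check.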
index c78ebdd5fe177fc0822b72e04e1b37bbb1943951..9aef3172b9d55bc770f7895c93a459016638e230 100644 (file)
@@ -52,7 +52,6 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
                                    const char *sort_attrib,
                                    const char *filter)
 {
-       va_list ap;
        int ret;
        struct ldb_request *req;
        TALLOC_CTX *tmp_ctx;
@@ -134,3 +133,34 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char*
 
        return WERR_OK;
 }
+
+void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
+                                     struct drsuapi_DsReplicaMetaData *meta_data)
+{
+       if (attr->value_ctr.num_values == 0) {
+               return;
+       }
+
+       switch (attr->attid) {
+       case DRSUAPI_ATTRIBUTE_dBCSPwd:
+       case DRSUAPI_ATTRIBUTE_unicodePwd:
+       case DRSUAPI_ATTRIBUTE_ntPwdHistory:
+       case DRSUAPI_ATTRIBUTE_lmPwdHistory:
+       case DRSUAPI_ATTRIBUTE_supplementalCredentials:
+       case DRSUAPI_ATTRIBUTE_priorValue:
+       case DRSUAPI_ATTRIBUTE_currentValue:
+       case DRSUAPI_ATTRIBUTE_trustAuthOutgoing:
+       case DRSUAPI_ATTRIBUTE_trustAuthIncoming:
+       case DRSUAPI_ATTRIBUTE_initialAuthOutgoing:
+       case DRSUAPI_ATTRIBUTE_initialAuthIncoming:
+               /*set value to null*/
+               attr->value_ctr.num_values = 0;
+               talloc_free(attr->value_ctr.values);
+               attr->value_ctr.values = NULL;
+               meta_data->originating_change_time = 0;
+               return;
+       default:
+               return;
+       }
+       return;
+}
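Review bot: The `return;` after the switch on the last line of drsuapi_process_secret_attribute is unreachable, because every case and the default already return; replacing the `return;` in the secret case with `break;` and keeping a single exit at the end would make the flow clearer. The `talloc_free(attr->value_ctr.values)` releases the value array but does not zero it, so the stripped password hashes stay in freed heap memory until it is reused; if that matters for this process, the values should be wiped before being freed, and a comment on that line should say which choice was made. The `/*set value to null*/` comment could also note that the attribute is deliberately still sent, only with num_values == 0 and originating_change_time == 0, so nobody later "fixes" it by removing the attribute from the list. Finally, meta_data is dereferenced unconditionally; the only caller in this commit passes `&obj->meta_data_ctr->meta_data[i]`, which presumes meta_data_ctr is already allocated for every object — a one-line precondition comment would make that explicit.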
index 75f62139630c6434225d2ae7b3ea7480c8af6683..a9c4b451c246dfbc607ac638e4e9df244c95e88b 100644 (file)
@@ -41,7 +41,8 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
                                          struct ldb_dn *ncRoot_dn,
                                          struct dsdb_schema *schema,
                                          DATA_BLOB *session_key,
-                                         uint64_t highest_usn)
+                                         uint64_t highest_usn,
+                                         uint32_t replica_flags)
 {
        const struct ldb_val *md_value;
        int i, n;
@@ -182,7 +183,15 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
                                         sa->lDAPDisplayName, win_errstr(werr)));
                                return werr;
                        }
-
+                       /* if DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING is set
+                        * check if attribute is secret and send a null value
+                        * TODO: check if we can make this in the database layer
+                        */
+                       if ((replica_flags & DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING)
+                           == DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING) {
+                               drsuapi_process_secret_attribute(&obj->object.attribute_ctr.attributes[i],
+                                                                &obj->meta_data_ctr->meta_data[i]);
+                       }
                        /* some attributes needs to be encrypted
                           before being sent */
                        werr = drsuapi_encrypt_attribute(obj, session_key, rid, 
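Review bot: Secret stripping here is gated solely on replica_flags, which the call site in the last hunk takes verbatim from `r->in.req->req8.replica_flags`, i.e. from the client, so whether password material leaves this server is decided by the requester rather than by the server's view of what the requester is entitled to. If any caller that is not allowed full replication can reach get_nc_changes_build_object, the server should force secret processing itself (for instance by OR-ing the flag in right after the access check in DsGetNCChanges, which lies outside these hunks) instead of honouring the request flag alone; I cannot see that check from here, so this may already be covered. Stylistically, if DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING is a single-bit flag as its name suggests, the `(flags & F) == F` form reads more simply as `if (replica_flags & DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING) {`. The loop body and get_nc_changes_build_object itself continue outside the hunk, and the stripped attribute is passed straight on to drsuapi_encrypt_attribute, so it is worth confirming that helper handles num_values == 0 cleanly.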
@@ -436,7 +445,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
                }
 
                werr = get_nc_changes_build_object(obj, site_res->msgs[i], sam_ctx, ncRoot_dn, 
-                                                  schema, &session_key, r->in.req->req8.highwatermark.highest_usn);
+                                                  schema, &session_key, r->in.req->req8.highwatermark.highest_usn, r->in.req->req8.replica_flags);
                if (!W_ERROR_IS_OK(werr)) {
                        return werr;
                }