s4-rodc: RODC should not accept requests for role transfer
author: Nadezhda Ivanova <nivanova@samba.org>
Wed, 29 Sep 2010 02:35:56 +0000 (19:35 -0700)
committer: Nadezhda Ivanova <nivanova@sn-devel-104.sn.samba.org>
Wed, 29 Sep 2010 03:09:15 +0000 (03:09 +0000)
A RODC cannot assume a role, and unwillingToPerform must be
returned if such a request is sent via LDAP.

source4/dsdb/samdb/ldb_modules/rootdse.c

index 4f0b11b0ab43e7c22765be25097f60bbb88a953e..6c2a1e630d6e695d523080ffd41c131de024c3f6 100644 (file)
@@ -1059,7 +1059,19 @@ static int rootdse_become_master(struct ldb_module *module,
        struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
        NTSTATUS status_call;
        WERROR status_fn;
+       bool am_rodc;
        struct dcerpc_binding_handle *irpc_handle;
+       int ret;
+
+       ret = samdb_rodc(ldb, &am_rodc);
+       if (ret != LDB_SUCCESS) {
+               return ldb_error(ldb, ret, "Could not determine if server is RODC.");
+       }
+
+       if (am_rodc) {
+               return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
+                                "RODC cannot become a role master.");
+       }
 
        msg = messaging_client_init(tmp_ctx, lpcfg_messaging_path(tmp_ctx, lp_ctx),
                                    ldb_get_event_context(ldb));
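Review bot: The two new early returns (`return ldb_error(ldb, ret, ...)` and `return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, ...)`) leave the function before the cleanup path that the rest of `rootdse_become_master` presumably runs for `tmp_ctx`, which the unchanged context line below already passes to `messaging_client_init`; if `tmp_ctx` is allocated in the declaration block above this hunk, either `talloc_free(tmp_ctx)` before each return or move the RODC check ahead of that allocation so nothing needs releasing. Placing the check before `messaging_client_init` is the right ordering otherwise, since an RODC then never sets up the IRPC path for a role-transfer it must refuse, and `LDB_ERR_UNWILLING_TO_PERFORM` matches the unwillingToPerform result the commit message calls for; a one-line comment above `samdb_rodc` stating that an RODC can never hold a FSMO role would make the intent obvious to the next reader.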