if (samdb_result_dn(sam_ctx, frame,
obj_msg, "msDS-KrbTgtLinkBL", NULL)) {
TALLOC_FREE(frame);
+ DBG_INFO("Denied attempt to replicate to/act as a RODC krbtgt trust account %s using RODC: %s\n",
+ ldb_dn_get_linearized(obj_msg->dn),
+ ldb_dn_get_linearized(rodc_msg->dn));
return WERR_DS_DRA_SECRETS_DENIED;
}
if (ldb_msg_find_attr_as_uint(obj_msg,
"userAccountControl", 0) &
UF_INTERDOMAIN_TRUST_ACCOUNT) {
+ DBG_INFO("Denied attempt to replicate to/act as a inter-domain trust account %s using RODC: %s\n",
+ ldb_dn_get_linearized(obj_msg->dn),
+ ldb_dn_get_linearized(rodc_msg->dn));
TALLOC_FREE(frame);
return WERR_DS_DRA_SECRETS_DENIED;
}
0);
if ((rodc_uac & UF_PARTIAL_SECRETS_ACCOUNT)
!= UF_PARTIAL_SECRETS_ACCOUNT) {
- TALLOC_FREE(frame);
DBG_ERR("Attempt to use an RODC account that is not an RODC: %s\n",
ldb_dn_get_linearized(rodc_msg->dn));
+ TALLOC_FREE(frame);
return WERR_DS_DRA_SECRETS_DENIED;
}
&num_never_reveal_sids,
&never_reveal_sids);
if (!W_ERROR_IS_OK(werr)) {
+ DBG_ERR("Failed to parse msDS-NeverRevealGroup on %s: %s\n",
+ ldb_dn_get_linearized(rodc_msg->dn),
+ win_errstr(werr));
TALLOC_FREE(frame);
return WERR_DS_DRA_SECRETS_DENIED;
}
&num_reveal_sids,
&reveal_sids);
if (!W_ERROR_IS_OK(werr)) {
+ DBG_ERR("Failed to parse msDS-RevealOnDemandGroup on %s: %s\n",
+ ldb_dn_get_linearized(rodc_msg->dn),
+ win_errstr(werr));
TALLOC_FREE(frame);
return WERR_DS_DRA_SECRETS_DENIED;
}
&token_sids,
object_sid, 1);
if (!W_ERROR_IS_OK(werr) || token_sids==NULL) {
+ DBG_ERR("Failed to get tokenGroups on %s to confirm access via RODC %s: %s\n",
+ ldb_dn_get_linearized(obj_msg->dn),
+ ldb_dn_get_linearized(rodc_msg->dn),
+ win_errstr(werr));
return WERR_DS_DRA_SECRETS_DENIED;
}