s4-gmsa: Do not attempt password set on remote LDAP connections
authorAndrew Bartlett <abartlet@samba.org>
Tue, 5 Mar 2024 03:18:34 +0000 (16:18 +1300)
committerJo Sutton <jsutton@samba.org>
Sun, 21 Apr 2024 22:10:36 +0000 (22:10 +0000)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
source4/dsdb/gmsa/util.c
source4/dsdb/samdb/ldb_modules/samba_dsdb.c

index b33626557a883d00103848770aeefb0cc657395b..08e4045a1717e9562e16e04a65a09721ae22ad07 100644 (file)
@@ -1637,6 +1637,22 @@ int dsdb_update_gmsa_keys(struct ldb_context *ldb,
        NTTIME current_time;
        bool am_rodc = true;
 
+       /*
+        * This is non-zero if we are local to the sam.ldb, this is an
+        * opaque set by the samba_dsdb module
+        */
+       void *samba_dsdb_opaque = ldb_get_opaque(
+               ldb, DSDB_OPAQUE_PARTITION_MODULE_MSG_OPAQUE_NAME);
+
+       if (samba_dsdb_opaque == NULL) {
+               /*
+                * We are not connected locally, so no point trying to
+                * set passwords
+                */
+               *retry_out = false;
+               return LDB_SUCCESS;
+       }
+
        {
                /* Calculate the current time, as reckoned for gMSAs. */
                bool ok = dsdb_gmsa_current_time(ldb, &current_time);
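Review bot: The comment above the new `ldb_get_opaque()` call says the opaque is "non-zero" when local, but `samba_dsdb_opaque` is a `void *` and the test at `if (samba_dsdb_opaque == NULL)` is a pointer check, so the comment should say non-NULL and name what sets it: `/* Non-NULL only when this ldb is the local sam.ldb stack: samba_dsdb_init() sets it; a remote LDAP connection never does. */`. The early return also introduces a silent no-op path (`*retry_out = false; return LDB_SUCCESS;`), and dsdb_update_gmsa_keys's documentation should state that over a remote connection the function succeeds without updating any keys so callers do not mistake success for a completed rotation; whether `retry_out` may ever be NULL is not visible in the hunk, so that assumption should be confirmed against callers. The same "non-zero" wording point applies to the second hunk's comment in samba_dsdb_init, which could likewise name dsdb_update_gmsa_keys as the consumer. The body of dsdb_update_gmsa_keys begins and ends outside this hunk.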
index 37213a5febc8742d19e126d8593ded4854402e0f..e494ca85f97659feacf5b9147229a07c26fb48b5 100644 (file)
@@ -452,6 +452,7 @@ static int samba_dsdb_init(struct ldb_module *module)
                                   NULL, backend_modules);
        CHECK_LDB_RET(ret);
 
+       /* This opaque is also used by the gMSA code to confirm that it has local DB access */
        ret = ldb_set_opaque(ldb, DSDB_OPAQUE_PARTITION_MODULE_MSG_OPAQUE_NAME, partition_msg);
        CHECK_LDB_RET(ret);