This is similar to ctdbd_unregister_ips(), but with the
difference that ctdb keeps the 'tickle' information for
the tcp connection alive, because another smbd process
took care of that tcp connection in a multichannel scenario.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 2e784789d78d09dfbc599085e5eb1c70c5b866b8)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit f3a03f3f774f0795fc1a163f12cccb9cedeebec1)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 77a559432ffde2d435e29bed126d20a09d33f48e)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 240139370aa19f53dd3de0ff468afd994d3bd973)
With multichannel a tcp connection is registered first with
a temporary smbd process, that calls CTDB_CONTROL_TCP_CLIENT
first and then passes the tcp connection to the longterm smbd
that already handles all connections belonging to the specific
client_guid. That smbd process calls CTDB_CONTROL_TCP_CLIENT
again, but the 'tickle' information is already there.
When the temporary smbd process exists/disconnects from ctdb
or calls CTDB_CONTROL_TCP_CLIENT_DISCONNECTED, the 'tickle'
information is removed, while the longterm smbd process
still serves the tcp connection.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 037e8e449deb136ad5ed5e4de05439411b545b6d)
With multichannel a ctdb connection from smbd may hold multiple
tcp connections, which can be disconnected before the smbd
process terminates the whole ctdb connection, so we a
way to remove undo 'CTDB_CONTROL_TCP_CLIENT' again.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit c6602b686b4e50d93272667ef86d3904181fb1ab)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 8395fd369d3c9d216817e922423727748581f133)
ctdb: make use of ctdb_canonicalize_ip_inplace() in ctdb_control_tcp_client()
We could also remove the src_addr and dest_addr helper variables
completely, but that would be too much for this commit.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 5f52d140f7b676ed68b5ce49d4445357bcbcb1a6)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit f2d9c012fc803b48564c3203ed640c02f99bcbaa)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 92badd3bdd82d1fa79727efcf81b6f479016811f)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f2f7ed419e03e5ae8cc85f42af5b2bcf91abefe2)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Tue Dec 12 10:01:36 UTC 2023 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5b38f3be8cb986aa2db3aab5c3c3d2e8739893ce)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a7622bc7db093558c6f6e3da4d2a899a764dec09)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1041dae03f0f7e9e2b6b4a649eb1d298a34ce699)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ab4b25964a43a1ef550f10580ad395e178fe647e)
Time to fix the smget share to not have `guest ok = yes` set. A new
[smbget_guest] will be used for guest only tests. This way we can
correctly test different authentication mechanisms.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c46769f3f10d21ed802e17aa79ae17e345168e63)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1a04fd255c2c94e01bda9840bfd6b372007bb3c7)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 468fb05d6357779228e411076e286abcdb70cf96)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 62b0b79ce065246417996dec61afa6a10f6ab99b)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 337034e675aaeb366d360a791ec0d003426230af)
selftest: Add DOMAIN_ADMIN and DOMAIN_USER variables
We should start using those in future. So we can distinguish which
privileges we want. Currently DC_USERNAME is the Administrator. Whatever
possible should use DOMIAN_USER instead.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 56d0c3a0263ed166452c129219e7a391ba4d014c)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a2af6946f5e53b7d954aa54d3d115dbe4975b1c4)
s3:tests: Fix authentication with smbget_user in smbget tests
Currently the smget share is broken. We set `guest ok = yes` so if you
specify invalid names, the authentication will still succeed as we
are mapped to guest.
The smbget_user is a local ad_member user. We need to set the
workstation as the "domain" for the user.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c14c5dec09fe1c86b29b3091ad521e73a2e1c3e9)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 763b2efe69dc74e1c0cd954607031012f832486d)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e5fe856e76eba26e3b85a391bcea02dfe045c26e)
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 27 21:19:35 UTC 2023 on atb-devel-224
Shachar Sharon [Thu, 16 Nov 2023 09:57:02 +0000 (11:57 +0200)]
vfs_ceph: call 'ceph_fgetxattr' only if valid fd
Align getxattr logic with the rest of xattr hooks: call ceph_fgetxattr
with appropriate io-fd when 'is_pathref' is false; otherwise, call
ceph_getxattr.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 00034d022896f879bf91bb78eb9e2972162c99ce)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Tue Dec 5 11:04:17 UTC 2023 on atb-devel-224
s3:auth: Remove trailing white spaces from auth_util.c
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8f496161463f110e494201303b96dd14ab3774cd)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit ad0c0dd071401d98f0b7f595efbdf5312a165ab4)
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Sep 5 22:11:46 UTC 2023 on atb-devel-224
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e92e4b9544231c15eaf0bdbba4505345cd0f6ab5)
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c14a4f51443f67bc46a670a342eed8cb9e81f37d)
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b2399b6994c89404f245e1a97ba1c1cf13d7fc86)
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4a1f2071a6028a761bbe7efee20e9654851b51f0)
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a8bd8f22aac2c223e85e318dba7af8b64052b053)
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7cabbec2eaf5aefd3751c635c12556eca590f506)
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 532701e3cce9d15e95166ee7c24cd1e4af51fcc4)
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 740e704bd68a6b618b62336ba1583c0edeb82d6f)
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bdab834dfad55776155915f7ec410b5a192406fa)
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e4afb211fe32f2aa92cc903df948874046f60305)
Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Wed Nov 15 19:55:07 UTC 2023 on atb-devel-224
vfs_gpfs: Move vfs_gpfs_fstatat to nfs4_acls.c and rename function
All stat DAC_CAP_OVERRIDE code is being moved to nfs4_acls.c to allow
reuse. Move the vfs_gpfs_fstatat function and rename it to the more
generic name nfs4_acl_fstat.
vfs_gpfs: Move vfs_gpfs_lstat to nfs4_acls.c and rename function
All stat CAP_DAC_OVERRIDE code is being moved to nf4_acls.c to allow
reuse. Move the vfs_gpfs_lstat function and rename to the more generic
name nfs4_acl_lstat.
vfs_gpfs: Move vfs_gpfs_fstat to nfs4_acls.c and rename function
All stat DAC_CAP_OVERRIDE code is moving to nfs4_acls.c to allow reuse.
Move the vfs_gpfs_fstat function and rename to the more generic name
nfs4_acl_fstat.
vfs_gpfs: Move vfs_gpfs_stat to nfs4_acls.c and rename function
All stat DAC_CAP_OVERRIDE code is moving to nfs4_acls.c to allow reuse
by other file system modules. Also rename the function to the more
generic name nfs4_acl_stat.
vfs_gpfs: Move stat_with_capability to nfs4_acls.c and rename function
All stat CAP_DAC_OVERRIDE code is moving to nfs4_acls.c to allow reuse
by other filesystem modules. Also rename the function to the slightly
more precise name stat_with_cap_dac_overide.
AT_EMTPY_PATH does not exist on AIX. Address this by implementing an
override for fstat. Implement the new override function in nfs4_acls.c
since all stat functions with DAC_CAP_OVERRIDE will be moved there to
allow reuse by other filesystems.
Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Nov 8 18:42:13 UTC 2023 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 938afb8b28973b0065cc3509b70ebe3f6986de47)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Tue Nov 21 11:15:30 UTC 2023 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 362b0d69b16c5bbcd0ff7dd7ba12e1ac037a6b3d)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c290052fd28bbfa5b885119f322cb0718073e507)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9621a3d7a6949aa833425884cd22379387738cfa)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f337fd995024283f6e1b3f8ec1cc2b3aeb55a2a6)
Ralph Boehme [Thu, 16 Nov 2023 09:50:32 +0000 (10:50 +0100)]
smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor()
VFS modules like streams_xattr use the function fsp_is_alternate_stream() on the
fsp to determine in an fsp is a stream, eg in streams_xattr_close(). If
fspo->base_fsp is arlready set to NULL, this won't work anymore.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 16 18:31:17 UTC 2023 on atb-devel-224
Douglas Bagnall [Wed, 15 Nov 2023 00:03:27 +0000 (13:03 +1300)]
pytests: sid_strings: do not fail if epoch ending has zeros
To avoid collisions in random OID strings, we started using the epoch
date modulus 100 million. The trouble is we did not strip out the
leading zeros, so the field might be '00000123' when it should be
'123', if the date happened not to correspond to an epoch with a zero
in the eighth to last place. This has been the case for most of the
last 1041 days, but fortunately the bug was only introduced earlier
this year.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
(cherry picked from commit 426ca4cf4b667aae03f0344cee449e972de90ac7)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Mon Nov 20 10:00:15 UTC 2023 on atb-devel-224
Ralph Boehme [Wed, 20 Sep 2023 21:21:44 +0000 (14:21 -0700)]
s3: smbd: Ignore fstat() error on deleted stream in fd_close().
In the fd_close() fsp->fsp_flags.fstat_before_close code path.
If this is a stream and delete-on-close was set, the
backing object (an xattr from streams_xattr) might
already be deleted so fstat() fails with
NT_STATUS_NOT_FOUND. So if fsp refers to a stream we
ignore the error and only bail for normal files where
an fstat() should still work. NB. We cannot use
fsp_is_alternate_stream(fsp) for this as the base_fsp
has already been closed at this point and so the value
fsp_is_alternate_stream() checks for is already NULL.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Oct 10 09:39:27 UTC 2023 on atb-devel-224
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224
This allows HDB backends to do special handling for
User2User TGS-REQs. The main reason is to let
the HDB_F_GET_SERVER lookup to succeed even for
non-computer accounts. In Samba these are typically
not returned in HDB_F_GET_SERVER in order to avoid
generating tickets with the user password.
But for User2User the account password is not used,
so it is safe to return the server entry.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Adapted to be an import from lorikeet-heimdal as requested]
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 21bb84ed1c30b863b4ef17fcebdd79f147142b9f)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Mon Oct 23 09:43:03 UTC 2023 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Wed Oct 18 15:47:09 UTC 2023 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5f7a834effea56d683f76a801924c7125385e534)
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 6063f3ee733348855d6b144091bbdbbe6862494c)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 70586061128f90afa33f25e104d4570a1cf778db)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 498542be0bbf4f26558573c1f87b77b8e3509371)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0c329a0fda37d87ed737e4b579b6d04ec907604c)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3be190dcf7153e479383f7f3d29ddca43fe121b8)
The issue here is that only the size of the pointer, not the size
of the struture was allocated with calloc().
This means that the malloc() for the freshness token bytes would
have the memory address written beyond the end of the allocated memory.
Additionally, the allocation was not free()ed, resulting in a memory
leak. This means that a user could trigger ongoing memory allocation
in the server.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3280893ae80507e36653a0c7da03c82b88ece30b)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Mon Oct 16 08:28:32 UTC 2023 on atb-devel-224
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Sep 21 00:46:50 UTC 2023 on atb-devel-224
Andrew Bartlett [Tue, 12 Sep 2023 00:28:49 +0000 (12:28 +1200)]
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.
Most critically of course this applies to netlogon, lsa and samr.
This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.
Andrew Bartlett [Tue, 12 Sep 2023 07:01:03 +0000 (19:01 +1200)]
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
The rpcecho server in source3 does have samba the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact. Hoever equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.
Andrew Bartlett [Tue, 12 Sep 2023 06:59:44 +0000 (18:59 +1200)]
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.
Andrew Bartlett [Tue, 8 Aug 2023 05:58:27 +0000 (17:58 +1200)]
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.
Having a second access control system withing the LDAP stack is unsafe
and this layer is incomplete.
The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access. Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).
Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.
The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.
The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.
Andrew Bartlett [Tue, 8 Aug 2023 02:30:19 +0000 (14:30 +1200)]
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication. Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.
projects / thirdparty / samba.git / log
