From: Garming Sam Date: Wed, 16 Nov 2016 01:44:40 +0000 (+1300) Subject: repl: Set GET_ALL_GROUP_MEMBERSHIP flag in the drepl server X-Git-Tag: ldb-1.1.31~62 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e244ba4a8f8dea571df6abb96324cb696af67450;p=thirdparty%2Fsamba.git repl: Set GET_ALL_GROUP_MEMBERSHIP flag in the drepl server Although we do not currently support this in the server, this will cause data loss against a Windows DC unless we set this flag as per the docs. This flag is required for the RODC. Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett Autobuild-User(master): Garming Sam Autobuild-Date(master): Thu Jun 15 05:31:59 CEST 2017 on sn-devel-144
---
diff --git a/python/samba/kcc/__init__.py b/python/samba/kcc/__init__.py
index ad322a5c542..f775a11b264 100644
--- a/python/samba/kcc/__init__.py
+++ b/python/samba/kcc/__init__.py
@@ -909,7 +909,6 @@ class KCC(object):
 drsuapi.DRSUAPI_DRS_PER_SYNC |
 drsuapi.DRSUAPI_DRS_ADD_REF |
 drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING |
- drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP |
 drsuapi.DRSUAPI_DRS_NONGC_RO_REP)
 if t_repsFrom.replica_flags != replica_flags:
 t_repsFrom.replica_flags = replica_flags
diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c
index 8c4b70a1c94..fa19ba7efc5 100644
--- a/source4/dsdb/kcc/kcc_periodic.c
+++ b/source4/dsdb/kcc/kcc_periodic.c
@@ -178,7 +178,6 @@ uint32_t kccsrv_replica_flags(struct kccsrv_service *s)
 DRSUAPI_DRS_PER_SYNC |
 DRSUAPI_DRS_ADD_REF |
 DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING |
- DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP |
 DRSUAPI_DRS_NONGC_RO_REP;
 }
 return DRSUAPI_DRS_INIT_SYNC |
diff --git a/source4/dsdb/repl/drepl_out_helpers.c b/source4/dsdb/repl/drepl_out_helpers.c
index d526f4558a5..079edc8ba46 100644
--- a/source4/dsdb/repl/drepl_out_helpers.c
+++ b/source4/dsdb/repl/drepl_out_helpers.c
@@ -518,7 +518,21 @@ static void dreplsrv_op_pull_source_get_changes_trigger(struct tevent_req *req)
 } else {
 replica_flags |= DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING;
 }
+
+ /*
+ * As per MS-DRSR:
+ *
+ * 4.1.10.4
+ * Client Behavior When Sending the IDL_DRSGetNCChanges Request
+ *
+ * 4.1.10.4.1
+ * ReplicateNCRequestMsg
+ */
+ replica_flags |= DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP;
+ } else {
+ replica_flags |= DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP;
 }
+
 if (state->op->extended_op != DRSUAPI_EXOP_NONE) {
 /*
 * If it's an exop never set the ADD_REF even if it's in
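Review bot: Both arms of the surrounding if/else now end with the same `replica_flags |= DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP;`, so the flag is effectively unconditional but written twice, and a later edit to one arm could silently drop it for that replication mode. A single assignment placed after the closing brace, replacing the added `} else {` arm, would make the intent explicit. The MS-DRSR comment lists only section numbers; it would help to state the consequence, for example `/* Always set: without it, replicating from a Windows DC loses data (MS-DRSR 4.1.10.4.1) */`, since the lost data is presumably group membership, which feeds access decisions on the receiving DC. The if condition and the start of dreplsrv_op_pull_source_get_changes_trigger lie outside the hunk, so the hoist should be checked against them.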