From: Garming Sam
Date: Mon, 3 Apr 2017 03:22:08 +0000 (+1200)
Subject: rodc: Set non-authoritative for RODC bad passwords
X-Git-Tag: ldb-1.1.30~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f40fdaea7f64bcf7461a53f61fd6ffe8def0c8e9;p=thirdparty%2Fsamba.git

rodc: Set non-authoritative for RODC bad passwords

This requires as a pre-requisite that the auth stack is not run twice. We remove the knownfail introduced in the earlier patch.

Signed-off-by: Garming Sam
Reviewed-by: Andrew Bartlett
---
diff --git a/selftest/knownfail b/selftest/knownfail
index 76578c9517a..c6047c85445 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -335,4 +335,3 @@
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
 ^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
-^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_ntlm
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index cfe7455501b..0b175b5ecc7 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -174,6 +174,7 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 struct ldb_message *dom_msg;
 struct samr_Password *lm_pwd;
 struct samr_Password *nt_pwd;
+ bool am_rodc;
 
 tmp_ctx = talloc_new(mem_ctx);
 if (tmp_ctx == NULL) {
@@ -196,7 +197,6 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 }
 
 if (lm_pwd == NULL && nt_pwd == NULL) {
- bool am_rodc;
 if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
 /*
 * we don't have passwords for this
@@ -458,6 +458,10 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 nt_errstr(nt_status)));
 }
 
+ if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
+ *authoritative = false;
+ }
+
 TALLOC_FREE(tmp_ctx);
 return NT_STATUS_WRONG_PASSWORD;
 }
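Review bot: The new `if (samdb_rodc(...) == LDB_SUCCESS && am_rodc)` block before `TALLOC_FREE(tmp_ctx)` has no comment explaining why an RODC's wrong-password result is downgraded, and `samdb_rodc()` is now asked the same question twice in this function with identical arguments (the other call is in the `lm_pwd == NULL && nt_pwd == NULL` branch at @@ -196). If the intent is the one the commit message implies, I would put `/* On an RODC a wrong password is not a final verdict; report non-authoritative so the caller can defer to a writable DC */` above the new check, and consider evaluating `samdb_rodc()` once where `am_rodc` is now declared so both sites read the same answer. When `samdb_rodc()` itself fails the result silently stays authoritative, which fails closed but is worth a DEBUG line since it hides an ldb error in the auth path. Because the bad-password bookkeeping earlier in this function has presumably already run by this point, a non-authoritative result that the caller forwards may count the same attempt again on the DC it reaches; confirm against the caller. authsam_password_check_and_record starts outside this hunk.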