samba-tool drs clone-dc: Add --include-secrets option

This allows the creation of domain clones that have no secrets,
and so make it safer to examine databases that demonstrate issues

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

1 files changed, 3 insertions, 1 deletions

diff --git a/python/samba/join.py b/python/samba/join.py
index 0f7dde237d1..cdfe45207cf 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -1206,7 +1206,7 @@ def join_DC(logger=None, server=None, creds=None, lp=None, site=None, netbios_na
     logger.info("Joined domain %s (SID %s) as a DC" % (ctx.domain_name, ctx.domsid))
 
 def join_clone(logger=None, server=None, creds=None, lp=None,
-            targetdir=None, domain=None):
+               targetdir=None, domain=None, include_secrets=False):
     """Join as a DC."""
     ctx = dc_join(logger, server, creds, lp, site=None, netbios_name=None, targetdir=targetdir, domain=domain,
                   machinepass=None, use_ntvfs=False, dns_backend="NONE", promote_existing=False, clone_only=True)
@@ -1222,6 +1222,8 @@ def join_clone(logger=None, server=None, creds=None, lp=None,
                          drsuapi.DRSUAPI_DRS_PER_SYNC |
                          drsuapi.DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS |
                          drsuapi.DRSUAPI_DRS_NEVER_SYNCED)
+    if not include_secrets:
+        ctx.replica_flags |= drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
     ctx.domain_replica_flags = ctx.replica_flags
 
     ctx.do_join()