author | Andrew Bartlett <abartlet@samba.org> | 2022-03-16 16:27:54 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2022-03-29 02:33:34 +0000 |
commit | 360bb864e9a958c395f841bdc8caf866f8dcb0e0 (patch) | |
tree | dd22f4aa8c1d4edfb817004703f81a622197af29 /source4/auth | |
parent | 1884bc11f0115078113253d48be684c32cb3c5f9 (diff) | |

s4-auth: Do not trigger RODC replication unless missing all passwords

With the NT hash becoming optional we cannot make blind assumptions that
a missing value means we are on an RODC needing the password replicated.
Instead, check for supplementalCredentials as well.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/ntlm/auth_sam.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 8ece2697700..5a56076ac5b 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -220,6 +220,7 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con const char * const attrs[] = { "pwdHistoryLength", NULL }; struct ldb_message *dom_msg; struct samr_Password *nt_pwd; + const struct ldb_val *sc_val; bool am_rodc; tmp_ctx = talloc_new(mem_ctx); @@ -242,7 +243,9 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con return nt_status; } - if (nt_pwd == NULL) { + sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials"); + + if (nt_pwd == NULL && sc_val == NULL) { if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) { /* * we don't have passwords for this |
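
Review bot: In the second hunk (@@ -242,7 +243,9 @@), the new test `nt_pwd == NULL && sc_val == NULL` only changes behaviour if `msg` was fetched with "supplementalCredentials" in its attribute list, and nothing in the visible lines shows that; the only attribute array in view, `attrs[] = { "pwdHistoryLength", NULL }`, is declared next to `dom_msg`. If the attribute is not requested, `sc_val` is always NULL and the RODC replication path is taken exactly as before, so please confirm the user search attributes include it, or add it in this patch. Two smaller points on the same lines: `ldb_msg_find_ldb_val()` reports that a value is present, not that it holds a usable key, so a present supplementalCredentials is treated as "has some password" without inspecting it; and when `nt_pwd == NULL` but `sc_val != NULL`, execution now continues past this block with a NULL `nt_pwd`, so the code that follows must tolerate that. A short comment above the condition stating both assumptions would help the next reader.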