authorGarming Sam <garming@catalyst.net.nz>2017-03-23 16:04:04 +1300
committerAndrew Bartlett <abartlet@samba.org>2017-03-27 20:08:18 +0200
commit12c7373e943dde864383455858d151d6e5f3c85d (patch)
tree4b4d84645c346450c13efb28b96c0c43e96afc99 /source4/auth
parenta998c0073f508437714f462661165309049c1b10 (diff)
auth/sam: Remove lastLogonTimestamp from RODC success accounting
This is because it cannot be updated here (only SendToSAM) and prevents RODC from resetting the badPwdCount (as well as lockoutTime, which needs to be fixed to allow RODC local modification). Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/sam.c18
1 files changed, 14 insertions, 4 deletions
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 759585ef49c..7df23d55d80 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -831,6 +831,7 @@ NTSTATUS authsam_logon_success_accounting(struct ldb_context *sam_ctx,
struct timeval tv_now;
NTTIME now;
NTTIME lastLogonTimestamp;
+ bool am_rodc = false;
mem_ctx = talloc_new(msg);
if (mem_ctx == NULL) {
@@ -902,11 +903,20 @@ NTSTATUS authsam_logon_success_accounting(struct ldb_context *sam_ctx,
}
}
- status = authsam_update_lastlogon_timestamp(sam_ctx, msg_mod, domain_dn,
- lastLogonTimestamp, now);
- if (!NT_STATUS_IS_OK(status)) {
+ ret = samdb_rodc(sam_ctx, &am_rodc);
+ if (ret != LDB_SUCCESS) {
TALLOC_FREE(mem_ctx);
- return NT_STATUS_NO_MEMORY;
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (!am_rodc) {
+ /* TODO Perform the (async) SendToSAM calls for MS-SAMS */
+ status = authsam_update_lastlogon_timestamp(sam_ctx, msg_mod, domain_dn,
+ lastLogonTimestamp, now);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
}
if (msg_mod->num_elements > 0) {
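Review bot: The TODO directly under `if (!am_rodc) {` sits in the writable-DC branch, but the work it names (forwarding through SendToSAM) belongs to the RODC case that this branch skips, so it reads as something the non-RODC path still has to do. I would reword it, or move it to an `else`, along the lines of `/* On an RODC lastLogonTimestamp is not written locally; TODO: forward it via (async) SendToSAM per MS-SAMS */`. Until that forwarding exists, a successful logon served by an RODC leaves lastLogonTimestamp untouched, so anything that uses the attribute to find inactive accounts will presumably see those accounts as older than they are; the comment should say so. Separately, the error path under the timestamp call still returns `NT_STATUS_NO_MEMORY` whatever `status` holds, where `return status;` would preserve the real cause, assuming the helper can fail for other reasons. The body of authsam_logon_success_accounting starts and ends outside this hunk.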