repl: Give an error if we get a secret when not expecting one

We should never get a secret from a server when we specify DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING

This asserts that this is the case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

1 files changed, 20 insertions, 3 deletions

diff --git a/source4/dsdb/repl/replicated_objects.c b/source4/dsdb/repl/replicated_objects.c
index df880ad7373..1afdb36f70d 100644
--- a/source4/dsdb/repl/replicated_objects.c
+++ b/source4/dsdb/repl/replicated_objects.c
@@ -347,7 +347,7 @@ WERROR dsdb_convert_object_ex(struct ldb_context *ldb,
 			      struct dsdb_extended_replicated_object *out)
 {
 	NTSTATUS nt_status;
-	WERROR status;
+	WERROR status = WERR_OK;
 	uint32_t i;
 	struct ldb_message *msg;
 	struct replPropertyMetaDataBlob *md;
@@ -444,8 +444,25 @@ WERROR dsdb_convert_object_ex(struct ldb_context *ldb,
 		}
 
 		for (j=0; j<a->value_ctr.num_values; j++) {
-			status = drsuapi_decrypt_attribute(a->value_ctr.values[j].blob, gensec_skey, rid, a);
-			W_ERROR_NOT_OK_RETURN(status);
+			status = drsuapi_decrypt_attribute(a->value_ctr.values[j].blob,
+							   gensec_skey, rid,
+							   dsdb_repl_flags, a);
+			if (!W_ERROR_IS_OK(status)) {
+				break;
+			}
+		}
+		if (W_ERROR_EQUAL(status, WERR_TOO_MANY_SECRETS)) {
+			WERROR get_name_status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, pfm_remote,
+									       a, msg->elements, e);
+			if (W_ERROR_IS_OK(get_name_status)) {
+				DEBUG(0, ("Unxpectedly got secret value %s on %s from DRS server\n",
+					  e->name, ldb_dn_get_linearized(msg->dn)));
+			} else {
+				DEBUG(0, ("Unxpectedly got secret value on %s from DRS server",
+					  ldb_dn_get_linearized(msg->dn)));
+			}
+		} else if (!W_ERROR_IS_OK(status)) {
+			return status;
 		}
 
 		status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, pfm_remote,