From 17e5bb42dc5ece66124872c48d4fecbdd828c61c Mon Sep 17 00:00:00 2001 From: Roel van Meer Date: Tue, 28 Oct 2014 12:21:38 +0100 Subject: [PATCH] Modify remote SamDB when demoting a RODC --- python/samba/netcmd/domain.py | 43 ++++++++++++++++++++++++++++++---------- 1 files changed, 32 insertions(+), 11 deletions(-) diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py index 9dfbc39..181d565 100644 --- a/python/samba/netcmd/domain.py +++ b/python/samba/netcmd/domain.py @@ -694,12 +694,19 @@ class cmd_domain_demote(Command): self.errf.write("Deactivating inbound replication\n") + remote_samdb = SamDB(url="ldap://%s" % server, + session_info=system_session(), + credentials=creds, lp=lp) + nmsg = ldb.Message() nmsg.dn = msg[0].dn dsa_options |= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options") - samdb.modify(nmsg) + if samdb.am_rodc(): + remote_samdb.modify(nmsg) + else: + samdb.modify(nmsg) if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc(): @@ -719,10 +726,6 @@ class cmd_domain_demote(Command): samdb.modify(nmsg) raise CommandError("Error while sending a DsReplicaSync for partion %s" % str(part), e) try: - remote_samdb = SamDB(url="ldap://%s" % server, - session_info=system_session(), - credentials=creds, lp=lp) - self.errf.write("Changing userControl and container\n") res = remote_samdb.search(base=str(remote_samdb.get_root_basedn()), expression="(&(objectClass=user)(sAMAccountName=%s$))" % @@ -736,7 +739,10 @@ class cmd_domain_demote(Command): "Error while demoting, re-enabling inbound replication\n") dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options") - samdb.modify(nmsg) + if samdb.am_rodc(): + remote_samdb.modify(nmsg) + else: + samdb.modify(nmsg) raise CommandError("Error while changing account control", e) if (len(res) != 1): 
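Review bot: The `SamDB(url="ldap://%s" % server, ...)` connection added at the top of the @@ -694 hunk is no longer covered by the `try:` it sat under before (the lines removed in the @@ -719 hunk), so an unreachable `server` or a rejected bind now escapes as a raw exception instead of a `CommandError`. Because the connection is opened before the options attribute is modified, nothing needs rolling back at that point. Wrap the constructor in its own try/except that ends in `raise CommandError("Unable to connect to remote DC %s" % server, e)`. The command body starts and ends outside the hunk, so an outer handler may exist that is not visible here.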
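Review bot: On an RODC the rollback in the @@ -736 error path now goes through `remote_samdb.modify(nmsg)`, presumably the same connection whose search or modify just failed, so the rollback can itself raise and the `raise CommandError("Error while changing account control", e)` below it is never reached. That would leave inbound replication disabled in the options attribute with only a low-level error shown to the operator. Guard the rollback with its own try/except that writes a line to `self.errf` saying the flag could not be restored and has to be cleared by hand, then let the original `CommandError` go out. The same applies to the rollback branches in the hunks at -744, -766, -793, -818 and -841, where a raising rollback would also skip the cleanup that follows it. The enclosing `except` starts outside this hunk.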
@@ -744,7 +750,10 @@ class cmd_domain_demote(Command): "Error while demoting, re-enabling inbound replication") dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options") - samdb.modify(nmsg) + if samdb.am_rodc(): + remote_samdb.modify(nmsg) + else: + samdb.modify(nmsg) raise CommandError("Unable to find object with samaccountName = %s$" " in the remote dc" % netbios_name.upper()) @@ -766,7 +775,10 @@ class cmd_domain_demote(Command): "Error while demoting, re-enabling inbound replication") dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options") - samdb.modify(nmsg) + if samdb.am_rodc(): + remote_samdb.modify(nmsg) + else: + samdb.modify(nmsg) raise CommandError("Error while changing account control", e) @@ -793,7 +805,10 @@ class cmd_domain_demote(Command): "Error while demoting, re-enabling inbound replication\n") dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options") - samdb.modify(nmsg) + if samdb.am_rodc(): + remote_samdb.modify(nmsg) + else: + samdb.modify(nmsg) msg = ldb.Message() msg.dn = dc_dn @@ -818,7 +833,10 @@ class cmd_domain_demote(Command): "Error while demoting, re-enabling inbound replication\n") dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options") - samdb.modify(nmsg) + if samdb.am_rodc(): + remote_samdb.modify(nmsg) + else: + samdb.modify(nmsg) msg = ldb.Message() msg.dn = dc_dn 
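Review bot: The four-line `if samdb.am_rodc(): ... else: ...` branch is pasted at every place the options attribute is written (this hunk, the earlier ones at -694 and -736, and the ones at -766, -793, -818 and -841), which makes it easy for a later edit to miss one rollback path. Pick the write target once, right after `remote_samdb` is created, with `repl_samdb = remote_samdb if samdb.am_rodc() else samdb`, and call `repl_samdb.modify(nmsg)` at each site. That also evaluates `am_rodc()` once instead of on every path. A one-line comment there, `# an RODC's local database is read-only; write the nTDSDSA options on the remote DC`, would record why the target differs.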
@@ -841,7 +859,10 @@ class cmd_domain_demote(Command): "Error while demoting, re-enabling inbound replication\n") dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options") - samdb.modify(nmsg) + if samdb.am_rodc(): + remote_samdb.modify(nmsg) + else: + samdb.modify(nmsg) msg = ldb.Message() msg.dn = newdn -- 1.7.1