Review on crackname patch

Andrew Bartlett abartlet at samba.org
Sat Jul 30 18:32:08 MDT 2011


On Sun, 2011-07-31 at 01:08 +0400, Matthieu Patou wrote:
> Hello Metze & Tridge,
> 
> Can one of you have a look at the first patch and check the resolution.
> The problem is that Samba didn't manage without this patch to do a 
> crackname on names that are related to deleted objects.
> I found this problem when debugging a replication problem on a server 
> with deleted objects.
> 
> This problem can quite easily be checked:
> 
> 1) locate the guid of the "Deleted Objects" container on a Windows DC
> 2) Run:
>   python source4/scripting/devel/crackname ip_server -U administrator --name='{objectGUID}'
> 3) See that Windows returns something
> 4) locate the guid of the "Deleted Objects" on a samba DC
> 5) Run:
>   python source4/scripting/devel/crackname ip_server_samba -U administrator --name='{objectGUID2}'
> 6) See that samba returns None + status name not resolved
> 
> After applying my patch step 5 returns a correct DN.
> 
> Note: the crackname script is in the second patch.

I'm quite uncomfortable with the idea of just adding 'show deleted'
here.  Are we expected to show deleted user accounts too?  This call is
at the core of our authentication stack, and only works well if the
mapping is unique.  That a lookup (say as an NT4 name domain\user) for a
deleted-and-readded user entry would map to multiple entries (and
therefore return as not unique) worries me in particular.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
