From 9ff42a03418939da428ab1576b174b3abe4fce79 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 3 Jul 2014 16:00:48 +0200
Subject: [PATCH 1/3] s4:dsdb/schema_load: make error message more verbose
Signed-off-by: Stefan Metzmacher
---
 source4/dsdb/samdb/ldb_modules/schema_load.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source4/dsdb/samdb/ldb_modules/schema_load.c b/source4/dsdb/samdb/ldb_modules/schema_load.c
index d8bc8c7..4538e89 100644
--- a/source4/dsdb/samdb/ldb_modules/schema_load.c
+++ b/source4/dsdb/samdb/ldb_modules/schema_load.c
@@ -213,7 +213,8 @@ static struct dsdb_schema *dsdb_schema_refresh(struct ldb_module *module, struct
 schema->metadata_usn = schema_seq_num;
 } else {
 /* From an old provision it can happen that the tdb didn't exists yet */
- DEBUG(0, ("Error while searching for the schema usn in the metadata\n"));
+ DEBUG(0, ("Error while searching for the schema usn in the metadata ignoring: %d:%s:%s\n",
+ ret, ldb_strerror(ret), ldb_errstring(ldb)));
 schema->metadata_usn = 0;
 }
 schema->last_refresh = ts;
--
1.9.1
From 7266b6941dbe4e82194bf6bb36636a8cf6f7ecaa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 7 Jul 2014 22:53:19 +0200
Subject: [PATCH 2/3] s4:dsdb/kcc: use SHOW_RECYCLED instead of SHOW_DELETED in when deleting tombstone/deleted objects
SHOW_RECYCLED implies SHOW_DELETED.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10694
Signed-off-by: Stefan Metzmacher
---
 source4/dsdb/kcc/kcc_deleted.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/dsdb/kcc/kcc_deleted.c b/source4/dsdb/kcc/kcc_deleted.c
index 331d4fb..93d74ca 100644
--- a/source4/dsdb/kcc/kcc_deleted.c
+++ b/source4/dsdb/kcc/kcc_deleted.c
@@ -128,7 +128,7 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx)
 whenChanged = ldb_string_to_time(tstring);
 }
 if (t - whenChanged > tombstoneLifetime*60*60*24) {
- ret = dsdb_delete(s->samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_DELETED|DSDB_MODIFY_RELAX);
+ ret = dsdb_delete(s->samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_RECYCLED|DSDB_MODIFY_RELAX);
 if (ret != LDB_SUCCESS) {
 DEBUG(1,(__location__ ": Failed to remove deleted object %s\n", ldb_dn_get_linearized(res->msgs[i]->dn)));
--
1.9.1
From 4cc0676e5af283590ba0cb3734c4f8c2600d2d29 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 7 Jul 2014 12:00:14 +0200
Subject: [PATCH 3/3] s4:dsdb/extended_dn_in: don't force DSDB_SEARCH_SHOW_RECYCLED
We should take the controls the caller provided when we search for existing objects. A search with a basedn of '' should result in LDB_ERR_NO_SUCH_OBJECT is the object has isDeleted=TRUE.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10694
Signed-off-by: Stefan Metzmacher
---
 source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 37 +++++++++++++------------
 1 file changed, 20 insertions(+), 17 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
index df45f75..f738bc4 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
@@ -318,6 +318,7 @@ struct extended_dn_filter_ctx {
 struct ldb_module *module;
 struct ldb_request *req;
 struct dsdb_schema *schema;
+ uint32_t dsdb_flags;
 };
 /*
@@ -421,10 +422,7 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat
 return LDB_SUCCESS;
 }
- dsdb_flags = DSDB_FLAG_NEXT_MODULE |
- DSDB_FLAG_AS_SYSTEM |
- DSDB_SEARCH_SHOW_RECYCLED |
- DSDB_SEARCH_SHOW_EXTENDED_DN;
+ dsdb_flags = filter_ctx->dsdb_flags | DSDB_FLAG_NEXT_MODULE;
 if (guid_val) {
 expression = talloc_asprintf(filter_ctx, "objectGUID=%s", ldb_binary_encode(filter_ctx, *guid_val));
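Review bot: In the `kcc_deleted.c` hunk (`@@ -128`), the failure branch after the changed `dsdb_delete()` call still logs only the DN, so when removal of an expired tombstone fails the log does not say why. The first patch of this series adds the error text to a similar message, and the same would fit here: `DEBUG(1,(__location__ ": Failed to remove deleted object %s: %s\n", ldb_dn_get_linearized(res->msgs[i]->dn), ldb_errstring(s->samdb)));`. The loop in `kccsrv_check_deleted` starts and ends outside the hunk, so whether the failure is handled further down is not visible here.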
@@ -485,7 +483,9 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat
 fix the parse tree to change any extended DN components to their caconical form */
-static int extended_dn_fix_filter(struct ldb_module *module, struct ldb_request *req)
+static int extended_dn_fix_filter(struct ldb_module *module,
+ struct ldb_request *req,
+ uint32_t default_dsdb_flags)
 {
 struct extended_dn_filter_ctx *filter_ctx;
 int ret;
@@ -503,6 +503,7 @@ static int extended_dn_fix_filter(struct ldb_module *module, struct ldb_request
 filter_ctx->module = module;
 filter_ctx->req = req;
 filter_ctx->schema = dsdb_get_schema(ldb_module_get_ctx(module), filter_ctx);
+ filter_ctx->dsdb_flags= default_dsdb_flags;
 ret = ldb_parse_tree_walk(req->op.search.tree, extended_dn_filter_callback, filter_ctx);
 if (ret != LDB_SUCCESS) {
@@ -551,10 +552,20 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req
 static const char *no_attr[] = { NULL };
- bool all_partitions = false;
+ uint32_t dsdb_flags = DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_EXTENDED_DN;
+
+ if (ldb_request_get_control(req, LDB_CONTROL_SHOW_DELETED_OID)) {
+ dsdb_flags |= DSDB_SEARCH_SHOW_DELETED;
+ }
+ if (ldb_request_get_control(req, LDB_CONTROL_SHOW_RECYCLED_OID)) {
+ dsdb_flags |= DSDB_SEARCH_SHOW_RECYCLED;
+ }
+ if (ldb_request_get_control(req, DSDB_CONTROL_DBCHECK)) {
+ dsdb_flags |= DSDB_SEARCH_SHOW_RECYCLED;
+ }
 if (req->operation == LDB_SEARCH) {
- ret = extended_dn_fix_filter(module, req);
+ ret = extended_dn_fix_filter(module, req, dsdb_flags);
 if (ret != LDB_SUCCESS) {
 return ret;
 }
@@ -566,7 +577,6 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req
 } else {
 /* It looks like we need to map the DN */
 const struct ldb_val *sid_val, *guid_val, *wkguid_val;
- uint32_t dsdb_flags = 0;
 if (!ldb_dn_match_allowed(dn, req)) {
 return ldb_error(ldb_module_get_ctx(module),
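Review bot: The comment above `extended_dn_fix_filter` (hunk `@@ -485`) still only says that the parse tree is fixed up and does not explain the new `default_dsdb_flags` argument. A sentence such as `default_dsdb_flags: search flags derived from the caller's controls, used for the lookups made while walking the filter` would help, because `extended_dn_filter_callback` ORs `DSDB_FLAG_NEXT_MODULE` on top of them. In the following hunk (`@@ -503`), `filter_ctx->dsdb_flags= default_dsdb_flags;` is missing the space before `=`.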
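Review bot: In `extended_dn_in_fix` (hunk `@@ -551`), lookup visibility is now taken from whichever controls are attached to `req` while `DSDB_FLAG_AS_SYSTEM` stays set unconditionally, and nothing in the hunk says where those controls are vetted. This matters most for `DSDB_CONTROL_DBCHECK`, which widens the lookup to recycled objects without the caller having asked for them by OID. I cannot tell from the hunk whether an earlier module rejects or strips that control on requests from unprivileged clients, so the assumption should be written down, for example `/* dbcheck must resolve DNs of recycled objects; DSDB_CONTROL_DBCHECK is only expected from trusted local callers */`. The function body starts and ends outside the hunk.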
@@ -583,7 +593,7 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req
 ForeignSecurityPrinciples due to provision errors */
 if (guid_val) {
- all_partitions = true;
+ dsdb_flags |= DSDB_SEARCH_SEARCH_ALL_PARTITIONS;
 base_dn = NULL;
 base_dn_filter = talloc_asprintf(req, "(objectGUID=%s)", ldb_binary_encode(req, *guid_val));
@@ -594,7 +604,7 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req
 base_dn_attrs = no_attr;
 } else if (sid_val) {
- all_partitions = true;
+ dsdb_flags |= DSDB_SEARCH_SEARCH_ALL_PARTITIONS;
 base_dn = NULL;
 base_dn_filter = talloc_asprintf(req, "(objectSid=%s)", ldb_binary_encode(req, *sid_val));
@@ -671,13 +681,6 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req
 return ldb_operr(ldb_module_get_ctx(module));
 }
- dsdb_flags = DSDB_FLAG_AS_SYSTEM |
- DSDB_SEARCH_SHOW_RECYCLED |
- DSDB_SEARCH_SHOW_EXTENDED_DN;
- if (all_partitions) {
- dsdb_flags |= DSDB_SEARCH_SEARCH_ALL_PARTITIONS;
- }
-
 ret = dsdb_request_add_controls(down_req, dsdb_flags);
 if (ret != LDB_SUCCESS) {
 return ret;
--
1.9.1