[cifs-protocol] Errors when doing a DsAddEntry

Hongwei Sun hongweis at microsoft.com
Thu Sep 15 16:27:20 MDT 2011


  I just want to close loop on this request even we already  worked together and resolved the related issue.  I want to make sure the document is updated properly to include the error conditions.     

 The first error can be returned by Windows DC handling IDL_DRSAddEntry if  it is a Domain Naming FSMO role owner but its ownership canotn be validated because the DC has never been synchronized with any existing partners.   This is not explicitly called out in the document.  I filed a request to specify this condition.

  For the second error, when the nTDSDSA object is created under server object, it needs to find an existing crossRef that matches the domain name.  If it cannot be found , then  ERROR_DS_NO_CROSSREF_FOR_NC will be returned.   The logic is specified in the subroutine CreateNtdsDsa  (  MS-DSRS),which is called by IDL_DRSAddEntry()   as following:

	domainCR := select one v from ConfigNC() where v!nCName = domainName 
  	and crossRef in v!objectClass  
  	and FLAG_CR_NTDS_DOMAIN in v!systemFlags 
   We need to update the error condition here mentioning if domainCR cannot be found, then ERROR_DS_NO_CROSSREF_FOR_NC will be returned.       This explains that his  your workaround is the correct way.    

  I will send you the final update when it is available.    Please let me know if there is any more questions  regarding this issue.  



-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, August 30, 2011 11:29 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at cifs.org
Subject: Errors when doing a DsAddEntry

We have been looking at DRSUAPI/DsAddEntry, and have a few questions.

We are trying to implement subdomain support in Samba4 before the plugfest.

We have been able to generate error cases that do not seem to be 'possible' in the docs.  Can you please clarify exactly what errors this function should be able to return, and document how to avoid these:

in join-s1.txt we have an error that is only listed in the docs when removing a DC from the domain.  

extended_err             : WERR_DS_ROLE_NOT_VERIFIED

This is currently blocking us.  Our only theory is that we must perform a replication cycle before we do this call. 

in join-s1-2.txt we have another error, that we worked around by creating the partitions object before creating the server object.
However, as we need to match the server-side behaviour, we need to know the undocumented circumstances that cause this error.

extended_err             : WERR_DS_NO_CROSSREF_FOR_NC

Finally, is there any documentation of the high-level procedure for creating a subdomain?


Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the cifs-protocol mailing list