[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Aug 14 09:17:02 MDT 2012


The branch, master has been updated
       via  a74ca56 s4:ntp_signd: fix SEGV if SID cannot be found
       via  ff5d177 s3-passdb: Silence scary DEBUG(0) message on first use of secrets.tdb databases
       via  108c8b7 s4-dsdb: Use samdb_dn_is_our_ntdsa()
       via  d582e1b s4-dsdb: Add samdb_dn_is_our_ntdsa()
       via  773d036 s4-dsdb: Use samdb_reference_dn_is_our_ntdsa()
       via  7213199 s4-repl: Use samdb_reference_dn_is_our_ntdsa()
       via  1e127b2 s4-dsdb: Add helper function samdb_reference_dn_is_our_ntdsa()
       via  3c8d8f2 s4-dsdb: Use ldb_dn_copy() rather than talloc_reference()
       via  0668f98 s4-libnet: Prepare libnet_BecomeDC for samdb_reference_dn() returning an extended DN
       via  fd0394d s4-libnet: Improve debugging of libnet_BecomeDC LDAP errors
      from  c47d73f s4:dsdb/repl: ldb_errstring() takes a 'struct ldb_context' not 'int'

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a74ca56c482257f79eb6f966fc490657a0d6407b
Author: Arvid Requate <requate at univention.de>
Date:   Tue Aug 14 14:16:54 2012 +0200

    s4:ntp_signd: fix SEGV if SID cannot be found
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue Aug 14 17:16:54 CEST 2012 on sn-devel-104

commit ff5d177a6938a0c486552db362a9e179fbc68b9c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 14 22:58:19 2012 +1000

    s3-passdb: Silence scary DEBUG(0) message on first use of secrets.tdb databases
    
    When pdb_samba4 first opens this database, this message is printed.
    
    Andrew Bartlett

commit 108c8b758ad23cd83630b2f8adf21171e815589a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 14 19:48:32 2012 +1000

    s4-dsdb: Use samdb_dn_is_our_ntdsa()
    
    This uses a GUID based comparison, and avoids re-fetching the
    samdb_ntds_settings_dn each time.
    
    Andrew Bartlett

commit d582e1bef6783a788378e32c64199a639d51b4e1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 14 19:44:18 2012 +1000

    s4-dsdb: Add samdb_dn_is_our_ntdsa()
    
    This is like samdb_reference_dn_is_our_ntdsa but without the attribute de-reference.
    
    Andrew Bartlett

commit 773d0367a6d1bc4cbc3147420ddc0e94ee7cdc2c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 14 18:48:24 2012 +1000

    s4-dsdb: Use samdb_reference_dn_is_our_ntdsa()

commit 7213199f6e92713282cbf90d30ba7bb72a040734
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 14 18:47:54 2012 +1000

    s4-repl: Use samdb_reference_dn_is_our_ntdsa()

commit 1e127b270cf60a34ea9f0c74bbefa98ef9dd019f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 14 18:46:47 2012 +1000

    s4-dsdb: Add helper function samdb_reference_dn_is_our_ntdsa()
    
    We often want to know if we own an FSMO role (for example).  This tries to be more
    efficient by comparing the GUID, rather than the string DN, as this does not need
    to be re-fetched each time.
    
    Andrew Bartlett

commit 3c8d8f206b79280604cb79f263e74aa2b681726e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 14 17:49:12 2012 +1000

    s4-dsdb: Use ldb_dn_copy() rather than talloc_reference()
    
    As the normal case (outside provision) uses a copy, this avoids a case
    where a caller might modify a global variable accidentally.
    
    As suggested by metze.
    
    Andrew Bartlett

commit 0668f98d112f29f3fc7c306f69a9bea29eb8e2e1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 14 22:54:26 2012 +1000

    s4-libnet: Prepare libnet_BecomeDC for samdb_reference_dn() returning an extended DN
    
    Remote LDAP servers will not accept an extended DN with other components.
    
    Andrew Bartlett

commit fd0394d85d6da511eed96fe3dda72dfe92b83481
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 14 22:53:35 2012 +1000

    s4-libnet: Improve debugging of libnet_BecomeDC LDAP errors

-----------------------------------------------------------------------

Summary of changes:
 source3/passdb/machine_account_secrets.c  |   15 +++--
 source4/dsdb/common/util.c                |   97 ++++++++++++++++++-----------
 source4/dsdb/repl/drepl_fsmo.c            |   32 ++++-----
 source4/dsdb/repl/drepl_ridalloc.c        |   11 +++-
 source4/dsdb/samdb/ldb_modules/ridalloc.c |   27 ++++++++-
 source4/dsdb/samdb/ldb_modules/rootdse.c  |   11 +++-
 source4/libnet/libnet_become_dc.c         |   13 ++++
 source4/ntp_signd/ntp_signd.c             |    6 ++-
 source4/rpc_server/drsuapi/getncchanges.c |   28 ++++-----
 9 files changed, 159 insertions(+), 81 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index a4b5709..ebd7b4c 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -75,12 +75,17 @@ bool secrets_mark_domain_protected(const char *domain)
 bool secrets_clear_domain_protection(const char *domain)
 {
 	bool ret;
-
-	ret = secrets_delete(protect_ids_keystr(domain));
-	if (!ret) {
-		DEBUG(0, ("Failed to remove Domain IDs protection\n"));
+	void *protection = secrets_fetch(protect_ids_keystr(domain), NULL);
+	
+	if (protection) {
+		SAFE_FREE(protection);
+		ret = secrets_delete(protect_ids_keystr(domain));
+		if (!ret) {
+			DEBUG(0, ("Failed to remove Domain IDs protection\n"));
+		}
+		return ret;
 	}
-	return ret;
+	return true;
 }
 
 bool secrets_store_domain_sid(const char *domain, const struct dom_sid  *sid)
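Review bot: protect_ids_keystr(domain) is now computed twice in the new code, once for secrets_fetch() and once for secrets_delete(); storing it in a local before the fetch avoids the recomputation and guarantees both calls use the same key. The fetch-then-delete is two separate TDB operations, which is acceptable here because the fetch exists only to decide whether a failed delete deserves a DEBUG(0). The added blank line after the declaration (`+	`) carries a stray tab.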
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 251e177..5d73df2 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1252,7 +1252,7 @@ struct ldb_dn *samdb_ntds_settings_dn(struct ldb_context *ldb, TALLOC_CTX *mem_c
 	/* see if we have a cached copy */
 	settings_dn = (struct ldb_dn *)ldb_get_opaque(ldb, "forced.ntds_settings_dn");
 	if (settings_dn) {
-		return talloc_reference(mem_ctx, settings_dn);
+		return ldb_dn_copy(mem_ctx, settings_dn);
 	}
 
 	tmp_ctx = talloc_new(mem_ctx);
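Review bot: ldb_dn_copy() can return NULL on allocation failure where talloc_reference() on an already-cached DN effectively never did, so callers of samdb_ntds_settings_dn() that treated the cached path as infallible now need a NULL check. Handing out a private copy does achieve what the commit message intends: callers can no longer modify the DN stored under the "forced.ntds_settings_dn" opaque.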
@@ -1588,8 +1588,10 @@ int samdb_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_
 	attrs[0] = attribute;
 	attrs[1] = NULL;
 
-	ret = dsdb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_ONE_ONLY, NULL);
+	ret = dsdb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_ONE_ONLY|DSDB_SEARCH_SHOW_EXTENDED_DN, NULL);
 	if (ret != LDB_SUCCESS) {
+		ldb_asprintf_errstring(ldb, "Cannot find DN %s to get attribute %s for reference dn: %s",
+				       ldb_dn_get_linearized(base), attribute, ldb_errstring(ldb));
 		return ret;
 	}
 
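Review bot: adding DSDB_SEARCH_SHOW_EXTENDED_DN on the dsdb_search() line changes the contract of samdb_reference_dn() for every caller, not only the ones touched in this series: the DN it returns now carries <GUID=...> (and possibly <SID=...>) components. The libnet_become_dc hunk strips them before handing the DN to a remote server, but any other caller that sends the result over LDAP or displays it should be audited for the same problem. The added ldb_asprintf_errstring() is a welcome improvement, since the previous early return left no context behind.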
@@ -1611,6 +1613,58 @@ int samdb_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_
 }
 
 /*
+  find if a DN (must have GUID component!) is our ntdsDsa
+ */
+int samdb_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *dn, bool *is_ntdsa)
+{
+	NTSTATUS status;
+	TALLOC_CTX *tmp_ctx = talloc_new(ldb);
+	struct GUID dn_guid;
+	const struct GUID *our_ntds_guid;
+	status = dsdb_get_extended_dn_guid(dn, &dn_guid, "GUID");
+	if (!NT_STATUS_IS_OK(status)) {
+		talloc_free(tmp_ctx);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	our_ntds_guid = samdb_ntds_objectGUID(ldb);
+	if (!our_ntds_guid) {
+		DEBUG(0, ("Failed to find our NTDS Settings GUID for comparison with %s - %s\n", ldb_dn_get_linearized(dn), ldb_errstring(ldb)));
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	*is_ntdsa = GUID_equal(&dn_guid, our_ntds_guid);
+	return LDB_SUCCESS;
+}
+
+/*
+  find a 'reference' DN that points at another object and indicate if it is our ntdsDsa
+ */
+int samdb_reference_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *base,
+				    const char *attribute, bool *is_ntdsa)
+{
+	int ret;
+	struct ldb_dn *referenced_dn;
+	NTSTATUS status;
+	TALLOC_CTX *tmp_ctx = talloc_new(ldb);
+	struct GUID referenced_guid;
+	const struct GUID *our_ntds_guid;
+	if (tmp_ctx == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ret = samdb_reference_dn(ldb, tmp_ctx, base, attribute, &referenced_dn);
+	if (ret != LDB_SUCCESS) {
+		DEBUG(0, ("Failed to find object %s for attribute %s - %s\n", ldb_dn_get_linearized(base), attribute, ldb_errstring(ldb)));
+		return ret;
+	}
+
+	ret = samdb_dn_is_our_ntdsa(ldb, referenced_dn, is_ntdsa);
+	
+	talloc_free(tmp_ctx);
+	return ret;
+}
+
+/*
   find our machine account via the serverReference attribute in the
   server DN
  */
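Review bot: samdb_dn_is_our_ntdsa() allocates tmp_ctx on ldb but never uses it and frees it only on the first error path, so both the samdb_ntds_objectGUID() failure path and the success path leak a talloc child of the ldb context on every call; either drop tmp_ctx entirely (nothing in the function needs it) or free it before each return, and check the talloc_new() result if it stays. In samdb_reference_dn_is_our_ntdsa(), `status`, `referenced_guid` and `our_ntds_guid` are unused and should be removed, and tmp_ctx is leaked on the `ret != LDB_SUCCESS` path after samdb_reference_dn() fails. Finally, when dsdb_get_extended_dn_guid() fails the function returns LDB_ERR_OPERATIONS_ERROR without setting an ldb error string, so callers in this series that print ldb_errstring(ldb) will show a stale or empty message; an ldb_asprintf_errstring() naming the DN that lacked a GUID component would make those failures diagnosable.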
@@ -1776,50 +1830,19 @@ const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
 */
 bool samdb_is_pdc(struct ldb_context *ldb)
 {
-	const char *dom_attrs[] = { "fSMORoleOwner", NULL };
 	int ret;
-	struct ldb_result *dom_res;
-	TALLOC_CTX *tmp_ctx;
 	bool is_pdc;
-	struct ldb_dn *pdc;
 
-	tmp_ctx = talloc_new(ldb);
-	if (tmp_ctx == NULL) {
-		DEBUG(1, ("talloc_new failed in samdb_is_pdc"));
-		return false;
-	}
-
-	ret = ldb_search(ldb, tmp_ctx, &dom_res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, dom_attrs, NULL);
+	ret = samdb_reference_dn_is_our_ntdsa(ldb, ldb_get_default_basedn(ldb), "fsmoRoleOwner", 
+					      &is_pdc);
 	if (ret != LDB_SUCCESS) {
-		DEBUG(1,("Searching for fSMORoleOwner in %s failed: %s\n", 
+		DEBUG(1,("Failed to find if we are the PDC for this ldb: Searching for fSMORoleOwner in %s failed: %s\n", 
 			 ldb_dn_get_linearized(ldb_get_default_basedn(ldb)), 
 			 ldb_errstring(ldb)));
-		goto failed;
-	}
-	if (dom_res->count != 1) {
-		goto failed;
-	}
-
-	pdc = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, dom_res->msgs[0],
-				      "fSMORoleOwner");
-	if (pdc == NULL) {
-		goto failed;
-	}
-
-	if (ldb_dn_compare(samdb_ntds_settings_dn(ldb, tmp_ctx), pdc) == 0) {
-		is_pdc = true;
-	} else {
-		is_pdc = false;
+		return false;
 	}
 
-	talloc_free(tmp_ctx);
-
 	return is_pdc;
-
-failed:
-	DEBUG(1,("Failed to find if we are the PDC for this ldb\n"));
-	talloc_free(tmp_ctx);
-	return false;
 }
 
 /*
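Review bot: the attribute passed on `+	ret = samdb_reference_dn_is_our_ntdsa(ldb, ldb_get_default_basedn(ldb), "fsmoRoleOwner",` changes case from the removed "fSMORoleOwner". LDAP attribute names are case-insensitive so it still works, but it is inconsistent with the DEBUG text two lines below and with the rest of the tree, and it defeats a plain grep for the attribute. The helper already logs its failure at DEBUG(0), so the DEBUG(1) here means one failure now produces two log lines. There is trailing whitespace after the comma on that line.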
diff --git a/source4/dsdb/repl/drepl_fsmo.c b/source4/dsdb/repl/drepl_fsmo.c
index 4a1d08a..0e83982 100644
--- a/source4/dsdb/repl/drepl_fsmo.c
+++ b/source4/dsdb/repl/drepl_fsmo.c
@@ -52,15 +52,6 @@ static void drepl_role_callback(struct dreplsrv_service *service,
 	irpc_send_reply(fsmo->msg, NT_STATUS_OK);
 }
 
-static bool fsmo_master_equal(struct ldb_dn *ntds_dn, struct ldb_dn *role_owner_dn)
-{
-	if (ldb_dn_compare(ntds_dn, role_owner_dn) == 0) {
-		DEBUG(0,("\nWe are the FSMO master.\n"));
-		return true;
-	}
-	return false;
-}
-
 /*
   see which role is we are asked to assume, initialize data and send request
  */
@@ -69,20 +60,15 @@ NTSTATUS drepl_take_FSMO_role(struct irpc_message *msg,
 {
 	struct dreplsrv_service *service = talloc_get_type(msg->private_data,
 							   struct dreplsrv_service);
-	struct ldb_dn *role_owner_dn, *fsmo_role_dn, *ntds_dn;
+	struct ldb_dn *role_owner_dn, *fsmo_role_dn;
 	TALLOC_CTX *tmp_ctx = talloc_new(service);
 	uint64_t fsmo_info = 0;
 	enum drsuapi_DsExtendedOperation extended_op = DRSUAPI_EXOP_NONE;
 	WERROR werr;
 	enum drepl_role_master role = r->in.role;
 	struct fsmo_role_state *fsmo;
-
-	ntds_dn = samdb_ntds_settings_dn(service->samdb, tmp_ctx);
-	if (!ntds_dn) {
-		talloc_free(tmp_ctx);
-		r->out.result = WERR_DS_DRA_INTERNAL_ERROR;
-		return NT_STATUS_OK;
-	}
+	bool is_us;
+	int ret;
 
 	werr = dsdb_get_fsmo_role_info(tmp_ctx, service->samdb, role,
 				       &fsmo_role_dn, &role_owner_dn);
@@ -112,7 +98,17 @@ NTSTATUS drepl_take_FSMO_role(struct irpc_message *msg,
 		return NT_STATUS_OK;
 	}
 
-	if (fsmo_master_equal(ntds_dn, role_owner_dn) ||
+	ret = samdb_dn_is_our_ntdsa(service->samdb, role_owner_dn, &is_us);
+	if (ret != LDB_SUCCESS) {
+		DEBUG(0,("FSMO role check failed (failed to confirm if our ntdsDsa) for DN %s and owner %s \n",
+			 ldb_dn_get_linearized(fsmo_role_dn),
+			 ldb_dn_get_linearized(role_owner_dn)));
+		talloc_free(tmp_ctx);
+		r->out.result = WERR_DS_DRA_INTERNAL_ERROR;
+		return NT_STATUS_OK;
+	}
+	
+	if (is_us || 
 	    (extended_op == DRSUAPI_EXOP_NONE)) {
 		DEBUG(0,("FSMO role check failed for DN %s and owner %s \n",
 			 ldb_dn_get_linearized(fsmo_role_dn),
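Review bot: this now depends on dsdb_get_fsmo_role_info(), called a few lines above and not modified in this patch, returning role_owner_dn with a <GUID=...> extended component, because samdb_dn_is_our_ntdsa() returns LDB_ERR_OPERATIONS_ERROR for a DN without one. If that helper still returns a plain DN, every role transfer will fail with WERR_DS_DRA_INTERNAL_ERROR where the old ldb_dn_compare() path succeeded; worth confirming it requests DSDB_SEARCH_SHOW_EXTENDED_DN. The new DEBUG(0) in the error branch omits ldb_errstring(service->samdb), unlike the other call sites in this series. Trailing whitespace on the `+	` line and after `is_us ||`.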
diff --git a/source4/dsdb/repl/drepl_ridalloc.c b/source4/dsdb/repl/drepl_ridalloc.c
index c817c31..bd3a62b 100644
--- a/source4/dsdb/repl/drepl_ridalloc.c
+++ b/source4/dsdb/repl/drepl_ridalloc.c
@@ -168,6 +168,7 @@ WERROR dreplsrv_ridalloc_check_rid_pool(struct dreplsrv_service *service)
 	WERROR werr;
 	int ret;
 	uint64_t alloc_pool;
+	bool is_us;
 
 	if (service->am_rodc) {
 		talloc_free(tmp_ctx);
@@ -208,7 +209,15 @@ WERROR dreplsrv_ridalloc_check_rid_pool(struct dreplsrv_service *service)
 		return WERR_DS_DRA_INTERNAL_ERROR;
 	}
 
-	if (ldb_dn_compare(samdb_ntds_settings_dn(ldb, tmp_ctx), fsmo_role_dn) == 0) {
+	ret = samdb_dn_is_our_ntdsa(ldb, fsmo_role_dn, &is_us);
+	if (ret != LDB_SUCCESS) {
+		DEBUG(0,(__location__ ": Failed to find detrmine if %s is our ntdsDsa object - %s\n",
+			 ldb_dn_get_linearized(fsmo_role_dn), ldb_errstring(ldb)));
+		talloc_free(tmp_ctx);
+		return WERR_DS_DRA_INTERNAL_ERROR;
+	}
+
+	if (is_us) {
 		/* we are the RID Manager - no need to do a
 		   DRSUAPI_EXOP_FSMO_RID_ALLOC */
 		talloc_free(tmp_ctx);
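Review bot: typo in the new DEBUG string: "Failed to find detrmine if %s is our ntdsDsa object" should read "Failed to determine if %s is our ntdsDsa object". Same dependency as in drepl_fsmo.c: fsmo_role_dn must carry a GUID component or this call now errors out where ldb_dn_compare() previously worked.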
diff --git a/source4/dsdb/samdb/ldb_modules/ridalloc.c b/source4/dsdb/samdb/ldb_modules/ridalloc.c
index 915248c..d0266ed 100644
--- a/source4/dsdb/samdb/ldb_modules/ridalloc.c
+++ b/source4/dsdb/samdb/ldb_modules/ridalloc.c
@@ -388,6 +388,8 @@ static int ridalloc_create_own_rid_set(struct ldb_module *module, TALLOC_CTX *me
 	struct ldb_dn *rid_manager_dn, *fsmo_role_dn;
 	int ret;
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	struct GUID fsmo_role_guid, *our_ntds_guid;
+	NTSTATUS status;
 
 	/* work out who is the RID Manager */
 	ret = dsdb_module_rid_manager_dn(module, tmp_ctx, &rid_manager_dn, parent);
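Review bot: `+	struct GUID fsmo_role_guid, *our_ntds_guid;` declares our_ntds_guid as a non-const pointer, but samdb_ntds_objectGUID() returns `const struct GUID *` (compare the declaration in the util.c hunk of this same series), so the assignment in the next hunk discards a const qualifier and will draw a warning. Declare it as `const struct GUID *our_ntds_guid;`.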
@@ -407,7 +409,19 @@ static int ridalloc_create_own_rid_set(struct ldb_module *module, TALLOC_CTX *me
 		return ret;
 	}
 
-	if (ldb_dn_compare(samdb_ntds_settings_dn(ldb, tmp_ctx), fsmo_role_dn) != 0) {
+	status = dsdb_get_extended_dn_guid(fsmo_role_dn, &fsmo_role_guid, "GUID");
+	if (!NT_STATUS_IS_OK(status)) {
+		talloc_free(tmp_ctx);
+		return ldb_operr(ldb_module_get_ctx(module));
+	}
+
+	our_ntds_guid = samdb_ntds_objectGUID(ldb_module_get_ctx(module));
+	if (!our_ntds_guid) {
+		talloc_free(tmp_ctx);
+		return ldb_operr(ldb_module_get_ctx(module));
+	}
+
+	if (!GUID_equal(&fsmo_role_guid, our_ntds_guid)) {
 		ridalloc_poke_rid_manager(module);
 		ldb_asprintf_errstring(ldb, "Remote RID Set allocation needs refresh");
 		talloc_free(tmp_ctx);
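Review bot: this open-codes exactly what samdb_dn_is_our_ntdsa() does (extract the GUID from the DN, fetch our NTDS GUID, GUID_equal), while ridalloc_new_own_pool() in the next hunk of this same file calls the helper; using the helper here too keeps the two RID-manager checks in sync and gives a consistent error string on failure. The `ldb` local declared a few lines up already holds ldb_module_get_ctx(module), so the repeated ldb_module_get_ctx() calls in the new lines can use it.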
@@ -429,6 +443,7 @@ static int ridalloc_new_own_pool(struct ldb_module *module, uint64_t *new_pool,
 	struct ldb_dn *rid_manager_dn, *fsmo_role_dn;
 	int ret;
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	bool is_us;
 
 	/* work out who is the RID Manager */
 	ret = dsdb_module_rid_manager_dn(module, tmp_ctx, &rid_manager_dn, parent);
@@ -448,7 +463,15 @@ static int ridalloc_new_own_pool(struct ldb_module *module, uint64_t *new_pool,
 		return ret;
 	}
 
-	if (ldb_dn_compare(samdb_ntds_settings_dn(ldb, tmp_ctx), fsmo_role_dn) != 0) {
+	ret = samdb_dn_is_our_ntdsa(ldb, fsmo_role_dn, &is_us);
+	if (ret != LDB_SUCCESS) {
+		ldb_asprintf_errstring(ldb, "Failed to confirm if our ntdsDsa is %s: %s",
+				       ldb_dn_get_linearized(fsmo_role_dn), ldb_errstring(ldb));
+		talloc_free(tmp_ctx);
+		return ret;
+	}
+	
+	if (!is_us) {
 		ridalloc_poke_rid_manager(module);
 		ldb_asprintf_errstring(ldb, "Remote RID Set allocation needs refresh");
 		talloc_free(tmp_ctx);
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 9ae5b20..0668d1a 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -183,7 +183,7 @@ static int dsdb_module_we_are_master(struct ldb_module *module, struct ldb_dn *d
 	struct ldb_dn *owner_dn;
 
 	ret = dsdb_module_search_dn(module, tmp_ctx, &res,
-				    dn, attrs, DSDB_FLAG_NEXT_MODULE, parent);
+				    dn, attrs, DSDB_FLAG_NEXT_MODULE|DSDB_SEARCH_SHOW_EXTENDED_DN, parent);
 	if (ret != LDB_SUCCESS) {
 		talloc_free(tmp_ctx);
 		return ret;
@@ -197,7 +197,14 @@ static int dsdb_module_we_are_master(struct ldb_module *module, struct ldb_dn *d
 		return LDB_SUCCESS;
 	}
 
-	*master = (ldb_dn_compare(owner_dn, samdb_ntds_settings_dn(ldb_module_get_ctx(module), tmp_ctx)) == 0);
+	ret = samdb_dn_is_our_ntdsa(ldb_module_get_ctx(module), dn, master);
+	if (ret != LDB_SUCCESS) {
+		ldb_asprintf_errstring(ldb_module_get_ctx(module), "Failed to confirm if our ntdsDsa is %s: %s",
+				       ldb_dn_get_linearized(owner_dn), ldb_errstring(ldb_module_get_ctx(module)));
+		talloc_free(tmp_ctx);
+		return ret;
+	}
+	
 	talloc_free(tmp_ctx);
 	return LDB_SUCCESS;
 }
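Review bot: logic error: the removed line compared owner_dn (the fSMORoleOwner value read from `dn`) against our NTDS settings DN, but the replacement `+	ret = samdb_dn_is_our_ntdsa(ldb_module_get_ctx(module), dn, master);` passes `dn`, the object whose role owner is being looked up, not owner_dn. The error string on the following lines even reports owner_dn, so the intent is clearly to pass owner_dn. As written, *master answers "is this object our ntdsDsa" instead of "do we own this role", and since `dn` is the caller's input it may well lack a GUID component, making the call fail outright. Trailing whitespace on the `+	` line.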
diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c
index 28bb5a1..3e4c7f8 100644
--- a/source4/libnet/libnet_become_dc.c
+++ b/source4/libnet/libnet_become_dc.c
@@ -1047,11 +1047,17 @@ static NTSTATUS becomeDC_ldap1_infrastructure_fsmo(struct libnet_BecomeDC_state
 				DS_GUID_INFRASTRUCTURE_CONTAINER,
 				&basedn);
 	if (ret != LDB_SUCCESS) {
+		DEBUG(0,("Failed to get well known DN for DS_GUID_INFRASTRUCTURE_CONTAINER on %s: %s\n", 
+			 ldb_dn_get_linearized(ldb_get_default_basedn(s->ldap1.ldb)), 
+			 ldb_errstring(s->ldap1.ldb)));
 		return NT_STATUS_LDAP(ret);
 	}
 
 	ret = samdb_reference_dn(s->ldap1.ldb, s, basedn, "fSMORoleOwner", &ntds_dn);
 	if (ret != LDB_SUCCESS) {
+		DEBUG(0,("Failed to get reference DN from fsmoRoleOwner on %s: %s\n", 
+			 ldb_dn_get_linearized(basedn), 
+			 ldb_errstring(s->ldap1.ldb)));
 		talloc_free(basedn);
 		return NT_STATUS_LDAP(ret);
 	}
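Review bot: the second new message names the attribute "fsmoRoleOwner" while the samdb_reference_dn() call on the line above it uses "fSMORoleOwner"; keeping the log text identical to the attribute makes the two easy to match when reading logs. Several of the added DEBUG lines end with trailing whitespace after the comma.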
@@ -1068,6 +1074,9 @@ static NTSTATUS becomeDC_ldap1_infrastructure_fsmo(struct libnet_BecomeDC_state
 	ret = ldb_search(s->ldap1.ldb, s, &r, server_dn, LDB_SCOPE_BASE,
 			 dns_attrs, "(objectClass=*)");
 	if (ret != LDB_SUCCESS) {
+		DEBUG(0,("Failed to get server DN %s: %s\n", 
+			 ldb_dn_get_linearized(server_dn), 
+			 ldb_errstring(s->ldap1.ldb)));
 		return NT_STATUS_LDAP(ret);
 	} else if (r->count != 1) {
 		talloc_free(r);
@@ -1080,9 +1089,13 @@ static NTSTATUS becomeDC_ldap1_infrastructure_fsmo(struct libnet_BecomeDC_state
 
 	talloc_free(r);
 
+	ldb_dn_remove_extended_components(ntds_dn);
 	ret = ldb_search(s->ldap1.ldb, s, &r, ntds_dn, LDB_SCOPE_BASE,
 			 guid_attrs, "(objectClass=*)");
 	if (ret != LDB_SUCCESS) {
+		DEBUG(0,("Failed to get NTDS Settings DN %s: %s\n", 
+			 ldb_dn_get_linearized(ntds_dn), 
+			 ldb_errstring(s->ldap1.ldb)));
 		return NT_STATUS_LDAP(ret);
 	} else if (r->count != 1) {
 		talloc_free(r);
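Review bot: ldb_dn_remove_extended_components(ntds_dn) mutates the DN in place, so anything after this point that wanted the GUID from ntds_dn no longer has it. The extended components come from the samdb_reference_dn() call earlier in this function; stripping them immediately after that call (or copying the DN before stripping) would make the remote-safe form the only one in circulation here rather than relying on statement ordering.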
diff --git a/source4/ntp_signd/ntp_signd.c b/source4/ntp_signd/ntp_signd.c
index c6d6056..1de9cc3 100644
--- a/source4/ntp_signd/ntp_signd.c
+++ b/source4/ntp_signd/ntp_signd.c
@@ -180,8 +180,12 @@ static NTSTATUS ntp_signd_process(struct ntp_signd_connection *ntp_signd_conn,
 	}
 
 	if (res->count == 0) {
-		DEBUG(5, ("Failed to find SID %s in SAM for NTP signing\n",
+		DEBUG(2, ("Failed to find SID %s in SAM for NTP signing\n",
 			  dom_sid_string(mem_ctx, sid)));
+		return signing_failure(ntp_signd_conn,
+				       mem_ctx,
+				       output,
+				       sign_request.packet_id);
 	} else if (res->count != 1) {
 		DEBUG(1, ("Found SID %s %u times in SAM for NTP signing\n",
 			  dom_sid_string(mem_ctx, sid), res->count));
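Review bot: the level change from DEBUG(5) to DEBUG(2) means every signing request naming a SID that is absent from the SAM is now logged at a level many deployments run at, so a client cycling through key identifiers can generate noticeable log volume; level 2 is a reasonable place for an operator to see this, but it is worth keeping in mind when tuning log levels on a DC. The early return via signing_failure() on `res->count == 0` is the actual SEGV fix (the old code fell through to a result with no messages) and is the right response.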
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 22ff614..c366eed 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -684,12 +684,12 @@ static WERROR getncchanges_rid_alloc(struct drsuapi_bind_state *b_state,
 				     struct drsuapi_DsGetNCChangesRequest10 *req10,
 				     struct drsuapi_DsGetNCChangesCtr6 *ctr6)
 {
-	struct ldb_dn *rid_manager_dn, *fsmo_role_dn, *req_dn;
+	struct ldb_dn *rid_manager_dn, *req_dn;
 	int ret;
 	struct ldb_context *ldb = b_state->sam_ctx;
 	struct ldb_result *ext_res;
-	struct ldb_dn *base_dn;
 	struct dsdb_fsmo_extended_op *exop;
+	bool is_us;
 
 	/*
 	  steps:
@@ -715,15 +715,14 @@ static WERROR getncchanges_rid_alloc(struct drsuapi_bind_state *b_state,
 	}
 
 	/* find the DN of the RID Manager */
-	ret = samdb_reference_dn(ldb, mem_ctx, rid_manager_dn, "fSMORoleOwner", &fsmo_role_dn);
+	ret = samdb_reference_dn_is_our_ntdsa(ldb, rid_manager_dn, "fSMORoleOwner", &is_us);
 	if (ret != LDB_SUCCESS) {
-		DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in RID Manager object - %s\n",
-			 ldb_errstring(ldb)));
+		DEBUG(0,("Failed to find fSMORoleOwner in RID Manager object\n"));
 		ctr6->extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER;
 		return WERR_DS_DRA_INTERNAL_ERROR;
 	}
 
-	if (ldb_dn_compare(samdb_ntds_settings_dn(ldb, mem_ctx), fsmo_role_dn) != 0) {
+	if (!is_us) {
 		/* we're not the RID Manager - go away */
 		DEBUG(0,(__location__ ": RID Alloc request when not RID Manager\n"));
 		ctr6->extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER;
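Review bot: the replacement `+		DEBUG(0,("Failed to find fSMORoleOwner in RID Manager object\n"));` drops both __location__ and ldb_errstring(ldb) that the removed lines carried; the helper logs its own DEBUG(0) with the errstring, so the detail is not entirely lost, but keeping __location__ here tells the reader which caller failed.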
@@ -769,8 +768,6 @@ static WERROR getncchanges_rid_alloc(struct drsuapi_bind_state *b_state,
 
 	talloc_free(ext_res);
 
-	base_dn = ldb_get_default_basedn(ldb);
-
 	DEBUG(2,("Allocated RID pool for server %s\n",
 		 GUID_string(mem_ctx, &req10->destination_dsa_guid)));
 
@@ -1034,11 +1031,12 @@ static WERROR getncchanges_change_master(struct drsuapi_bind_state *b_state,
 					 struct drsuapi_DsGetNCChangesRequest10 *req10,
 					 struct drsuapi_DsGetNCChangesCtr6 *ctr6)
 {
-	struct ldb_dn *fsmo_role_dn, *req_dn, *ntds_dn;
+	struct ldb_dn *req_dn, *ntds_dn;
 	int ret;
 	unsigned int i;
 	struct ldb_context *ldb = b_state->sam_ctx;
 	struct ldb_message *msg;
+	bool is_us;
 
 	/*
 	  steps:
@@ -1056,17 +1054,17 @@ static WERROR getncchanges_change_master(struct drsuapi_bind_state *b_state,
 	}
 
 	/* retrieve the current role owner */
-	ret = samdb_reference_dn(ldb, mem_ctx, req_dn, "fSMORoleOwner", &fsmo_role_dn);
+	/* find the DN of the RID Manager */
+	ret = samdb_reference_dn_is_our_ntdsa(ldb, req_dn, "fSMORoleOwner", &is_us);
 	if (ret != LDB_SUCCESS) {
-		DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in context - %s\n",
-			 ldb_errstring(ldb)));
+		DEBUG(0,("Failed to find fSMORoleOwner in RID Manager object\n"));
 		ctr6->extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER;
 		return WERR_DS_DRA_INTERNAL_ERROR;
 	}
 
-	if (ldb_dn_compare(samdb_ntds_settings_dn(ldb, mem_ctx), fsmo_role_dn) != 0) {
-		/* we're not the current owner - go away */
-		DEBUG(0,(__location__ ": FSMO transfer request when not owner\n"));
+	if (!is_us) {
+		/* we're not the RID Manager - go away */
+		DEBUG(0,(__location__ ": RID Alloc request when not RID Manager\n"));
 		ctr6->extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER;
 		return WERR_OK;
 	}
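Review bot: the new comments and messages in getncchanges_change_master() look copy-pasted from getncchanges_rid_alloc(): "find the DN of the RID Manager", "Failed to find fSMORoleOwner in RID Manager object", "we're not the RID Manager - go away" and "RID Alloc request when not RID Manager" are wrong for this function, which handles FSMO role transfer for whichever role req_dn names, and the removed lines had the correct wording ("retrieve the current role owner", "FSMO transfer request when not owner"). Misleading text here matters because an operator investigating a rejected role transfer will be searching the logs for the wrong event. Restore the original wording; the duplicated comment line can go as well.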


-- 
Samba Shared Repository

