Restrictions on invocationID?

Stefan (metze) Metzmacher metze at
Sun Apr 29 12:24:34 GMT 2007

Andrew Bartlett wrote:
> Metze:
> I'm trying to implement the cn=configuration container against LDAP.
> Currently, it doesn't work because we fix the invocationID *and*
> objectGUID of the cn=NTDS Settings,cn=$COMPUTER... record to be a
> 'fixed' random value (ie, not generated by the LDAP backend).
> OpenLDAP objects to us setting its entryUUID values.  My question is:
> does the invocationID need to match the objectGUID on that entry?

Hi Andrew,

In the "load schema by default" patch I changed our way to handle this.

So the objectGUID will always be generated by the backend, and we don't
need a special rule for it. And the invocationId will be set by the
caller as it is currently.

Normally the first objectGUID and invocationId match on the first
installed DC in a forest. On all other DCs they don't match,
because the new DC chooses its invocationID before the NTDS Settings
object is created via DsAddEntry() on the other DC; the reply of
DsAddEntry() then returns the objectGUID of the object.

So we should just remove all objectGUID: elements from our ldif files.
Windows also doesn't allow a caller to specify the objectGUID and our
repl_meta_data module also rejects it.
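
As an added example (not part of the original message or of Samba's code), here is one way to apply the suggestion above to provisioning LDIF: drop every objectGUID line, including folded and base64 (`::`) forms, while leaving invocationId untouched. The function names, sample DNs and GUID values are constructed for illustration.

```python
import re

# Attribute the directory backend must generate itself (assumption: matched
# case-insensitively, as LDAP attribute names are).
BACKEND_OWNED = "objectguid"

# Constructed sample input; the DNs and GUID values are placeholders.
SAMPLE = """\
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: nTDSDSA
invocationId: 11111111-2222-3333-4444-555555555555
objectGUID: 11111111-2222-3333-4444-555555555555

dn: CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: sitesContainer
"""

def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    return re.sub(r"\r?\n ", "", ldif_text)

def strip_object_guid(ldif_text):
    """Return (cleaned_ldif, list_of_DNs_that_tried_to_set_objectGUID)."""
    cleaned, offenders = [], []
    for record in re.split(r"\n\s*\n", unfold(ldif_text).strip()):
        dn, kept = None, []
        for line in record.splitlines():
            # "attr: value" or "attr:: base64"; ignore options like ";binary"
            name = line.split(":", 1)[0].split(";", 1)[0].strip().lower()
            if name == "dn":
                dn = line.split(":", 1)[1].lstrip(": ").strip()
            if name == BACKEND_OWNED:
                offenders.append(dn)   # record which entry carried it
                continue               # drop the line; backend assigns the GUID
            kept.append(line)
        cleaned.append("\n".join(kept))
    return "\n\n".join(cleaned) + "\n", offenders

if __name__ == "__main__":
    text, bad = strip_object_guid(SAMPLE)
    for dn in bad:
        print("removed objectGUID from:", dn)
    print(text, end="")
```

Long lines in the cleaned output are written unfolded, which LDIF parsers accept.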

