[PATCH] s4-drs: replmd_delete implementation

Eduardo Lima eduardoll at gmail.com
Fri Nov 27 14:10:26 MST 2009

Hi Tridge,

Thanks, now it's working. I was not using ldb_modify(ldb, msg) to call the
modify procedure. I think that was the problem.

Only element sAMAccountType fails when I try to remove it. Here is the piece
of code in samldb.c that fails when I try to remove sAMAccountType:

if (ldb_msg_find_element(req->op.mod.message, "sAMAccountType") != NULL) {
        ldb_asprintf_errstring(ldb, "sAMAccountType must not be specified!");
        return LDB_ERR_UNWILLING_TO_PERFORM;
}

It will fail whenever sAMAccountType is specified in the message to be
modified. Just for testing purposes, I modified the code above to not fail
when el->flags == LDB_FLAG_MOD_DELETE:

el = ldb_msg_find_element(req->op.mod.message, "sAMAccountType");
if ((el != NULL) && (el->flags != LDB_FLAG_MOD_DELETE)) {
        ldb_asprintf_errstring(ldb, "sAMAccountType must not be specified!");
        return LDB_ERR_UNWILLING_TO_PERFORM;
}

It solved the deletion problem and removed sAMAccountType from the deleted
object, but I don't know if I can do this change in the code. I still have
to do more tests, but it would be nice to have your opinion about how I can
test it or to propose another way to fix the sAMAccountType issue.

My git tree is updated to these latest changes: git://

Regarding the delete test on Windows 2008, I could not find out an easy way
to insert a new object into the CN=Schema,CN=Configuration,DC=x partition.
Using ADSI Edit and LDP, I could create and see the object successfully, but
it is not displayed when I do:

bin/ldbsearch -H ldap://w2k8 -Uadministrator%password --controls \
    show_deleted:1,search_options:1:2 --show-binary

Is there any other control I have to use to show the created object?

Another application that I used was Active Directory Schema. When I try to
create an object in the Schema partition it shows the following warning:
*"Creating schema objects is a permanent operation. While these objects may
be disabled to prevent their usage, they can not be deleted and will become
a permanent part of your enterprise installation".*

Perhaps this is the reason I can not delete the objects I've created. Even
using the Administrator account the delete operation fails. The reason for
the failure is "Access is denied (INSUFF_ACCESS_RIGHTS)".

I can see the Deleted Objects container that is in the Schema partition, but
I still don't know what it is used for. I'm trying to find the answer by
reading some documentation, but I still haven't had success.

Another thing I noticed is that all the deleted objects in
CN=Deleted Objects,CN=Configuration,DC=x have lastKnownParent:


When browsing my DC using LDP I also noticed that it shows a wellKnownObjects
list that has the deleted container:


Does Samba have this wellKnownObjects? If so, should I create an entry in
Samba's wellKnownObjects list?


Eduardo Lima

On Wed, Nov 25, 2009 at 01:58, <tridge at samba.org> wrote:

> Hi Eduardo,
>
>  > ret = ldb_msg_add_empty(msg, "badPwdCount", LDB_FLAG_MOD_DELETE, &el);
>
> that looks fine, I suspect you have something else wrong in the
> surrounding code. You didn't attach a patch so I can't tell you what
> is wrong.
>
> I've written a simple example for you to look at though. Have a
> careful look at this example function:
>
> static int change_example(struct ldb_context *ldb)
> {
>        TALLOC_CTX *tmp_ctx = talloc_new(ldb);
>        struct ldb_message *msg;
>        struct ldb_message_element *el;
>        int ret;
>
>        /* create a message which describes what we want to change
>           about the object */
>        msg = ldb_msg_new(tmp_ctx);
>
>        /* we need to say which object we want to change */
>        msg->dn = ldb_dn_new(msg, ldb,
>                             "CN=foouser,CN=Users,DC=bludom,DC=tridgell,DC=net");
>
>        /* let's remove badPwdCount */
>        ldb_msg_add_empty(msg, "badPwdCount", LDB_FLAG_MOD_DELETE, &el);
>
>        /* let's add isDeleted=TRUE */
>        ldb_msg_add_string(msg, "isDeleted", "TRUE");
>        msg->elements[1].flags = LDB_FLAG_MOD_ADD;
>
>        /* and let's change badPasswordTime to 1234 (for no good reason!) */
>        ldb_msg_add_fmt(msg, "badPasswordTime", "%u", 1234);
>        msg->elements[2].flags = LDB_FLAG_MOD_REPLACE;
>
>        /* for completeness, let's print the message. This is good for
>           debugging */
>        printf("We are changing:\n%s\n",
>               ldb_ldif_message_string(ldb, tmp_ctx,
>                                       LDB_CHANGETYPE_MODIFY,
>                                       msg));
>
>        /* now ask ldb to actually make the modification */
>        ret = ldb_modify(ldb, msg);
>        printf("modify gave: %d - '%s'\n", ret, ldb_errstring(ldb));
>
>        talloc_free(tmp_ctx);
>        return ret;
> }
>
> the above code does all of the things you are trying to do I think. It
> adds a new attribute (isDeleted). It removes an attribute
> (badPwdCount) and it modifies an attribute (badPasswordTime).
>
> You might like to use the ldb_ldif_message_string() function I show
> above in your code to help you with debugging. It allows you to print
> out what you are asking ldb_modify() to change about the object. For
> example, when I run the above example I get this:
>
>  We are changing:
>  dn: CN=foouser,CN=Users,DC=bludom,DC=tridgell,DC=net
>  changetype: modify
>  delete: badPwdCount
>  -
>  add: isDeleted
>  isDeleted: TRUE
>  -
>  replace: badPasswordTime
>  badPasswordTime: 1234
>  -
>  modify gave: 0 - '(null)'
>
> so the code is printing out the changes that are being requested in
> ldif format. That format is what the ldbmodify command line tool
> accepts.
>
>  > But when I run this code, the field is not deleted and isDeleted and
>  > lastKnownParent are not added to the object. (If I don't use this code,
>  > isDeleted and lastKnownParent are inserted correctly).
>
> make sure you are looking at any errors that ldb gives with
> ldb_errstring(). Also please print the msg using
> ldb_ldif_message_string(). Together that should allow you to isolate
> the problem.
>
> If you are still stuck, then please push what you've done to your
> repository so I can see the code as a whole rather than individual
> lines of code.
>
> Cheers, Tridge
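
An added example, not part of the original message and not Samba's code: ldb_msg_find_element() returns only the first element with a given name, so a guard that permits deleting a protected attribute such as sAMAccountType needs to look at every element carrying that name and compare only the operation bits of its flags. The structs below are stand-ins so the example builds without libldb, and attr_only_deleted() is a hypothetical helper; the flag values are the ones in ldb.h.

```c
#include <stdio.h>
#include <stddef.h>
#include <strings.h>

/* Stand-in definitions so the example builds without libldb. The flag
 * values match ldb.h; the structs keep only the fields used here. */
#define LDB_FLAG_MOD_MASK    0x3
#define LDB_FLAG_MOD_ADD     1
#define LDB_FLAG_MOD_REPLACE 2
#define LDB_FLAG_MOD_DELETE  3

struct ldb_message_element { unsigned int flags; const char *name; };
struct ldb_message {
	unsigned int num_elements;
	struct ldb_message_element *elements;
};

/* Hypothetical helper: returns 1 when every element naming attr is a
 * delete (or attr is absent), 0 when any element adds or replaces it. */
static int attr_only_deleted(const struct ldb_message *msg, const char *attr)
{
	unsigned int i;

	for (i = 0; i < msg->num_elements; i++) {
		const struct ldb_message_element *el = &msg->elements[i];

		/* attribute names are compared case-insensitively */
		if (strcasecmp(el->name, attr) != 0)
			continue;
		/* compare only the operation bits, not the whole flags word */
		if ((el->flags & LDB_FLAG_MOD_MASK) != LDB_FLAG_MOD_DELETE)
			return 0;
	}
	return 1;
}

int main(void)
{
	/* constructed sample: a delete followed by an add of the same attribute */
	struct ldb_message_element els[] = {
		{ LDB_FLAG_MOD_DELETE, "sAMAccountType" },
		{ LDB_FLAG_MOD_ADD,    "samaccounttype" },
	};
	struct ldb_message only_delete = { 1, els };
	struct ldb_message delete_then_add = { 2, els };

	printf("delete only:     %d\n", attr_only_deleted(&only_delete, "sAMAccountType"));
	printf("delete then add: %d\n", attr_only_deleted(&delete_then_add, "sAMAccountType"));
	return 0;
}
```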
