[PATCH] s4-drs: Set default RODC filtered attribute set

Fri Feb 19 06:24:13 MST 2010

Hi Fernando,

> Hi!
> 
>This small patch sets the correct bits on searchflags to make some
> attributes part of the RODC filtered attribute set (I do it on
> MS-AD_Schema_2K8_R2_Attributes.txt and
> MS-AD_Schema_2K8_R2_Classes.txt, so it is set during provision.
> Please, let me know if any of you think it isn't nice ...). This patch
> is also available at my repository in repo.or.cz, at rodc branch.

I think that we are not allowed to modify the schema definition files.
The changes that you have added are supposed to happen as part of the RODC join process. 
I still have to check when and how, but my guess is that this is the moment when the 
"RODC filtered attribute set" is created. I think it's a good first step to investigate this.

> I also wrote a function to make any schema attribute as part of the
> RODC filtered attribute set, but I don't know where exactly in S4 code
> I should put it ... Should I put it in some existing tool (perhaps
> like ldbmodify ...), so it would set an attribute as part of RODC
> filtered set if some specific option is mentioned on command line? Or
> should I create another tool (some kind of "admin tool") and put it
> there? (hoping that more helping functions would also be added to such
> tool on the future  ...).
I couldn't find that function you are talking about in your 'rodc' branch, but 
I agree that this is the right way.
I think that there is no need for separate tool for that op. The command we are using is 'bin/net vampire'.
I added a check when we are doing RODC join, so you can go and try to use the code.

> Another option would be discard such function, then the user should
> add an attribute to the RODC filtered set by setting the flags
> manually through ldbmodify, just like the recomended on microsoft
> documentation: http://technet.microsoft.com/en-
> us/library/cc772331(WS.10).aspx

Keep me posted how it goes, I'll be more than happy to assist you.

Regards,
Anatoliy

> 
>Cheers,
> 
> 
> 
>--
> Fernando J V da Silva
> M Sc Computer Science Student
> Institute of Computing, State University of Campinas
> +55 15 8801-2165
> 
> 
>2010/2/11 Anatoliy Atanasov <anatoliy.atanasov at postpath.com>:
> >Sounds good to me :), I am still working on join as RODC task.
> >
> >>-----Original Message-----
> >>From: fernandojvdasilva at gmail.com [mailto:fernandojvdasilva at gmail.com]
> On
> >>Behalf Of Fernando J V da Silva
> >>Sent: Thursday, February 11, 2010 19:13
> >>To: Anatoliy Atanasov; samba-technical at lists.samba.org
> >>Cc: abartlet at samba.org
> >>Subject: Re: s4-drs: Working on Support RODC
> >>
> >>Hi Anatolyi! Thanks for reply!
> >>
> >>
> >>2010/2/11 Anatoliy Atanasov <anatoliy.atanasov at postpath.com>:
> >> >I just started doing that and I just managed to gather some tasks and
> I
> >>published them on the DRS_TODO list. Currently I am working on joining
> >>Samba as RODC using the libnet_Become_dc code; I saw that I can't do it
> by
> >>just modifying the ./setup/provision script :). So there is a lot that
> you
> >>can do, just pick one and give it a try and tell me how it goes :) The
> >>credential caching is Andrew Bartlett field of expertise so you might
> want
> >>to safe that for him.
> >>
> >>Ok! So I think I'm going to try the "Support for the RODC filtered
> >>attribute set" task (if you haven't worked on it while working on
> >>joining Samba as RODC ...).
> >>
> >>I'm trying to write a function to add an attribute to the set of RODC
> >>filtered ones (I suppose that perhaps it could be called by some kind
> >>of "admin tool" (or even ldbadd, ldbmodify or ldbedit ... ) to avoid
> >>the direct modify on the attribute schema, like described at
> >>http://technet.microsoft.com/en-us/library/cc772331(WS.10).aspx and
> >>also could be called by any function that wants to add an attribute to
> >>the set of RODC filtered ... ). Do you think that it would be ok?
> >>
> >>Regards,
> >>
> >>--
> >> Fernando J V da Silva
> >>M Sc Computer Science Student
> >>Institute of Computing, State University of Campinas
> >>+55 15 8801-2165
> >