Endi's Bug 7530 patches (LDAP backend)

Andrew Bartlett abartlet at samba.org
Mon Jun 28 16:30:23 MDT 2010


On Mon, 2010-06-28 at 12:47 -0500, Matthias Dieter Wallnöfer wrote:
> The branch, master has been updated
>        via  7cb98a0... s4/spnupdate: Fixed spnupdate to use secrets credentials when accessing SamDB.
>        via  5bee3ef... s4/libcli: Register LDB_CONTROL_REVEAL_INTERNALS and DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID controls.
>        via  ed4c107... s4/dsdb: Fixed partition_search() not to pass special DN's to LDAP backend.
>        via  fa9557f... s4/auth: Fixed authsam_expand_nested_groups() to find entry SID if not available in the DN.
>       from  ba0ba4e... s3: Make some routines static in smbldap
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> 
> 
> - Log -----------------------------------------------------------------
> commit 7cb98a0cdcef27f591357ec63633b50fd9dce29f
> Author: Endi S. Dewata <edewata at redhat.com>
> Date:   Mon Jun 28 11:13:03 2010 -0500
> 
>     s4/spnupdate: Fixed spnupdate to use secrets credentials when accessing SamDB.
>     
>     Signed-off-by: Matthias Dieter Wallnöfer <mdw at samba.org>

This looks OK, but I think we need a utility function to handle this. 

> commit 5bee3efacac76fdf8753a7c7cb2845bf6058d088
> Author: Endi S. Dewata <edewata at redhat.com>
> Date:   Mon Jun 28 11:18:16 2010 -0500
> 
>     s4/libcli: Register LDB_CONTROL_REVEAL_INTERNALS and DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID controls.
>     
>     Signed-off-by: Matthias Dieter Wallnöfer <mdw at samba.org>

I guess this is OK, but we need to find a better solution in the long
term.  The catch-up here is getting silly. 

> commit ed4c107bc1eac8531fdd8d09f7698efcbc7ecb14
> Author: Endi S. Dewata <edewata at redhat.com>
> Date:   Mon Jun 28 10:54:37 2010 -0500
> 
>     s4/dsdb: Fixed partition_search() not to pass special DN's to LDAP backend.
>     
>     Signed-off-by: Matthias Dieter Wallnöfer <mdw at samba.org>
> 
> commit fa9557fee3ca546878d99b77f1ff37f724c37024
> Author: Endi S. Dewata <edewata at redhat.com>
> Date:   Mon Jun 28 10:45:04 2010 -0500
> 
>     s4/auth: Fixed authsam_expand_nested_groups() to find entry SID if not available in the DN.
>     
>     Signed-off-by: Matthias Dieter Wallnöfer <mdw at samba.org>

I'm sorry, but both these patches are totally wrong.  Endi's patches are
usually very good, but these are based on incorrect starting
assumptions. 

The partitions patch will, as I read it, totally break replication, as
it will remove the search for @REPLCHANGED from being propagated down to
each backend database. (so we know if a particular database needs
replication)

The expand_nested_groups patch will work, but I do not wish us to take
this approach.  The LDAP backend needs to provide, one way or another,
this information - if we start to have fallbacks in the code, we will
duplicate the whole extended DN infrastructure in each caller.  The
OpenLDAP backend provides this by a server-side module, and either
Fedora DS must do the same, or fake it up in a Samba module at the
bottom of the stack. 

I was about to make these comments on the bug itself, but you were just
a little too efficient in pushing the patches. :-)

I'm sorry to have to ask, particularly as you have now further refined
it, but can you please revert?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.