s4-rodc: Fix provision warnings by creating ntds objectGUID in provision

Andrew Bartlett abartlet at samba.org
Mon May 10 16:03:02 MDT 2010


On Mon, 2010-05-10 at 09:26 -0500, Anatoliy Atanasov wrote:
> The branch, master has been updated
>        via  658dac9... v2 Latest enhancements in ldapcmp tool
>        via  c3cbb84... s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
>       from  8373606... s3-rpcclient: fix two more invalid typecasts in spoolss commands.
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> 

> commit c3cbb846d0bfbaa11fd255bada7fa5fe502d4d96
> Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
> Date:   Mon May 10 13:52:27 2010 +0300
> 
>     s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
> 
> -----------------------------------------------------------------------
> 
> Summary of changes:
>  source4/dsdb/pydsdb.c                       |   23 ++
>  source4/scripting/devel/ldapcmp             |  402 +++++++++++++++++----------
>  source4/scripting/python/samba/provision.py |    6 +-
>  source4/scripting/python/samba/samdb.py     |    4 +
>  4 files changed, 294 insertions(+), 141 deletions(-)
> 

Anatoliy,

This patch is incorrect, and dangerous.

As far as I can see from the full patch, you set a GUID into the opaque,
but never actually make any effort to actually make it match the GUID
that will be stored in LDB.

If the ultimate question that is causing this warning is 'am I an RODC',
then set an opaque for that.  If it is some other question, then make a
cache for that other question.  But you can't set an opaque value
caching an objectGUID unless you also make efforts to ensure that
objectGUID is what is actually used.  However, given that we can't
easily set an objectGUID on LDAP backends, I've generally preferred to
avoid this practice.

The invocationID is different, because we can choose that value freely. 

Perhaps I'm reading this wrong, but please clarify, fix or revert.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
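The objection above, as an added illustration that is not part of the thread and not Samba's code: a small stand-in for an ldb-backed SAM database (assumed behaviour: the backend assigns objectGUID itself on add, as an LDAP backend would, but keeps a caller-supplied invocationId as given) shows why an opaque holding a guessed objectGUID silently drifts from the stored value, while caching the value read back after the add, caching the answer to the real question ("am I an RODC"), or caching a client-chosen invocationID stays consistent. The class, function and opaque names and the DN are all constructed for this example.

```python
import uuid


class FakeLdb:
    """Minimal stand-in for an ldb/LDAP-backed SAM database.

    Constructed for this example; it is not Samba's ldb. It mimics the
    property the thread turns on: the backend assigns objectGUID itself
    on add and ignores any objectGUID the caller supplies, whereas an
    invocationId supplied by the caller is stored as given.
    """

    def __init__(self):
        self.records = {}   # dn -> attribute dict
        self.opaques = {}   # name -> cached value (plays the role of ldb opaques)

    def add(self, dn, attrs):
        rec = dict(attrs)
        rec["objectGUID"] = uuid.uuid4()   # backend-chosen; caller cannot pick it
        self.records[dn] = rec
        return rec["objectGUID"]

    def search_one(self, dn):
        return self.records[dn]

    def set_opaque(self, name, value):
        self.opaques[name] = value

    def get_opaque(self, name):
        return self.opaques.get(name)


# Constructed DN, not taken from any real provision run.
NTDS_DN = ("CN=NTDS Settings,CN=EXAMPLE-DC,CN=Servers,CN=Default-First-Site-Name,"
           "CN=Sites,CN=Configuration,DC=example,DC=test")


def provision_cache_guessed_guid(db):
    """The pattern the review objects to: pick a GUID, stash it in an opaque,
    add the object, and never reconcile the opaque with what was stored."""
    guessed = uuid.uuid4()
    db.set_opaque("ntds_objectGUID", guessed)
    db.add(NTDS_DN, {"objectClass": ["top", "nTDSDSA"], "objectGUID": guessed})
    return guessed


def provision_cache_stored_guid(db):
    """Add first, then read back the objectGUID the backend actually stored
    and cache that value."""
    db.add(NTDS_DN, {"objectClass": ["top", "nTDSDSA"]})
    stored = db.search_one(NTDS_DN)["objectGUID"]
    db.set_opaque("ntds_objectGUID", stored)
    return stored


def provision_cache_rodc_answer(db, is_rodc):
    """Cache the answer to the actual question ('am I an RODC') rather than a
    value whose authoritative copy lives in the database."""
    db.add(NTDS_DN, {"objectClass": ["top", "nTDSDSA"]})
    db.set_opaque("is_rodc", bool(is_rodc))
    return db.get_opaque("is_rodc")


def provision_cache_invocation_id(db):
    """invocationId is chosen by the client and stored as given, so caching
    the value we chose cannot drift from the database."""
    chosen = uuid.uuid4()
    db.add(NTDS_DN, {"objectClass": ["top", "nTDSDSA"], "invocationId": chosen})
    db.set_opaque("invocationId", chosen)
    return chosen


def guid_cache_consistent(db):
    """True only if the cached objectGUID matches the one actually stored."""
    return db.get_opaque("ntds_objectGUID") == db.search_one(NTDS_DN)["objectGUID"]


def invocation_cache_consistent(db):
    """True only if the cached invocationId matches the one actually stored."""
    return db.get_opaque("invocationId") == db.search_one(NTDS_DN)["invocationId"]


if __name__ == "__main__":
    bad = FakeLdb()
    provision_cache_guessed_guid(bad)
    print("guessed GUID cache consistent:", guid_cache_consistent(bad))   # False

    good = FakeLdb()
    provision_cache_stored_guid(good)
    print("stored GUID cache consistent:", guid_cache_consistent(good))   # True
```

The check worth keeping from this is `guid_cache_consistent`: any code that caches a backend-assigned identifier in an opaque should be able to pass such a comparison against the stored record, and if the backend does not let the caller choose the identifier, the cache must be filled from a read-back, not from the value the caller hoped to use.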
