s4-rodc: Fix provision warnings by creating ntds objectGUID in provision

Stefan (metze) Metzmacher metze at samba.org
Tue May 11 02:14:45 MDT 2010 

Anatoliy Atanasov schrieb:
> Hi Andrew,
>>> On Mon, 2010-05-10 at 09:26 -0500, Anatoliy Atanasov wrote:
>>> The branch, master has been updated
>>>        via  658dac9... v2 Latest enhancements in ldapcmp tool
>>>        via  c3cbb84... s4-rodc: Fix provision warnings by creating 
>> ntds objectGUID in provision
>>>       from  8373606... s3-rpcclient: fix two more invalid typecasts 
>> in spoolss commands.
>>> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>>>
>>> commit c3cbb846d0bfbaa11fd255bada7fa5fe502d4d96
>>> Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
>>> Date:   Mon May 10 13:52:27 2010 +0300
>>>
>>>     s4-rodc: Fix provision warnings by creating ntds objectGUID in 
>> provision
>>>
>> -----------------------------------------------------------------------
>>
>>> Summary of changes:
>>>  source4/dsdb/pydsdb.c                       |   23 ++
>>>  source4/scripting/devel/ldapcmp             |  402 
>> +++++++++++++++++----------
>>>  source4/scripting/python/samba/provision.py |    6 +-
>>>  source4/scripting/python/samba/samdb.py     |    4 +
>>>  4 files changed, 294 insertions(+), 141 deletions(-)
>>>
>> Anatoliy,
>>
>> This patch is incorrect, and dangerous.
>>
>> As far as I can see from the full patch, you set a GUID into the 
>> opaque,
>> but never actually make any effort to actually make it match the GUID
>> that will be stored in LDB.
> Right, i misunderstood metze's suggestion to copy samdb.set_invocation_id 
> and do the same with objectGUID
> 
>> If the ultimate question that is causing this warning is 'am I an 
>> RODC',
>> then set an opaque for that.  If it is some other question, then make 
>> a
>> cache for that other question.  But you can't set an opaque value
>> caching an objectGUID unless you also make efforts to ensure that
>> objectGUID is what is actually used.  However, given that we can't
>> easily set an objectGUID on LDAP backends, I've generally preferred to
>> avoid this practice.
> If i understood creating object guid during provision is bad idea, right?
> The thing is that I need it in samdb_rodc, where i switched from using invocationID to objectGUID.
> To answer amIRODC i need the NTDS entry for our server from the db and read the msDS-isRODC attribute, which is constructed btw.
> Are there other options to do that, but using objectGUID to get the NTDS settings?

My suggestion was to have a 'samsb.set_is_rodc()' cached value similar
to samdb.set_invocation_id().

This way the provision can preset this value.

metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100511/2341d687/attachment.pgp>

More information about the samba-technical mailing list