s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
Andrew Bartlett
abartlet at samba.org
Tue May 11 02:15:59 MDT 2010
On Tue, 2010-05-11 at 11:04 +0300, Anatoliy Atanasov wrote:
> Hi Andrew,
> > > On Mon, 2010-05-10 at 09:26 -0500, Anatoliy Atanasov wrote:
> > > The branch, master has been updated
> > > via 658dac9... v2 Latest enhancements in ldapcmp tool
> > > via c3cbb84... s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
> > > from 8373606... s3-rpcclient: fix two more invalid typecasts in spoolss commands.
> > >
> > > http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> > >
> >
> > > commit c3cbb846d0bfbaa11fd255bada7fa5fe502d4d96
> > > Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
> > > Date: Mon May 10 13:52:27 2010 +0300
> > >
> > > s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
> > >
> > >
> > -----------------------------------------------------------------------
> >
> > >
> > > Summary of changes:
> > > source4/dsdb/pydsdb.c | 23 ++
> > > source4/scripting/devel/ldapcmp | 402 +++++++++++++++++----------
> > > source4/scripting/python/samba/provision.py | 6 +-
> > > source4/scripting/python/samba/samdb.py | 4 +
> > > 4 files changed, 294 insertions(+), 141 deletions(-)
> > >
> >
> > Anatoliy,
> >
> > This patch is incorrect, and dangerous.
> >
> > As far as I can see from the full patch, you set a GUID into the opaque,
> > but never actually make any effort to actually make it match the GUID
> > that will be stored in LDB.
> Right, I misunderstood metze's suggestion to copy samdb.set_invocation_id
> and do the same with objectGUID
>
> > If the ultimate question that is causing this warning is 'am I an RODC',
> > then set an opaque for that. If it is some other question, then make a
> > cache for that other question. But you can't set an opaque value
> > caching an objectGUID unless you also make efforts to ensure that
> > objectGUID is what is actually used. However, given that we can't
> > easily set an objectGUID on LDAP backends, I've generally preferred to
> > avoid this practice.
> If I understood, creating an object GUID during provision is a bad idea, right?
> The thing is that I need it in samdb_rodc, where I switched from using invocationID to objectGUID.
> To answer amIRODC I need the NTDS entry for our server from the db
This much you can cache the boolean for. That was what we were trying
to suggest :-)
> and read the msDS-isRODC attribute, which is constructed btw.
Is it read during provision? For other servers it won't help -
different objectGUID anyway :-)
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.