s4-rodc: Fix provision warnings by creating ntds objectGUID in provision

Jason Moore jmoore at infoblox.com
Tue May 11 14:33:24 MDT 2010


Hey guys, I am new to Infoblox through the Netcordia acquisition and am somehow on this mailing list. If you could remove me, I would appreciate it. Thanks.

-Jason Moore

-----Original Message-----
From: samba-technical-bounces at lists.samba.org [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of Anatoliy Atanasov
Sent: Tuesday, May 11, 2010 4:28 AM
To: abartlet at samba.org
Cc: samba-technical at lists.samba.org
Subject: Re: s4-rodc: Fix provision warnings by creating ntds objectGUID in provision


----- Original Message -----
> From: Andrew Bartlett <abartlet at samba.org>
> To: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
> Cc: samba-technical at lists.samba.org <samba-technical at lists.samba.org>
> Sent: Tuesday, May 11, 2010 11:09:21 AM (GMT+02:00) Athens, Bucharest, Istanbul
> Subject: Re: s4-rodc: Fix provision warnings by creating ntds objectGUID in provision

> > On Tue, 2010-05-11 at 11:04 +0300, Anatoliy Atanasov wrote:
> > Hi Andrew,
> > > > On Mon, 2010-05-10 at 09:26 -0500, Anatoliy Atanasov wrote:
> > > > The branch, master has been updated
> > > >        via  658dac9... v2 Latest enhancements in ldapcmp tool
> > > >        via  c3cbb84... s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
> > > >       from  8373606... s3-rpcclient: fix two more invalid typecasts in spoolss commands.
> > > > 
> > > > http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> > > > 
> > > 
> > > > commit c3cbb846d0bfbaa11fd255bada7fa5fe502d4d96
> > > > Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
> > > > Date:   Mon May 10 13:52:27 2010 +0300
> > > > 
> > > >     s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
> > > > 
> > > > 
> > > > -----------------------------------------------------------------------
> > > > 
> > > > Summary of changes:
> > > >  source4/dsdb/pydsdb.c                       |   23 ++
> > > >  source4/scripting/devel/ldapcmp             |  402 +++++++++++++++++----------
> > > >  source4/scripting/python/samba/provision.py |    6 +-
> > > >  source4/scripting/python/samba/samdb.py     |    4 +
> > > >  4 files changed, 294 insertions(+), 141 deletions(-)
> > > > 
> > > 
> > > Anatoliy,
> > > 
> > > This patch is incorrect, and dangerous.
> > > 
> > > As far as I can see from the full patch, you set a GUID into the opaque,
> > > but never actually make any effort to actually make it match the GUID
> > > that will be stored in LDB.
> > Right, I misunderstood metze's suggestion to copy samdb.set_invocation_id
> > and do the same with objectGUID
> > 
> > > If the ultimate question that is causing this warning is 'am I an RODC',
> > > then set an opaque for that.  If it is some other question, then make a
> > > cache for that other question.  But you can't set an opaque value
> > > caching an objectGUID unless you also make efforts to ensure that
> > > objectGUID is what is actually used.  However, given that we can't
> > > easily set an objectGUID on LDAP backends, I've generally preferred to
> > > avoid this practice.
> > If I understood, creating object guid during provision is a bad idea, right?
> > The thing is that I need it in samdb_rodc, where I switched from using invocationID to objectGUID.
> > To answer amIRODC I need the NTDS entry for our server from the db
> 
> This much you can cache the boolean for.  That was what we were trying
> to suggest :-)
> 
> > and read the msDS-isRODC attribute, which is constructed btw.
> 
> Is it read during provision?  For other servers it won't help -
> different objectGUID anyway :-)

Yeah, I understand now :)
I'll revert and make a new patch for that.

Regards,
Anatoliy

