s4-rodc: Fix provision warnings by creating ntds objectGUID in provision

Anatoliy Atanasov anatoliy.atanasov at postpath.com
Wed May 12 04:44:33 MDT 2010


Hi Metze, 

Thanks for the caching example.
This doesn't solve the print issue that we have. The problem is that samdb_rodc is still called and the objectGUID is still missing from the cache/db, so the print is there.
This is visible in make test/quicktest and the updateprovision script (as was reported in this mail).
We can skip the samdb_rodc check if there is a CONTROL_RELAX set during provision time. But I couldn't find a way to do that atm. Make test provision is difficult to track.
Any pointers on how to add the relax control to make test/quicktest updateprovision are appreciated.
Is it possible to break in samba4 while executing Samba4.pm?
I identified which calls should be guarded, so I attach the patch; the setting for relax:0 should still be added.


Regards,
Anatoliy
----- Original Message -----
> From: Stefan (metze) Metzmacher <metze at samba.org>
> To: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
> Cc: abartlet at samba.org <abartlet at samba.org>, samba-technical at lists.samba.org <samba-technical at lists.samba.org>
> Sent: Tuesday, May 11, 2010 11:08:20 AM (GMT+02:00) Athens, Bucharest, Istanbul
> Subject: Re: s4-rodc: Fix provision warnings by creating ntds objectGUID in provision

> > Anatoliy Atanasov wrote:
> > Hi Andrew,
> >>> On Mon, 2010-05-10 at 09:26 -0500, Anatoliy Atanasov wrote:
> >>> The branch, master has been updated
> >>>        via  658dac9... v2 Latest enhancements in ldapcmp tool
> >>>        via  c3cbb84... s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
> >>>       from  8373606... s3-rpcclient: fix two more invalid typecasts in spoolss commands.
> >>> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> >>>
> >>> commit c3cbb846d0bfbaa11fd255bada7fa5fe502d4d96
> >>> Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
> >>> Date:   Mon May 10 13:52:27 2010 +0300
> >>>
> >>>     s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
> >>>
> >>> -----------------------------------------------------------------------
> >>>
> >>> Summary of changes:
> >>>  source4/dsdb/pydsdb.c                       |   23 ++
> >>>  source4/scripting/devel/ldapcmp             |  402 +++++++++++++++++----------
> >>>  source4/scripting/python/samba/provision.py |    6 +-
> >>>  source4/scripting/python/samba/samdb.py     |    4 +
> >>>  4 files changed, 294 insertions(+), 141 deletions(-)
> >>>
> >> Anatoliy,
> >>
> >> This patch is incorrect, and dangerous.
> >>
> >> As far as I can see from the full patch, you set a GUID into the opaque,
> >> but never actually make any effort to actually make it match the GUID
> >> that will be stored in LDB.
> > Right, I misunderstood metze's suggestion to copy samdb.set_invocation_id
> > and do the same with objectGUID
> > 
> >> If the ultimate question that is causing this warning is 'am I an RODC',
> >> then set an opaque for that.  If it is some other question, then make a
> >> cache for that other question.  But you can't set an opaque value
> >> caching an objectGUID unless you also make efforts to ensure that
> >> objectGUID is what is actually used.  However, given that we can't
> >> easily set an objectGUID on LDAP backends, I've generally preferred to
> >> avoid this practice.
> > If I understood, creating an object GUID during provision is a bad idea, right?
> > The thing is that I need it in samdb_rodc, where I switched from using invocationID to objectGUID.
> > To answer amIRODC I need the NTDS entry for our server from the db and read the msDS-isRODC attribute, which is constructed btw.
> > Are there other options to do that, but using objectGUID to get the NTDS settings?
> 
> My suggestion was to have a 'samdb.set_is_rodc()' cached value similar
> to samdb.set_invocation_id().
> 
> This way the provision can preset this value.
> 
> metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-rodc-Check-for-RELAX-control-before-samdb_rodc-ch.patch
Type: text/x-patch
Size: 2771 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100512/6de013d5/attachment.bin>

