subtree rename constraint checks
Matthieu Patou
mat at samba.org
Mon Apr 25 08:30:27 MDT 2011
Hello Mathias,

I'm asking some questions about the tests related to the subtree_rename.c
module in samdb.

Have you tested the case when
CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld
is renamed but it has a subentry (i.e.
CN=NTDS Settings,CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld)?

After reading MS-ADTS, I still don't have an idea of what is wrong, but
I'm pretty sure that something is wrong, as when I try to move a server
from 1 site to another in Active Directory Sites and Services
(dssite.msc) I have an error, and the error came from the DN moves that
are triggered on the subentries while moving
CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld
to CN=A,CN=Servers,CN=Test,CN=Sites,CN=Configuration,DC=domain,DC=tld.

It's clear that something is wrong, as in ADTS in chapter 7.1.1.2.2.1.2.1
(Server Object) the system flags for it are:
{ FLAG_CONFIG_ALLOW_RENAME | FLAG_CONFIG_ALLOW_LIMITED_MOVE | FLAG_DISALLOW_MOVE_ON_DELETE }

So the (limited) move of CN=A,CN=Servers, ... is authorized. The "NTDS
Settings" entry is an nTDSDSA object, described at 7.1.1.2.2.1.2.1.1, which says
systemFlags: {FLAG_DISALLOW_MOVE_ON_DELETE}, so the way the code is done
we can never move nor rename a server object, as its NTDS subentry does not
allow anything like this.

My assumption is that the checks should be done only on the DN that
triggers the subtree rename and not on the subentries, as they are not
really changed and their DN should be dynamically calculated.

Matthieu.
--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary
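
The two checking strategies discussed in the message above, as an added example (not part of the original message and not code from Samba's subtree_rename.c). The struct, function names and sample subtree are hypothetical; the flag values are those MS-ADTS defines for systemFlags, and the extra container restrictions that apply to a limited move are deliberately not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* systemFlags bits as defined in MS-ADTS. */
#define FLAG_CONFIG_ALLOW_RENAME       0x40000000u
#define FLAG_CONFIG_ALLOW_MOVE         0x20000000u
#define FLAG_CONFIG_ALLOW_LIMITED_MOVE 0x10000000u
#define FLAG_DISALLOW_MOVE_ON_DELETE   0x02000000u

struct entry { const char *rdn; uint32_t system_flags; };

/* Constructed sample: index 0 is the entry named in the move request,
 * the rest are its descendants, with the flags quoted in the message. */
static const struct entry subtree[] = {
    { "CN=A", FLAG_CONFIG_ALLOW_RENAME | FLAG_CONFIG_ALLOW_LIMITED_MOVE |
              FLAG_DISALLOW_MOVE_ON_DELETE },
    { "CN=NTDS Settings", FLAG_DISALLOW_MOVE_ON_DELETE },
};

/* Assumption: either move bit is treated as sufficient; the additional
 * placement rules for a limited move are left out of this model. */
static int move_permitted(uint32_t flags) {
    return (flags & (FLAG_CONFIG_ALLOW_MOVE | FLAG_CONFIG_ALLOW_LIMITED_MOVE)) != 0;
}

/* Strategy 1: every entry in the subtree must itself permit a move.
 * Returns the index of the first entry that refuses, or -1 if none. */
static int first_blocker_all_entries(const struct entry *e, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!move_permitted(e[i].system_flags)) return (int)i;
    return -1;
}

/* Strategy 2: only the entry named in the request is checked. */
static int first_blocker_root_only(const struct entry *e, size_t n) {
    return (n > 0 && !move_permitted(e[0].system_flags)) ? 0 : -1;
}

int main(void) {
    size_t n = sizeof(subtree) / sizeof(subtree[0]);
    int all = first_blocker_all_entries(subtree, n);
    int root = first_blocker_root_only(subtree, n);
    printf("check every entry: %s\n", all < 0 ? "allowed" : subtree[all].rdn);
    printf("check root only:   %s\n", root < 0 ? "allowed" : subtree[root].rdn);
    return 0;
}
```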