subtree rename constraint checks

Matthieu Patou mat at samba.org
Mon Apr 25 14:07:59 MDT 2011 

On 25/04/2011 18:30, Matthieu Patou wrote:
> Hello Mathias,
>
> I'm asking some questions about the tests related to subtree_rename.c 
> module in samdb.
>
> Have you tested the case when 
> CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld 
> is renamed but it has a subentry (ie. CN=NTDS 
> Settings,CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld)
>
> After reading MS-ADTS, I still don't have an idea of what is wrong, 
> but I'm pretty sure that something is wrong as when I try to move a 
> server from 1 site to another in Active Directory Sites and Services 
> (dssite.msc) I have an error and the error came from the DN move that 
> are triggered on the subentries while moving 
> CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld 
> to CN=A,CN=Servers,CN=Test,CN=Sites,CN=Configuration,DC=domain,DC=tld.
>
> It's clear that something is wrong as in ADTS in chapter 
> 7.1.1.2.2.1.2.1 (Server Object) the system flags for it are: { 
> FLAG_CONFIG_ALLOW_RENAME | FLAG_CONFIG_ALLOW_LIMITED_MOVE |
> FLAG_DISALLOW_MOVE_ON_DELETE }
>
> So the (limited) move o CN=A,CN=Servers, ... is authorized. The "NTDS 
> Settings" entry is a nTDSDSA Object described at 7.1.1.2.2.1.2.1.1 
> says systemFlags: {FLAG_DISALLOW_MOVE_ON_DELETE} so the way the code 
> is done we can never move nor rename a server object as its NTDS 
> subentry do not allow anything like this.
>
> My assumption is that the checks should be done only on the DN that 
> trigger the subtree rename and not on the subentry as they are not 
> really changed and DN should be dynamically calculated.
>
What about a patch like this ?
> Matthieu.
>
>
>
>
>


-- 
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dsdb-s4-Enforce-DN-rename-checks-only-on-DN-that-is-.patch
Type: text/x-patch
Size: 1173 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110426/a9d77e3d/attachment.bin>

More information about the samba-technical mailing list