Problem with dsdb_find_nc_root

Nadezhda Ivanova nivanova at samba.org
Fri Jan 14 05:06:57 MST 2011


Hi list,
I found out that the function dsdb_find_nc_root, which is used in a lot of
places to get the current naming context for a dn, behaves incorrectly
during provisioning, when not all of the naming contexts are created. This
issue results in problems with SD inheritance, as the descriptor module was
recently fixed to use it to determine if the currently created object is an
NC and not inherit any ACEs, rather than ldb_get_XXXXXX_dn functions.
What happens is the following:
This function reads the namingContexts from rootDSE, if there aren't any,
constructs a temporary list, which is correct. So at first when we create
the default naming context, everything is fine.
However, when we create Configuration, naming contexts is not empty, so we
do not create a temporary list, and the only entry is the default. As a
result, we get that the root NC for Configuration is the default, and the
root NC for Schema is Configuration, instead of themselves.

In the descriptor.c module I will fix the issue by checking the instanceType
first, but this behavior of dsdb_find_nc_root may cause problems if people
are unaware. I am not sure, however, what is the best way to actually fix
dsdb_find_nc_root.

Any ideas?

Regards,
Nadya
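
The lookup behaviour described in the message above, as an added example (not Samba's code and not from the original post): a simplified model that picks the longest listed naming context containing a DN, run against a partial and a complete namingContexts list, next to an instanceType check. The function names, the plain string suffix matching and the example.com DNs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* instanceType bit marking a naming-context head (0x1 in Active Directory). */
#define NC_HEAD_FLAG 0x00000001u

/* 1 if dn equals base or ends in ",base" (case-insensitive string match;
 * a real implementation compares parsed DN components, not raw strings). */
static int dn_under(const char *dn, const char *base)
{
    size_t dl = strlen(dn), bl = strlen(base);
    if (bl > dl || strcasecmp(dn + (dl - bl), base) != 0)
        return 0;
    return dl == bl || dn[dl - bl - 1] == ',';
}

/* Hypothetical model of the lookup: longest listed NC that contains dn. */
const char *model_find_nc_root(const char *dn, const char *const *ncs, size_t n)
{
    const char *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (dn_under(dn, ncs[i]) && (!best || strlen(ncs[i]) > strlen(best)))
            best = ncs[i];
    return best;
}

/* Hypothetical helper: the object is itself an NC head, so it must not
 * inherit ACEs from its parent, whatever the NC list currently says. */
int is_nc_head(unsigned int instance_type)
{
    return (instance_type & NC_HEAD_FLAG) != 0;
}

int main(void)
{
    /* Constructed DNs; "partial" is the list while only the default NC exists. */
    const char *partial[] = { "DC=example,DC=com" };
    const char *full[] = { "DC=example,DC=com",
                           "CN=Configuration,DC=example,DC=com",
                           "CN=Schema,CN=Configuration,DC=example,DC=com" };
    const char *config = full[1];

    printf("partial list: %s\n", model_find_nc_root(config, partial, 1));
    printf("full list:    %s\n", model_find_nc_root(config, full, 3));
    /* 0x5 is a constructed instanceType value with the NC-head bit set. */
    printf("NC head by instanceType: %d\n", is_nc_head(0x5));
    return 0;
}
```

With the partial list the Configuration DN resolves to the default NC, so a caller that decides on ACE inheritance from that result alone would treat the new NC head as an ordinary child object.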

