descriptor calculation for NC

Nadezhda Ivanova nivanova at
Wed Nov 16 01:08:39 MST 2011

Hi Matthieu,
I agree with Andrew, we should always be checking if there is instanceType.
When I first wrote that code we did not have any Application partitions,
and replication wasn't ready yet either, so that wasn't a use case, but now it
needs to be fixed. Could you please do it? I am trying to get back into
Samba development, but I will not have time to look into this until Sunday,
when I will also be investigating the proper setting of SDs on application
partitions now that we have them.


On Wed, Nov 16, 2011 at 12:34 AM, Andrew Bartlett <abartlet at> wrote:

> On Tue, 2011-11-15 at 23:06 +0100, Matthieu Patou wrote:
> > Hello Nadya and all the SD/NtACLs experts,
> >
> > I'm debugging what's happening when a Windows DC asks Samba to create a
> > new NC for the DNS zone, and logically it's going in the descriptor
> > module for the creation of the SD.
> >
> > I found this code and, at least for my case, it didn't work, or more
> > exactly I think it won't be correct.
> > So I'm wondering if:
> > 1) the comment is still valid as when we replicate it seems that we have
> > the instanceType attribute, the same for the provision and the same when
> > the NC is created after (with DRS_addEntry for instance).
> > 2) if we could introduce a test to check the presence of instanceType
> > and the indicator of NC_HEAD and use it in priority.
>
> This sounds exactly the right way to handle this.  We should generally
> work this out based on instanceType.  The code in descriptor_modify
> looks correct for add (reworked to look at the incoming add, not the
> search).  Perhaps some of it can be factored out into a common routine.
>
> Andrew Bartlett
> --
> Andrew Bartlett                      
> Authentication Developer, Samba Team 

More information about the samba-technical mailing list