[PATCH] samba-tool dbcheck: handle missing objectClass

Andrew Bartlett abartlet at samba.org
Wed Feb 26 20:23:12 MST 2014


On Thu, 2014-02-27 at 14:58 +1300, Andrew Bartlett wrote:
> On Tue, 2014-02-25 at 12:25 +0100, Felix Botner wrote:
> > On Tuesday, 25 February 2014, 10:22:30, Felix Botner wrote:
> > > I am not sure and we cannot reproduce this on a regular basis but it happens
> > > in multiserver environments (after the replication) and all objects lacking
> > > the objectClass have been "\0ADEL:" objects.
> > 
> > Unfortunately, that is not completely true. This also affects normal
> > (non-deleted) objects.
> > 
> > dn: CN=WIN-PC,CN=Computers,DC=abc,DC=ucs
> > instanceType: 4
> > whenChanged: 20140211141300.0Z
> > uSNCreated: 182964
> > uSNChanged: 182964
> > objectGUID: 98c7d79d-bf52-4b4c-b461-51ee0a907593
> > operatingSystem: Windows 7 Professional
> > operatingSystemVersion: 6.1 (7601)
> > operatingSystemServicePack: Service Pack 1
> > msDS-SupportedEncryptionTypes: 28
> > distinguishedName: CN=WIN-PC,CN=Computers,DC=abc,DC=ucs
> 
> This is a very serious issue, and I have been pointed at
> https://bugzilla.samba.org/show_bug.cgi?id=10398 in connection with
> this.  I agree we have no option but to delete these objects given how
> little information remains.
> 
> However, we must ensure this does not happen again - these attributes
> are mandatory, and if we get corrupt objects over DRS, I think we should
> reject the replication.

Attached are two patches.  One fixes our existing dbcheck code to work
when --attrs=cn is specified, and the other implements a test to ensure
that remains the case.  I also attach a fixed version of your patch for
the same issue.

Do you have a test domain that demonstrates this issue, without
confidential data in it?  It would be great to upload such a domain into
our test framework, to ensure we correctly fix it.  (We have some
similar domains already, for example with the zero-guid issue). 

If you are OK with the changed patch, please indicate so (I object to
silently changing a patch under someone else's authorship), and I'll get
a second team reviewer on this and so help it into master! 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dbcheck-Ensure-dbcheck-can-operate-with-attrs-set.patch
Type: text/x-patch
Size: 1587 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140227/9c174a9f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-samba-tool-dbcheck-handle-missing-objectClass.patch
Type: text/x-patch
Size: 3884 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140227/9c174a9f/attachment-0001.bin>
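
Added example, not part of the original message or of the attached patches: a small offline check that scans an LDIF export for records with no objectClass, the condition discussed in this thread, and separates deleted objects ("\0ADEL:" in the DN) from live ones. The function names, the "live"/"deleted" labels and the sample records other than the WIN-PC one are assumptions made for illustration.

```python
import base64

# Constructed sample LDIF: the record quoted in the thread (abridged, one line
# folded), a healthy record, and a made-up deleted object. Not real data.
SAMPLE_LDIF = """\
dn: CN=WIN-PC,CN=Computers,DC=abc,DC=ucs
instanceType: 4
objectGUID: 98c7d79d-bf52-4b4c-b461-51ee0a907593
distinguishedName: CN=WIN-PC,CN=Computers,
 DC=abc,DC=ucs

dn: CN=OK-PC,CN=Computers,DC=abc,DC=ucs
objectClass: top
objectClass: computer

dn: CN=OLD\\0ADEL:00000000-0000-0000-0000-000000000001,CN=Deleted Objects,DC=abc,DC=ucs
isDeleted: TRUE
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF record."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 line folding
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):        # "attr:: <base64>" form
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            current.setdefault(attr.lower(), []).append(value.strip())
    return records

def missing_objectclass(text):
    """Return (dn, kind) for each record with no objectClass value."""
    findings = []
    for rec in parse_ldif(text):
        if not rec.get("objectclass"):
            dn = rec.get("dn", ["<no dn>"])[0]
            # "\0ADEL:" in the DN marks a deleted object, as in the thread.
            findings.append((dn, "deleted" if "\\0ADEL:" in dn else "live"))
    return findings

if __name__ == "__main__":
    for dn, kind in missing_objectclass(SAMPLE_LDIF):
        print(f"missing objectClass ({kind}): {dn}")
```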

