https://bugzilla.samba.org/show_bug.cgi?id=10398 and others

Andrew Bartlett abartlet at samba.org
Thu Jul 3 14:51:48 MDT 2014


On Thu, 2014-07-03 at 16:15 +0200, Stefan (metze) Metzmacher wrote:
> On 03.07.2014 00:20, Andrew Bartlett wrote:
> > On Wed, 2014-07-02 at 23:23 +0200, Stefan (metze) Metzmacher wrote:
> >> Hi Andrew,
> >>
> >> I just noticed that we haven't backported the fixes for
> >> https://bugzilla.samba.org/show_bug.cgi?id=10398 and maybe some others
> >> (there was one also referring to a univention bug)
> >>
> >> I've created two branches with backports:
> >> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-1-test
> >> and
> >> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-1-drepl
> >> on top of the first one.
> >>
> >> v4-1-drepl contains more stuff that's not easy to backport as we would
> >> require a newer ldb version
> >> than older 4.1.x releases.
> >>
> >> Were there more patches which need to be backported? Some "conflict
> >> resolving" or "deletion" patches?
> > 
> > Those seem to already be in 4.1
> 
> The customer used >= 4.1.6, I'll try to reproduce the problem...
> 
> >> I have a customer with strange problems.
> >>
> >> CN=NTDS Settings,CN=DC1\ACNF:9a2f0f4f-a693-4f06-b035-2f1e05d00bfe,CN=SomeSite,....
> >> is not deleted, while
> >> CN=DC1\ACNF:9a2f0f4f-a693-4f06-b035-2f1e05d00bfe,CN=SomeSite
> >> is deleted. Our kcc finds this but later we crash in
> >> dreplsrv_get_target_principal()
> >> line 207, as dsdb_search_dn() doesn't have some logic like if
> >> (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
> >> in dsdb_search(). So we may get res->count == 0 instead of
> >> LDB_ERR_NO_SUCH_OBJECT.
> >>
> >> Should we implement dsdb_search_dn() on top of dsdb_search() passing
> >> DSDB_SEARCH_ONE_ONLY
> >> and LDB_SCOPE_BASE?
> > 
> > I'm not sure, we should return ERR_NO_SUCH_OBJECT if the object is
> > deleted. 
> 
> I'll implement it as
> 
> +       return dsdb_search_one(ldb, mem_ctx, msg,
> +                              basedn, LDB_SCOPE_BASE,
> +                              attrs, dsdb_flags, NULL);
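
Review bot: the call passes dsdb_flags through unchanged and the fragment does not show DSDB_SEARCH_ONE_ONLY being set, although the proposal quoted above was to pass DSDB_SEARCH_ONE_ONLY together with LDB_SCOPE_BASE. If dsdb_search_one() adds that flag itself, a one-line comment here saying so would help. It would also be worth documenting on dsdb_search_dn() that the empty-result case now returns LDB_ERR_NO_SUCH_OBJECT instead of success with res->count == 0, and confirming that passing msg here still fits callers that read res->count.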

What I meant is that we need to fix show_deleted to return
ERR_NO_SUCH_OBJECT.  If we have to do this, then wouldn't we be exposing
the same issue over direct LDAP to clients?

> >> Jelmer, is there a way to overload the Ldb.Dn class, within python?
> >> Then we could backport the pylddb patches in a Samba specific file,
> >> so that dbcheck can work with an older system pyldb.
> > 
> > In the past, we just required that the LDB be upgraded in-sync.  
> 
> Ok, I've backported all ldb-1.1.17 patches
> and also some more patches I found while searching for dsdb related
> commits in master.
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-1-drepl

Thanks, it's important we don't have divergent 1.1.17 versions. 

> I'll try to sort them and propose them to be backported on Monday.

Thanks for doing all this.  I guess I had assumed 4.2 would come soon
enough, but it seems to have been delayed. 

> I'll also take a look at integrating the userParameters patches...

I do really appreciate that. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
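
A constructed C model of the failure mode discussed in the quoted text above (a base search that succeeds with zero entries when the object is a hidden tombstone) next to the stricter one-result contract. This is an added example, not Samba code, and every identifier, DN and principal name in it is hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model, not Samba code: every name below is hypothetical. */
enum { RC_SUCCESS = 0, RC_NO_SUCH_OBJECT = 32 }; /* 32 = LDAP noSuchObject */
#define FLAG_SHOW_DELETED 0x1u

struct entry  { const char *dn; int is_deleted; const char *spn; };
struct result { size_t count; const struct entry *msgs[1]; };

/* Constructed sample directory: the server object is a tombstone. */
static const struct entry directory[] = {
    { "CN=NTDS Settings,CN=DC1,CN=SomeSite", 0, "ldap/dc1.example.test" },
    { "CN=DC1,CN=SomeSite",                  1, NULL },
};

/* Loose base lookup: a tombstone hidden by a missing SHOW_DELETED flag
 * yields success with count == 0, the case the thread describes. */
static int lookup_base(const char *dn, unsigned flags, struct result *res)
{
    res->count = 0;
    res->msgs[0] = NULL;
    for (size_t i = 0; i < sizeof(directory) / sizeof(directory[0]); i++) {
        if (strcmp(directory[i].dn, dn) != 0) continue;
        if (directory[i].is_deleted && !(flags & FLAG_SHOW_DELETED))
            return RC_SUCCESS;            /* hidden: count stays 0 */
        res->msgs[0] = &directory[i];
        res->count = 1;
        return RC_SUCCESS;
    }
    return RC_NO_SUCH_OBJECT;             /* DN absent from the model */
}

/* Strict lookup: success always comes with exactly one message. */
static int lookup_one(const char *dn, unsigned flags, const struct entry **msg)
{
    struct result res;
    int rc = lookup_base(dn, flags, &res);
    *msg = NULL;
    if (rc != RC_SUCCESS) return rc;
    if (res.count == 0) return RC_NO_SUCH_OBJECT;
    *msg = res.msgs[0];
    return RC_SUCCESS;
}

/* Caller that checks only the return code; safe with lookup_one(). */
static const char *target_principal(const char *server_dn)
{
    const struct entry *msg;
    return lookup_one(server_dn, 0, &msg) == RC_SUCCESS ? msg->spn : NULL;
}

int main(void) { return target_principal("CN=DC1,CN=SomeSite") ? 1 : 0; }
```

A caller written against `lookup_base()` that reads `res.msgs[0]` after checking only the return code dereferences NULL for the tombstoned DN.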


