https://bugzilla.samba.org/show_bug.cgi?id=10398 and others
Stefan (metze) Metzmacher
metze at samba.org
Mon Jul 7 15:35:41 MDT 2014
Hi Andrew,
>>>> I just noticed that we haven't backported the fixes for
>>>> https://bugzilla.samba.org/show_bug.cgi?id=10398 and maybe some others
>>>> (there was one also referring to a univention bug)
>>>>
>>>> I've created two branches with backports:
>>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-1-test
>>>> and
>>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-1-drepl
>>>> on top of the first one.
>>>>
>>>> v4-1-drepl contains more stuff that's not easy to backport as we would
>>>> require a newer ldb version
>>>> than older 4.1.x releases.
>>>>
>>>> Were there more patches which need to be backported? Some "conflict
>>>> resolving" or "deletion" patches?
>>>
>>> Those seem to already be in 4.1
>>
>> The customer used >= 4.1.6, I'll try to reproduce the problem...
>>
>>>> I have a customer with strange problems.
>>>>
>>>> CN=NTDS
>>>> Settings,CN=DC1\ACNF:9a2f0f4f-a693-4f06-b035-2f1e05d00bfe,CN=SomeSite,....
>>>> Is not deleted, while
>>>> CN=DC1\ACNF:9a2f0f4f-a693-4f06-b035-2f1e05d00bfe,CN=SomeSite
>>>> is deleted. Our kcc finds this but later crash we in
>>>> dreplsrv_get_target_principal()
>>>> line 207, as dsdb_search_dn() doesn't have some logic like if
>>>> (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
>>>> in dsdb_search(). So we may get res->count == 0 instead of
>>>> LDB_ERR_NO_SUCH_OBJECT.
>>>>
>>>> Should we implement dsdb_search_dn() on top of dsdb_search() passing
>>>> DSDB_SEARCH_ONE_ONLY
>>>> and LDB_SCOPE_BASE?
>>>
>>> I'm not sure, we should return ERR_NO_SUCH_OBJECT if the object is
>>> deleted.
>>
>> I'll implement it as
>>
>> + return dsdb_search_one(ldb, mem_ctx, msg,
>> + basedn, LDB_SCOPE_BASE,
>> + attrs, dsdb_flags, NULL);
>
> What I meant is that we need to fix show_deleted to return
> ERR_NO_SUCH_OBJECT. If we have to do this, then wouldn't we be exposing
> the same issue over direct LDAP to clients?
Ah, I got it, see the attached patches.
I created https://bugzilla.samba.org/show_bug.cgi?id=10694 for this.
https://bugzilla.samba.org/show_bug.cgi?id=10060 might also be related
to this.
>>>> Jelmer, is there a way to overload the Ldb.Dn class, within python?
>>>> Then we could backport the pylddb patches in a Samba specific file,
>>>> so that dbcheck can work with an older system pyldb.
>>>
>>> In the past, we just required that the LDB be upgraded in-sync.
>>
>> Ok, I've backported all ldb-1.1.17 patches
>> and also some more patches I found while searching for dsdb related
>> commits in master.
>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-1-drepl
>
> Thanks, it's important we don't have divergent 1.1.17 versions.
I'll upload the ldb patches to
https://bugzilla.samba.org/show_bug.cgi?id=10693
>> I'll try to sort them and propose them to be backported on Monday.
>
> Thanks for doing all this. I guess I had assumed 4.2 would come soon
> enough, but it seems to have been delayed.
>
>> I'll also take a look at integrating the userParameters patches...
>
> I do really appreciate that.
Would it be ok if we reject writing userParameters if
ldb_req_is_untrusted() return true?
So it would not be available via LDAP for now.
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmp.diff
Type: text/x-diff
Size: 7176 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140707/58068e1a/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140707/58068e1a/attachment.pgp>
More information about the samba-technical
mailing list