https://bugzilla.samba.org/show_bug.cgi?id=10398 and others

Andrew Bartlett abartlet at samba.org
Mon Jul 7 16:13:18 MDT 2014


On Mon, 2014-07-07 at 23:35 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> >>>> I just noticed that we haven't backported the fixes for
> >>>> https://bugzilla.samba.org/show_bug.cgi?id=10398 and maybe some others
> >>>> (there was one also referring to a univention bug)
> >>>>
> >>>> I've created two branches with backports:
> >>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-1-test
> >>>> and
> >>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-1-drepl
> >>>> on top of the first one.
> >>>>
> >>>> v4-1-drepl contains more stuff that's not easy to backport, as it would
> >>>> require a newer ldb version than older 4.1.x releases have.
> >>>>
> >>>> Were there more patches which need to be backported? Some "conflict
> >>>> resolving" or "deletion" patches?
> >>>
> >>> Those seem to already be in 4.1
> >>
> >> The customer used >= 4.1.6, I'll try to reproduce the problem...
> >>
> >>>> I have a customer with strange problems.
> >>>>
> >>>> CN=NTDS Settings,CN=DC1\ACNF:9a2f0f4f-a693-4f06-b035-2f1e05d00bfe,CN=SomeSite,....
> >>>> is not deleted, while
> >>>> CN=DC1\ACNF:9a2f0f4f-a693-4f06-b035-2f1e05d00bfe,CN=SomeSite
> >>>> is deleted. Our kcc finds this, but later we crash in
> >>>> dreplsrv_get_target_principal() line 207, as dsdb_search_dn() doesn't
> >>>> have logic like if (dsdb_flags & DSDB_SEARCH_ONE_ONLY) { the way
> >>>> dsdb_search() does. So we may get res->count == 0 instead of
> >>>> LDB_ERR_NO_SUCH_OBJECT.
> >>>>
> >>>> Should we implement dsdb_search_dn() on top of dsdb_search(), passing
> >>>> DSDB_SEARCH_ONE_ONLY and LDB_SCOPE_BASE?
> >>>
> >>> I'm not sure; we should return ERR_NO_SUCH_OBJECT if the object is
> >>> deleted.
> >>
> >> I'll implement it as
> >>
> >> +       return dsdb_search_one(ldb, mem_ctx, msg,
> >> +                              basedn, LDB_SCOPE_BASE,
> >> +                              attrs, dsdb_flags, NULL);
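Review bot: rebuilding dsdb_search_dn() on top of dsdb_search_one() with LDB_SCOPE_BASE only turns the empty result into LDB_ERR_NO_SUCH_OBJECT for callers of this one wrapper; a base-scope search that the show_deleted module answers with res->count == 0 for a deleted object still reaches every other caller, including LDAP clients, unchanged, so the deleted-object case is better handled in show_deleted itself, where the object is hidden. The fragment also relies on dsdb_search_one() treating a NULL expression as "no filter"; worth confirming that path rather than passing an explicit "(objectClass=*)".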
> > 
> > What I meant is that we need to fix show_deleted to return
> > ERR_NO_SUCH_OBJECT.  If we have to do this, then wouldn't we be exposing
> > the same issue over direct LDAP to clients?
> 
> Ah, I got it, see the attached patches.

These look good.  

Reviewed-by: Andrew Bartlett <abartlet at samba.org>

> I created https://bugzilla.samba.org/show_bug.cgi?id=10694 for this.
> 
> https://bugzilla.samba.org/show_bug.cgi?id=10060 might also be related
> to this.
> 
> >>>> Jelmer, is there a way to overload the Ldb.Dn class, within python?
> >>>> Then we could backport the pylddb patches in a Samba specific file,
> >>>> so that dbcheck can work with an older system pyldb.
> >>>
> >>> In the past, we just required that the LDB be upgraded in-sync.  
> >>
> >> Ok, I've backported all ldb-1.1.17 patches
> >> and also some more patches I found while searching for dsdb related
> >> commits in master.
> >> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-1-drepl
> > 
> > Thanks, it's important we don't have divergent 1.1.17 versions. 
> 
> I'll upload the ldb patches to
> https://bugzilla.samba.org/show_bug.cgi?id=10693


Thanks,

> >> I'll try to sort them and propose them to be backported on Monday.
> > 
> > Thanks for doing all this.  I guess I had assumed 4.2 would come soon
> > enough, but it seems to have been delayed. 
> > 
> >> I'll also take a look at integrating the userParameters patches...
> > 
> > I do really appreciate that. 
> 
> Would it be ok if we reject writing userParameters if
> ldb_req_is_untrusted() returns true?
> So it would not be available via LDAP for now.

I agree that banning userParameters updates over LDAP is a good idea.
That way we can write a clear log message that folks can come to us
with, and know if we actually need to implement that feature (with a
real-world user to test with etc).

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
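The show_deleted behaviour the thread settles on, as an added example that is not Samba code: a small Python model of a directory in which a base-scope search for an object marked isDeleted fails with LDB_ERR_NO_SUCH_OBJECT unless the LDAP_SERVER_SHOW_DELETED control is supplied, instead of succeeding with zero entries, plus a caller in the role of dreplsrv_get_target_principal() that handles that error instead of indexing an empty result. The Directory class, search_dn(), target_principal(), the sample site tree and the host name are assumptions made for this example; the model keeps a deleted object at its original DN rather than moving it under CN=Deleted Objects.

```python
"""Added example, not Samba code: a toy model of the show_deleted semantics
discussed in the thread.  A base-scope search for an object carrying
isDeleted=TRUE fails with LDB_ERR_NO_SUCH_OBJECT unless the show-deleted
control is supplied, instead of succeeding with zero entries.  All names
below (Directory, search_dn, target_principal, the sample DNs and the host
name) are assumptions made for this example."""

LDB_ERR_NO_SUCH_OBJECT = 32                    # LDAP noSuchObject result code
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = "base", "one", "sub"
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"    # LDAP_SERVER_SHOW_DELETED_OID


class LdbError(Exception):
    """Carries an LDAP result code, like ldb's error return."""
    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


def split_dn(dn):
    """Split a DN on unescaped commas.  A backslash escapes the following
    character, so an escaped comma, or the \\0A escape inside a conflict RDN
    such as CN=DC1\\0ACNF:<guid>, never splits an RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\":
            cur.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    rdns.append("".join(cur))
    return rdns


def parent_dn(dn):
    return ",".join(split_dn(dn)[1:])


def in_scope(dn, base, scope):
    """True if dn is selected by a search with the given base and scope
    (RDN comparison is case-insensitive; no other normalisation here)."""
    rdns = [r.lower() for r in split_dn(dn)]
    brdns = [r.lower() for r in split_dn(base)]
    n = len(brdns)
    if len(rdns) < n or rdns[-n:] != brdns:
        return False
    return {SCOPE_BASE: len(rdns) == n,
            SCOPE_ONELEVEL: len(rdns) == n + 1,
            SCOPE_SUBTREE: True}[scope]


def is_deleted(attrs):
    return attrs.get("isDeleted", "").upper() == "TRUE"


class Directory:
    """In-memory directory; a deleted object stays at its original DN here
    (real AD also moves it under CN=Deleted Objects), which is enough to
    show the search semantics."""
    def __init__(self, entries):
        self.entries = entries

    def _lookup(self, dn):
        for key, attrs in self.entries.items():
            if in_scope(key, dn, SCOPE_BASE):
                return attrs
        return None

    def search(self, base, scope, controls=()):
        show_deleted = SHOW_DELETED_OID in controls
        base_entry = self._lookup(base)
        if base_entry is None or (not show_deleted and is_deleted(base_entry)):
            # The point of the fix: a missing *or hidden* base is an error,
            # not an empty result, so a caller never indexes res[0] of an
            # empty list, and a client cannot tell a deleted object from a
            # non-existent one without the control.
            raise LdbError(LDB_ERR_NO_SUCH_OBJECT, "no such object: %s" % base)
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if in_scope(dn, base, scope)
                and (show_deleted or not is_deleted(attrs))]


def search_dn(directory, dn, controls=()):
    """Fetch one object by DN (the role dsdb_search_dn() plays in Samba):
    either raises LdbError or returns exactly the base object's attributes."""
    res = directory.search(dn, SCOPE_BASE, controls)
    return res[0][1]


def target_principal(directory, ntds_dn):
    """Resolve a replication partner's host name from its NTDS Settings DN,
    as a drepl/KCC caller would; return None instead of crashing when the
    parent server object is deleted or missing."""
    try:
        server = search_dn(directory, parent_dn(ntds_dn))
    except LdbError as e:
        if e.code == LDB_ERR_NO_SUCH_OBJECT:
            return None
        raise
    return server.get("dNSHostName")


# Constructed sample tree: DC1 has a live server object and a deleted
# conflict (CNF) twin whose NTDS Settings child was never deleted, the
# inconsistency described in the thread.
SITE = "CN=SomeSite,CN=Sites,CN=Configuration,DC=example,DC=com"
GUID = "9a2f0f4f-a693-4f06-b035-2f1e05d00bfe"
LIVE_DC = "CN=DC1," + SITE
LIVE_NTDS = "CN=NTDS Settings," + LIVE_DC
CONFLICT_DC = "CN=DC1\\0ACNF:%s,%s" % (GUID, SITE)
ORPHAN_NTDS = "CN=NTDS Settings," + CONFLICT_DC
DIRECTORY = Directory({
    SITE: {"objectClass": "site"},
    LIVE_DC: {"objectClass": "server", "dNSHostName": "dc1.example.com"},
    LIVE_NTDS: {"objectClass": "nTDSDSA"},
    CONFLICT_DC: {"objectClass": "server", "isDeleted": "TRUE"},
    ORPHAN_NTDS: {"objectClass": "nTDSDSA"},
})

if __name__ == "__main__":
    print(target_principal(DIRECTORY, LIVE_NTDS))     # dc1.example.com
    print(target_principal(DIRECTORY, ORPHAN_NTDS))   # None
```

A subtree search from the site still returns the orphaned NTDS Settings object while hiding its deleted parent, which is the kind of inconsistency dbcheck has to find; the base-scope lookup of the parent is what now fails cleanly instead of handing the caller an empty result.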






More information about the samba-technical mailing list