https://bugzilla.samba.org/show_bug.cgi?id=10398 and others

Andrew Bartlett abartlet at samba.org
Mon Jul 7 17:58:36 MDT 2014 

On Tue, 2014-07-08 at 00:23 +0200, Stefan (metze) Metzmacher wrote:
> Am 08.07.2014 00:13, schrieb Andrew Bartlett:
> > On Mon, 2014-07-07 at 23:35 +0200, Stefan (metze) Metzmacher wrote:
> >> Hi Andrew,
> >>
> >>>>>> I just noticed that we haven't backported the fixes for
> >>>>>> https://bugzilla.samba.org/show_bug.cgi?id=10398 and maybe some others
> >>>>>> (there was one also referring to a univention bug)
> >>>>>>
> >>>>>> I've created two branches with backports:
> >>>>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-1-test
> >>>>>> and
> >>>>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-1-drepl
> >>>>>> on top of the first one.
> >>>>>>
> >>>>>> v4-1-drepl contains more stuff that's not easy to backport as we would
> >>>>>> require a newer ldb version
> >>>>>> than older 4.1.x releases.
> >>>>>>
> >>>>>> Were there more patches which need to be backported? Some "conflict
> >>>>>> resolving" or "deletion" patches?
> >>>>>
> >>>>> Those seem to already be in 4.1
> >>>>
> >>>> The customer used >= 4.1.6, I'll try to reproduce the problem...
> >>>>
> >>>>>> I have a customer with strange problems.
> >>>>>>
> >>>>>> CN=NTDS
> >>>>>> Settings,CN=DC1\ACNF:9a2f0f4f-a693-4f06-b035-2f1e05d00bfe,CN=SomeSite,....
> >>>>>> Is not deleted, while
> >>>>>> CN=DC1\ACNF:9a2f0f4f-a693-4f06-b035-2f1e05d00bfe,CN=SomeSite
> >>>>>> is deleted. Our kcc finds this but later crash we in
> >>>>>> dreplsrv_get_target_principal()
> >>>>>> line 207, as dsdb_search_dn() doesn't have some logic like if
> >>>>>> (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
> >>>>>> in dsdb_search(). So we may get res->count == 0 instead of
> >>>>>> LDB_ERR_NO_SUCH_OBJECT.
> >>>>>>
> >>>>>> Should we implement dsdb_search_dn() on top of dsdb_search() passing
> >>>>>> DSDB_SEARCH_ONE_ONLY
> >>>>>> and LDB_SCOPE_BASE?
> >>>>>
> >>>>> I'm not sure, we should return ERR_NO_SUCH_OBJECT if the object is
> >>>>> deleted. 
> >>>>
> >>>> I'll implement it as
> >>>>
> >>>> +       return dsdb_search_one(ldb, mem_ctx, msg,
> >>>> +                              basedn, LDB_SCOPE_BASE,
> >>>> +                              attrs, dsdb_flags, NULL);
> >>>
> >>> What I meant is that we need to fix show_deleted to return
> >>> ERR_NO_SUCH_OBJECT.  If we have to do this, then wouldn't we be exposing
> >>> the same issue over direct LDAP to clients?
> >>
> >> Ah, I got it, see the attached patches.
> > 
> > These look good.  
> > 
> > Reviewed-by: Andrew Bartlett <abartlet at samba.org>
> > 
> >> I created https://bugzilla.samba.org/show_bug.cgi?id=10694 for this.
> >>
> >> https://bugzilla.samba.org/show_bug.cgi?id=10060 might also be related
> >> to this.
> >>
> >>>>>> Jelmer, is there a way to overload the Ldb.Dn class, within python?
> >>>>>> Then we could backport the pylddb patches in a Samba specific file,
> >>>>>> so that dbcheck can work with an older system pyldb.
> >>>>>
> >>>>> In the past, we just required that the LDB be upgraded in-sync.  
> >>>>
> >>>> Ok, I've backported all ldb-1.1.17 patches
> >>>> and also some more patches I found while searching for dsdb related
> >>>> commits in master.
> >>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-1-drepl
> >>>
> >>> Thanks, it's important we don't have divergent 1.1.17 versions. 
> >>
> >> I'll upload the ldb patches to
> >> https://bugzilla.samba.org/show_bug.cgi?id=10693
> > 
> > 
> > Thanks,
> > 
> >>>> I'll try to sort them and propose them to be backported on Monday.
> >>>
> >>> Thanks for doing all this.  I guess I had assumed 4.2 would come soon
> >>> enough, but it seems to have been delayed. 
> >>>
> >>>> I'll also take a look at integrating the userParameters patches...
> >>>
> >>> I do really appreciate that. 
> >>
> >> Would it be ok if we reject writing userParameters if
> >> ldb_req_is_untrusted() return true?
> >> So it would not be available via LDAP for now.
> > 
> > I agree that banning userParameters updates over LDAP is a good idea.
> > That way we can write a clear log message that folks can come to us
> > with, and know if we actually need to implement that feature (with a
> > real-world user to test with etc).
> 
> Exactly! Do you have time to create a patch for this
> or can you at least tell me in which module we should implement this?

objectclass_attrs or samldb I think.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140708/99f02d7b/attachment.pgp>

More information about the samba-technical mailing list