[PATCH] rpc_server/drsuapi: Set msDS_IntId as attid for linked attributes if exists

Sinelnikov Evgeniy Sinelnikov.E at digdes.com
Tue Apr 5 13:56:52 UTC 2016


> -----Original Message-----
> Sent: Monday, April 4, 2016 9:39 PM
> To: Andrew Bartlett <abartlet at samba.org>; sin at altlinux.ru; samba-
> technical at lists.samba.org
> Subject: RE: [PATCH] rpc_server/drsuapi: Set msDS_IntId as attid for linked
> attributes if exists
> 
> > -----Original Message-----
> > Sent: Friday, April 1, 2016 10:26 PM
> > To: sin at altlinux.ru; samba-technical at lists.samba.org
> > Subject: Re: [PATCH] rpc_server/drsuapi: Set msDS_IntId as attid for
> > linked attributes if exists
> >
> > On Fri, 2016-04-01 at 17:46 +0300, Evgeny Sinelnikov wrote:
> > > Hello,
> > >
> > > I send this email about topic of "Error 8418: The replication
> > > operation failed because of a schema mismatch between the servers
> > > involved":
[...]
> > > https://lists.samba.org/archive/samba-technical/2016-April/113304.html
[...]
> > > Current patch solves this problem and tested on Samba-4.4.0 release.
> > >
> > > Please, review and push it.
> >
> > Very well done.  I'm impressed!
> >
> > We need to confirm the behaviour in the schema partition, and once we
> > have that worked out, we can proceed to merge this.
> >
> > Doing that requires creating a linked attribute with an msDS-IntID
> > value, on a schema object.  This may never happen in the real world,
> > but if we are going to solve it, we should solve it correctly.
> >
> > I did mention that we need tests.  We need the custom schema tests to
> > create a linked attribute pair with an msDS-IntID value, and we then
> > need to perform a DRS operation to fetch those, like the repl_exop
> > test code does, and assert on the values.  We also need to make our
> > DRS client assert that the correct values are being used, and so fail just as
> > Windows did.
> >
> > Finally, be aware that there are still bugs in this area.  In
> > particular I have a set of patches to fix other replication issues at
> > http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/tombstone-reanimation,
> > but couldn't get those into Samba because we (now) consistently hit the
> > 'normal attribute' version of this issue, but only in a full make test.
> >
> > Thanks!
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett                       http://samba.org/~abartlet/
> > Authentication Developer, Samba Team  http://samba.org
> > Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> >
> 
> OK, I ran two tests around the behaviour in the schema partition.
> But creating a linked attribute with an msDS-IntID value requires
> manipulations of the schema object that are not provided by standard tools.
> So, I used manual LDAP changes with adexplorer.
> 
> First of all, one needs to understand that changes to the schema attributes
> require the SchemaMasterRole.
> Secondly, that a linked attribute has two parts: link and backlink.
> 
> Creating a link as a SchemaClass object attribute is not provided, as far as I
> could find.
> Creating a backlink is just adding some Schema object as the link DN of another
> object.
> 
> My tests show backlink issues.
> There are two variants of creating backlink attribute we could test:
> - on same DC;
> - on another DC.
> 
> Also we need to find an object with an attribute that could take a Schema Object
> DN as its value.
> Most of the time I tried to find such an object with such an attribute.
> 
> For our tests I found Exchange object:
[...] 
> This is not really useful. At the moment I stopped at this point.

So, I finished this test with the homeMDB/homeMDBBL linked pair in the same environment
with Windows 2003 Server 64-bit + MS Exchange Server 2003:

dn: CN=ms-Exch-Home-MDB,CN=Schema,CN=Configuration,DC=company3,DC=dd
lDAPDisplayName: homeMDB
linkID: 32
msDS-IntId: -1997764425 (0x88EC88B7)

dn: CN=ms-Exch-Home-MDB-BL,CN=Schema,CN=Configuration,DC=company3,DC=dd
lDAPDisplayName: homeMDBBL
linkID: 33
msDS-IntId: -1971266462 (0x8A80DC62)

I added homeMDBBL to the mayContain attribute of the Top Schema class object:
http://i.imgur.com/slyICiB.png

1) WindowsDC

When I try to change homeMDB for user1 to the Computer Schema object on the Windows DC
http://i.imgur.com/dVKCf3s.png
I get changes in the Computer Schema object with the paired homeMDBBL attribute:
http://i.imgur.com/ZegxD0s.png

But during replication to the Samba DC an error occurs:
[2016/04/05 11:49:41.664316,  1] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: schema_data_modify: we are not master: reject request

[2016/04/05 11:49:41.664482,  0] ../source4/dsdb/repl/replicated_objects.c:882(dsdb_replicated_objects_commit)
  ../source4/dsdb/repl/replicated_objects.c:882 Failed to prepare commit of transaction: Failed to add backlink from CN=user1,CN=Users,DC=company3,DC=dd to CN=Computer,CN=Schema,CN=Configuration,DC=company3,DC=dd - schema_data_modify: we are not master: reject request

[2016/04/05 11:49:41.664637,  0] ../source4/dsdb/repl/drepl_out_helpers.c:776(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE


After the Schema FSMO role is seized to the Samba DC, another error occurs:
[2016/04/05 12:28:13.430645,  1] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: schema_data_modify: updates are not allowed: reject request

[2016/04/05 12:28:13.430809,  0] ../source4/dsdb/repl/replicated_objects.c:882(dsdb_replicated_objects_commit)
  ../source4/dsdb/repl/replicated_objects.c:882 Failed to prepare commit of transaction: Failed to add backlink from CN=user1,CN=Users,DC=company3,DC=dd to CN=Computer,CN=Schema,CN=Configuration,DC=company3,DC=dd - schema_data_modify: updates are not allowed: reject request

[2016/04/05 12:28:13.431087,  0] ../source4/dsdb/repl/drepl_out_helpers.c:776(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE

Part of GetChangesNC from WindowsDC to SambaDC:
......
                            linked_attributes: struct drsuapi_DsReplicaLinkedAttribute
                                identifier               : *
                                    identifier: struct drsuapi_DsReplicaObjectIdentifier
                                        __ndr_size               : 0x0000003a (58)
                                        __ndr_size_sid           : 0x00000000 (0)
                                        guid                     : dc62f392-9a3d-4cd9-b909-6cdf1e5b24a8
                                        sid                      : S-0-0
                                        __ndr_size_dn            : 0x00000000 (0)
                                        dn                       : ''
                                attid                    : UNKNOWN_ENUM_VALUE (0x88EC88B7)
                                value: struct drsuapi_DsAttributeValue
                                    __ndr_size               : 0x000000aa (170)
                                    blob                     : *
                                        blob                     : DATA_BLOB length=170
[0000] AA 00 00 00 00 00 00 00   9F 9C 95 5F 58 C5 8F 49   ........ ..._X..I
[0010] 97 76 A4 D3 3A E0 07 2F   00 00 00 00 00 00 00 00   .v..:../ ........
skipping zero buffer bytes
[0030] 00 00 00 00 38 00 00 00   43 00 4E 00 3D 00 43 00   ....8... C.N.=.C.
[0040] 6F 00 6D 00 70 00 75 00   74 00 65 00 72 00 2C 00   o.m.p.u. t.e.r.,.
[0050] 43 00 4E 00 3D 00 53 00   63 00 68 00 65 00 6D 00   C.N.=.S. c.h.e.m.
[0060] 61 00 2C 00 43 00 4E 00   3D 00 43 00 6F 00 6E 00   a.,.C.N. =.C.o.n.
[0070] 66 00 69 00 67 00 75 00   72 00 61 00 74 00 69 00   f.i.g.u. r.a.t.i.
[0080] 6F 00 6E 00 2C 00 44 00   43 00 3D 00 63 00 6F 00   o.n.,.D. C.=.c.o.
[0090] 6D 00 70 00 61 00 6E 00   79 00 33 00 2C 00 44 00   m.p.a.n. y.3.,.D.
[00A0] 43 00 3D 00 64 00 64 00   00 00                     C.=.d.d. ..
                                flags                    : 0x00000001 (1)
                                       1: DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE
                                originating_add_time     : Tue Apr  5 11:39:14 AM 2016 UTC
                                meta_data: struct drsuapi_DsReplicaMetaData
                                    version                  : 0x00000003 (3)
                                    originating_change_time  : Tue Apr  5 11:52:35 AM 2016 UTC
                                    originating_invocation_id: ae22e205-5f46-48ef-b165-27df4468843b
                                    originating_usn          : 0x000000000000a19f (41375)
......


2) SambaDC

When I try to change homeMDB for user2 to the Computer Schema object on the Samba DC,
I get the following error:
http://i.imgur.com/ZwxjLqZ.png

Unable to update attribute:
The server is unwilling to process the request.

[2016/04/05 13:10:23.065016,  1] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: schema_data_modify: updates are not allowed: reject request

________________________

So, what do we have in the end? We have the following results:
- This "may never happen in the real world" scenario with linked attributes for Schema is checked on SambaDC more strictly than on WindowsDC.
- During Schema partition replication for extended linked attributes with the msDS-IntId schema attribute,
attid is set to msDS-IntId on WindowsDC:
                                attid                    : UNKNOWN_ENUM_VALUE (0x88EC88B7)
So this means that the current patch works correctly for the Schema partition.


Also we do not have reverse SCHEMA_MISMATCH checks and need to write tests for it.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 420-16173-test47-DsGetNCChanges-response-call_id_11.txt
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160405/2fc90454/420-16173-test47-DsGetNCChanges-response-call_id_11.txt>