[PATCH] Fix server side DRSUAPI_DRS_GET_ANC handling (bug #12398)

Bob Campbell bobcampbell at catalyst.net.nz
Wed Dec 14 03:36:09 UTC 2016

Hi Metze,

Garming & I have extended the tests a bit more and gotten them all to
pass against Samba. There are two inconsistencies with Windows: Firstly,
when two DNs aren't ancestors/children of each other, they are sorted
differently, which has no consequence as far as we can see. Secondly, we
still don't handle max_objects=0 the same way; Windows ignores this
while we don't replicate any objects.

In addition to the expected issue of the conflict between
uptodateness_vector wasn't considered when replicating links. This meant
that, in some cases, unnecessary links were being replicated.

We haven't made a test specifically for moving a critical object away
from a critical parent to be under a non-critical parent as described in
the bug report, however we have reasoned that this is merely a
consequence of the critical object being a child of a non-critical
object, rather than it being a consequence of the move.

It's just about the end of the workday for us, so it's likely we'll have
it cleaned up in git tomorrow. Current work is still in


On 13/12/16 17:03, Bob Campbell wrote:
> Hi Metze,
> I've spent the last couple of days getting my head around replication,
> and I've made a couple of small additions to your test, although it
> already seems to test most of the issue. I've also moved it out into
> getnc_exop. My changes are at
> http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/anctests
> These additions are by no means complete yet, this is just to let you
> know what I've been up to.
> I've also had a look at your patch to fix joining new servers. It seems
> like Windows only returns immediate ancestors when DRSUAPI_DRS_GET_ANC
> is used (and this is the test behaviour); is there some reliance on
> Samba's current behavior which means that this can't be done easily?
> Thanks,
> Bob
> On 09/12/16 22:38, Stefan Metzmacher wrote:
>> Hi Andrew,
>>>>> I think having more detailed tests and get the 100% exact behavior
>>>>> as Windows is desired, but a major effort.
>>>> I want to see shown that:
>>>>  - additional objects are added to the reply
>>>>  - that they are non-critical
>>>>  - that they are added in a reasonable order (doesn't need to be
>>>> exactly what Windows does, but needs to be reasonable).
>>>>  - In particular that a paternity sequence of critical ->
>>>> non-critical -> critical is handled correctly.
>>>> Replication bugs bite us pretty hard, as you have seen in my changes
>>>> here, I do want them very well tested. 
>>> I know quite how busy you are, so after the great work he has done on
>>> DNS testing, I have asked Bob to make a start on the tests required
>>> here.  It should be a good introduction to the guts of GetNCChanges ;-)
>>> I hope that helps move this task forward.
>> Thanks!
>> I've already started with it. See
>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-fix
>> This adds a test as source4/torture/drs/python/getnc.py
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=3a3b8a5f3a5f337561b9852a371db222917d2cc6
>> But I guess it should be somehow merged with
>> source4/torture/drs/python/getnc_exop.py
>> While the tests show that it's not 100% correct,
>> we're using the following patch in our packages
>> to avoid the problems with joining new servers:
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=193b08f0b096dba4798fc04ef9b0d6081fd1e1ec
>> Maybe Bob can go on from there.
>> metze
