[PATCH] Fix server side DRSUAPI_DRS_GET_ANC handling (bug #12398)

Andrew Bartlett abartlet at samba.org
Wed Nov 30 06:32:44 UTC 2016

On Wed, 2016-11-30 at 07:12 +0100, Stefan Metzmacher wrote:
> Hi Andrew,
> here's a patch to fix https://bugzilla.samba.org/show_bug.cgi?id=1239
> 8
> The problem is that the combination DRSUAPI_DRS_CRITICAL_ONLY and
> DRSUAPI_DRS_GET_ANC. E.g. if the administrator account was moved
> to an OU, samba-tool domain join DC doesn't work, as the server
> doesn't include all ancestors.

What about just fixing it client-side by requesting all the objects if
we fail with that error?  I made our python code expose the windows
error codes to help with this. 

> Please review and push.

I think we need some tests, particularly to determine what windows does
(if anything), and to ensure we keep the new behaviour. 

I certainly found that GET_ANC had no impact on the extended
operations, which I found surprising.  (That is why that is locked down
in the tests). 


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list