[PATCH] Fix server side DRSUAPI_DRS_GET_ANC handling (bug #12398)
abartlet at samba.org
Wed Nov 30 06:32:44 UTC 2016
On Wed, 2016-11-30 at 07:12 +0100, Stefan Metzmacher wrote:
> Hi Andrew,
> here's a patch to fix https://bugzilla.samba.org/show_bug.cgi?id=1239
> The problem is that the combination DRSUAPI_DRS_CRITICAL_ONLY and
> DRSUAPI_DRS_GET_ANC. E.g. if the administrator account was moved
> to an OU, samba-tool domain join DC doesn't work, as the server
> doesn't include all ancestors.
What about just fixing it client-side by requesting all the objects if
we fail with that error? I made our python code expose the windows
error codes to help with this.
> Please review and push.
I think we need some tests, particularly to determine what windows does
(if anything), and to ensure we keep the new behaviour.
I certainly found that GET_ANC had no impact on the extended
operations, which I found surprising. (That is why that is locked down
in the tests).
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical