[PATCH] Fix server side DRSUAPI_DRS_GET_ANC handling (bug #12398)

Stefan Metzmacher metze at samba.org
Wed Nov 30 08:28:29 UTC 2016


Hi Andrew,

>> here's a patch to fix https://bugzilla.samba.org/show_bug.cgi?id=12398
>>
>> The problem is the combination of DRSUAPI_DRS_CRITICAL_ONLY and
>> DRSUAPI_DRS_GET_ANC. E.g. if the administrator account was moved
>> to an OU, samba-tool domain join DC doesn't work, as the server
>> doesn't include all ancestors.
> 
> What about just fixing it client-side by requesting all the objects if
> we fail with that error?  I made our python code expose the windows
> error codes to help with this. 

Because it's the server's job. See [MS-DRSR] 4.1.10.5.2 GetReplChanges.

And samba-tool domain join DC --domain-critical-only needs to work
without fetching everything. And it already does against a Windows
DC (with the same database).

>> Please review and push.
> 
> I think we need some tests, particularly to determine what windows does
> (if anything), and to ensure we keep the new behaviour. 
> 
> I certainly found that GET_ANC had no impact on the extended
> operations, which I found surprising.  (That is why that is locked down
> in the tests). 

But you only added that for DRSUAPI_EXOP_FSMO_RID_ALLOC, not for all others.

I'll change the patch to skip it for all EXOPs.

Would it be ok to add --domain-critical-only to 'samba-tool drs
clone-dc-database' and have a test for that, while having a critical
object within a non-critical parent as a regression test for this?

I think having more detailed tests and getting the 100% exact behaviour
as Windows is desired, but a major effort.

metze
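
An added illustrative model of the server-side selection this thread is about; it is not Samba's code and is not part of the original mail. It assumes a toy database mapping DN to isCriticalSystemObject, simplified DN handling (comma-split, no escaping), placeholder flag values, and shows why CRITICAL_ONLY without honouring GET_ANC leaves a critical object (Administrator moved into an OU) without its non-critical parent, and why GET_ANC is ignored for EXOPs as agreed above.

```python
from typing import Dict, List, Optional

# Flag names from the thread; the bit values here are placeholders for this
# model only, not the real DRSUAPI values.
DRSUAPI_DRS_CRITICAL_ONLY = 1 << 0
DRSUAPI_DRS_GET_ANC = 1 << 1

# Constructed sample NC: DN -> isCriticalSystemObject.  The Administrator
# account has been moved into a non-critical OU, the case from bug #12398.
SAMPLE_NC: Dict[str, bool] = {
    "DC=samba,DC=example": True,
    "CN=Users,DC=samba,DC=example": True,
    "OU=Admins,DC=samba,DC=example": False,
    "CN=Administrator,OU=Admins,DC=samba,DC=example": True,
    "CN=someuser,CN=Users,DC=samba,DC=example": False,
}
NC_ROOT = "DC=samba,DC=example"


def parent_dn(dn: str) -> Optional[str]:
    """Parent DN, or None above the NC head. Simplified: no escaped commas."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else None


def select_objects(db: Dict[str, bool], flags: int, exop: bool = False) -> List[str]:
    """Model of which objects one GetNCChanges reply contains.

    CRITICAL_ONLY keeps only critical objects.  GET_ANC then adds every
    ancestor of a selected object, critical or not, so the client can add
    objects top-down.  For extended operations GET_ANC has no effect.
    Result is ordered parents-first (by RDN depth, then name).
    """
    if flags & DRSUAPI_DRS_CRITICAL_ONLY:
        selected = {dn for dn, critical in db.items() if critical}
    else:
        selected = set(db)
    if flags & DRSUAPI_DRS_GET_ANC and not exop:
        for dn in list(selected):
            p = parent_dn(dn)
            while p is not None and p in db:
                selected.add(p)
                p = parent_dn(p)
    return sorted(selected, key=lambda d: (d.count(","), d))


def parents_precede(order: List[str], nc_root: str) -> bool:
    """Client-side check of the GET_ANC guarantee: every object's parent
    appears earlier in the reply, so it can be created before its child."""
    seen = set()
    for dn in order:
        if dn != nc_root and parent_dn(dn) not in seen:
            return False
        seen.add(dn)
    return True
```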
