[PATCH] Fix server side DRSUAPI_DRS_GET_ANC handling (bug #12398)
metze at samba.org
Wed Nov 30 08:28:29 UTC 2016
>> here's a patch to fix https://bugzilla.samba.org/show_bug.cgi?id=1239
>> The problem is that the combination DRSUAPI_DRS_CRITICAL_ONLY and
>> DRSUAPI_DRS_GET_ANC. E.g. if the administrator account was moved
>> to an OU, samba-tool domain join DC doesn't work, as the server
>> doesn't include all ancestors.
> What about just fixing it client-side by requesting all the objects if
> we fail with that error? I made our python code expose the windows
> error codes to help with this.
Because it's the server's job. See [MS-DRSR] 184.108.40.206.2 GetReplChanges.
And samba-tool domain join DC --domain-critical-only needs to work
without fetching everything. And it already does against a Windows
DC (with the same database).
>> Please review and push.
> I think we need some tests, particularly to determine what windows does
> (if anything), and to ensure we keep the new behaviour.
> I certainly found that GET_ANC had no impact on the extended
> operations, which I found surprising. (That is why that is locked down
> in the tests).
But you only added that for DRSUAPI_EXOP_FSMO_RID_ALLOC not for all others.
I'll change the patch to skip it for all EXOPs.
Would it be OK to add --domain-critical-only to 'samba-tool drs
and have a test for that, while having a critical object within a non
parent as a regression test for this.
I think having more detailed tests and get the 100% exact behavior as
is desired, but a major effort.
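
The ancestor problem discussed in this thread, as an added example that is not part of the original message and is not Samba's code: a simplified Python model of which objects a reply contains with DRSUAPI_DRS_CRITICAL_ONLY alone versus combined with DRSUAPI_DRS_GET_ANC. Assumptions: objects are keyed by DN rather than GUID/USN, the directory contents are constructed, and the function names are hypothetical.

```python
from typing import NamedTuple, Optional

class Obj(NamedTuple):
    dn: str
    parent: Optional[str]
    critical: bool  # models isCriticalSystemObject

# Constructed sample: Administrator was moved into a non-critical OU.
ROOT = "DC=example,DC=com"
DIRECTORY = [
    Obj(ROOT, None, True),
    Obj("CN=Users," + ROOT, ROOT, True),
    Obj("OU=Admins," + ROOT, ROOT, False),
    Obj("CN=Administrator,OU=Admins," + ROOT, "OU=Admins," + ROOT, True),
    Obj("CN=alice,CN=Users," + ROOT, "CN=Users," + ROOT, False),
]

def select_objects(directory, critical_only, get_anc):
    """Return DNs in send order for the given flag combination (model only)."""
    by_dn = {o.dn: o for o in directory}
    sent, out = set(), []

    def emit(obj):
        if obj.dn in sent:
            return
        if get_anc and obj.parent is not None:
            # Ancestors go first, even when they are not critical themselves.
            emit(by_dn[obj.parent])
        sent.add(obj.dn)
        out.append(obj.dn)

    for obj in directory:
        if critical_only and not obj.critical:
            continue
        emit(obj)
    return out

def missing_parents(reply, directory):
    """DNs in the reply whose parent has not appeared earlier in the reply."""
    by_dn = {o.dn: o for o in directory}
    seen, orphans = set(), []
    for dn in reply:
        parent = by_dn[dn].parent
        if parent is not None and parent not in seen:
            orphans.append(dn)
        seen.add(dn)
    return orphans
```

With only the critical filter applied, `missing_parents` reports the Administrator object because its OU is filtered out; with ancestors included, the OU is sent ahead of it and nothing is orphaned.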