[PATCH] Fix server side DRSUAPI_DRS_GET_ANC handling (bug #12398)

Stefan Metzmacher metze at samba.org
Wed Nov 30 08:28:29 UTC 2016

Hi Andrew,

>> here's a patch to fix https://bugzilla.samba.org/show_bug.cgi?id=1239
>> 8
>> The problem is that the combination DRSUAPI_DRS_CRITICAL_ONLY and
>> DRSUAPI_DRS_GET_ANC. E.g. if the administrator account was moved
>> to an OU, samba-tool domain join DC doesn't work, as the server
>> doesn't include all ancestors.
> What about just fixing it client-side by requesting all the objects if
> we fail with that error?  I made our python code expose the windows
> error codes to help with this. 

Because it's the servers job. See [MS-DRSR] GetReplChanges.

And samba-tool domain join DC --domain-critical-only needs to work
without fetching everything. And it already does against a Windows
dc (with the same database).

>> Please review and push.
> I think we need some tests, particularly to determine what windows does
> (if anything), and to ensure we keep the new behaviour. 
> I certainly found that GET_ANC had no impact on the extended
> operations, which I found surprising.  (That is why that is locked down
> in the tests). 

But you only added that for DRSUAPI_EXOP_FSMO_RID_ALLOC not for all others.

I'll change the patch to skip it for all EXOPs.

Whould it be ok to add --domain-critical-only to 'samba-tool drs
and have a test for that, while having a critical object within a non
parent as a regression test for this.

I think having more detailed tests and get the 100% exact behavior as
is desired, but a major effort.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161130/e513aa66/signature.sig>

More information about the samba-technical mailing list