Common errors in ldb use
Andrew Bartlett
abartlet at samba.org
Tue Dec 27 09:51:39 GMT 2005
On Tue, 2005-12-27 at 10:42 +0100, Simo Sorce wrote:
> On Tue, 2005-12-27 at 20:14 +1100, Andrew Bartlett wrote:
> > I've been thinking about common mistakes I have been making with the LDB
> > APIs:
> >
> > The first issue is transactions: We need to have a generic way to
> > automatically cancel a transaction from talloc
> >
> > However, the issue that prompts this mail is that of mismatches between
> > the attributes asked for in a search, and those we enquire of in a
> > result.
> >
> > That is, when we do not include (for example) "msDS-KeyVersionNumber" in
> > the search attributes, but then enquire of its value. This happens
> > frequently.
>
> Can you point me at an example, I'm not sure I completely understand the
> problem.
>
> > I was wondering if we should add a new member to struct ldb_message, to
> > contain the list of attributes requested. If (in calling
> > ldb_msg_find_element()) we ask for an attribute not in that list (and we
> > didn't ask for all attributes), we should abort().
>
> I can't understand the need for such a thing.
> In which case you get back a list of attributes that are not requested ?

This was allegedly part of the win2000 issue in the KDC. The
sam_get_results_principal() is in auth/auth_sam.c, and uses the
attribute lists at the top of this file, but they are queried in
hdb-ldb.c

The issue that prompted this mail is in rpc_server/samr/samr_password.c
The list of user_attrs[] in samdb_set_password() does not include
"msDS-KeyVersionNumber", but the code:

	kvno = samdb_result_uint(res[0],
				 "msDS-KeyVersionNumber", 0);

expects it to be there in the result.

> If that's just for sanity, then you should probably build a function
> that checks your expectations by passing in a list of attributes and an
> ldb_message structure.

Frankly, I don't care where the function is (samdb, gendb, ldb), but I
would suggest that we made the mistake too often to just trust the
current functions.

> I do not see any good reason to make this inside general usage
> functions.

It is the lack of this safety that causes bugs in Samba4 today.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
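
The check discussed in this thread, as an added example that is not part of the original mail or of Samba's code: a lookup that reports "the search never asked for this attribute" separately from "the entry has no such attribute", instead of silently returning the default. The `demo_*` types and functions, `attr_eq()` and the sample entry are hypothetical stand-ins, not the ldb API.

```c
/* Added illustration: stand-in types, not the real ldb structures or API. */
#include <ctype.h>
#include <stdlib.h>

struct demo_element { const char *name, *value; };
struct demo_message {
    const char *const *requested;        /* NULL-terminated; NULL = all attributes */
    const struct demo_element *elements; /* what the search returned */
    size_t num_elements;
};
enum demo_status { DEMO_FOUND, DEMO_ABSENT, DEMO_NOT_REQUESTED };
struct demo_result { enum demo_status status; unsigned int value; };
/* Case-insensitive name comparison (an assumption of this stand-in). */
static int attr_eq(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* Checked lookup: tells "attribute absent" apart from "never requested". */
static struct demo_result demo_find_uint(const struct demo_message *m,
                                         const char *attr, unsigned int dflt)
{
    struct demo_result r = { DEMO_NOT_REQUESTED, dflt };
    int asked = (m->requested == NULL);
    for (size_t i = 0; !asked && m->requested[i] != NULL; i++)
        asked = attr_eq(m->requested[i], "*") || attr_eq(m->requested[i], attr);
    if (!asked) return r;   /* caller bug: attribute missing from the search list */
    r.status = DEMO_ABSENT;
    for (size_t i = 0; i < m->num_elements && r.status != DEMO_FOUND; i++)
        if (attr_eq(m->elements[i].name, attr)) {
            r.status = DEMO_FOUND;
            r.value = (unsigned int)strtoul(m->elements[i].value, NULL, 10);
        }
    return r;
}

/* Constructed results: msg_bad comes from a search that forgot the kvno attribute. */
static const char *const attrs_bad[] = { "sAMAccountName", NULL };
static const char *const attrs_ok[] = { "sAMAccountName", "msDS-KeyVersionNumber", NULL };
static const struct demo_element el[] = {
    { "sAMAccountName", "alice" }, { "msDS-KeyVersionNumber", "7" } };
static const struct demo_message msg_bad = { attrs_bad, el, 1 };
static const struct demo_message msg_ok = { attrs_ok, el, 2 };

int main(void)
{
    if (demo_find_uint(&msg_ok, "msDS-KeyVersionNumber", 0).value != 7) return 1;
    return demo_find_uint(&msg_bad, "msDS-KeyVersionNumber", 0).status != DEMO_NOT_REQUESTED;
}
```

A caller can turn `DEMO_NOT_REQUESTED` into an `abort()` in developer builds, or log it, rather than carrying on with a key version number of 0.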