s4-rodc: Fix provision warnings by creating ntds objectGUID in provision

Anatoliy Atanasov anatoliy.atanasov at postpath.com
Tue May 11 02:04:19 MDT 2010 

Hi Andrew,
> > On Mon, 2010-05-10 at 09:26 -0500, Anatoliy Atanasov wrote:
> > The branch, master has been updated
> >        via  658dac9... v2 Latest enhancements in ldapcmp tool
> >        via  c3cbb84... s4-rodc: Fix provision warnings by creating 
> ntds objectGUID in provision
> >       from  8373606... s3-rpcclient: fix two more invalid typecasts 
> in spoolss commands.
> > 
> > http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> > 
> 
> > commit c3cbb846d0bfbaa11fd255bada7fa5fe502d4d96
> > Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
> > Date:   Mon May 10 13:52:27 2010 +0300
> > 
> >     s4-rodc: Fix provision warnings by creating ntds objectGUID in 
> provision
> > 
> > 
> -----------------------------------------------------------------------
> 
> > 
> > Summary of changes:
> >  source4/dsdb/pydsdb.c                       |   23 ++
> >  source4/scripting/devel/ldapcmp             |  402 
> +++++++++++++++++----------
> >  source4/scripting/python/samba/provision.py |    6 +-
> >  source4/scripting/python/samba/samdb.py     |    4 +
> >  4 files changed, 294 insertions(+), 141 deletions(-)
> > 
> 
> Anatoliy,
> 
> This patch is incorrect, and dangerous.
> 
> As far as I can see from the full patch, you set a GUID into the 
> opaque,
> but never actually make any effort to actually make it match the GUID
> that will be stored in LDB.
Right, i misunderstood metze's suggestion to copy samdb.set_invocation_id 
and do the same with objectGUID

> If the ultimate question that is causing this warning is 'am I an 
> RODC',
> then set an opaque for that.  If it is some other question, then make 
> a
> cache for that other question.  But you can't set an opaque value
> caching an objectGUID unless you also make efforts to ensure that
> objectGUID is what is actually used.  However, given that we can't
> easily set an objectGUID on LDAP backends, I've generally preferred to
> avoid this practice.
If i understood creating object guid during provision is bad idea, right?
The thing is that I need it in samdb_rodc, where i switched from using invocationID to objectGUID.
To answer amIRODC i need the NTDS entry for our server from the db and read the msDS-isRODC attribute, which is constructed btw.
Are there other options to do that, but using objectGUID to get the NTDS settings?

Regards,
Anatoliy

More information about the samba-technical mailing list