[PATCH] Fix server side DRSUAPI_DRS_GET_ANC handling (bug #12398)
Stefan Metzmacher
metze at samba.org
Wed Nov 30 06:12:00 UTC 2016
Hi Andrew,
here's a patch to fix https://bugzilla.samba.org/show_bug.cgi?id=12398
The problem is that the combination DRSUAPI_DRS_CRITICAL_ONLY and
DRSUAPI_DRS_GET_ANC. E.g. if the administrator account was moved
to an OU, samba-tool domain join DC doesn't work, as the server
doesn't include all ancestors.
Please review and push.
Thanks!
metze
-------------- next part --------------
From 8e7b2da0ba5842362138d23f155fba9af6f1555d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 29 Nov 2016 11:12:22 +0100
Subject: [PATCH] s4:rpc_server/drsuapi: implement DRSUAPI_DRS_GET_ANC more
correctly
The most important case is the combination of
DRSUAPI_DRS_CRITICAL_ONLY and DRSUAPI_DRS_GET_ANC.
With DRSUAPI_DRS_GET_ANC we need to make sure all ancestors
included even if they're not marked with
isCriticalSystemObject=TRUE.
I guess we still don't behave exactly as Windows, but it's much
better than before and fixes the initial replication if
someone moved the the administrator account to an OU.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/rpc_server/drsuapi/getncchanges.c | 209 +++++++++++++++++++++++++++---
1 file changed, 191 insertions(+), 18 deletions(-)
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 70ec04c..d9bb23a 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -37,6 +37,9 @@
#include "lib/util/tsort.h"
#include "auth/session.h"
#include "dsdb/common/util.h"
+#include "lib/dbwrap/dbwrap.h"
+#include "lib/dbwrap/dbwrap_rbt.h"
+#include "librpc/gen_ndr/ndr_misc.h"
/* state of a partially completed getncchanges call */
struct drsuapi_getncchanges_state {
@@ -707,16 +710,6 @@ struct drsuapi_changed_objects {
};
/*
- sort the objects we send by tree order
- */
-static int site_res_cmp_anc_order(struct drsuapi_changed_objects *m1,
- struct drsuapi_changed_objects *m2,
- struct drsuapi_getncchanges_state *getnc_state)
-{
- return ldb_dn_compare(m2->dn, m1->dn);
-}
-
-/*
sort the objects we send first by uSNChanged
*/
static int site_res_cmp_usn_order(struct drsuapi_changed_objects *m1,
@@ -1667,6 +1660,68 @@ static WERROR getncchanges_collect_objects_exop(struct drsuapi_bind_state *b_sta
}
}
+static WERROR dcesrv_drsuapi_anc_cache_add(struct db_context *anc_cache,
+ const struct GUID *guid)
+{
+ enum ndr_err_code ndr_err;
+ uint8_t guid_buf[16] = { 0, };
+ DATA_BLOB b = {
+ .data = guid_buf,
+ .length = sizeof(guid_buf),
+ };
+ TDB_DATA key = {
+ .dptr = b.data,
+ .dsize = b.length,
+ };
+ TDB_DATA val = {
+ .dptr = NULL,
+ .dsize = 0,
+ };
+ NTSTATUS status;
+
+ ndr_err = ndr_push_struct_into_fixed_blob(&b, guid,
+ (ndr_push_flags_fn_t)ndr_push_GUID);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ status = dbwrap_store(anc_cache, key, val, TDB_REPLACE);
+ if (!NT_STATUS_IS_OK(status)) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ return WERR_OK;
+}
+
+static WERROR dcesrv_drsuapi_anc_cache_exists(struct db_context *anc_cache,
+ const struct GUID *guid)
+{
+ enum ndr_err_code ndr_err;
+ uint8_t guid_buf[16] = { 0, };
+ DATA_BLOB b = {
+ .data = guid_buf,
+ .length = sizeof(guid_buf),
+ };
+ TDB_DATA key = {
+ .dptr = b.data,
+ .dsize = b.length,
+ };
+ bool exists;
+
+ ndr_err = ndr_push_struct_into_fixed_blob(&b, guid,
+ (ndr_push_flags_fn_t)ndr_push_GUID);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ exists = dbwrap_exists(anc_cache, key);
+ if (!exists) {
+ return WERR_OBJECT_NOT_FOUND;
+ }
+
+ return WERR_OBJECT_NAME_EXISTS;
+}
+
/*
drsuapi_DsGetNCChanges
@@ -1711,6 +1766,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
struct dsdb_schema_prefixmap *pfm_remote = NULL;
bool full = true;
uint32_t *local_pas = NULL;
+ struct db_context *anc_cache = NULL;
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
b_state = h->data;
@@ -2058,11 +2114,6 @@ allowed:
/* RID_ALLOC returns 3 objects in a fixed order */
if (req10->extended_op == DRSUAPI_EXOP_FSMO_RID_ALLOC) {
/* Do nothing */
- } else if (req10->replica_flags & DRSUAPI_DRS_GET_ANC) {
- LDB_TYPESAFE_QSORT(changes,
- getnc_state->num_records,
- getnc_state,
- site_res_cmp_anc_order);
} else {
LDB_TYPESAFE_QSORT(changes,
getnc_state->num_records,
@@ -2174,6 +2225,16 @@ allowed:
uint32_t_ptr_cmp);
}
+ /* RID_ALLOC returns 3 objects in a fixed order */
+ if (req10->extended_op == DRSUAPI_EXOP_FSMO_RID_ALLOC) {
+ /* Do nothing */
+ } else if (req10->replica_flags & DRSUAPI_DRS_GET_ANC) {
+ anc_cache = db_open_rbt(mem_ctx);
+ if (anc_cache == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ }
+
for (i=getnc_state->num_processed;
i<getnc_state->num_records &&
!null_scope &&
@@ -2181,6 +2242,7 @@ allowed:
&& !max_wait_reached;
i++) {
int uSN;
+ struct drsuapi_DsReplicaObjectListItemEx *new_objs = NULL;
struct drsuapi_DsReplicaObjectListItemEx *obj;
struct ldb_message *msg;
static const char * const msg_attrs[] = {
@@ -2192,6 +2254,7 @@ allowed:
NULL };
struct ldb_result *msg_res;
struct ldb_dn *msg_dn;
+ const struct GUID *next_anc_guid = NULL;
obj = talloc_zero(mem_ctx, struct drsuapi_DsReplicaObjectListItemEx);
W_ERROR_HAVE_NO_MEMORY(obj);
@@ -2272,10 +2335,118 @@ allowed:
continue;
}
- r->out.ctr->ctr6.object_count++;
+ new_objs = obj;
- *currentObject = obj;
- currentObject = &obj->next_object;
+ if (anc_cache != NULL) {
+ werr = dcesrv_drsuapi_anc_cache_add(anc_cache,
+ &getnc_state->guids[i]);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ next_anc_guid = obj->parent_object_guid;
+ }
+
+ while (next_anc_guid != NULL) {
+ struct drsuapi_DsReplicaObjectListItemEx *anc_obj = NULL;
+ struct ldb_message *anc_msg = NULL;
+ struct ldb_result *anc_res = NULL;
+ struct ldb_dn *anc_dn = NULL;
+
+ werr = dcesrv_drsuapi_anc_cache_exists(anc_cache,
+ next_anc_guid);
+ if (W_ERROR_EQUAL(werr, WERR_OBJECT_NAME_EXISTS)) {
+ /*
+ * We don't need to send it twice.
+ */
+ break;
+ }
+ if (W_ERROR_IS_OK(werr)) {
+ return WERR_INTERNAL_ERROR;
+ }
+ if (!W_ERROR_EQUAL(werr, WERR_OBJECT_NOT_FOUND)) {
+ return werr;
+ }
+ werr = WERR_OK;
+
+ anc_obj = talloc_zero(mem_ctx,
+ struct drsuapi_DsReplicaObjectListItemEx);
+ if (anc_obj == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ anc_dn = ldb_dn_new_fmt(anc_obj, sam_ctx, "<GUID=%s>",
+ GUID_string(anc_obj, next_anc_guid));
+ if (anc_dn == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ ret = drsuapi_search_with_extended_dn(sam_ctx, anc_obj,
+ &anc_res, anc_dn,
+ LDB_SCOPE_BASE,
+ msg_attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ const char *anc_str = NULL;
+ const char *obj_str = NULL;
+
+ anc_str = ldb_dn_get_extended_linearized(anc_obj,
+ anc_dn,
+ 1);
+ obj_str = ldb_dn_get_extended_linearized(anc_obj,
+ msg->dn,
+ 1),
+
+ DBG_ERR("getncchanges: failed to fetch ANC "
+ "DN %s for DN %s - %s\n",
+ anc_str, obj_str,
+ ldb_errstring(sam_ctx));
+ return WERR_DS_DRA_INCONSISTENT_DIT;
+ }
+
+ anc_msg = anc_res->msgs[0];
+
+ werr = get_nc_changes_build_object(anc_obj, anc_msg,
+ sam_ctx,
+ getnc_state->ncRoot_dn,
+ getnc_state->is_schema_nc,
+ schema, &session_key,
+ getnc_state->min_usn,
+ req10->replica_flags,
+ req10->partial_attribute_set,
+ req10->uptodateness_vector,
+ req10->extended_op,
+ true, /* ??? max_wait_reached */
+ local_pas);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ werr = dcesrv_drsuapi_anc_cache_add(anc_cache,
+ next_anc_guid);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ /*
+ * prepend it to the list
+ */
+ anc_obj->next_object = new_objs;
+ new_objs = anc_obj;
+
+ /*
+ * We may need to resolve more...
+ */
+ next_anc_guid = anc_obj->parent_object_guid;
+ }
+
+ *currentObject = new_objs;
+ while (new_objs != NULL) {
+ r->out.ctr->ctr6.object_count += 1;
+ if (new_objs->next_object == NULL) {
+ currentObject = &new_objs->next_object;
+ }
+ new_objs = new_objs->next_object;
+ }
DEBUG(8,(__location__ ": replicating object %s\n", ldb_dn_get_linearized(msg->dn)));
@@ -2418,6 +2589,8 @@ allowed:
}
}
+ TALLOC_FREE(anc_cache);
+
if (!r->out.ctr->ctr6.more_data) {
talloc_steal(mem_ctx, getnc_state->la_list);
--
1.9.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161130/383e651e/signature.sig>
More information about the samba-technical
mailing list