The branch, v4-17-stable has been updated
       via  bdd1a7c5f2f VERSION: Disable GIT_SNAPSHOT for the 4.17.8 release.
       via  5f8ce6404cf WHATSNEW: Add release notes for Samba 4.17.8.
       via  05f30cea353 winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users
       via  8cf0241459f winbind: Test wbinfo -u with more than 1000 users
       via  2d5ac37d251 dsgetdcname: do not assume local system uses IPv4
       via  b026bbe24c1 s3:lib: Do not try to match '.' and '..' directories in is_in_path()
       via  c13b5b7dc89 s3:tests: Add test that veto files works for hidden files
       via  647c7c75f8f s3:tests: Create a temporary directory for test_veto_files.sh
       via  65168f33f95 libcli/security: rewrite calculate_inherited_from_parent()
       via  f53ef993ffc shadow_copy2: Fix stream open for streams_depot paths
       via  8c9945e24b2 streams_depot: Create files when requested
       via  8011cea58e3 rpcd_mdssvc: initialize POSIX locking
       via  0c633912732 smbXsrv_tcon: avoid storing temporary (invalid!) records.
       via  fd477e4ff6f net_ads: fill ads->auth.realm from c->creds
       via  45a264bf5b6 testprogs/blackbox: add test_net_ads_search_server.sh
       via  d8fa74a176e smbd: Fix case normalization in for directories
       via  d7d81510c38 s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5).
       via  72d3c4f6799 smbd: Prevent creation of vetoed files
       via  ad60260323c CI: add a test creating a vetoed file
       via  0fba21c1bfa dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test
       via  e9e902f7393 dsdb/tests: Move SD modification on class-created objects to classSetUp
       via  7fe8a7d710d s3: libcli: Refuse to connect to any server with zero values for max_trans_size, max_read_size, max_write_size.
       via  f7e888f78ec tests: Add samba3.blackbox.zero_readsize test.
       via  e2df45934ab dsdb: Avoid ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join
       via  eaff4ef6162 selftest/drs: Demonstrate ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join
       via  3ecdec683b6 CVE-2020-25720 pydsdb: Add AD schema GUID constants
       via  b1c7df203d0 tsocket: Increase tcp_user_timeout max_loops
       via  bf5ccd5a140 idmap_hash: remember new domain sids in idmap_hash_sid_to_id()
       via  f27cff23350 idmap_hash: don't return ID_REQUIRE_TYPE if the domain is known in the netsamlogon cache
       via  182410af7de idmap_hash: only return ID_REQUIRE_TYPE if we don't know about the domain yet
       via  13a593254af idmap_hash: return ID_REQUIRE_TYPE only if there's a chance to get a mapping later
       via  e5c9a3597af idmap_hash: split out a idmap_hash_sid_to_id() helper function
       via  da270642918 idmap_hash: split out a idmap_hash_id_to_sid() helper function
       via  61f3e674076 idmap_hash: mirror the NT_STATUS_NONE_MAPPED/STATUS_SOME_UNMAPPED logic from idmap_autorid
       via  a19fe930199 idmap_hash: we don't need to call idmap_hash_initialize() over and over again
       via  5a754810dea idmap_hash: remove unused error checks
       via  1e6eeb8efb2 idmap_hash: fix comments about the algorithm
       via  bac09f85daa idmap_hash: provide ID_TYPE_BOTH mappings also for unixids_to_sids
       via  edc8659b505 idmap_autorid: fix ID_REQUIRE_TYPE for more than one SID for an unknown domain
       via  148d5ad7698 winbindd: don't call set_domain_online_request() in the idmap child
       via  cb204cfc69b VERSION: Bump version up to Samba 4.17.8...
      from  2761e60b563 VERSION: Disable GIT_SNAPSHOT for the 4.17.7 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                          |   2 +-
 WHATSNEW.txt                                     |  82 +++++-
 lib/tsocket/tests/test_tstream.c                 |   2 +-
 libcli/security/create_descriptor.c              | 247 +++++++++++++-----
 libcli/smb/smbXcli_base.c                        |  11 +
 libds/common/flags.h                             |  14 ++
 python/samba/join.py                             |  19 ++
 selftest/target/Samba3.pm                        |   4 +
 source3/lib/util.c                               |   5 +
 source3/libsmb/dsgetdcname.c                     |  49 ++--
 source3/modules/vfs_shadow_copy2.c               |  25 +-
 source3/modules/vfs_streams_depot.c              |   2 +-
 source3/rpc_server/rpcd_mdssvc.c                 |   8 +
 source3/script/tests/test_veto_files.sh          |  80 +++++-
 source3/script/tests/test_wbinfo_u_large_ad.sh   |  28 +++
 source3/script/tests/test_zero_readsize.sh       | 101 ++++++++
 source3/smbd/filename.c                          |  18 +-
 source3/smbd/globals.h                           |   5 +
 source3/smbd/open.c                              |   2 +-
 source3/smbd/smb1_service.c                      |  48 ++--
 source3/smbd/smb2_service.c                      |  15 --
 source3/smbd/smb2_tcon.c                         |  58 +++--
 source3/smbd/smbXsrv_tcon.c                      |  29 ++-
 source3/utils/net_ads.c                          |  10 +-
 source3/winbindd/idmap_autorid.c                 |  15 +-
 source3/winbindd/idmap_hash/idmap_hash.c         | 302 +++++++++++++++--------
 source3/winbindd/winbindd_dual.c                 |   7 -
 source3/winbindd/winbindd_samr.c                 | 102 +++++---
 source4/dsdb/pydsdb.c                            |  15 ++
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c  |  13 +-
 source4/dsdb/samdb/samdb.h                       |   2 +
 source4/dsdb/tests/python/large_ldap.py          |  20 +-
 source4/selftest/tests.py                        |  16 ++
 source4/torture/drs/python/ridalloc_exop.py      | 135 ++++++++++
 testprogs/blackbox/test_net_ads_search_server.sh |  37 +++
 35 files changed, 1202 insertions(+), 326 deletions(-)
 create mode 100755 source3/script/tests/test_wbinfo_u_large_ad.sh
 create mode 100755 source3/script/tests/test_zero_readsize.sh
 create mode 100755 testprogs/blackbox/test_net_ads_search_server.sh


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index f1fe0a90b66..bcfbd046e24 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=17
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 694e29c45eb..c9f39ce3912 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,82 @@
+                   ==============================
+                   Release Notes for Samba 4.17.8
+                            May 11, 2023
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.17 release series.
+
+
+Changes since 4.17.7
+--------------------
+
+o  Jeremy Allison <j...@samba.org>
+   * BUG 15302: log flood: smbd_calculate_access_mask_fsp: Access denied:
+     message level should be lower.
+   * BUG 15306: Floating point exception (FPE) via cli_pull_send at
+     source3/libsmb/clireadwrite.c.
+
+o  Andrew Bartlett <abart...@samba.org>
+   * BUG 15328: test_tstream_more_tcp_user_timeout_spin fails intermittently on
+     Rackspace GitLab runners.
+   * BUG 15329: Reduce flapping of ridalloc test.
+   * BUG 15351: large_ldap test is unreliable.
+
+o  Ralph Boehme <s...@samba.org>
+   * BUG 15143: New filename parser doesn't check veto files smb.conf 
parameter.
+   * BUG 15354: mdssvc may crash when initializing.
+
+o  Volker Lendecke <v...@samba.org>
+   * BUG 15313: Large directory optimization broken for non-lcomp path 
elements.
+   * BUG 15357: streams_depot fails to create streams.
+   * BUG 15358: shadow_copy2 and streams_depot don't play well together.
+   * BUG 15366: wbinfo -u fails on ad dc with >1000 users.
+
+o  Stefan Metzmacher <me...@samba.org>
+   * BUG 15317: winbindd idmap child contacts the domain controller without a
+     need.
+   * BUG 15318: idmap_autorid may fail to map sids of trusted domains for the
+     first time.
+   * BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings.
+   * BUG 15323: net ads search -P doesn't work against servers in other 
domains.
+   * BUG 15338: DS ACEs might be inherited to unrelated object classes.
+   * BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed.
+
+o  Andreas Schneider <a...@samba.org>
+   * BUG 15360: Setting veto files = /.*/ break listing directories.
+
+o  Joseph Sutton <josephsut...@catalyst.net.nz>
+   * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
+     allow full write to all attributes (additional changes).
+   * BUG 15329: Reduce flapping of ridalloc test.
+
+o  Nathaniel W. Turner <ntur...@exagrid.com>
+   * BUG 15325: dsgetdcname: assumes local system uses IPv4.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.17.7
                            March 29, 2023
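Review bot: in the BUG 15360 entry, "Setting veto files = /.*/ break listing directories" should read "breaks listing directories", and the BUG 15366 entry ("wbinfo -u fails on ad dc") would be consistent with the other entries as "on an AD DC". Small, but these notes are what administrators read when deciding whether to take the update.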
@@ -67,8 +146,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.17.6
                            March 09, 2023
diff --git a/lib/tsocket/tests/test_tstream.c b/lib/tsocket/tests/test_tstream.c
index a920e671cda..47008bb8bf8 100644
--- a/lib/tsocket/tests/test_tstream.c
+++ b/lib/tsocket/tests/test_tstream.c
@@ -322,7 +322,7 @@ static void 
test_tstream_server_spin_client_tcp_user_timeout(struct socket_pair
        rc = write(sp->socket_client, TEST_STRING, sizeof(TEST_STRING));
        assert_return_code(rc, errno);
        sp->expected_errno = ETIMEDOUT;
-       sp->max_loops = 15;
+       sp->max_loops = 30;
 }
 
 static void test_tstream_server_spin_client_both_timer(struct tevent_context 
*ev,
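Review bot: the bump of sp->max_loops from 15 to 30 in test_tstream_server_spin_client_tcp_user_timeout comes with no explanation of how the bound relates to the ETIMEDOUT the test expects; a one-line comment saying why 30 iterations is enough headroom on slow runners (BUG 15328) would stop the next person from doubling it again blindly when the test flaps.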
diff --git a/libcli/security/create_descriptor.c 
b/libcli/security/create_descriptor.c
index ef60d847033..947d6c19d58 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -78,7 +78,7 @@ uint32_t map_generic_rights_ds(uint32_t access_mask)
 
 /* Not sure what this has to be,
 * and it does not seem to have any influence */
-static bool object_in_list(struct GUID *object_list, struct GUID *object)
+static bool object_in_list(const struct GUID *object_list, const struct GUID 
*object)
 {
        size_t i;
 
@@ -107,7 +107,7 @@ static bool object_in_list(struct GUID *object_list, struct 
GUID *object)
 /* returns true if the ACE gontains generic information
  * that needs to be processed additionally */
  
-static bool desc_ace_has_generic(struct security_ace *ace)
+static bool desc_ace_has_generic(const struct security_ace *ace)
 {
        if (ace->access_mask & SEC_GENERIC_ALL || ace->access_mask & 
SEC_GENERIC_READ ||
            ace->access_mask & SEC_GENERIC_WRITE || ace->access_mask & 
SEC_GENERIC_EXECUTE) {
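Review bot: since the signature of desc_ace_has_generic() is being touched, the typo "gontains" in the comment directly above it ("returns true if the ACE gontains generic information") could be fixed to "contains" in the same hunk.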
@@ -155,12 +155,114 @@ static struct security_acl 
*calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
        }
 
        for (i=0; i < acl->num_aces; i++) {
-               struct security_ace *ace = &acl->aces[i];
-               if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ||
-                   (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
-                       struct GUID inherited_object = GUID_zero();
+               const struct security_ace *ace = &acl->aces[i];
+               const struct GUID *inherited_object = NULL;
+               const struct GUID *inherited_property = NULL;
+               struct security_ace *tmp_ace = NULL;
+               bool applies = false;
+               bool inherited_only = false;
+               bool expand_ace = false;
+               bool expand_only = false;
+
+               if (is_container && (ace->flags & 
SEC_ACE_FLAG_CONTAINER_INHERIT)) {
+                       applies = true;
+               } else if (!is_container && (ace->flags & 
SEC_ACE_FLAG_OBJECT_INHERIT)) {
+                       applies = true;
+               }
+
+               if (!applies) {
+                       /*
+                        * If the ace doesn't apply to the
+                        * current node, we should only keep
+                        * it as SEC_ACE_FLAG_OBJECT_INHERIT
+                        * on a container. We'll add
+                        * SEC_ACE_FLAG_INHERITED_ACE
+                        * and SEC_ACE_FLAG_INHERIT_ONLY below.
+                        *
+                        * Otherwise we should completely ignore it.
+                        */
+                       if (!(ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
+                               continue;
+                       }
+               }
+
+               switch (ace->type) {
+               case SEC_ACE_TYPE_ACCESS_ALLOWED:
+               case SEC_ACE_TYPE_ACCESS_DENIED:
+               case SEC_ACE_TYPE_SYSTEM_AUDIT:
+               case SEC_ACE_TYPE_SYSTEM_ALARM:
+               case SEC_ACE_TYPE_ALLOWED_COMPOUND:
+                       break;
+
+               case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+               case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+               case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+               case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
+                       if (ace->object.object.flags & 
SEC_ACE_OBJECT_TYPE_PRESENT) {
+                               inherited_property = 
&ace->object.object.type.type;
+                       }
+                       if (ace->object.object.flags & 
SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
+                               inherited_object = 
&ace->object.object.inherited_type.inherited_type;
+                       }
+
+                       if (inherited_object != NULL && 
!object_in_list(object_list, inherited_object)) {
+                               /*
+                                * An explicit object class schemaId is given,
+                                * but doesn't belong to the current object.
+                                */
+                               applies = false;
+                       }
 
-                       tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces,
+                       break;
+               }
+
+               if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
+                       if (!applies) {
+                               /*
+                                * If the ACE doesn't apply to
+                                * the current object, we should
+                                * ignore it as it should not be
+                                * inherited any further
+                                */
+                               continue;
+                       }
+                       /*
+                        * We should only keep the expanded version
+                        * of the ACE on the current object.
+                        */
+                       expand_ace = true;
+                       expand_only = true;
+               } else if (applies) {
+                       /*
+                        * We check if should also add
+                        * the expanded version of the ACE
+                        * in addition, in case we should
+                        * expand generic access bits or
+                        * special sids.
+                        *
+                        * In that case we need to
+                        * keep the original ACE with
+                        * SEC_ACE_FLAG_INHERIT_ONLY.
+                        */
+                       expand_ace = desc_ace_has_generic(ace);
+                       if (expand_ace) {
+                               inherited_only = true;
+                       }
+               } else {
+                       /*
+                        * If the ACE doesn't apply
+                        * to the current object,
+                        * we need to keep it with
+                        * SEC_ACE_FLAG_INHERIT_ONLY
+                        * in order to apply them to
+                        * grandchildren
+                        */
+                       inherited_only = true;
+               }
+
+               if (expand_ace) {
+                       tmp_acl->aces = talloc_realloc(tmp_acl,
+                                                      tmp_acl->aces,
                                                       struct security_ace,
                                                       tmp_acl->num_aces+1);
                        if (tmp_acl->aces == NULL) {
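Review bot: the `switch (ace->type)` has no `default:` case, so an ACE whose type is outside the nine listed keeps `applies` as computed from the inherit flags and is copied to the child as a plain inherited ACE; if that is intended, a `default: break;` with a comment saying so would make it explicit, otherwise `default: continue;` would be safer, because the expansion and type-downgrade code further down only knows these nine types. Also, the comment in the `else if (applies)` branch, "We check if should also add", is missing a "we".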
@@ -168,61 +270,96 @@ static struct security_acl 
*calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
                                return NULL;
                        }
 
-                       tmp_acl->aces[tmp_acl->num_aces] = *ace;
-                       tmp_acl->aces[tmp_acl->num_aces].flags |= 
SEC_ACE_FLAG_INHERITED_ACE;
-                       /* remove IO flag from the child's ace */
-                       if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
-                           !desc_ace_has_generic(ace)) {
-                               tmp_acl->aces[tmp_acl->num_aces].flags &= 
~SEC_ACE_FLAG_INHERIT_ONLY;
-                       }
+                       tmp_ace = &tmp_acl->aces[tmp_acl->num_aces];
+                       tmp_acl->num_aces++;
 
-                       if (is_container && (ace->flags & 
SEC_ACE_FLAG_OBJECT_INHERIT))
-                           tmp_acl->aces[tmp_acl->num_aces].flags |= 
SEC_ACE_FLAG_INHERIT_ONLY;
-
-                       switch (ace->type) {
-                       case SEC_ACE_TYPE_ACCESS_ALLOWED:
-                       case SEC_ACE_TYPE_ACCESS_DENIED:
-                       case SEC_ACE_TYPE_SYSTEM_AUDIT:
-                       case SEC_ACE_TYPE_SYSTEM_ALARM:
-                       case SEC_ACE_TYPE_ALLOWED_COMPOUND:
-                               break;
-
-                       case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
-                       case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-                       case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
-                       case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
-                               if (ace->object.object.flags & 
SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
-                                       inherited_object = 
ace->object.object.inherited_type.inherited_type;
-                               }
+                       *tmp_ace = *ace;
+
+                       /*
+                        * Expand generic access bits as well as special
+                        * sids.
+                        */
+                       desc_expand_generic(tmp_ace, owner, group);
+
+                       /*
+                        * Expanded ACEs are marked as inherited,
+                        * but never inherited any further to
+                        * grandchildren.
+                        */
+                       tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE;
+                       tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
+                       tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT;
+                       tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT;
+
+                       /*
+                        * Expanded ACEs never have an explicit
+                        * object class schemaId, so clear it
+                        * if present.
+                        */
+                       if (inherited_object != NULL) {
+                               tmp_ace->object.object.flags &= 
~SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT;
+                       }
 
-                               if (!object_in_list(object_list, 
&inherited_object)) {
-                                       tmp_acl->aces[tmp_acl->num_aces].flags 
|= SEC_ACE_FLAG_INHERIT_ONLY;
+                       /*
+                        * If the ACE had an explicit object class
+                        * schemaId, but no attribute/propertySet
+                        * we need to downgrate the _OBJECT variants
+                        * to the normal ones.
+                        */
+                       if (inherited_property == NULL) {
+                               switch (tmp_ace->type) {
+                               case SEC_ACE_TYPE_ACCESS_ALLOWED:
+                               case SEC_ACE_TYPE_ACCESS_DENIED:
+                               case SEC_ACE_TYPE_SYSTEM_AUDIT:
+                               case SEC_ACE_TYPE_SYSTEM_ALARM:
+                               case SEC_ACE_TYPE_ALLOWED_COMPOUND:
+                                       break;
+                               case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+                                       tmp_ace->type = 
SEC_ACE_TYPE_ACCESS_ALLOWED;
+                                       break;
+                               case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+                                       tmp_ace->type = 
SEC_ACE_TYPE_ACCESS_DENIED;
+                                       break;
+                               case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+                                       tmp_ace->type = 
SEC_ACE_TYPE_SYSTEM_ALARM;
+                                       break;
+                               case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
+                                       tmp_ace->type = 
SEC_ACE_TYPE_SYSTEM_AUDIT;
+                                       break;
                                }
-
-                               break;
                        }
 
-                       tmp_acl->num_aces++;
-                       if (is_container) {
-                               if (!(ace->flags & 
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) &&
-                                   (desc_ace_has_generic(ace))) {
-                                           tmp_acl->aces = 
talloc_realloc(tmp_acl,
-                                                                          
tmp_acl->aces,
-                                                                          
struct security_ace,
-                                                                          
tmp_acl->num_aces+1);
-                                           if (tmp_acl->aces == NULL) {
-                                                   talloc_free(tmp_ctx);
-                                                   return NULL;
-                                           }
-                                           tmp_acl->aces[tmp_acl->num_aces] = 
*ace;
-                                           
desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces],
-                                                               owner,
-                                                               group);
-                                           
tmp_acl->aces[tmp_acl->num_aces].flags = SEC_ACE_FLAG_INHERITED_ACE;
-                                           tmp_acl->num_aces++;
-                               }
+                       if (expand_only) {
+                               continue;
                        }
                }
+
+               tmp_acl->aces = talloc_realloc(tmp_acl,
+                                              tmp_acl->aces,
+                                              struct security_ace,
+                                              tmp_acl->num_aces+1);
+               if (tmp_acl->aces == NULL) {
+                       talloc_free(tmp_ctx);
+                       return NULL;
+               }
+
+               tmp_ace = &tmp_acl->aces[tmp_acl->num_aces];
+               tmp_acl->num_aces++;
+
+               *tmp_ace = *ace;
+               tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE;
+
+               if (inherited_only) {
+                       tmp_ace->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
+               } else {
+                       tmp_ace->flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
+               }
+
+               if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
+                       tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
+                       tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT;
+                       tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT;
+               }
        }
        if (tmp_acl->num_aces == 0) {
                return NULL;
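Review bot: "downgrate" in the comment above the type-downgrade switch should be "downgrade". On the logic, the expanded copy clears SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT but keeps SEC_ACE_OBJECT_TYPE_PRESENT when inherited_property is set, so the resulting ACE stays property-scoped while losing its class scope; stating that intent in the comment would help, as would noting that the downgrade runs for every ACE without a property GUID, including ones that never had an object type, which is harmless but not obvious.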
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c5d13bd5837..1500d484e83 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5088,6 +5088,17 @@ static void smbXcli_negprot_smb2_done(struct tevent_req 
*subreq)
        conn->smb2.server.system_time   = BVAL(body, 40);
        conn->smb2.server.start_time    = BVAL(body, 48);
 
+       if (conn->smb2.server.max_trans_size == 0 ||
+           conn->smb2.server.max_read_size == 0 ||
+           conn->smb2.server.max_write_size == 0) {
+               /*
+                * We can't connect to servers we can't
+                * do any operations on.
+                */
+               tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+               return;
+       }
+
        security_offset = SVAL(body, 56);
        security_length = SVAL(body, 58);
 
diff --git a/libds/common/flags.h b/libds/common/flags.h
index bee1016b294..c013d2f0f25 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -237,6 +237,20 @@
 /* wellknown GUIDs for optional directory features */
 #define DS_GUID_FEATURE_RECYCLE_BIN                  
"766ddcd8-acd0-445e-f3b9-a7f9b6744f2a"
 
+/* GUIDs for AD schema attributes and classes */
+#define DS_GUID_SCHEMA_ATTR_DEPARTMENT                
"bf96794f-0de6-11d0-a285-00aa003049e2"
+#define DS_GUID_SCHEMA_ATTR_DNS_HOST_NAME             
"72e39547-7b18-11d1-adef-00c04fd8d5cd"
+#define DS_GUID_SCHEMA_ATTR_INSTANCE_TYPE             
"bf96798c-0de6-11d0-a285-00aa003049e2"
+#define DS_GUID_SCHEMA_ATTR_MS_SFU_30                 
"16c5d1d3-35c2-4061-a870-a5cefda804f0"
+#define DS_GUID_SCHEMA_ATTR_NT_SECURITY_DESCRIPTOR    
"bf9679e3-0de6-11d0-a285-00aa003049e2"
+#define DS_GUID_SCHEMA_ATTR_PRIMARY_GROUP_ID          
"bf967a00-0de6-11d0-a285-00aa003049e2"
+#define DS_GUID_SCHEMA_ATTR_SERVICE_PRINCIPAL_NAME    
"f3a64788-5306-11d1-a9c5-0000f80367c1"
+#define DS_GUID_SCHEMA_ATTR_USER_ACCOUNT_CONTROL      
"bf967a68-0de6-11d0-a285-00aa003049e2"
+#define DS_GUID_SCHEMA_ATTR_USER_PASSWORD             
"bf967a6e-0de6-11d0-a285-00aa003049e2"
+#define DS_GUID_SCHEMA_CLASS_COMPUTER                 
"bf967a86-0de6-11d0-a285-00aa003049e2"
+#define DS_GUID_SCHEMA_CLASS_MANAGED_SERVICE_ACCOUNT  
"ce206244-5827-4a86-ba1c-1c0c386c1b64"
+#define DS_GUID_SCHEMA_CLASS_USER                     
"bf967aba-0de6-11d0-a285-00aa003049e2"
+
 /* dsHeuristics character indexes see MS-ADTS 7.1.1.2.4.1.2 */
 
 #define DS_HR_SUPFIRSTLASTANR                     0x00000001
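Review bot: the new DS_GUID_SCHEMA_* block should carry a comment citing where the values were taken from (the AD schema references MS-ADA1/2/3 and MS-ADSC), the way the dsHeuristics block below cites MS-ADTS; hard-coded schemaIDGUIDs that feed the CVE-2020-25720 access checks need to be verifiable by a reviewer without a live schema.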
diff --git a/python/samba/join.py b/python/samba/join.py
index 650bb5a08ae..30d33d43f11 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -50,6 +50,7 @@ import tempfile
 from collections import OrderedDict
 from samba.common import get_string
 from samba.netcmd import CommandError
+from samba import dsdb
 
 
 class DCJoinException(Exception):
@@ -937,6 +938,10 @@ class DCJoinContext(object):
         """Replicate the SAM."""
 
         ctx.logger.info("Starting replication")
+
+        # A global transaction is started so that linked attributes
+        # are applied at the very end, once all partitions are
+        # replicated.  This helps get all cross-partition links.
         ctx.local_samdb.transaction_start()
         try:
             source_dsa_invocation_id = misc.GUID(ctx.samdb.get_invocation_id())
@@ -1057,7 +1062,21 @@ class DCJoinContext(object):
             ctx.local_samdb.transaction_cancel()
             raise
         else:
+
+            # This is a special case, we have completed a full
+            # replication so if a link comes to us that points to a
+            # deleted object, and we asked for all objects already, we
+            # just have to ignore it, the chance to re-try the
+            # replication with GET_TGT has long gone.  This can happen
+            # if the object is deleted and sent to us after the link
+            # was sent, as we are processing all links in the
+            # transaction_commit().
+            if not ctx.domain_replica_flags & 
drsuapi.DRSUAPI_DRS_CRITICAL_ONLY:
+                
ctx.local_samdb.set_opaque_integer(dsdb.DSDB_FULL_JOIN_REPLICATION_COMPLETED_OPAQUE_NAME,
+                                                   1)
             ctx.local_samdb.transaction_commit()
+            
ctx.local_samdb.set_opaque_integer(dsdb.DSDB_FULL_JOIN_REPLICATION_COMPLETED_OPAQUE_NAME,
+                                               0)
             ctx.logger.info("Committed SAM database")
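Review bot: if ctx.local_samdb.transaction_commit() raises, the following set_opaque_integer(..., 0) is skipped and DSDB_FULL_JOIN_REPLICATION_COMPLETED_OPAQUE_NAME stays at 1 on this samdb handle; wrapping the commit in try/finally (or clearing the opaque in the existing except path as well) keeps the "ignore links to deleted objects" behaviour scoped to this one commit. Note also that the reset is unconditional while the set is guarded by the DRSUAPI_DRS_CRITICAL_ONLY check, which is fine but worth a word in the comment.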


-- 
Samba Shared Repository
