Fix Domain Trust creation with Windows 2008 (and many other tools)

A dITConentRules attribute (unlike objectClasses) must not contain a 'SUP'. The ADSI layer in Windows would download the whole schema, and validate it. Thanks to the team at Microsoft for very long debugging session to find this. Andrew Bartlett
author: Andrew Bartlett <abartlet@samba.org> 2008-10-03 16:25:59 -0700
committer: Andrew Bartlett <abartlet@samba.org> 2008-10-06 14:16:29 -0700
commit: c412a930ad19da866503e6d8ccb71fb3191fc6d2 (patch)
tree: d29644a6e41328f8b2d25103803be4951fa519e0
parent: 2a35985283be45adbba63b5d7ced8499bcb64f59 (diff)
download: samba-c412a930ad19da866503e6d8ccb71fb3191fc6d2.tar.gz
samba-c412a930ad19da866503e6d8ccb71fb3191fc6d2.tar.bz2
samba-c412a930ad19da866503e6d8ccb71fb3191fc6d2.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/source4/dsdb/schema/schema_description.c b/source4/dsdb/schema/schema_description.c
index 6884c5284e..e152f44b97 100644
--- a/source4/dsdb/schema/schema_description.c
+++ b/source4/dsdb/schema/schema_description.c
@@ -309,7 +309,11 @@ char *schema_class_to_dITContentRule(TALLOC_CTX *mem_ctx, const struct dsdb_clas
 					   class->lDAPDisplayName,
 					   (const char **)aux_class_list,
 					   NULL, 
-					   class->subClassOf,
+					   NULL, /* Must not specify a
+						  * SUP (subclass) in
+						  * ditContentRules
+						  * per MS-ADTS
+						  * 3.1.1.3.1.1.1 */
 					   -1, must_attr_list, may_attr_list);
 	talloc_free(tmp_ctx);
 	return schema_description;
author	Andrew Bartlett <abartlet@samba.org>	2008-10-03 16:25:59 -0700
committer	Andrew Bartlett <abartlet@samba.org>	2008-10-06 14:16:29 -0700
commit	c412a930ad19da866503e6d8ccb71fb3191fc6d2 (patch)
tree	d29644a6e41328f8b2d25103803be4951fa519e0
parent	2a35985283be45adbba63b5d7ced8499bcb64f59 (diff)
download	samba-c412a930ad19da866503e6d8ccb71fb3191fc6d2.tar.gz samba-c412a930ad19da866503e6d8ccb71fb3191fc6d2.tar.bz2 samba-c412a930ad19da866503e6d8ccb71fb3191fc6d2.zip