Age | Commit message (Collapse) | Author | Files | Lines |
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Now that parentGUID is reliable again, use it instead
of building our own
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
When windows abandons a DRS sync, it will sometimes re-use the same bind handle for
a new sync. This means we need to check the DN of the sync and blank the getnc_state
if the DN has changed.
This also fixes the UDV to use the highest uSN for the partition, not for
the whole SAM.
|
|
|
|
ntSecurityDescriptor is no longer included by default
|
|
|
|
The DRSUAPI_DRS_ADD_REF flag tells the DRS server to run an UpdateRefs
call on behalf of the client after the DsGetNCChanges call. The lack
of support for this option may explain why the repsTo attribute was
not being created for w2k8-r2 replication partners.
|
|
Check the validity of the requested options in DsGetNCChanges
|
|
When we indicate that a getncchanges request is not complete, we set
the more_data flag to true in the response. The client usually then
asks for the next block of data. If the client decides it wants to
skip that replication and do a different replication then we need to
make sure that the next call is in fact a continuation of the existing
call, and not a new call.
This relies on returning the results sorted by uSNChanged, as the
client uses the tmp_highest_usn in each result to see if progress is
being made.
|
|
Now that the bind opens samdb with the right credentials, we no longer
need the re-open in updaterefs and getncchanges
|
|
|
|
- always fetch parentGUID from databases, don't rely on parentGUID in
attributes
- re-fetch nc root mesages to avoid the problem of dual messages for
roots
- support returning messages a chunk at a time, using max_object_count
from request
|
|
getncchanges
When this flag is specified in the request these attributes are treated as
secret: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing,
lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials,
trustAuthIncoming, trustAuthOutgoing, unicodePwd
Their value is changed to NULL and the meta_data.originating_change_time to 0
|
|
When this flag is specified in the request we should return
for ncRoot only and so scope of search is LDB_SCOPE_BASE.
|
|
When this flag is specified in the request we shouldn't use the
uptodateness vector in the request.
|
|
|
|
In DsGetNCChanges we need to fill in the parentGUID and objectGUID of
each object, plus we need to filter out the rDN from the meta data,
and always send the instanceType
|
|
This might help the windows client with ordered requests. Later we
need to support the "ancestors" mode flag.
|
|
|
|
There is also an option to disable the security check
by specifying in the smb.conf file:
drs:disable_sec_check = true
|
|
|
|
The key DRS calls should only be allowed by administrators or domain
controllers
|
|
The getncchanges uSN is in our local space, so we must compare it to
the local_usn in replPropertyMetaData
|
|
a rename may have no attribute changes
|
|
At least on the command line the braces are needed. Strange.
|
|
It's useful seeing the object count without as much detail
|
|
Without this the client will not update its repsFrom highest_usn values
|
|
When the client tells us the highest_usn they have is N, then we want
to send them objects with usn>N, not>=N, as otherwise we end up
sending them the same object (the one with the highest uSN) again and
again.
|
|
uSNChanged>=N is good enough, and offers a possibility of a simple
optimisation where the partition module could look for that expression
and check the partitions sequence number, then avoid searching a
partition that doesn't have any records with a larger uSN.
|
|
We were relying on the uSNChanged>=n search always finding the DN of
the root of the partition, but this now doesn't happen very often as
we are now restricting when we change uSNChanged. This means we need
to always load the replUpToDateVector attribute from the NC root and
use it to populate the cursors in the return.
|
|
|
|
Right now parentGUID is a normal attribute in s4, but it should be
generated, which means we need to ask for it in a search if we want to
use it.
|
|
This means we now get passwords vampired correctly for s4<->s4
replication.
|
|
|
|
thanks to metze for pointing this out
|
|
These two arrays need to be in sync, as they are walked in sync by the
client
|
|
It is easier to understand without the heavy nesting
|
|
These will get quite complex eventually, I think we are better
separating them so the code is a bit easier to follow
|