From 6ab4cf906ffe4dc448da8780908920ac99035ce8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 10 Mar 2016 13:43:15 +1300 Subject: [PATCH] dsdb/repl: Ensure we use the LOCAL attid value, not the remote one The key here is that while this never was an issue for builtin schema, nor for objects with an msDS-IntID used outside the schema partition, additional attributes added and used in the schema partition were incorrectly using the wrong attributeID value in the replPropertyMetaData. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11783 Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sun Mar 13 23:29:14 CET 2016 on sn-devel-144 (cherry picked from commit 6ecfc4cb254f9b2524ec5619ed8cee9db5d959b2)
---
 source4/dsdb/repl/replicated_objects.c | 18 ++++++++++++++----
 source4/dsdb/schema/schema_syntax.c | 12 +++++++++++-
 2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/source4/dsdb/repl/replicated_objects.c b/source4/dsdb/repl/replicated_objects.c
index e9225f5..a112e18 100644
--- a/source4/dsdb/repl/replicated_objects.c
+++ b/source4/dsdb/repl/replicated_objects.c
@@ -455,7 +455,7 @@ WERROR dsdb_convert_object_ex(struct ldb_context *ldb,
 }
 if (W_ERROR_EQUAL(status, WERR_TOO_MANY_SECRETS)) {
 WERROR get_name_status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, pfm_remote,
- a, msg->elements, e);
+ a, msg->elements, e, NULL);
 if (W_ERROR_IS_OK(get_name_status)) {
 DEBUG(0, ("Unxpectedly got secret value %s on %s from DRS server\n",
 e->name, ldb_dn_get_linearized(msg->dn)));
@@ -467,11 +467,21 @@ WERROR dsdb_convert_object_ex(struct ldb_context *ldb,
 return status;
 }
 
+ /*
+ * This function also fills in the local attid value,
+ * based on comparing the remote and local prefixMap
+ * tables. If we don't convert the value, then we can
+ * have invalid values in the replPropertyMetaData we
+ * store on disk, as the prefixMap is per host, not
+ * per-domain. This may be why Microsoft added the
+ * msDS-IntID feature, however this is not used for
+ * extra attributes in the schema partition itself.
+ */
 status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, pfm_remote,
- a, msg->elements, e);
+ a, msg->elements, e,
+ &m->attid);
 W_ERROR_NOT_OK_RETURN(status);
 
- m->attid = a->attid;
 m->version = d->version;
 m->originating_change_time = d->originating_change_time;
 m->originating_invocation_id = d->originating_invocation_id;
@@ -1038,7 +1048,7 @@ static WERROR dsdb_origin_object_convert(struct ldb_context *ldb,
 e = &msg->elements[i];
 
 status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, schema->prefixmap,
- a, msg->elements, e);
+ a, msg->elements, e, NULL);
 W_ERROR_NOT_OK_RETURN(status);
 }
 
diff --git a/source4/dsdb/schema/schema_syntax.c b/source4/dsdb/schema/schema_syntax.c
index f9c50b8..5cf1664 100644
--- a/source4/dsdb/schema/schema_syntax.c
+++ b/source4/dsdb/schema/schema_syntax.c
@@ -2701,7 +2701,8 @@ WERROR dsdb_attribute_drsuapi_to_ldb(struct ldb_context *ldb,
 const struct dsdb_schema_prefixmap *pfm_remote,
 const struct drsuapi_DsReplicaAttribute *in,
 TALLOC_CTX *mem_ctx,
- struct ldb_message_element *out)
+ struct ldb_message_element *out,
+ enum drsuapi_DsAttributeId *local_attid_as_enum)
 {
 const struct dsdb_attribute *sa;
 struct dsdb_syntax_ctx syntax_ctx;
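Review bot: The new `local_attid_as_enum` parameter added to the signature of dsdb_attribute_drsuapi_to_ldb in the schema_syntax.c hunk carries no documentation, so its contract has to be inferred from the call sites: two callers pass NULL and only dsdb_convert_object_ex passes `&m->attid`. A short comment above the definition should state that it is an optional out-parameter, that NULL means "not wanted", and that it receives the attid translated into the local prefixMap rather than the remote value, since that distinction is the whole point of the change. Something like `/* local_attid_as_enum: optional; if non-NULL receives the attid of the resolved attribute in the LOCAL prefixMap (NULL callers ignore it). */` would do. The function body continues outside this hunk.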
@@ -2737,6 +2738,15 @@ WERROR dsdb_attribute_drsuapi_to_ldb(struct ldb_context *ldb,
 return WERR_DS_ATT_NOT_DEF_IN_SCHEMA;
 }
 
+ /*
+ * We return the same class of attid as we were given. That
+ * is, we trust the remote server not to use an
+ * msDS-IntId value in the schema partition
+ */
+ if (local_attid_as_enum != NULL) {
+ *local_attid_as_enum = (enum drsuapi_DsAttributeId)attid_local;
+ }
+
 return sa->syntax->drsuapi_to_ldb(&syntax_ctx, sa, in, mem_ctx, out);
 }
 
-- 1.9.1
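Review bot: The store into `*local_attid_as_enum` happens before `sa->syntax->drsuapi_to_ldb()` runs, so when the syntax conversion fails the out-parameter has already been written even though the function returns an error; the caller in replicated_objects.c returns immediately so nothing reads it today, but that ordering is not stated anywhere. The comment above the assignment also records a trust decision — the cast `(enum drsuapi_DsAttributeId)attid_local` accepts whatever class of attid the remote side presumably supplied (attid_local is assigned outside this hunk) — and that belongs in the caller-facing contract rather than only at this line. I would extend the block comment with `* Written before the syntax conversion: callers must only read the value when this function returned WERR_OK.` Separately, the attribute is spelt `msDS-IntId` here but `msDS-IntID` in the replicated_objects.c comment; one spelling would keep both greppable. dsdb_attribute_drsuapi_to_ldb begins outside this hunk.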