From 68fe705fcd97381c6c7af3c163173285c6cb27c2 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 26 Aug 2016 15:54:35 +1200
Subject: [PATCH 1/2] dsdb: Allow missing a mandatory attribute from a dbcheck
 fix

dbcheck of the rid pool (CN=RID Set) for another server will otherwise fail because
rIDNextRid is not replicated, and so it not present

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12178

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 9d0c869e36ba2f43fd2ed4cd090b48102d499bc8)
---
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index f739c40..c83c2e9 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -419,8 +419,15 @@ static int attr_handler2(struct oc_context *ac)
 		}
 	}
 
+	/*
+	 * We skip this check under dbcheck to allow fixing of other
+	 * attributes even if an attribute is missing.  This matters
+	 * for CN=RID Set as the required attribute rIDNextRid is not
+	 * replicated.
+	 */
 	if (found_must_contain[0] != NULL &&
-	    ldb_msg_check_string_attribute(msg, "isDeleted", "TRUE") == 0) {
+	    ldb_msg_check_string_attribute(msg, "isDeleted", "TRUE") == 0 &&
+	    ldb_request_get_control(ac->req, DSDB_CONTROL_DBCHECK) == NULL) {
 		ldb_asprintf_errstring(ldb, "objectclass_attrs: at least one mandatory attribute ('%s') on entry '%s' wasn't specified!",
 				       found_must_contain[0],
 				       ldb_dn_get_linearized(msg->dn));
-- 
1.9.1


From ecac35121dee00a488a219c073eb236aab8f2fc0 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 26 Aug 2016 15:53:19 +1200
Subject: [PATCH 2/2] dbcheck: Abandon dbcheck if we get an error during a
 transaction

Otherwise, anything that the transaction has already done to the DB will be left in the DB
even despite the failure.  For example, if a fix wrote to the DB, but then failed a post-write
check, then the fix will not be unrolled.

This is because we do not have nested transactions in TDB.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12178

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Aug 29 12:46:21 CEST 2016 on sn-devel-144

(cherry picked from commit db32a0e5ea8f652857e45480cc31ecb1ef884c1a)
---
 python/samba/dbchecker.py                |  7 +++++++
 testprogs/blackbox/dbcheck-oldrelease.sh | 10 ++++++++++
 2 files changed, 17 insertions(+)

diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index e904b4a..9b0784b 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -31,6 +31,7 @@ from samba.common import dsdb_Dn
 from samba.dcerpc import security
 from samba.descriptor import get_wellknown_sds, get_diff_sds
 from samba.auth import system_session, admin_session
+from samba.netcmd import CommandError
 
 
 class dbcheck(object):
@@ -324,6 +325,8 @@ systemFlags: -1946157056%s""" % (dn, guid_suffix),
             controls = controls + ["local_oid:%s:0" % dsdb.DSDB_CONTROL_DBCHECK]
             self.samdb.delete(dn, controls=controls)
         except Exception, err:
+            if self.in_transaction:
+                raise CommandError("%s : %s" % (msg, err))
             self.report("%s : %s" % (msg, err))
             return False
         return True
@@ -336,6 +339,8 @@ systemFlags: -1946157056%s""" % (dn, guid_suffix),
             controls = controls + ["local_oid:%s:0" % dsdb.DSDB_CONTROL_DBCHECK]
             self.samdb.modify(m, controls=controls, validate=validate)
         except Exception, err:
+            if self.in_transaction:
+                raise CommandError("%s : %s" % (msg, err))
             self.report("%s : %s" % (msg, err))
             return False
         return True
@@ -353,6 +358,8 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
             controls = controls + ["local_oid:%s:0" % dsdb.DSDB_CONTROL_DBCHECK]
             self.samdb.rename(from_dn, to_dn, controls=controls)
         except Exception, err:
+            if self.in_transaction:
+                raise CommandError("%s : %s" % (msg, err))
             self.report("%s : %s" % (msg, err))
             return False
         return True
diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh
index 1efea67..dd176cf 100755
--- a/testprogs/blackbox/dbcheck-oldrelease.sh
+++ b/testprogs/blackbox/dbcheck-oldrelease.sh
@@ -186,6 +186,15 @@ check_expected_before_values() {
 }
 
 # This should 'fail', because it returns the number of modified records
+dbcheck_objectclass() {
+    if [ x$RELEASE = x"release-4-1-6-partial-object" ]; then
+	$PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --attrs=objectclass $@
+    else
+	return 1
+    fi
+}
+
+# This should 'fail', because it returns the number of modified records
 dbcheck() {
        $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
 }
@@ -363,6 +372,7 @@ if [ -d $release_dir ]; then
     testit "reindex" reindex
     testit "current_version_mod" do_current_version_mod
     testit "check_expected_before_values" check_expected_before_values
+    testit_expect_failure "dbcheck_objectclass" dbcheck_objectclass
     testit_expect_failure "dbcheck" dbcheck
     testit "check_expected_after_values" check_expected_after_values
     testit "check_forced_duplicate_values" check_forced_duplicate_values
-- 
1.9.1