From f8d14e140f55505cecd36c9029d84cadff5d9f6a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Aug 2016 11:39:24 +1200 Subject: [PATCH 01/34] selftest: Correct name of samba4.blackbox.dbcheck.release-4-5-0-pre1 Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 599d3f7f8358f6107e1d13ab0a92c3143f32435e) --- selftest/tests.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/selftest/tests.py b/selftest/tests.py index e02f049..21f2096 100644 --- a/selftest/tests.py +++ b/selftest/tests.py @@ -90,6 +90,11 @@ plantestsuite( ["PYTHON=%s" % python, os.path.join(bbdir, "dbcheck-oldrelease.sh"), '$PREFIX_ABS/provision', 'release-4-1-6-partial-object', configuration]) plantestsuite( + "samba4.blackbox.dbcheck.release-4-5-0-pre1", "none", + ["PYTHON=%s" % python, + os.path.join(bbdir, "dbcheck-oldrelease.sh"), + '$PREFIX_ABS/provision', 'release-4-5-0-pre1', configuration]) +plantestsuite( "samba4.blackbox.upgradeprovision.alpha13", "none", ["PYTHON=%s" % python, os.path.join(bbdir, "upgradeprovision-oldrelease.sh"), @@ -99,11 +104,6 @@ plantestsuite( ["PYTHON=%s" % python, os.path.join(bbdir, "upgradeprovision-oldrelease.sh"), '$PREFIX_ABS/provision', 'release-4-0-0', configuration]) -plantestsuite( - "samba4.blackbox.upgradeprovision.release-4-5-0-pre1", "none", - ["PYTHON=%s" % python, - os.path.join(bbdir, "dbcheck-oldrelease.sh"), - '$PREFIX_ABS/provision', 'release-4-5-0-pre1', configuration]) planpythontestsuite("none", "samba.tests.upgradeprovision") planpythontestsuite("none", "samba.tests.xattr") planpythontestsuite("none", "samba.tests.ntacls") -- 1.9.1 From 4186af427889a7e1a0b3e41203ff763e91ab56dc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 25 Aug 2016 11:28:32 +1200 Subject: [PATCH 02/34] pydsdb: Raise TypeError for type errors, rather than incorrectly raising an LdbError 
Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 9142a01bb55a09e836c70d15fe420fb2599aec6f) --- source4/dsdb/pydsdb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c index efaf66b..1fe8c13 100644 --- a/source4/dsdb/pydsdb.c +++ b/source4/dsdb/pydsdb.c @@ -34,14 +34,14 @@ void initdsdb(void); /* FIXME: These should be in a header file somewhere */ #define PyErr_LDB_OR_RAISE(py_ldb, ldb) \ if (!py_check_dcerpc_type(py_ldb, "ldb", "Ldb")) { \ - PyErr_SetString(py_ldb_get_exception(), "Ldb connection object required"); \ + PyErr_SetString(PyExc_TypeError, "Ldb connection object required"); \ return NULL; \ } \ ldb = pyldb_Ldb_AsLdbContext(py_ldb); #define PyErr_LDB_DN_OR_RAISE(py_ldb_dn, dn) \ if (!py_check_dcerpc_type(py_ldb_dn, "ldb", "Dn")) { \ - PyErr_SetString(py_ldb_get_exception(), "ldb Dn object required"); \ + PyErr_SetString(PyExc_TypeError, "ldb Dn object required"); \ return NULL; \ } \ dn = pyldb_Dn_AsDn(py_ldb_dn); -- 1.9.1 From 146344468aa7c824fd8758c51b2fee25beab69ad Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 29 Aug 2016 18:20:18 +1200 Subject: [PATCH 03/34] ldb-samba: Add new extended match rule DSDB_MATCH_FOR_EXPUNGE This allows us to find links that need to be expunged without passing the whole DB up in the search response. While each message still needs to be examined, this code only has to do memory allocation for entries with links Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit eb1cb175980a87b8a7cbd765783af33e4a7d6017) --- lib/ldb-samba/ldb_matching_rules.c | 133 ++++++++++++++++++++++++++++++++++++- lib/ldb-samba/ldb_matching_rules.h | 1 + source4/setup/schema_samba4.ldif | 1 + 3 files changed, 134 insertions(+), 1 deletion(-) 
diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c index 637858f..aa86979 100644 --- a/lib/ldb-samba/ldb_matching_rules.c +++ b/lib/ldb-samba/ldb_matching_rules.c @@ -4,6 +4,7 @@ ldb database library - Extended match rules Copyright (C) 2014 Samuel Cabrero + Copyright (C) Andrew Bartlett This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -23,6 +24,8 @@ #include #include "dsdb/samdb/samdb.h" #include "ldb_matching_rules.h" +#include "libcli/security/security.h" +#include "dsdb/common/util.h" static int ldb_eval_transitive_filter_helper(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, 
@@ -324,9 +327,128 @@ static int ldb_comparator_trans(struct ldb_context *ldb, } +/* + * This rule provides match of a link attribute against a 'should be expunged' criteria + * + * This allows a search filter such as: + * + * member:1.3.6.1.4.1.7165.4.5.2:=131139216000000000 + * + * This searches the member attribute, but also any member attributes + * that are deleted and should be expunged after the specified NTTIME + * time. + * + */ +static int dsdb_match_for_expunge(struct ldb_context *ldb, + const char *oid, + const struct ldb_message *msg, + const char *attribute_to_match, + const struct ldb_val *value_to_match, + bool *matched) +{ + const struct dsdb_schema *schema; + const struct dsdb_attribute *schema_attr; + TALLOC_CTX *tmp_ctx; + unsigned int i; + struct ldb_message_element *el; + struct auth_session_info *session_info; + uint64_t tombstone_time; + *matched = false; + + el = ldb_msg_find_element(msg, attribute_to_match); + if (el == NULL) { + return LDB_SUCCESS; + } + + session_info + = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"), + struct auth_session_info); + if (security_session_user_level(session_info, NULL) != SECURITY_SYSTEM) { + return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; + } + + /* + * If the target attribute to match is not a linked attribute, then + * the filter evaluates to undefined + */ + schema = dsdb_get_schema(ldb, NULL); + if (schema == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* TODO this is O(log n) per attribute */ + schema_attr = dsdb_attribute_by_lDAPDisplayName(schema, attribute_to_match); + if (schema_attr == NULL) { + return LDB_ERR_NO_SUCH_ATTRIBUTE; + } + + /* + * This extended match filter is only valid for forward linked attributes. 
+ */ + if (schema_attr->linkID == 0 || (schema_attr->linkID & 1) == 1) { + return LDB_ERR_NO_SUCH_ATTRIBUTE; + } + + /* Just check we don't allow the caller to fill our stack */ + if (value_to_match->length >=64) { + return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; + } else { + char *p = NULL; + char s[value_to_match->length+1]; + memcpy(s, value_to_match->data, value_to_match->length); + s[value_to_match->length] = 0; + if (s[0] == '\0' || s[0] == '-') { + return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; + } + tombstone_time = strtoull(s, &p, 10); + if (p == NULL || p == s || *p != '\0' || tombstone_time == ULLONG_MAX) { + return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; + } + } + + tmp_ctx = talloc_new(ldb); + if (tmp_ctx == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + for (i = 0; i < el->num_values; i++) { + NTSTATUS status; + struct dsdb_dn *dn; + uint64_t rmd_changetime; + if (dsdb_dn_is_deleted_val(&el->values[i]) == false) { + continue; + } + + dn = dsdb_dn_parse(tmp_ctx, ldb, &el->values[i], + schema_attr->syntax->ldap_oid); + if (dn == NULL) { + DEBUG(1, ("Error: Failed to parse linked attribute blob of %s.\n", el->name)); + continue; + } + + status = dsdb_get_extended_dn_uint64(dn->dn, &rmd_changetime, + "RMD_CHANGETIME"); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Error: RMD_CHANGETIME is missing on a forward link.\n")); + continue; + } + + if (rmd_changetime > tombstone_time) { + continue; + } + + *matched = true; + break; + } + talloc_free(tmp_ctx); + return LDB_SUCCESS; +} + + int ldb_register_samba_matching_rules(struct ldb_context *ldb) { - struct ldb_extended_match_rule *transitive_eval; + struct ldb_extended_match_rule *transitive_eval = NULL, + *match_for_expunge = NULL; int ret; transitive_eval = talloc_zero(ldb, struct ldb_extended_match_rule); 
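Review bot: In dsdb_match_for_expunge the SECURITY_SYSTEM check runs only after `ldb_msg_find_element()` has found the attribute, so a non-system caller gets LDB_SUCCESS for messages without the attribute and LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS for messages that carry it. That difference may reveal the attribute's presence on entries the caller cannot otherwise read; moving the session check above the element lookup gives every non-system caller the same answer. Separately, the guard `s[0] == '\0' || s[0] == '-'` does not cover leading whitespace, which strtoull() skips before accepting a sign, so `if (!isdigit((unsigned char)s[0]))` would be the stricter test.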
@@ -338,5 +460,14 @@ int ldb_register_samba_matching_rules(struct ldb_context *ldb) return ret; } + match_for_expunge = talloc_zero(ldb, struct ldb_extended_match_rule); + match_for_expunge->oid = DSDB_MATCH_FOR_EXPUNGE; + match_for_expunge->callback = dsdb_match_for_expunge; + ret = ldb_register_extended_match_rule(ldb, match_for_expunge); + if (ret != LDB_SUCCESS) { + talloc_free(match_for_expunge); + return ret; + } + return LDB_SUCCESS; } diff --git a/lib/ldb-samba/ldb_matching_rules.h b/lib/ldb-samba/ldb_matching_rules.h index e969b3d..421e1ce 100644 --- a/lib/ldb-samba/ldb_matching_rules.h +++ b/lib/ldb-samba/ldb_matching_rules.h @@ -24,5 +24,6 @@ /* This rule provides recursive search of a link attribute */ #define SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL "1.2.840.113556.1.4.1941" +#define DSDB_MATCH_FOR_EXPUNGE "1.3.6.1.4.1.7165.4.5.2" #endif /* _LDB_MATCHING_RULES_H_ */ diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif index 9e3ff91..2e4c16d 100644 --- a/source4/setup/schema_samba4.ldif +++ b/source4/setup/schema_samba4.ldif @@ -231,6 +231,7 @@ ############ # ldap extended matches #Allocated: SAMBA_LDAP_MATCH_ALWAYS_FALSE 1.3.6.1.4.1.7165.4.5.1 +#Allocated: DSDB_MATCH_FOR_EXPUNGE 1.3.6.1.4.1.7165.4.5.2 #Allocated: (middleName) attributeID: 1.3.6.1.4.1.7165.4.255.1 -- 1.9.1 From 147651d82ceaca79d7d652a9e6a3c3912ed51b28 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 29 Aug 2016 18:20:45 +1200 Subject: [PATCH 04/34] ldb: Fix comment on ldb_register_extended_match_rule Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit cf6bc40578c5de7e2eca0174d2be7aaa25e6b44e) --- lib/ldb/common/ldb_match.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c index e83ad63..1415fac 100644 --- a/lib/ldb/common/ldb_match.c +++ b/lib/ldb/common/ldb_match.c 
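Review bot: `match_for_expunge = talloc_zero(ldb, struct ldb_extended_match_rule);` is dereferenced on the next line without a NULL check, so an allocation failure while registering the rule becomes a NULL pointer write. Add `if (match_for_expunge == NULL) { return LDB_ERR_OPERATIONS_ERROR; }` before `->oid` is set. The function starts outside this hunk, so it is not visible here whether the earlier transitive_eval allocation has the same gap.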
@@ -693,9 +693,7 @@ _PRIVATE_ int ldb_register_extended_match_rules(struct ldb_context *ldb) } /* - register a new ldb backend - - if override is true, then override any existing backend for this prefix + register a new ldb extended matching rule */ int ldb_register_extended_match_rule(struct ldb_context *ldb, const struct ldb_extended_match_rule *rule) -- 1.9.1 From 8988ac90625360c2882e4502742f510da0d7d1a6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 18 Jul 2016 11:53:50 +1200 Subject: [PATCH 05/34] kcc: Move kcc/kcc_deleted.c into kcc/garbage_collect_tombstones.c This is in preperation for a python binding for this function Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 9221ce3a3237a8ded78e371fef2b8e4f03722b63) --- source4/dsdb/kcc/garbage_collect_tombstones.c | 146 ++++++++++++++++++++++++++ source4/dsdb/kcc/kcc_deleted.c | 146 -------------------------- source4/dsdb/kcc/kcc_service.h | 2 + source4/dsdb/wscript_build | 8 +- 4 files changed, 154 insertions(+), 148 deletions(-) create mode 100644 source4/dsdb/kcc/garbage_collect_tombstones.c delete mode 100644 source4/dsdb/kcc/kcc_deleted.c diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c new file mode 100644 index 0000000..8b9e921 --- /dev/null +++ b/source4/dsdb/kcc/garbage_collect_tombstones.c 
@@ -0,0 +1,146 @@ +/* + Unix SMB/CIFS implementation. + + handle removal of deleted objects + + Copyright (C) 2009 Andrew Tridgell + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +*/ + +#include "includes.h" +#include "lib/events/events.h" +#include "dsdb/samdb/samdb.h" +#include "auth/auth.h" +#include "smbd/service.h" +#include "lib/messaging/irpc.h" +#include "dsdb/kcc/kcc_connection.h" +#include "dsdb/kcc/kcc_service.h" +#include +#include "../lib/util/dlinklist.h" +#include "librpc/gen_ndr/ndr_misc.h" +#include "librpc/gen_ndr/ndr_drsuapi.h" +#include "librpc/gen_ndr/ndr_drsblobs.h" +#include "param/param.h" +#include "dsdb/common/util.h" + +/* + check to see if any deleted objects need scavenging + */ +NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx) +{ + struct kccsrv_partition *part; + int ret; + uint32_t tombstoneLifetime; + bool do_fs = false; + + time_t interval = lpcfg_parm_int(s->task->lp_ctx, NULL, "kccsrv", + "check_deleted_full_scan_interval", 86400); + time_t t = time(NULL); + + if (t - s->last_deleted_check < lpcfg_parm_int(s->task->lp_ctx, NULL, "kccsrv", + "check_deleted_interval", 600)) { + return NT_STATUS_OK; + } + s->last_deleted_check = t; + + ret = dsdb_tombstone_lifetime(s->samdb, &tombstoneLifetime); + if (ret != LDB_SUCCESS) { + DEBUG(1,(__location__ ": Failed to get tombstone lifetime\n")); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + if 
(s->last_full_scan_deleted_check > 0 && ((t - s->last_full_scan_deleted_check) > interval )) { + do_fs = true; + s->last_full_scan_deleted_check = t; + } + + if (s->last_full_scan_deleted_check == 0) { + /* + * If we never made a full scan set the last full scan event to be in the past + * and that 9/10 of the full scan interval has already passed. + * This is done to avoid the full scan to fire just at the begining of samba + * or a couple of minutes after the start. + * With this "setup" and default values of interval, the full scan will fire + * 2.4 hours after the start of samba + */ + s->last_full_scan_deleted_check = t - ((9 * interval) / 10); + } + + for (part=s->partitions; part; part=part->next) { + struct ldb_dn *do_dn; + struct ldb_result *res; + const char *attrs[] = { "whenChanged", NULL }; + unsigned int i; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } + + ret = dsdb_get_deleted_objects_dn(s->samdb, tmp_ctx, part->dn, &do_dn); + if (ret != LDB_SUCCESS) { + TALLOC_FREE(tmp_ctx); + /* some partitions have no Deleted Objects + container */ + continue; + } + + if (!do_fs && ldb_dn_compare(ldb_get_config_basedn(s->samdb), part->dn)) { + ret = dsdb_search(s->samdb, tmp_ctx, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs, + DSDB_SEARCH_SHOW_RECYCLED, NULL); + } else { + if (do_fs) { + DEBUG(1, ("Doing a full scan on %s and looking for deleted object\n", + ldb_dn_get_linearized(part->dn))); + } + ret = dsdb_search(s->samdb, tmp_ctx, &res, part->dn, LDB_SCOPE_SUBTREE, attrs, + DSDB_SEARCH_SHOW_RECYCLED, "(isDeleted=TRUE)"); + } + + if (ret != LDB_SUCCESS) { + DEBUG(1,(__location__ ": Failed to search for deleted objects in %s\n", + ldb_dn_get_linearized(do_dn))); + TALLOC_FREE(tmp_ctx); + continue; + } + + for (i=0; icount; i++) { + const char *tstring; + time_t whenChanged = 0; + + if (ldb_dn_compare(do_dn, res->msgs[i]->dn) == 0) { + /* Skip the Deleted Object Container */ + continue; + } + tstring = 
ldb_msg_find_attr_as_string(res->msgs[i], "whenChanged", NULL); + if (tstring) { + whenChanged = ldb_string_to_time(tstring); + } + if (t - whenChanged > tombstoneLifetime*60*60*24) { + ret = dsdb_delete(s->samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_RECYCLED|DSDB_MODIFY_RELAX); + if (ret != LDB_SUCCESS) { + DEBUG(1,(__location__ ": Failed to remove deleted object %s\n", + ldb_dn_get_linearized(res->msgs[i]->dn))); + } else { + DEBUG(4,("Removed deleted object %s\n", + ldb_dn_get_linearized(res->msgs[i]->dn))); + } + } + } + + TALLOC_FREE(tmp_ctx); + } + + return NT_STATUS_OK; +} diff --git a/source4/dsdb/kcc/kcc_deleted.c b/source4/dsdb/kcc/kcc_deleted.c deleted file mode 100644 index 93d74ca..0000000 --- a/source4/dsdb/kcc/kcc_deleted.c +++ /dev/null 
@@ -1,146 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - handle removal of deleted objects - - Copyright (C) 2009 Andrew Tridgell - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . - -*/ - -#include "includes.h" -#include "lib/events/events.h" -#include "dsdb/samdb/samdb.h" -#include "auth/auth.h" -#include "smbd/service.h" -#include "lib/messaging/irpc.h" -#include "dsdb/kcc/kcc_connection.h" -#include "dsdb/kcc/kcc_service.h" -#include -#include "../lib/util/dlinklist.h" -#include "librpc/gen_ndr/ndr_misc.h" -#include "librpc/gen_ndr/ndr_drsuapi.h" -#include "librpc/gen_ndr/ndr_drsblobs.h" -#include "param/param.h" -#include "dsdb/common/util.h" - -/* - check to see if any deleted objects need scavenging - */ -NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx) -{ - struct kccsrv_partition *part; - int ret; - uint32_t tombstoneLifetime; - bool do_fs = false; - - time_t interval = lpcfg_parm_int(s->task->lp_ctx, NULL, "kccsrv", - "check_deleted_full_scan_interval", 86400); - time_t t = time(NULL); - - if (t - s->last_deleted_check < lpcfg_parm_int(s->task->lp_ctx, NULL, "kccsrv", - "check_deleted_interval", 600)) { - return NT_STATUS_OK; - } - s->last_deleted_check = t; - - ret = dsdb_tombstone_lifetime(s->samdb, &tombstoneLifetime); - if (ret != LDB_SUCCESS) { - DEBUG(1,(__location__ ": Failed to get tombstone lifetime\n")); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - if 
(s->last_full_scan_deleted_check > 0 && ((t - s->last_full_scan_deleted_check) > interval )) { - do_fs = true; - s->last_full_scan_deleted_check = t; - } - - if (s->last_full_scan_deleted_check == 0) { - /* - * If we never made a full scan set the last full scan event to be in the past - * and that 9/10 of the full scan interval has already passed. - * This is done to avoid the full scan to fire just at the begining of samba - * or a couple of minutes after the start. - * With this "setup" and default values of interval, the full scan will fire - * 2.4 hours after the start of samba - */ - s->last_full_scan_deleted_check = t - ((9 * interval) / 10); - } - - for (part=s->partitions; part; part=part->next) { - struct ldb_dn *do_dn; - struct ldb_result *res; - const char *attrs[] = { "whenChanged", NULL }; - unsigned int i; - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - if (!tmp_ctx) { - return NT_STATUS_NO_MEMORY; - } - - ret = dsdb_get_deleted_objects_dn(s->samdb, tmp_ctx, part->dn, &do_dn); - if (ret != LDB_SUCCESS) { - TALLOC_FREE(tmp_ctx); - /* some partitions have no Deleted Objects - container */ - continue; - } - - if (!do_fs && ldb_dn_compare(ldb_get_config_basedn(s->samdb), part->dn)) { - ret = dsdb_search(s->samdb, tmp_ctx, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs, - DSDB_SEARCH_SHOW_RECYCLED, NULL); - } else { - if (do_fs) { - DEBUG(1, ("Doing a full scan on %s and looking for deleted object\n", - ldb_dn_get_linearized(part->dn))); - } - ret = dsdb_search(s->samdb, tmp_ctx, &res, part->dn, LDB_SCOPE_SUBTREE, attrs, - DSDB_SEARCH_SHOW_RECYCLED, "(isDeleted=TRUE)"); - } - - if (ret != LDB_SUCCESS) { - DEBUG(1,(__location__ ": Failed to search for deleted objects in %s\n", - ldb_dn_get_linearized(do_dn))); - TALLOC_FREE(tmp_ctx); - continue; - } - - for (i=0; icount; i++) { - const char *tstring; - time_t whenChanged = 0; - - if (ldb_dn_compare(do_dn, res->msgs[i]->dn) == 0) { - /* Skip the Deleted Object Container */ - continue; - } - tstring = 
ldb_msg_find_attr_as_string(res->msgs[i], "whenChanged", NULL); - if (tstring) { - whenChanged = ldb_string_to_time(tstring); - } - if (t - whenChanged > tombstoneLifetime*60*60*24) { - ret = dsdb_delete(s->samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_RECYCLED|DSDB_MODIFY_RELAX); - if (ret != LDB_SUCCESS) { - DEBUG(1,(__location__ ": Failed to remove deleted object %s\n", - ldb_dn_get_linearized(res->msgs[i]->dn))); - } else { - DEBUG(4,("Removed deleted object %s\n", - ldb_dn_get_linearized(res->msgs[i]->dn))); - } - } - } - - TALLOC_FREE(tmp_ctx); - } - - return NT_STATUS_OK; -} diff --git a/source4/dsdb/kcc/kcc_service.h b/source4/dsdb/kcc/kcc_service.h index b3ba226..451347e 100644 --- a/source4/dsdb/kcc/kcc_service.h +++ b/source4/dsdb/kcc/kcc_service.h @@ -98,6 +98,8 @@ struct kccsrv_service { struct kcc_connection_list; +NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx); + #include "dsdb/kcc/kcc_service_proto.h" #endif /* _DSDB_REPL_KCC_SERVICE_H_ */ diff --git a/source4/dsdb/wscript_build b/source4/dsdb/wscript_build index 991f9d3..aea8fa4 100755 --- a/source4/dsdb/wscript_build +++ b/source4/dsdb/wscript_build 
@@ -37,13 +37,17 @@ bld.SAMBA_MODULE('service_drepl', enabled=bld.AD_DC_BUILD_IS_ENABLED() ) +bld.SAMBA_LIBRARY('dsdb_garbage_collect_tombstones', + source='kcc/garbage_collect_tombstones.c', + deps='samdb param RPC_NDR_DRSUAPI', + private_library=True) bld.SAMBA_MODULE('service_kcc', - source='kcc/kcc_service.c kcc/kcc_connection.c kcc/kcc_topology.c kcc/kcc_deleted.c kcc/kcc_periodic.c kcc/kcc_drs_replica_info.c', + source='kcc/kcc_service.c kcc/kcc_connection.c kcc/kcc_topology.c kcc/kcc_periodic.c kcc/kcc_drs_replica_info.c', autoproto='kcc/kcc_service_proto.h', subsystem='service', init_function='server_service_kcc_init', - deps='samdb process_model RPC_NDR_IRPC RPC_NDR_DRSUAPI UTIL_RUNCMD', + deps='samdb process_model RPC_NDR_IRPC RPC_NDR_DRSUAPI UTIL_RUNCMD dsdb_garbage_collect_tombstones', internal_module=False, enabled=bld.AD_DC_BUILD_IS_ENABLED() ) -- 1.9.1 From 92ef5f571ff3879527fad08ddc8b7f0d7aa07dbc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 18 Jul 2016 13:10:23 +1200 Subject: [PATCH 06/34] dsdb: Rework kcc_deleted() into dsdb_garbage_collect_tombstones() This is so that in a future commit, we can wrap this in python and allow it to be called from outside the samba server processs. This requires that we rework the callers and internals to avoid reference to private data structures of the KCC service. Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 4e0ac09ef6c6fadd67718f7b5aca7283fb8086b1) --- source4/dsdb/common/util.h | 10 +++++ source4/dsdb/kcc/garbage_collect_tombstones.c | 59 ++++++++++++--------------- source4/dsdb/kcc/garbage_collect_tombstones.h | 31 ++++++++++++++ source4/dsdb/kcc/kcc_periodic.c | 21 +++++++--- source4/dsdb/kcc/kcc_service.c | 5 +-- source4/dsdb/kcc/kcc_service.h | 15 ++----- source4/dsdb/wscript_build | 2 +- 7 files changed, 90 insertions(+), 53 deletions(-) create mode 100644 source4/dsdb/kcc/garbage_collect_tombstones.h 
diff --git a/source4/dsdb/common/util.h b/source4/dsdb/common/util.h index f2867a2..ede6d8b 100644 --- a/source4/dsdb/common/util.h +++ b/source4/dsdb/common/util.h @@ -80,4 +80,14 @@ int dsdb_werror_at(struct ldb_context *ldb, int ldb_ecode, WERROR werr, dsdb_werror_at(ldb_module_get_ctx(module), ldb_ecode, werr, \ __location__, __func__, reason) + +struct dsdb_ldb_dn_list_node { + struct dsdb_ldb_dn_list_node *prev, *next; + + /* the dn of the partition */ + struct ldb_dn *dn; +}; + + + #endif /* __DSDB_COMMON_UTIL_H__ */ diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c index 8b9e921..825cfe2 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.c +++ b/source4/dsdb/kcc/garbage_collect_tombstones.c 
@@ -21,52 +21,47 @@ */ #include "includes.h" -#include "lib/events/events.h" -#include "dsdb/samdb/samdb.h" -#include "auth/auth.h" -#include "smbd/service.h" -#include "lib/messaging/irpc.h" -#include "dsdb/kcc/kcc_connection.h" -#include "dsdb/kcc/kcc_service.h" #include #include "../lib/util/dlinklist.h" #include "librpc/gen_ndr/ndr_misc.h" #include "librpc/gen_ndr/ndr_drsuapi.h" #include "librpc/gen_ndr/ndr_drsblobs.h" #include "param/param.h" -#include "dsdb/common/util.h" +#include "lib/util/dlinklist.h" +#include "ldb.h" +#include "dsdb/kcc/garbage_collect_tombstones.h" -/* - check to see if any deleted objects need scavenging - */ -NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx) + +NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, + struct ldb_context *samdb, + struct dsdb_ldb_dn_list_node *part, + time_t current_time, time_t *last_deleted_check, + time_t *last_full_scan_deleted_check) { - struct kccsrv_partition *part; int ret; uint32_t tombstoneLifetime; bool do_fs = false; - time_t interval = lpcfg_parm_int(s->task->lp_ctx, NULL, "kccsrv", - "check_deleted_full_scan_interval", 86400); - time_t t = time(NULL); + time_t interval = lpcfg_parm_int(lp_ctx, NULL, "kccsrv", + "check_deleted_full_scan_interval", 86400); - if (t - s->last_deleted_check < lpcfg_parm_int(s->task->lp_ctx, NULL, "kccsrv", - "check_deleted_interval", 600)) { + if (current_time - *last_deleted_check < lpcfg_parm_int(lp_ctx, NULL, "kccsrv", + "check_deleted_interval", 600)) { return NT_STATUS_OK; } - s->last_deleted_check = t; + *last_deleted_check = current_time; - ret = dsdb_tombstone_lifetime(s->samdb, &tombstoneLifetime); + ret = dsdb_tombstone_lifetime(samdb, &tombstoneLifetime); if (ret != LDB_SUCCESS) { DEBUG(1,(__location__ ": Failed to get tombstone lifetime\n")); return NT_STATUS_INTERNAL_DB_CORRUPTION; } - if (s->last_full_scan_deleted_check > 0 && ((t - s->last_full_scan_deleted_check) > interval )) { 
+ if (*last_full_scan_deleted_check > 0 && ((current_time - *last_full_scan_deleted_check) > interval )) { do_fs = true; - s->last_full_scan_deleted_check = t; + *last_full_scan_deleted_check = current_time; } - if (s->last_full_scan_deleted_check == 0) { + if (*last_full_scan_deleted_check == 0) { /* * If we never made a full scan set the last full scan event to be in the past * and that 9/10 of the full scan interval has already passed. @@ -75,10 +70,10 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx) * With this "setup" and default values of interval, the full scan will fire * 2.4 hours after the start of samba */ - s->last_full_scan_deleted_check = t - ((9 * interval) / 10); + *last_full_scan_deleted_check = current_time - ((9 * interval) / 10); } - for (part=s->partitions; part; part=part->next) { + for (; part != NULL; part = part->next) { struct ldb_dn *do_dn; struct ldb_result *res; const char *attrs[] = { "whenChanged", NULL }; @@ -88,7 +83,7 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx) return NT_STATUS_NO_MEMORY; } - ret = dsdb_get_deleted_objects_dn(s->samdb, tmp_ctx, part->dn, &do_dn); + ret = dsdb_get_deleted_objects_dn(samdb, tmp_ctx, part->dn, &do_dn); if (ret != LDB_SUCCESS) { TALLOC_FREE(tmp_ctx); /* some partitions have no Deleted Objects 
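Review bot: The new public dsdb_garbage_collect_tombstones() drops the one-line comment the old function had and now takes seven parameters, two of which (`last_deleted_check`, `last_full_scan_deleted_check`) are both read and written through the pointer. A header comment should say that these two are caller-owned in/out timestamps, that `part` is the head of the partition list to walk, and that the call returns NT_STATUS_OK without doing any work when the check interval has not yet elapsed. The same hunk adds `#include "lib/util/dlinklist.h"` while `"../lib/util/dlinklist.h"` is still present earlier in the include list, so one of the two can go. The function body continues past this hunk.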
@@ -96,16 +91,16 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx) continue; } - if (!do_fs && ldb_dn_compare(ldb_get_config_basedn(s->samdb), part->dn)) { - ret = dsdb_search(s->samdb, tmp_ctx, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs, + if (!do_fs && ldb_dn_compare(ldb_get_config_basedn(samdb), part->dn)) { + ret = dsdb_search(samdb, tmp_ctx, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs, DSDB_SEARCH_SHOW_RECYCLED, NULL); } else { if (do_fs) { DEBUG(1, ("Doing a full scan on %s and looking for deleted object\n", ldb_dn_get_linearized(part->dn))); } - ret = dsdb_search(s->samdb, tmp_ctx, &res, part->dn, LDB_SCOPE_SUBTREE, attrs, - DSDB_SEARCH_SHOW_RECYCLED, "(isDeleted=TRUE)"); + ret = dsdb_search(samdb, tmp_ctx, &res, part->dn, LDB_SCOPE_SUBTREE, attrs, + DSDB_SEARCH_SHOW_RECYCLED, "(|(isDeleted=TRUE))"); } if (ret != LDB_SUCCESS) { @@ -127,8 +122,8 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx) if (tstring) { whenChanged = ldb_string_to_time(tstring); } - if (t - whenChanged > tombstoneLifetime*60*60*24) { - ret = dsdb_delete(s->samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_RECYCLED|DSDB_MODIFY_RELAX); + if (current_time - whenChanged > tombstoneLifetime*60*60*24) { + ret = dsdb_delete(samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_RECYCLED|DSDB_MODIFY_RELAX); if (ret != LDB_SUCCESS) { DEBUG(1,(__location__ ": Failed to remove deleted object %s\n", ldb_dn_get_linearized(res->msgs[i]->dn))); diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.h b/source4/dsdb/kcc/garbage_collect_tombstones.h new file mode 100644 index 0000000..b41bc9d --- /dev/null +++ b/source4/dsdb/kcc/garbage_collect_tombstones.h 
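Review bot: The subtree filter changes from `(isDeleted=TRUE)` to the one-clause OR `(|(isDeleted=TRUE))` with no explanation in the code or the commit message. If this is a placeholder for further clauses added later in the series, a short comment such as `/* OR kept so link-expunge clauses can be appended */` would make that clear. Otherwise the simpler original form should stay.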
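Review bot: In `current_time - whenChanged > tombstoneLifetime*60*60*24` the right-hand side is computed in 32-bit unsigned arithmetic because tombstoneLifetime is a uint32_t, so a configured lifetime above roughly 49,710 days wraps to a small number of seconds and shortens the retention window; `(time_t)tombstoneLifetime * 60 * 60 * 24` avoids that. Also, whenChanged is only assigned inside the `if (tstring)` guard just above, and the file added by the previous patch initialises it to 0. An entry without the attribute therefore looks older than any lifetime and is passed to dsdb_delete(); skipping such entries, with a DEBUG message, would be the safer default. The declaration and the loop header are outside this hunk.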
@@ -0,0 +1,31 @@ +/* + Unix SMB/CIFS implementation. + + handle removal of deleted objects + + Copyright (C) 2009 Andrew Tridgell + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +*/ +#include "param/param.h" +#include "dsdb/samdb/samdb.h" +#include "dsdb/common/util.h" + + +NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, + struct ldb_context *samdb, + struct dsdb_ldb_dn_list_node *part, + time_t current_time, time_t *last_deleted_check, + time_t *last_full_scan_deleted_check); diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c index 7fdbea7..ef114fd 100644 --- a/source4/dsdb/kcc/kcc_periodic.c +++ b/source4/dsdb/kcc/kcc_periodic.c @@ -64,7 +64,7 @@ static bool reps_in_list(struct repsFromToBlob *r, struct repsFromToBlob *reps, make sure we only add repsFrom entries for DCs who are masters for the partition */ -static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r, +static bool check_MasterNC(struct kccsrv_service *service, struct dsdb_ldb_dn_list_node *p, struct repsFromToBlob *r, struct ldb_result *res) { struct repsFromTo1 *r1 = &r->ctr.ctr1; 
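Review bot: The new garbage_collect_tombstones.h has no include guard, and this patch already includes it from both kcc_service.h and garbage_collect_tombstones.c. Repeating a lone prototype is harmless, but the header will break double inclusion as soon as a type or inline function is added to it. Wrap the contents in a guard in the style of the neighbouring headers, for example `#ifndef _DSDB_KCC_GARBAGE_COLLECT_TOMBSTONES_H_` with the matching `#define` and `#endif`.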
@@ -99,7 +99,7 @@ static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r, } } for (j=0; jnum_values; j++) { - dn = ldb_dn_from_ldb_val(tmp_ctx, p->service->samdb, &el->values[j]); + dn = ldb_dn_from_ldb_val(tmp_ctx, service->samdb, &el->values[j]); if (!ldb_dn_validate(dn)) { talloc_free(dn); continue; @@ -194,7 +194,7 @@ NTSTATUS kccsrv_add_repsFrom(struct kccsrv_service *s, TALLOC_CTX *mem_ctx, struct repsFromToBlob *reps, uint32_t count, struct ldb_result *res) { - struct kccsrv_partition *p; + struct dsdb_ldb_dn_list_node *p; bool notify_dreplsrv = false; uint32_t replica_flags = kccsrv_replica_flags(s); @@ -233,7 +233,7 @@ NTSTATUS kccsrv_add_repsFrom(struct kccsrv_service *s, TALLOC_CTX *mem_ctx, /* we don't have the new one - add it * if it is a master */ - if (res && !check_MasterNC(p, &reps[i], res)) { + if (res && !check_MasterNC(s, p, &reps[i], res)) { /* its not a master, we don't want to pull from it */ continue; @@ -253,7 +253,7 @@ NTSTATUS kccsrv_add_repsFrom(struct kccsrv_service *s, TALLOC_CTX *mem_ctx, /* remove any stale ones */ for (i=0; idns_name)); memmove(&our_reps[i], &our_reps[i+1], (our_count-(i+1))*sizeof(our_reps[0])); @@ -596,6 +596,17 @@ WERROR kccsrv_periodic_schedule(struct kccsrv_service *service, uint32_t next_in return WERR_OK; } +/* + check to see if any deleted objects need scavenging + */ +static NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx) +{ + time_t current = time(NULL); + return dsdb_garbage_collect_tombstones(mem_ctx, s->task->lp_ctx, s->samdb, + s->partitions, current, &s->last_deleted_check, + &s->last_full_scan_deleted_check); +} + static void kccsrv_periodic_run(struct kccsrv_service *service) { TALLOC_CTX *mem_ctx; diff --git a/source4/dsdb/kcc/kcc_service.c b/source4/dsdb/kcc/kcc_service.c index ccc252c..090cf1b 100644 --- a/source4/dsdb/kcc/kcc_service.c +++ b/source4/dsdb/kcc/kcc_service.c 
@@ -110,18 +110,17 @@ static WERROR kccsrv_load_partitions(struct kccsrv_service *s) for (i=0; i < el->num_values; i++) { const char *v = (const char *)el->values[i].data; struct ldb_dn *pdn; - struct kccsrv_partition *p; + struct dsdb_ldb_dn_list_node *p; pdn = ldb_dn_new(s, s->samdb, v); if (!ldb_dn_validate(pdn)) { return WERR_FOOBAR; } - p = talloc_zero(s, struct kccsrv_partition); + p = talloc_zero(s, struct dsdb_ldb_dn_list_node); W_ERROR_HAVE_NO_MEMORY(p); p->dn = talloc_steal(p, pdn); - p->service = s; DLIST_ADD(s->partitions, p); diff --git a/source4/dsdb/kcc/kcc_service.h b/source4/dsdb/kcc/kcc_service.h index 451347e..b62fb12 100644 --- a/source4/dsdb/kcc/kcc_service.h +++ b/source4/dsdb/kcc/kcc_service.h @@ -25,15 +25,7 @@ #define _DSDB_REPL_KCC_SERVICE_H_ #include "librpc/gen_ndr/ndr_drsuapi_c.h" - -struct kccsrv_partition { - struct kccsrv_partition *prev, *next; - struct kccsrv_service *service; - - /* the dn of the partition */ - struct ldb_dn *dn; -}; - +#include "dsdb/common/util.h" struct kccsrv_service { /* the whole kcc service is in one task */ @@ -52,7 +44,7 @@ struct kccsrv_service { struct auth_session_info *system_session_info; /* list of local partitions */ - struct kccsrv_partition *partitions; + struct dsdb_ldb_dn_list_node *partitions; /* * a connection to the local samdb @@ -98,8 +90,7 @@ struct kccsrv_service { struct kcc_connection_list; -NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx); - +#include "dsdb/kcc/garbage_collect_tombstones.h" #include "dsdb/kcc/kcc_service_proto.h" #endif /* _DSDB_REPL_KCC_SERVICE_H_ */ diff --git a/source4/dsdb/wscript_build b/source4/dsdb/wscript_build index aea8fa4..7ea9e27 100755 --- a/source4/dsdb/wscript_build +++ b/source4/dsdb/wscript_build 
@@ -67,6 +67,6 @@ bld.SAMBA_PYTHON('python_dsdb', # the dependency on dcerpc here is because gensec # depends on dcerpc but the waf circular dependency finder # removes it so we end up with unresolved symbols. - deps='samdb pyldb-util dcerpc com_err pyrpc_util', + deps='samdb pyldb-util dcerpc com_err pyrpc_util pyparam_util', realname='samba/dsdb.so' ) -- 1.9.1 From 2537da48fc5641421b7bd93778d5139c3954cdd5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 29 Aug 2016 18:56:10 +1200 Subject: [PATCH 07/34] dsdb: Rework more KCC service-specific details out of dsdb_garbage_collect_tombstones() Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit d894f08ba95ae994dd1603af28bd74943bfdec9f) --- source4/dsdb/kcc/garbage_collect_tombstones.c | 30 ++------------------------- source4/dsdb/kcc/garbage_collect_tombstones.h | 4 ++-- source4/dsdb/kcc/kcc_periodic.c | 30 +++++++++++++++++++++++++-- 3 files changed, 32 insertions(+), 32 deletions(-) diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c index 825cfe2..80b30eb 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.c +++ b/source4/dsdb/kcc/garbage_collect_tombstones.c 
@@ -35,43 +35,17 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct ldb_context *samdb, struct dsdb_ldb_dn_list_node *part, - time_t current_time, time_t *last_deleted_check, - time_t *last_full_scan_deleted_check) + time_t current_time, + bool do_fs) { int ret; uint32_t tombstoneLifetime; - bool do_fs = false; - - time_t interval = lpcfg_parm_int(lp_ctx, NULL, "kccsrv", - "check_deleted_full_scan_interval", 86400); - - if (current_time - *last_deleted_check < lpcfg_parm_int(lp_ctx, NULL, "kccsrv", - "check_deleted_interval", 600)) { - return NT_STATUS_OK; - } - *last_deleted_check = current_time; ret = dsdb_tombstone_lifetime(samdb, &tombstoneLifetime); if (ret != LDB_SUCCESS) { DEBUG(1,(__location__ ": Failed to get tombstone lifetime\n")); return NT_STATUS_INTERNAL_DB_CORRUPTION; } - if (*last_full_scan_deleted_check > 0 && ((current_time - *last_full_scan_deleted_check) > interval )) { - do_fs = true; - *last_full_scan_deleted_check = current_time; - } - - if (*last_full_scan_deleted_check == 0) { - /* - * If we never made a full scan set the last full scan event to be in the past - * and that 9/10 of the full scan interval has already passed. - * This is done to avoid the full scan to fire just at the begining of samba - * or a couple of minutes after the start. - * With this "setup" and default values of interval, the full scan will fire - * 2.4 hours after the start of samba - */ - *last_full_scan_deleted_check = current_time - ((9 * interval) / 10); - } for (; part != NULL; part = part->next) { struct ldb_dn *do_dn; diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.h b/source4/dsdb/kcc/garbage_collect_tombstones.h index b41bc9d..445c7b3 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.h +++ b/source4/dsdb/kcc/garbage_collect_tombstones.h 
@@ -27,5 +27,5 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct ldb_context *samdb, struct dsdb_ldb_dn_list_node *part, - time_t current_time, time_t *last_deleted_check, - time_t *last_full_scan_deleted_check); + time_t current_time, + bool do_fs); diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c index ef114fd..5b5d36e 100644 --- a/source4/dsdb/kcc/kcc_periodic.c +++ b/source4/dsdb/kcc/kcc_periodic.c @@ -601,10 +601,36 @@ WERROR kccsrv_periodic_schedule(struct kccsrv_service *service, uint32_t next_in */ static NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx) { + bool do_fs = false; time_t current = time(NULL); + time_t interval = lpcfg_parm_int(s->task->lp_ctx, NULL, "kccsrv", + "check_deleted_full_scan_interval", 86400); + + if (current - s->last_deleted_check < lpcfg_parm_int(s->task->lp_ctx, NULL, "kccsrv", + "check_deleted_interval", 600)) { + return NT_STATUS_OK; + } + s->last_deleted_check = current; + + if (s->last_full_scan_deleted_check > 0 && ((current - s->last_full_scan_deleted_check) > interval )) { + do_fs = true; + s->last_full_scan_deleted_check = current; + } + + if (s->last_full_scan_deleted_check == 0) { + /* + * If we never made a full scan set the last full scan event to be in the past + * and that 9/10 of the full scan interval has already passed. + * This is done to avoid the full scan to fire just at the begining of samba + * or a couple of minutes after the start. + * With this "setup" and default values of interval, the full scan will fire + * 2.4 hours after the start of samba + */ + s->last_full_scan_deleted_check = current - ((9 * interval) / 10); + } + return dsdb_garbage_collect_tombstones(mem_ctx, s->task->lp_ctx, s->samdb, - s->partitions, current, &s->last_deleted_check, - &s->last_full_scan_deleted_check); + s->partitions, current, do_fs); } static void kccsrv_periodic_run(struct kccsrv_service *service) -- 1.9.1 
From 2239b4b18c122f098fc101be65767eb26c79c2d9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 29 Aug 2016 19:02:39 +1200 Subject: [PATCH 08/34] dsdb: move tombstone lifetime calculation out of dsdb_garbage_collect_tombstones() This will allow it to be specified by the caller when we add python bindings Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 824220e9bd7ffb9457ffc5a5bf0b5d279146f85c) --- source4/dsdb/kcc/garbage_collect_tombstones.c | 10 ++-------- source4/dsdb/kcc/garbage_collect_tombstones.h | 3 ++- source4/dsdb/kcc/kcc_periodic.c | 11 ++++++++++- 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c index 80b30eb..99d949e 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.c +++ b/source4/dsdb/kcc/garbage_collect_tombstones.c @@ -36,16 +36,10 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, struct loadparm_co struct ldb_context *samdb, struct dsdb_ldb_dn_list_node *part, time_t current_time, - bool do_fs) + bool do_fs, + uint32_t tombstoneLifetime) { int ret; - uint32_t tombstoneLifetime; - - ret = dsdb_tombstone_lifetime(samdb, &tombstoneLifetime); - if (ret != LDB_SUCCESS) { - DEBUG(1,(__location__ ": Failed to get tombstone lifetime\n")); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } for (; part != NULL; part = part->next) { struct ldb_dn *do_dn; diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.h b/source4/dsdb/kcc/garbage_collect_tombstones.h index 445c7b3..f5eceeb 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.h +++ b/source4/dsdb/kcc/garbage_collect_tombstones.h @@ -28,4 +28,5 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, struct loadparm_co struct ldb_context *samdb, struct dsdb_ldb_dn_list_node *part, time_t current_time, - bool do_fs); + bool do_fs, + uint32_t tombstoneLifetime); 
diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c index 5b5d36e..eefc83f 100644 --- a/source4/dsdb/kcc/kcc_periodic.c +++ b/source4/dsdb/kcc/kcc_periodic.c @@ -601,7 +601,9 @@ WERROR kccsrv_periodic_schedule(struct kccsrv_service *service, uint32_t next_in */ static NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx) { + int ret; bool do_fs = false; + uint32_t tombstoneLifetime; time_t current = time(NULL); time_t interval = lpcfg_parm_int(s->task->lp_ctx, NULL, "kccsrv", "check_deleted_full_scan_interval", 86400); @@ -629,8 +631,15 @@ static NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_c s->last_full_scan_deleted_check = current - ((9 * interval) / 10); } + ret = dsdb_tombstone_lifetime(s->samdb, &tombstoneLifetime); + if (ret != LDB_SUCCESS) { + DEBUG(1,(__location__ ": Failed to get tombstone lifetime\n")); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + return dsdb_garbage_collect_tombstones(mem_ctx, s->task->lp_ctx, s->samdb, - s->partitions, current, do_fs); + s->partitions, current, do_fs, + tombstoneLifetime); } static void kccsrv_periodic_run(struct kccsrv_service *service) -- 1.9.1 From a9a065570cfcce39b5a6eaf0fec5d29c0379c8f6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 18 Jul 2016 13:17:52 +1200 Subject: [PATCH 09/34] dsdb: Expand garbage_collect_tombstones to expunge links also This requires a significant rework, as we can no longer do a one-level search and hope to find most of the deleted objects. Therefore we fall back to a full scan, but less often. Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 1c636532874da6cf998538027f088c1da019f15d) --- source4/dsdb/kcc/garbage_collect_tombstones.c | 209 ++++++++++++++++++++++---- source4/dsdb/kcc/garbage_collect_tombstones.h | 7 +- source4/dsdb/kcc/kcc_periodic.c | 56 +++---- 3 files changed, 214 insertions(+), 58 deletions(-) 
diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c index 99d949e..7c3d354 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.c +++ b/source4/dsdb/kcc/garbage_collect_tombstones.c 
@@ -30,22 +30,85 @@ #include "lib/util/dlinklist.h" #include "ldb.h" #include "dsdb/kcc/garbage_collect_tombstones.h" +#include "lib/ldb-samba/ldb_matching_rules.h" +#include "lib/util/time.h" -NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, +NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, struct ldb_context *samdb, struct dsdb_ldb_dn_list_node *part, time_t current_time, - bool do_fs, - uint32_t tombstoneLifetime) + uint32_t tombstoneLifetime, + unsigned int *num_objects_removed, + unsigned int *num_links_removed) { int ret; + const char **attrs = NULL; + char *filter = NULL; + + unsigned int i; + struct dsdb_attribute *next_attr; + unsigned int num_link_attrs; + struct dsdb_schema *schema = dsdb_get_schema(samdb, mem_ctx); + unsigned long long expunge_time = current_time - tombstoneLifetime*60*60*24; + NTTIME expunge_time_nttime; + unix_to_nt_time(&expunge_time_nttime, expunge_time); + + *num_objects_removed = 0; + *num_links_removed = 0; + + num_link_attrs = 0; + + /* + * This filter is a bit strange, but the idea is to filter for + * objects that need to have tombstones expunged without + * bringing a potentially large databse all into memory. To + * do that, we could use callbacks, but instead we use a + * custom match rule to triage the objects during the search, + * and ideally avoid memory allocation for most of the + * un-matched objects. + * + * The parameter to DSDB_MATCH_FOR_EXPUNGE is the NTTIME, we + * return records with deleted links deleted before this time. + * + * We also return all isDeleted records + * + * TODO: Add date-comparison to LDB and use < on then + * whenChanged for the isDeleted case. 
+ */ + + filter = talloc_asprintf(mem_ctx, "(|"); + for (next_attr = schema->attributes; next_attr != NULL; next_attr = next_attr->next) { + if (next_attr->linkID != 0 && ((next_attr->linkID & 1) == 0)) { + num_link_attrs++; + filter = talloc_asprintf_append(filter, + "(%s:" DSDB_MATCH_FOR_EXPUNGE ":=%llu)", + next_attr->lDAPDisplayName, + (unsigned long long)expunge_time_nttime); + } + } + + attrs = talloc_array(mem_ctx, const char *, num_link_attrs + 3); + i = 0; + for (next_attr = schema->attributes; next_attr != NULL; next_attr = next_attr->next) { + if (next_attr->linkID != 0 && ((next_attr->linkID & 1) == 0)) { + attrs[i++] = next_attr->lDAPDisplayName; + } + } + attrs[i] = "isDeleted"; + attrs[i+1] = "whenChanged"; + attrs[i+2] = NULL; + + filter = talloc_asprintf_append(filter, "(isDeleted=TRUE))"); + + schema = dsdb_get_schema(samdb, mem_ctx); + for (; part != NULL; part = part->next) { struct ldb_dn *do_dn; struct ldb_result *res; - const char *attrs[] = { "whenChanged", NULL }; - unsigned int i; + unsigned int j, k; + uint32_t flags; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; 
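Review bot: The cutoff `current_time - tombstoneLifetime*60*60*24` multiplies in 32-bit unsigned arithmetic and stores the result in an `unsigned long long`. A large lifetime therefore wraps, and a product larger than `current_time` becomes a huge unsigned cutoff, which makes the `whenChanged < expunge_time` test in the next hunk true for every tombstone. That would expunge objects still inside their lifetime. Assuming `current_time` is non-negative, do the multiplication in 64 bits and clamp, e.g. `uint64_t lifetime_secs = (uint64_t)tombstoneLifetime * 60 * 60 * 24;` then `expunge_time = (lifetime_secs < (uint64_t)current_time) ? current_time - lifetime_secs : 0;`. The results of `dsdb_get_schema()`, `talloc_asprintf()` and `talloc_array()` are also used here without a NULL check; the function body continues in the next hunk.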
@@ -59,50 +122,142 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, struct loadparm_co continue; } - if (!do_fs && ldb_dn_compare(ldb_get_config_basedn(samdb), part->dn)) { - ret = dsdb_search(samdb, tmp_ctx, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs, - DSDB_SEARCH_SHOW_RECYCLED, NULL); - } else { - if (do_fs) { - DEBUG(1, ("Doing a full scan on %s and looking for deleted object\n", - ldb_dn_get_linearized(part->dn))); - } - ret = dsdb_search(samdb, tmp_ctx, &res, part->dn, LDB_SCOPE_SUBTREE, attrs, - DSDB_SEARCH_SHOW_RECYCLED, "(|(isDeleted=TRUE))"); - } + DEBUG(1, ("Doing a full scan on %s and looking for deleted object\n", + ldb_dn_get_linearized(part->dn))); + + flags = DSDB_SEARCH_SHOW_RECYCLED | + DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT | + DSDB_SEARCH_REVEAL_INTERNALS; + ret = dsdb_search(samdb, tmp_ctx, &res, part->dn, LDB_SCOPE_SUBTREE, + attrs, flags, filter); if (ret != LDB_SUCCESS) { DEBUG(1,(__location__ ": Failed to search for deleted objects in %s\n", ldb_dn_get_linearized(do_dn))); TALLOC_FREE(tmp_ctx); - continue; + return NT_STATUS_INTERNAL_ERROR; } for (i=0; icount; i++) { - const char *tstring; - time_t whenChanged = 0; + struct ldb_message *cleanup_msg = NULL; + unsigned int num_modified = 0; + + bool isDeleted = ldb_msg_find_attr_as_bool(res->msgs[i], "isDeleted", false); + if (isDeleted) { + const char *tstring; + time_t whenChanged = 0; + + if (ldb_dn_compare(do_dn, res->msgs[i]->dn) == 0) { + /* Skip the Deleted Object Container */ + continue; + } - if (ldb_dn_compare(do_dn, res->msgs[i]->dn) == 0) { - /* Skip the Deleted Object Container */ + tstring = ldb_msg_find_attr_as_string(res->msgs[i], "whenChanged", NULL); + whenChanged = ldb_string_to_time(tstring); + + if (whenChanged != 0 && whenChanged < expunge_time) { + ret = dsdb_delete(samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_RECYCLED|DSDB_MODIFY_RELAX); + if (ret != LDB_SUCCESS) { + DEBUG(1,(__location__ ": Failed to remove deleted object %s\n", + 
ldb_dn_get_linearized(res->msgs[i]->dn))); + } else { + DEBUG(4,("Removed deleted object %s\n", + ldb_dn_get_linearized(res->msgs[i]->dn))); + (*num_objects_removed)++; + } + } continue; } - tstring = ldb_msg_find_attr_as_string(res->msgs[i], "whenChanged", NULL); - if (tstring) { - whenChanged = ldb_string_to_time(tstring); + + /* This must have a linked attribute */ + for (j=0; j < res->msgs[i]->num_elements; j++) { + struct ldb_message_element *element = &res->msgs[i]->elements[j]; + /* TODO this is O(log n) per attribute with deleted values */ + const struct dsdb_attribute *attrib + = dsdb_attribute_by_lDAPDisplayName(schema, element->name); + + for (k = 0; k < element->num_values; k++) { + struct ldb_val *value = &element->values[k]; + uint64_t whenChanged = 0; + NTSTATUS status; + struct dsdb_dn *dn; + struct ldb_message_element *cleanup_elem = NULL; + char *guid_search_str = NULL, *guid_buf_str = NULL; + struct ldb_val cleanup_val; + struct GUID_txt_buf buf_guid; + struct GUID guid; + const struct ldb_val *guid_blob; + + if (dsdb_dn_is_deleted_val(value) == false) { + continue; + } + + dn = dsdb_dn_parse(tmp_ctx, samdb, &element->values[k], + attrib->syntax->ldap_oid); + if (dn == NULL) { + DEBUG(1, ("Failed to parse linked attribute blob of %s on %s while expunging expired links\n", element->name, + ldb_dn_get_linearized(res->msgs[i]->dn))); + continue; + } + + status = dsdb_get_extended_dn_uint64(dn->dn, &whenChanged, "RMD_CHANGETIME"); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Error: RMD_CHANGETIME is missing on a forward link.\n")); + talloc_free(dn); + continue; + } + + if (whenChanged >= expunge_time_nttime) { + talloc_free(dn); + continue; + } + + guid_blob = ldb_dn_get_extended_component(dn->dn, "GUID"); + status = GUID_from_ndr_blob(guid_blob, &guid); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Error: Invalid GUID on link target.\n")); + talloc_free(dn); + continue; + } + + guid_buf_str = GUID_buf_string(&guid, &buf_guid); + guid_search_str 
= talloc_asprintf(mem_ctx, "", guid_buf_str); + cleanup_val = data_blob_string_const(guid_search_str); + + talloc_free(dn); + + if (cleanup_msg == NULL) { + cleanup_msg = ldb_msg_new(mem_ctx); + if (cleanup_msg == NULL) { + return NT_STATUS_NO_MEMORY; + } + cleanup_msg->dn = res->msgs[i]->dn; + } + + ret = ldb_msg_add_value(cleanup_msg, element->name, &cleanup_val, &cleanup_elem); + if (ret != LDB_SUCCESS) { + return NT_STATUS_NO_MEMORY; + } + cleanup_elem->flags = LDB_FLAG_MOD_DELETE; + num_modified++; + } } - if (current_time - whenChanged > tombstoneLifetime*60*60*24) { - ret = dsdb_delete(samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_RECYCLED|DSDB_MODIFY_RELAX); + + if (num_modified > 0) { + ret = dsdb_modify(samdb, cleanup_msg, DSDB_REPLMD_VANISH_LINKS); if (ret != LDB_SUCCESS) { DEBUG(1,(__location__ ": Failed to remove deleted object %s\n", ldb_dn_get_linearized(res->msgs[i]->dn))); } else { DEBUG(4,("Removed deleted object %s\n", ldb_dn_get_linearized(res->msgs[i]->dn))); + *num_links_removed = *num_links_removed + num_modified; } + } } - TALLOC_FREE(tmp_ctx); + } return NT_STATUS_OK; diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.h b/source4/dsdb/kcc/garbage_collect_tombstones.h index f5eceeb..a921909 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.h +++ b/source4/dsdb/kcc/garbage_collect_tombstones.h @@ -24,9 +24,10 @@ #include "dsdb/common/util.h" -NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, +NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, struct ldb_context *samdb, struct dsdb_ldb_dn_list_node *part, time_t current_time, - bool do_fs, - uint32_t tombstoneLifetime); + uint32_t tombstoneLifetime, + unsigned int *num_objects_removed, + unsigned int *num_links_removed); diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c index eefc83f..fd759f5 100644 --- a/source4/dsdb/kcc/kcc_periodic.c +++ b/source4/dsdb/kcc/kcc_periodic.c 
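Review bot: Two lookups in the link loop are used without a NULL check: `attrib` from `dsdb_attribute_by_lDAPDisplayName()` is dereferenced as `attrib->syntax->ldap_oid`, and `guid_blob` from `ldb_dn_get_extended_component(dn->dn, "GUID")` is passed straight to `GUID_from_ndr_blob()`. Both depend on what is stored in the database, so an attribute missing from the schema or a link value without a GUID component would probably crash the task instead of being skipped. Add `if (attrib == NULL) { continue; }` before the inner loop and `if (guid_blob == NULL) { talloc_free(dn); continue; }` before the conversion. Separately, `guid_search_str` and `cleanup_msg` are allocated on `mem_ctx` rather than `tmp_ctx`, and the two `return NT_STATUS_NO_MEMORY` paths leave `tmp_ctx` unfreed. This hunk is the middle of dsdb_garbage_collect_tombstones(), which starts in the previous hunk.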
@@ -601,35 +601,18 @@ WERROR kccsrv_periodic_schedule(struct kccsrv_service *service, uint32_t next_in */ static NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx) { - int ret; - bool do_fs = false; - uint32_t tombstoneLifetime; - time_t current = time(NULL); + time_t current_time = time(NULL); time_t interval = lpcfg_parm_int(s->task->lp_ctx, NULL, "kccsrv", - "check_deleted_full_scan_interval", 86400); + "check_deleted_interval", 86400); + uint32_t tombstoneLifetime; + int ret; + unsigned int num_objects_removed = 0; + unsigned int num_links_removed = 0; + NTSTATUS status; - if (current - s->last_deleted_check < lpcfg_parm_int(s->task->lp_ctx, NULL, "kccsrv", - "check_deleted_interval", 600)) { + if (current_time - s->last_deleted_check < interval) { return NT_STATUS_OK; } - s->last_deleted_check = current; - - if (s->last_full_scan_deleted_check > 0 && ((current - s->last_full_scan_deleted_check) > interval )) { - do_fs = true; - s->last_full_scan_deleted_check = current; - } - - if (s->last_full_scan_deleted_check == 0) { - /* - * If we never made a full scan set the last full scan event to be in the past - * and that 9/10 of the full scan interval has already passed. - * This is done to avoid the full scan to fire just at the begining of samba - * or a couple of minutes after the start. - * With this "setup" and default values of interval, the full scan will fire - * 2.4 hours after the start of samba - */ - s->last_full_scan_deleted_check = current - ((9 * interval) / 10); - } ret = dsdb_tombstone_lifetime(s->samdb, &tombstoneLifetime); if (ret != LDB_SUCCESS) { 
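Review bot: `kccsrv:check_deleted_interval` changes meaning here without a comment: its default goes from 600 to 86400 seconds, and it now gates a subtree search of every partition, while `check_deleted_full_scan_interval` is no longer read. A deployment that kept a small value for the old, cheaper check would now run the full scan that often. A comment above the `lpcfg_parm_int()` call would make this visible, e.g. `/* interval between full scans of all partitions; replaces check_deleted_full_scan_interval */`, and the option change is worth stating in the release notes. kccsrv_check_deleted() continues in the next hunk.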
@@ -637,9 +620,26 @@ static NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_c return NT_STATUS_INTERNAL_DB_CORRUPTION; } - return dsdb_garbage_collect_tombstones(mem_ctx, s->task->lp_ctx, s->samdb, - s->partitions, current, do_fs, - tombstoneLifetime); + s->last_deleted_check = current_time; + + status = dsdb_garbage_collect_tombstones(mem_ctx, s->samdb, + s->partitions, + current_time, tombstoneLifetime, + &num_objects_removed, + &num_links_removed); + + if (NT_STATUS_IS_OK(status)) { + DEBUG(5, ("garbage_collect_tombstones: Removed %u tombstone objects " + "and %u tombstone links successfully\n", + num_objects_removed, num_links_removed)); + } else { + DEBUG(2, ("garbage_collect_tombstones: Failure removing tombstone " + "objects and links after removing %u tombstone objects " + "and %u tombstone links successfully: %s\n", + num_objects_removed, num_links_removed, + nt_errstr(status))); + } + return status; } static void kccsrv_periodic_run(struct kccsrv_service *service) -- 1.9.1 From a078c56b5566914105cdaa5647e6845efd7f7ca0 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 18 Jul 2016 13:11:10 +1200 Subject: [PATCH 10/34] python: Add binding for dsdb_garbage_collect_tombstones() Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 02d82af06f3f13bdfd7497d168ba06f1092ede12) --- python/samba/samdb.py | 14 +++++++ source4/dsdb/pydsdb.c | 97 ++++++++++++++++++++++++++++++++++++++++++++++ source4/dsdb/wscript_build | 2 +- 3 files changed, 112 insertions(+), 1 deletion(-) diff --git a/python/samba/samdb.py b/python/samba/samdb.py index e12465d..3d7ea3e 100644 --- a/python/samba/samdb.py +++ b/python/samba/samdb.py 
@@ -949,3 +949,17 @@ accountExpires: %u is removed, this routine will put a tombstone in the record. ''' return dsdb_dns.replace_by_dn(self, dn, new_records) + + def garbage_collect_tombstones(self, dn, current_time, + tombstone_lifetime=None): + '''garbage_collect_tombstones(lp, samdb, [dn], current_time, tombstone_lifetime) + -> (num_objects_expunged, num_links_expunged)''' + + + if tombstone_lifetime is None: + return dsdb._dsdb_garbage_collect_tombstones(self, dn, + current_time) + else: + return dsdb._dsdb_garbage_collect_tombstones(self, dn, + current_time, + tombstone_lifetime) diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c index 1fe8c13..0df52ad 100644 --- a/source4/dsdb/pydsdb.c +++ b/source4/dsdb/pydsdb.c @@ -28,6 +28,9 @@ #include "auth/kerberos/kerberos.h" #include "librpc/rpc/pyrpc_util.h" #include "lib/policy/policy.h" +#include "param/pyparam.h" +#include "lib/util/dlinklist.h" +#include "dsdb/kcc/garbage_collect_tombstones.h" void initdsdb(void); 
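Review bot: The docstring of `garbage_collect_tombstones` documents a different signature from the one defined: it lists `lp, samdb, [dn], ...`, while the method takes `self, dn, current_time, tombstone_lifetime=None`. It should also say that `dn` is a list of naming-context DN strings, that `tombstone_lifetime` is in days and falls back to the value stored in the database when omitted, and that the call permanently removes expired tombstones and links. Suggested first line: `'''garbage_collect_tombstones(dn_list, current_time, tombstone_lifetime=None) -> (num_objects_expunged, num_links_expunged)'''`.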
@@ -1075,6 +1078,97 @@ static PyObject *py_dsdb_am_pdc(PyObject *self, PyObject *args) return PyBool_FromLong(am_pdc); } +static PyObject *py_dsdb_garbage_collect_tombstones(PyObject *self, PyObject *args) +{ + PyObject *py_ldb, *py_list_dn; + struct ldb_context *ldb = NULL; + Py_ssize_t i; + Py_ssize_t length; + long long _current_time, _tombstone_lifetime = LLONG_MAX; + uint32_t tombstone_lifetime32; + struct dsdb_ldb_dn_list_node *part = NULL; + time_t current_time, tombstone_lifetime; + TALLOC_CTX *mem_ctx = NULL; + NTSTATUS status; + unsigned int num_objects_removed = 0; + unsigned int num_links_removed = 0; + + if (!PyArg_ParseTuple(args, "OOL|L", &py_ldb, + &py_list_dn, &_current_time, &_tombstone_lifetime)) { + return NULL; + } + + + PyErr_LDB_OR_RAISE(py_ldb, ldb); + + mem_ctx = talloc_new(ldb); + if (mem_ctx == NULL) { + return PyErr_NoMemory(); + } + + current_time = _current_time; + + if (_tombstone_lifetime == LLONG_MAX) { + int ret = dsdb_tombstone_lifetime(ldb, &tombstone_lifetime32); + if (ret != LDB_SUCCESS) { + PyErr_Format(PyExc_RuntimeError, + "Failed to get tombstone lifetime: %s", + ldb_errstring(ldb)); + TALLOC_FREE(mem_ctx); + return NULL; + } + tombstone_lifetime = tombstone_lifetime32; + } else { + tombstone_lifetime = _tombstone_lifetime; + } + + if (!PyList_Check(py_list_dn)) { + PyErr_SetString(PyExc_TypeError, "A list of DNs were expected"); + TALLOC_FREE(mem_ctx); + return NULL; + } + + length = PyList_GET_SIZE(py_list_dn); + + for (i = 0; i < length; i++) { + char *part_str = PyString_AsString(PyList_GetItem(py_list_dn, i)); + struct ldb_dn *p; + struct dsdb_ldb_dn_list_node *node; + + if (part_str == NULL) { + TALLOC_FREE(mem_ctx); + return PyErr_NoMemory(); + } + + p = ldb_dn_new(mem_ctx, ldb, part_str); + if (p == NULL) { + PyErr_Format(PyExc_RuntimeError, "Failed to parse DN %s", part_str); + TALLOC_FREE(mem_ctx); + return NULL; + } + node = talloc_zero(mem_ctx, struct dsdb_ldb_dn_list_node); + node->dn = p; + + 
DLIST_ADD_END(part, node); + } + + status = dsdb_garbage_collect_tombstones(mem_ctx, ldb, + part, current_time, + tombstone_lifetime, + &num_objects_removed, + &num_links_removed); + + if (!NT_STATUS_IS_OK(status)) { + PyErr_SetNTSTATUS(status); + return NULL; + } + + TALLOC_FREE(mem_ctx); + + return Py_BuildValue("(II)", num_objects_removed, + num_links_removed); +} + static PyMethodDef py_dsdb_methods[] = { { "_samdb_server_site_name", (PyCFunction)py_samdb_server_site_name, @@ -1141,6 +1235,9 @@ static PyMethodDef py_dsdb_methods[] = { { "_dsdb_get_wellknown_dn", (PyCFunction)py_dsdb_get_wellknown_dn, METH_VARARGS, NULL }, { "_dsdb_DsReplicaAttribute", (PyCFunction)py_dsdb_DsReplicaAttribute, METH_VARARGS, NULL }, { "_dsdb_normalise_attributes", (PyCFunction)py_dsdb_normalise_attributes, METH_VARARGS, NULL }, + { "_dsdb_garbage_collect_tombstones", (PyCFunction)py_dsdb_garbage_collect_tombstones, METH_VARARGS, + "_dsdb_kcc_check_deleted(samdb, [dn], current_time, tombstone_lifetime)" + " -> (num_objects_expunged, num_links_expunged)" }, { NULL } }; diff --git a/source4/dsdb/wscript_build b/source4/dsdb/wscript_build index 7ea9e27..d569ea6 100755 --- a/source4/dsdb/wscript_build +++ b/source4/dsdb/wscript_build @@ -67,6 +67,6 @@ bld.SAMBA_PYTHON('python_dsdb', # the dependency on dcerpc here is because gensec # depends on dcerpc but the waf circular dependency finder # removes it so we end up with unresolved symbols. - deps='samdb pyldb-util dcerpc com_err pyrpc_util pyparam_util', + deps='samdb pyldb-util dcerpc com_err pyrpc_util pyparam_util dsdb_garbage_collect_tombstones', realname='samba/dsdb.so' ) -- 1.9.1 From 4495f65a2d6e4b136fb25a072870c981119156a8 Mon Sep 17 00:00:00 2001 
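Review bot: The caller-supplied `_tombstone_lifetime` is narrowed from `long long` through `time_t` to the `uint32_t` parameter of dsdb_garbage_collect_tombstones() without a range check. A negative or oversized value from Python therefore silently becomes a different lifetime and can move the expunge cutoff far from what was requested. Reject out-of-range values before the assignment, and check the result of `talloc_zero()` before `node->dn = p`, which dereferences NULL on allocation failure. When a list item is not a string, `PyString_AsString()` returns NULL with an exception already set, so returning `PyErr_NoMemory()` there replaces the accurate error; freeing `mem_ctx` and returning NULL would keep it.
```c
	} else {
		if (_tombstone_lifetime < 0 || _tombstone_lifetime > UINT32_MAX) {
			PyErr_SetString(PyExc_ValueError,
					"tombstone_lifetime out of range");
			TALLOC_FREE(mem_ctx);
			return NULL;
		}
		tombstone_lifetime = _tombstone_lifetime;
	}
	/* … unchanged: list type check, PyString_AsString, ldb_dn_new … */
		node = talloc_zero(mem_ctx, struct dsdb_ldb_dn_list_node);
		if (node == NULL) {
			TALLOC_FREE(mem_ctx);
			return PyErr_NoMemory();
		}
		node->dn = p;
```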
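Review bot: The docstring in the new `py_dsdb_methods` entry names a different function from the one being registered: the method is `_dsdb_garbage_collect_tombstones`, but the text reads `_dsdb_kcc_check_deleted(...)`. Use the registered name so `help()` output matches the binding: `"_dsdb_garbage_collect_tombstones(samdb, [dn], current_time, tombstone_lifetime)"`.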
From: Andrew Bartlett Date: Mon, 29 Aug 2016 18:36:19 +1200 Subject: [PATCH 11/34] samba-tool: Add command-line tool to trigger tombstone expunge This allows us to carefully test the garbage collection of tombstoned objects without running the full server and waiting for the timer to expire Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 55b9b9a969b0e7ef6590710fda85265fc3146159) --- python/samba/netcmd/domain.py | 74 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py index fd26d93..dc1356d 100644 --- a/python/samba/netcmd/domain.py +++ b/python/samba/netcmd/domain.py @@ -32,6 +32,7 @@ import random import tempfile import logging import subprocess +import time from getpass import getpass from samba.net import Net, LIBNET_JOIN_AUTOMATIC import samba.ntacls 
@@ -3747,6 +3748,72 @@ class cmd_domain_trust_namespaces(DomainTrustCommand): tln=local_tdo_info.domain_name.string) return +class cmd_domain_tombstones_expunge(Command): + """Expunge tombstones from the database. + +This command expunges tombstones from the database.""" + synopsis = "%prog NC [NC [...]] [options]" + + takes_options = [ + Option("-H", "--URL", help="LDB URL for database or target server", type=str, + metavar="URL", dest="H"), + Option("--current-time", + help="The current time to evaluate the tombstone lifetime from, expressed as YYYY-MM-DD", + type=str), + Option("--tombstone-lifetime", help="Number of days a tombstone should be preserved for", type=int), + ] + + takes_args = ["nc*"] + + takes_optiongroups = { + "sambaopts": options.SambaOptions, + "credopts": options.CredentialsOptions, + "versionopts": options.VersionOptions, + } + + def run(self, *ncs, **kwargs): + sambaopts = kwargs.get("sambaopts") + credopts = kwargs.get("credopts") + versionpts = kwargs.get("versionopts") + H = kwargs.get("H") + current_time_string = kwargs.get("current_time") + tombstone_lifetime = kwargs.get("tombstone_lifetime") + lp = sambaopts.get_loadparm() + creds = credopts.get_credentials(lp) + samdb = SamDB(url=H, session_info=system_session(), + credentials=creds, lp=lp) + + if current_time_string is not None: + current_time_obj = time.strptime(current_time_string, "%Y-%m-%d") + current_time = long(time.mktime(current_time_obj)) + + else: + current_time = long(time.time()) + + if len(ncs) == 0: + res = samdb.search(expression="", base="", scope=ldb.SCOPE_BASE, + attrs=["namingContexts"]) + + ncs = [] + for nc in res[0]["namingContexts"]: + ncs.append(str(nc)) + else: + ncs = list(ncs) + + try: + (removed_objects, + removed_links) = samdb.garbage_collect_tombstones(ncs, + current_time=current_time, + tombstone_lifetime=tombstone_lifetime) + + except Exception, err: + raise CommandError("Failed to expunge / garbage collect tombstones", err) + + 
self.outf.write("Removed %d objects and %d links successfully\n" + % (removed_objects, removed_links)) + + + class cmd_domain_trust(SuperCommand): """Domain and forest trust management.""" @@ -3758,6 +3825,12 @@ class cmd_domain_trust(SuperCommand): subcommands["validate"] = cmd_domain_trust_validate() subcommands["namespaces"] = cmd_domain_trust_namespaces() +class cmd_domain_tombstones(SuperCommand): + """Domain tombstone and recycled object management.""" + + subcommands = {} + subcommands["expunge"] = cmd_domain_tombstones_expunge() + class cmd_domain(SuperCommand): """Domain management.""" @@ -3774,3 +3847,4 @@ class cmd_domain(SuperCommand): subcommands["classicupgrade"] = cmd_domain_classicupgrade() subcommands["samba3upgrade"] = cmd_domain_samba3upgrade() subcommands["trust"] = cmd_domain_trust() + subcommands["tombstones"] = cmd_domain_tombstones() -- 1.9.1 From 0e81d554a934267f0a5bbe75ec1c78747e410938 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 30 Aug 2016 10:22:47 +1200 Subject: [PATCH 12/34] dsdb: Expose ldb error string to dsdb_garbage_collect_tombstones() callers Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 240038979d748b830b788753b38c3cd576eafe30) --- source4/dsdb/kcc/garbage_collect_tombstones.c | 10 ++++++---- source4/dsdb/kcc/garbage_collect_tombstones.h | 3 ++- source4/dsdb/kcc/kcc_periodic.c | 6 ++++-- source4/dsdb/pydsdb.c | 11 +++++++++-- 4 files changed, 21 insertions(+), 9 deletions(-) diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c index 7c3d354..a04f5f5 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.c +++ b/source4/dsdb/kcc/garbage_collect_tombstones.c 
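Review bot: `--tombstone-lifetime` and `--current-time` reach an irreversible delete without validation in `cmd_domain_tombstones_expunge.run`. Any integer, including a negative one, is passed on as the lifetime, and a malformed date raises an uncaught `ValueError` from `time.strptime` instead of a `CommandError`. Both values move the expunge cutoff, so reject bad input first, e.g. `if tombstone_lifetime is not None and tombstone_lifetime < 0: raise CommandError("--tombstone-lifetime must not be negative")`, and wrap the `strptime` call in `try`/`except ValueError`. The local `versionpts` is assigned and never used, and the `synopsis` and help text would be clearer if they said that omitting NC expunges every naming context.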
@@ -40,7 +40,8 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, time_t current_time, uint32_t tombstoneLifetime, unsigned int *num_objects_removed, - unsigned int *num_links_removed) + unsigned int *num_links_removed, + char **error_string) { int ret; @@ -57,7 +58,7 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, *num_objects_removed = 0; *num_links_removed = 0; - + *error_string = NULL; num_link_attrs = 0; /* @@ -132,8 +133,9 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, attrs, flags, filter); if (ret != LDB_SUCCESS) { - DEBUG(1,(__location__ ": Failed to search for deleted objects in %s\n", - ldb_dn_get_linearized(do_dn))); + *error_string = talloc_asprintf(mem_ctx, "Failed to search for deleted objects in %s: %s", + ldb_dn_get_linearized(do_dn), + ldb_errstring(samdb)); TALLOC_FREE(tmp_ctx); return NT_STATUS_INTERNAL_ERROR; } diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.h b/source4/dsdb/kcc/garbage_collect_tombstones.h index a921909..ce62f5d 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.h +++ b/source4/dsdb/kcc/garbage_collect_tombstones.h @@ -30,4 +30,5 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, time_t current_time, uint32_t tombstoneLifetime, unsigned int *num_objects_removed, - unsigned int *num_links_removed); + unsigned int *num_links_removed, + char **error_string); diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c index fd759f5..8c4b70a 100644 --- a/source4/dsdb/kcc/kcc_periodic.c +++ b/source4/dsdb/kcc/kcc_periodic.c @@ -609,6 +609,7 @@ static NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_c unsigned int num_objects_removed = 0; unsigned int num_links_removed = 0; NTSTATUS status; + char *error_string = NULL; if (current_time - s->last_deleted_check < interval) { return NT_STATUS_OK; 
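Review bot: The prototype in garbage_collect_tombstones.h gains `char **error_string` with no statement of its contract, and the .c hunks show that callers have to know three things. The pointer is dereferenced unconditionally (`*error_string = NULL;`), the message is allocated on `mem_ctx`, and it is filled only on the search-failure path, so it can still be NULL when the function fails. I would put a comment above the declaration such as `/* error_string must not be NULL; on failure it may be set to a message allocated on mem_ctx, otherwise it is left NULL */`. The `talloc_asprintf()` result is not checked either, which is harmless only because both callers fall back to the NTSTATUS text.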
@@ -626,7 +627,8 @@ static NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_c s->partitions, current_time, tombstoneLifetime, &num_objects_removed, - &num_links_removed); + &num_links_removed, + &error_string); if (NT_STATUS_IS_OK(status)) { DEBUG(5, ("garbage_collect_tombstones: Removed %u tombstone objects " @@ -637,7 +639,7 @@ static NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_c "objects and links after removing %u tombstone objects " "and %u tombstone links successfully: %s\n", num_objects_removed, num_links_removed, - nt_errstr(status))); + error_string ? error_string : nt_errstr(status))); } return status; } diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c index 0df52ad..e53a245 100644 --- a/source4/dsdb/pydsdb.c +++ b/source4/dsdb/pydsdb.c @@ -1092,6 +1092,7 @@ static PyObject *py_dsdb_garbage_collect_tombstones(PyObject *self, PyObject *ar NTSTATUS status; unsigned int num_objects_removed = 0; unsigned int num_links_removed = 0; + char *error_string = NULL; if (!PyArg_ParseTuple(args, "OOL|L", &py_ldb, &py_list_dn, &_current_time, &_tombstone_lifetime)) { @@ -1156,10 +1157,16 @@ static PyObject *py_dsdb_garbage_collect_tombstones(PyObject *self, PyObject *ar part, current_time, tombstone_lifetime, &num_objects_removed, - &num_links_removed); + &num_links_removed, + &error_string); if (!NT_STATUS_IS_OK(status)) { - PyErr_SetNTSTATUS(status); + if (error_string) { + PyErr_Format(PyExc_RuntimeError, "%s", error_string); + } else { + PyErr_SetNTSTATUS(status); + } + TALLOC_FREE(mem_ctx); return NULL; } -- 1.9.1 From 6b44c7996c08462fe99d148020836b027fe45597 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 30 Aug 2016 10:30:51 +1200 Subject: [PATCH 13/34] dsdb: Use a date comparison in the search to avoid returning all deleted objects 
Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit d66deaabc6faca769e9e18098eef4729f3dad379) --- source4/dsdb/kcc/garbage_collect_tombstones.c | 44 ++++++++++++--------------- 1 file changed, 20 insertions(+), 24 deletions(-) diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c index a04f5f5..a1ecbb0 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.c +++ b/source4/dsdb/kcc/garbage_collect_tombstones.c @@ -53,6 +53,7 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, unsigned int num_link_attrs; struct dsdb_schema *schema = dsdb_get_schema(samdb, mem_ctx); unsigned long long expunge_time = current_time - tombstoneLifetime*60*60*24; + char *expunge_time_string = ldb_timestring_utc(mem_ctx, expunge_time); NTTIME expunge_time_nttime; unix_to_nt_time(&expunge_time_nttime, expunge_time); @@ -73,10 +74,8 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, * The parameter to DSDB_MATCH_FOR_EXPUNGE is the NTTIME, we * return records with deleted links deleted before this time. * - * We also return all isDeleted records - * - * TODO: Add date-comparison to LDB and use < on then - * whenChanged for the isDeleted case. + * We use a date comparison on whenChanged to avoid returning + * all isDeleted records */ filter = talloc_asprintf(mem_ctx, "(|"); @@ -87,10 +86,13 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, "(%s:" DSDB_MATCH_FOR_EXPUNGE ":=%llu)", next_attr->lDAPDisplayName, (unsigned long long)expunge_time_nttime); + if (filter == NULL) { + return NT_STATUS_NO_MEMORY; + } } } - attrs = talloc_array(mem_ctx, const char *, num_link_attrs + 3); + attrs = talloc_array(mem_ctx, const char *, num_link_attrs + 2); i = 0; for (next_attr = schema->attributes; next_attr != NULL; next_attr = next_attr->next) { if (next_attr->linkID != 0 && ((next_attr->linkID & 1) == 0)) { 
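Review bot: `expunge_time_string` is assigned from `ldb_timestring_utc(mem_ctx, expunge_time)` in the declarations of the first hunk and is never checked for NULL, yet a later hunk of this patch formats it with `%s` into the search filter that selects objects for deletion. If the allocation fails, the `whenChanged<=` clause is built from a NULL argument; I would add `if (expunge_time_string == NULL) { return NT_STATUS_NO_MEMORY; }` before the filter is assembled. The context line above it computes `tombstoneLifetime*60*60*24` with a `uint32_t` operand, so where `int` is 32 bits the product wraps for very large lifetimes and the cutoff moves towards the present; casting one operand to `unsigned long long` would avoid that. The function body starts and ends outside these hunks.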
@@ -98,10 +100,12 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, } } attrs[i] = "isDeleted"; - attrs[i+1] = "whenChanged"; - attrs[i+2] = NULL; + attrs[i+1] = NULL; - filter = talloc_asprintf_append(filter, "(isDeleted=TRUE))"); + filter = talloc_asprintf_append(filter, "(&(isDeleted=TRUE)(whenChanged<=%s)))", expunge_time_string); + if (filter == NULL) { + return NT_STATUS_NO_MEMORY; + } schema = dsdb_get_schema(samdb, mem_ctx); @@ -146,27 +150,19 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, bool isDeleted = ldb_msg_find_attr_as_bool(res->msgs[i], "isDeleted", false); if (isDeleted) { - const char *tstring; - time_t whenChanged = 0; - if (ldb_dn_compare(do_dn, res->msgs[i]->dn) == 0) { /* Skip the Deleted Object Container */ continue; } - tstring = ldb_msg_find_attr_as_string(res->msgs[i], "whenChanged", NULL); - whenChanged = ldb_string_to_time(tstring); - - if (whenChanged != 0 && whenChanged < expunge_time) { - ret = dsdb_delete(samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_RECYCLED|DSDB_MODIFY_RELAX); - if (ret != LDB_SUCCESS) { - DEBUG(1,(__location__ ": Failed to remove deleted object %s\n", - ldb_dn_get_linearized(res->msgs[i]->dn))); - } else { - DEBUG(4,("Removed deleted object %s\n", - ldb_dn_get_linearized(res->msgs[i]->dn))); - (*num_objects_removed)++; - } + ret = dsdb_delete(samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_RECYCLED|DSDB_MODIFY_RELAX); + if (ret != LDB_SUCCESS) { + DEBUG(1,(__location__ ": Failed to remove deleted object %s\n", + ldb_dn_get_linearized(res->msgs[i]->dn))); + } else { + DEBUG(4,("Removed deleted object %s\n", + ldb_dn_get_linearized(res->msgs[i]->dn))); + (*num_objects_removed)++; } continue; } -- 1.9.1 From 9ca52009b2eebd67776e38ff8f18dae5ad259b2b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Aug 2016 17:07:29 +1200 Subject: [PATCH 14/34] selftest: Add test for 'samba-tool tombstones expunge' 
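Review bot: With the client-side `whenChanged` comparison removed in the last hunk, every result carrying `isDeleted` is handed to `dsdb_delete()`, but the filter is an OR whose other branches are the per-attribute `DSDB_MATCH_FOR_EXPUNGE` clauses. A tombstone younger than the tombstone lifetime that still holds an old deleted link value would, as far as these hunks show, come back through a link clause and be expunged early. The expected-match-rule-links.ldif fixture added later in this series does list entries under CN=Deleted Objects that match the rule. I would keep `whenChanged` in `attrs` and retain the age check in the `isDeleted` branch, or document why a tombstone can never match a link clause. The boundary also changed from `<` to `<=`, and the loop continues outside the hunk.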
Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit a999e8c0cbbfcb59caf4732c952e3e9856ea7577) --- selftest/tests.py | 5 + .../release-4-5-0-pre1/add-four-more-links.ldif | 15 +++ .../release-4-5-0-pre1/add-two-more-users.ldif | 15 +++ .../expected-deleted-links-after-expunge.ldif | 23 ++++ .../release-4-5-0-pre1/expected-expunge-output.txt | 1 + .../expected-links-after-expunge.ldif | 22 ++++ .../expected-objects-after-expunge.ldif | 2 + .../release-4-5-0-pre1/remove-one-more-link.ldif | 5 + .../release-4-5-0-pre1/remove-one-more-user.ldif | 3 + testprogs/blackbox/tombstones-expunge.sh | 144 +++++++++++++++++++++ 10 files changed, 235 insertions(+) create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/add-four-more-links.ldif create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/add-two-more-users.ldif create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/expected-deleted-links-after-expunge.ldif create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/expected-expunge-output.txt create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-expunge.ldif create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/expected-objects-after-expunge.ldif create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/remove-one-more-link.ldif create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/remove-one-more-user.ldif create mode 100755 testprogs/blackbox/tombstones-expunge.sh diff --git a/selftest/tests.py b/selftest/tests.py index 21f2096..019784c 100644 --- a/selftest/tests.py +++ b/selftest/tests.py 
@@ -104,6 +104,11 @@ plantestsuite( ["PYTHON=%s" % python, os.path.join(bbdir, "upgradeprovision-oldrelease.sh"), '$PREFIX_ABS/provision', 'release-4-0-0', configuration]) +plantestsuite( + "samba4.blackbox.tombstones-expunge.release-4-5-0-pre1", "none", + ["PYTHON=%s" % python, + os.path.join(bbdir, "tombstones-expunge.sh"), + '$PREFIX_ABS/provision', 'release-4-5-0-pre1', configuration]) planpythontestsuite("none", "samba.tests.upgradeprovision") planpythontestsuite("none", "samba.tests.xattr") planpythontestsuite("none", "samba.tests.ntacls") diff --git a/source4/selftest/provisions/release-4-5-0-pre1/add-four-more-links.ldif b/source4/selftest/provisions/release-4-5-0-pre1/add-four-more-links.ldif new file mode 100644 index 0000000..6039f0d --- /dev/null +++ b/source4/selftest/provisions/release-4-5-0-pre1/add-four-more-links.ldif @@ -0,0 +1,15 @@ +dn: cn=swimmers,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: modify +add: member +member: cn=user1,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: cn=user2,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +dn: cn=helpers,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: modify +add: member +member: cn=user1,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +dn: cn=leaders,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: modify +add: member +member: cn=user2,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp diff --git a/source4/selftest/provisions/release-4-5-0-pre1/add-two-more-users.ldif b/source4/selftest/provisions/release-4-5-0-pre1/add-two-more-users.ldif new file mode 100644 index 0000000..ca1c3ca --- /dev/null +++ b/source4/selftest/provisions/release-4-5-0-pre1/add-two-more-users.ldif 
@@ -0,0 +1,15 @@ +dn: CN=user1,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +objectclass: user +samaccountname: user1 + +dn: CN=user2,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +objectclass: user +samaccountname: user2 + +dn: CN=helpers,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +objectclass: group +samaccountname: helpers + +dn: CN=leaders,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +objectclass: group +samaccountname: leaders diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-deleted-links-after-expunge.ldif b/source4/selftest/provisions/release-4-5-0-pre1/expected-deleted-links-after-expunge.ldif new file mode 100644 index 0000000..c8163a6 --- /dev/null +++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-deleted-links-after-expunge.ldif @@ -0,0 +1,23 @@ +# record 1 +dn: CN=helpers,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=user1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# record 2 +dn: CN=leaders,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# record 3 +dn: CN=swimmers,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=user1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# Referral +ref: ldap:///CN=Configuration,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# Referral +ref: ldap:///DC=DomainDnsZones,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# Referral +ref: ldap:///DC=ForestDnsZones,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# returned 6 records +# 3 entries +# 3 referrals diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-expunge-output.txt b/source4/selftest/provisions/release-4-5-0-pre1/expected-expunge-output.txt new file mode 100644 index 0000000..bcc5955 --- /dev/null +++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-expunge-output.txt @@ -0,0 +1 @@ +Removed 7 objects and 1 links successfully 
diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-expunge.ldif b/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-expunge.ldif new file mode 100644 index 0000000..c69501b --- /dev/null +++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-expunge.ldif @@ -0,0 +1,22 @@ +# record 1 +dn: CN=helpers,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# record 2 +dn: CN=leaders,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# record 3 +dn: CN=swimmers,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=user1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# Referral +ref: ldap:///CN=Configuration,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# Referral +ref: ldap:///DC=DomainDnsZones,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# Referral +ref: ldap:///DC=ForestDnsZones,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# returned 6 records +# 3 entries +# 3 referrals diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-objects-after-expunge.ldif b/source4/selftest/provisions/release-4-5-0-pre1/expected-objects-after-expunge.ldif new file mode 100644 index 0000000..2668ac4 --- /dev/null +++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-objects-after-expunge.ldif @@ -0,0 +1,2 @@ +sAMAccountName: user1 +sAMAccountName: user2 diff --git a/source4/selftest/provisions/release-4-5-0-pre1/remove-one-more-link.ldif b/source4/selftest/provisions/release-4-5-0-pre1/remove-one-more-link.ldif new file mode 100644 index 0000000..9c4edb2 --- /dev/null +++ b/source4/selftest/provisions/release-4-5-0-pre1/remove-one-more-link.ldif @@ -0,0 +1,5 @@ +dn: cn=helpers,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: modify +delete: member +member: cn=user1,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +- 
diff --git a/source4/selftest/provisions/release-4-5-0-pre1/remove-one-more-user.ldif b/source4/selftest/provisions/release-4-5-0-pre1/remove-one-more-user.ldif new file mode 100644 index 0000000..e44f221 --- /dev/null +++ b/source4/selftest/provisions/release-4-5-0-pre1/remove-one-more-user.ldif @@ -0,0 +1,3 @@ +dn: cn=user2,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: delete +- diff --git a/testprogs/blackbox/tombstones-expunge.sh b/testprogs/blackbox/tombstones-expunge.sh new file mode 100755 index 0000000..2c88f95 --- /dev/null +++ b/testprogs/blackbox/tombstones-expunge.sh 
@@ -0,0 +1,144 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then +cat < $tmpfile + if [ "$?" != "0" ]; then + return $? + fi + diff $tmpfile $release_dir/expected-expunge-output.txt + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_two_more_users() { + ldif=$release_dir/add-two-more-users.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_four_more_links() { + ldif=$release_dir/add-four-more-links.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_one_link() { + ldif=$release_dir/remove-one-more-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_one_user() { + ldif=$release_dir/remove-one-more-user.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_links() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted member > $tmpldif + diff $tmpldif $release_dir/expected-links-after-expunge.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_deleted_links() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-deleted-links-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member > $tmpldif + diff $tmpldif $release_dir/expected-deleted-links-after-expunge.ldif + if [ "$?" 
!= "0" ]; then + return 1 + fi +} + +check_expected_after_objects() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-objects-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(samaccountname=fred)(samaccountname=ddg)(samaccountname=usg)(samaccountname=user1)(samaccountname=user2))' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName | grep sAMAccountName > $tmpldif + diff $tmpldif $release_dir/expected-objects-after-expunge.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +if [ -d $release_dir ]; then + testit $RELEASE undump + testit "add_two_more_users" add_two_more_users + testit "add_four_more_links" add_four_more_links + testit "remove_one_link" remove_one_link + testit "remove_one_user" remove_one_user + testit "tombstones_expunge" tombstones_expunge + testit "check_expected_after_deleted_links" check_expected_after_deleted_links + testit "check_expected_after_links" check_expected_after_links + testit "check_expected_after_objects" check_expected_after_objects +else + subunit_start_test $RELEASE + subunit_skip_test $RELEASE < Date: Thu, 1 Sep 2016 12:13:40 +1200 Subject: [PATCH 15/34] samba-tool: Run samba-tool domain tombstones expunge in a transaction Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 5620616968bd68b80d872079ad3bbb97ac1e7a8a) --- python/samba/netcmd/domain.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py index dc1356d..cfdd9a4 100644 --- a/python/samba/netcmd/domain.py +++ b/python/samba/netcmd/domain.py 
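Review bot: In the first helper of this script (the one that diffs `$tmpfile` against expected-expunge-output.txt) the failure branch `if [ "$?" != "0" ]; then return $?` returns 0, because by that point `$?` holds the exit status of the `[` test, which has just succeeded. A failing command therefore makes the helper report success and skips the `diff`, so the test cannot catch a broken expunge. Use `return 1`, as the other helpers in this file do, or save the status first with `rc=$?` and return `$rc`. Parts of this hunk are missing from the page, so the command being checked is not visible here.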
@@ -3800,15 +3800,22 @@ This command expunges tombstones from the database.""" else: ncs = list(ncs) + started_transaction = False try: + samdb.transaction_start() + started_transaction = True (removed_objects, removed_links) = samdb.garbage_collect_tombstones(ncs, current_time=current_time, tombstone_lifetime=tombstone_lifetime) except Exception, err: + if started_transaction: + samdb.transaction_cancel() raise CommandError("Failed to expunge / garbage collect tombstones", err) + samdb.transaction_commit() + self.outf.write("Removed %d objects and %d links successfully\n" % (removed_objects, removed_links)) -- 1.9.1 From f280516bddb104bd750a0e600652ab3c9cb10723 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 1 Sep 2016 13:23:11 +1200 Subject: [PATCH 16/34] dsdb: Add comments to dsdb_garbage_collect_tombstones() Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit d27673587707f2dc59bd5161cd70ca96118d5ceb) --- source4/dsdb/kcc/garbage_collect_tombstones.c | 30 ++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c index a1ecbb0..49d3325 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.c +++ b/source4/dsdb/kcc/garbage_collect_tombstones.c 
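Review bot: `samdb.transaction_commit()` sits after the `try`/`except`, so a failure at commit time escapes as a raw exception rather than the `CommandError` this command raises for every other failure. In the handler, `samdb.transaction_cancel()` can itself raise and would then replace the original error that explains why the expunge failed. I would wrap the commit in its own `try` that raises `CommandError("Failed to commit tombstone expunge", err)`, and guard the cancel so the first error is the one reported. The success message is correctly printed only after the commit.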
@@ -33,7 +33,22 @@ #include "lib/ldb-samba/ldb_matching_rules.h" #include "lib/util/time.h" - +/* + * Per MS-ADTS 3.1.1.5.5 Delete Operation + * + * "Tombstones are a type of deleted object distinguished from + * existing-objects by the presence of the isDeleted attribute with the + * value true." + * + * "After a time period at least as large as a tombstone lifetime, the + * tombstone is removed from the directory." + * + * The purpose of this routine is to remove such objects. It is + * called from a timed event in the KCC, and from samba-tool domain + * expunge tombstones. + * + * Additionally, linked attributes have similar properties. + */ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, struct ldb_context *samdb, struct dsdb_ldb_dn_list_node *part, @@ -168,6 +183,19 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, } /* This must have a linked attribute */ + + /* + * From MS-ADTS 3.1.1.1.9 DCs, usn Counters, and the Originating Update Stamp + * + * "A link value r is deleted, but exists as a + * tombstone, if r.stamp.timeDeleted ≠ 0. When + * the current time minus r.stamp.timeDeleted + * exceeds the tombstone lifetime, the link + * value r is garbage-collected; that is, + * removed from its containing forward link + * attribute. " + */ + for (j=0; j < res->msgs[i]->num_elements; j++) { struct ldb_message_element *element = &res->msgs[i]->elements[j]; /* TODO this is O(log n) per attribute with deleted values */ -- 1.9.1 From a66f94bc62994feefd811cee72dd2e9d703950a3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 1 Sep 2016 13:34:12 +1200 Subject: [PATCH 17/34] lib/ldb-samba: Add test for DSDB_MATCH_FOR_EXPUNGE match rule 
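Review bot: The new header comment names the caller as "samba-tool domain expunge tombstones", but the subcommand registered earlier in this series is `tombstones` with `expunge` beneath it, so the comment should read `samba-tool domain tombstones expunge`. Operators and maintainers search for the exact command when tracing who deleted what, so the wording matters. The closing sentence "Additionally, linked attributes have similar properties" could state outright that expired deleted link values are removed by this same routine, which is what the second comment added in this patch describes.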
Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 737756b060364c09b62a500ef26eef044230ecac) --- .../expected-match-rule-links.ldif | 47 ++++++++++++++++++++ testprogs/blackbox/tombstones-expunge.sh | 50 ++++++++++++++++++++++ 2 files changed, 97 insertions(+) create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/expected-match-rule-links.ldif diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-match-rule-links.ldif b/source4/selftest/provisions/release-4-5-0-pre1/expected-match-rule-links.ldif new file mode 100644 index 0000000..2b2f021 --- /dev/null +++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-match-rule-links.ldif 
@@ -0,0 +1,47 @@ +# record 1 +dn: CN=swimmers,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=fred,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=user1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# record 2 +dn: CN=ddg\0ADEL:fb8c2fe3-5448-43de-99f9-e1d3b9357cfc,CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=User UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=User1 UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# record 3 +dn: CN=dsg\0ADEL:6d66d0ef-cad7-4e5d-b1b6-4a233a21c269,CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=User UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=User1 UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# record 4 +dn: CN=gdg\0ADEL:e0f581e7-14ee-4fc2-839c-8f46f581c72a,CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=User UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=User1 UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# record 5 +dn: CN=gsg\0ADEL:91aa85cc-fc19-4b8c-9fc7-aaba425439c7,CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=User UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=User1 UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# record 6 +dn: CN=udg\0ADEL:7cff5537-51b1-4d26-a295-0225dbea8525,CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=User UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=User1 UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# record 7 +dn: CN=usg\0ADEL:d012e8f5-a4bd-40ea-a2a1-68ff2508847d,CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=User UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=User1 UT. 
Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# Referral +ref: ldap:///CN=Configuration,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# Referral +ref: ldap:///DC=DomainDnsZones,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# Referral +ref: ldap:///DC=ForestDnsZones,DC=release-4-5-0-pre1,DC=samba,DC=corp + +# returned 10 records +# 7 entries +# 3 referrals diff --git a/testprogs/blackbox/tombstones-expunge.sh b/testprogs/blackbox/tombstones-expunge.sh index 2c88f95..f2826c4 100755 --- a/testprogs/blackbox/tombstones-expunge.sh +++ b/testprogs/blackbox/tombstones-expunge.sh 
@@ -88,6 +88,47 @@ remove_one_user() { fi } +check_match_rule_links() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-match-rule-links.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member > $tmpldif + diff $tmpldif $release_dir/expected-match-rule-links.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_match_rule_links_negative() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=-131139216000000000)' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_overflow() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=18446744073709551617)' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_null() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=18446744\073709551617)' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_hex() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=abcd)' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_hex2() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=0xabcd)' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_decimal() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=131139216000000000.00)' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_backlink() { + $ldbsearch -H 
tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(memberOf:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted memberOf +} + +check_match_rule_links_notlink() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samAccountName:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName +} + check_expected_after_links() { tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-expunge.ldif.tmp TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted member > $tmpldif @@ -121,6 +162,15 @@ if [ -d $release_dir ]; then testit "add_four_more_links" add_four_more_links testit "remove_one_link" remove_one_link testit "remove_one_user" remove_one_user + testit "check_match_rule_links" check_match_rule_links + testit_expect_failure "check_match_rule_links_negative" check_match_rule_links_negative + testit_expect_failure "check_match_rule_links_overflow" check_match_rule_links_overflow + testit_expect_failure "check_match_rule_links_null" check_match_rule_links_null + testit_expect_failure "check_match_rule_links_hex" check_match_rule_links_hex + testit_expect_failure "check_match_rule_links_hex2" check_match_rule_links_hex2 + testit_expect_failure "check_match_rule_links_decimal" check_match_rule_links_decimal + testit_expect_failure "check_match_rule_links_backlink" check_match_rule_links_backlink + testit_expect_failure "check_match_rule_links_notlink" check_match_rule_links_notlink testit "tombstones_expunge" tombstones_expunge testit "check_expected_after_deleted_links" check_expected_after_deleted_links testit "check_expected_after_links" check_expected_after_links -- 1.9.1 From ae32a6101d47013ba2075a4b77d05c579f278021 Mon Sep 17 00:00:00 2001 
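Review bot: `check_match_rule_links_null` does not put a NUL byte into the assertion value: in an LDAP filter a backslash introduces a two-hex-digit escape (RFC 4515, and as far as I know ldb parses it the same way), so `\07` is byte 0x07 followed by the literal digits `3709551617`. If the aim is to show the rule rejects an embedded NUL, the value should read `18446744\00073709551617`. Separately, the `testit_expect_failure` cases pass on any non-zero exit from `ldbsearch`, for example an unreadable database, so they would not notice if the rule stopped rejecting these inputs for the intended reason. Checking the error text would tighten them.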
From: Andrew Bartlett Date: Thu, 1 Sep 2016 14:17:27 +1200 Subject: [PATCH 18/34] dsdb: Do not check isDeleted as a possible link Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit b1ed0f4597e5ebd059d33b0a33de4ded96c9386f) --- source4/dsdb/kcc/garbage_collect_tombstones.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c index 49d3325..fee56d9 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.c +++ b/source4/dsdb/kcc/garbage_collect_tombstones.c @@ -202,6 +202,11 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, const struct dsdb_attribute *attrib = dsdb_attribute_by_lDAPDisplayName(schema, element->name); + /* This avoids parsing isDeleted as a link */ + if (attrib->linkID == 0 || ((attrib->linkID & 1) == 1)) { + continue; + } + for (k = 0; k < element->num_values; k++) { struct ldb_val *value = &element->values[k]; uint64_t whenChanged = 0; -- 1.9.1 From ce1ef0f0f09d59c61f92b780fa31b423482c8bbe Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Thu, 1 Sep 2016 14:26:53 +1200 Subject: [PATCH 19/34] gc_tombstones: Typo fix Signed-off-by: Garming Sam Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 Autobuild-User(master): Garming Sam Autobuild-Date(master): Thu Sep 1 09:38:47 CEST 2016 on sn-devel-144 (cherry picked from commit f479b1b3fd787fd2cbedc6161a4e0eb0af1059e3) --- source4/dsdb/kcc/garbage_collect_tombstones.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c index fee56d9..8d8a51f 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.c +++ b/source4/dsdb/kcc/garbage_collect_tombstones.c 
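Review bot: The added check dereferences `attrib` directly after `dsdb_attribute_by_lDAPDisplayName(schema, element->name)` without testing it for NULL. If a returned element's name is not in the loaded schema, which I would expect to yield NULL, `attrib->linkID` crashes the caller (the KCC task or samba-tool) part-way through garbage collection. `if (attrib == NULL || attrib->linkID == 0 || ((attrib->linkID & 1) == 1)) { continue; }` covers that case. The enclosing loop starts and ends outside the hunk.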
@@ -142,7 +142,7 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, continue; } - DEBUG(1, ("Doing a full scan on %s and looking for deleted object\n", + DEBUG(1, ("Doing a full scan on %s and looking for deleted objects\n", ldb_dn_get_linearized(part->dn))); flags = DSDB_SEARCH_SHOW_RECYCLED | -- 1.9.1 From 2a2bdc5461575c73ed9b9ccfc9782eb32f8adfff Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 2 Sep 2016 09:17:33 +0200 Subject: [PATCH 20/34] kcc: Fix a -Werror,-Wformat-security error Signed-off-by: Volker Lendecke Reviewed-by: Michael Adam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 Autobuild-User(master): Michael Adam Autobuild-Date(master): Fri Sep 2 13:54:45 CEST 2016 on sn-devel-144 (cherry picked from commit a7735bedd5b2111fa036625738e5831651eb2007) --- source4/dsdb/kcc/garbage_collect_tombstones.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c index 8d8a51f..8d2ea8b 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.c +++ b/source4/dsdb/kcc/garbage_collect_tombstones.c @@ -149,7 +149,7 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT | DSDB_SEARCH_REVEAL_INTERNALS; ret = dsdb_search(samdb, tmp_ctx, &res, part->dn, LDB_SCOPE_SUBTREE, - attrs, flags, filter); + attrs, flags, "%s", filter); if (ret != LDB_SUCCESS) { *error_string = talloc_asprintf(mem_ctx, "Failed to search for deleted objects in %s: %s", -- 1.9.1 From c13ddf75b969ff967963ec1ba005cbd0b7ff4940 Mon Sep 17 00:00:00 2001 From: Bob Campbell Date: Mon, 5 Sep 2016 10:48:13 +1200 Subject: [PATCH 21/34] dsdb: refactor part of garbage_collect_tombstones into new function Pair-programmed-with: Garming Sam Signed-off-by: Bob Campbell 
Signed-off-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 Reviewed-by: Andrew Bartlett (cherry picked from commit 2dfedffb740ecfe898945a9fc47b24e3c8328d7e) --- source4/dsdb/kcc/garbage_collect_tombstones.c | 385 +++++++++++++++----------- 1 file changed, 216 insertions(+), 169 deletions(-) diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c index 8d2ea8b..62e9813 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.c +++ b/source4/dsdb/kcc/garbage_collect_tombstones.c 
@@ -33,6 +33,209 @@ #include "lib/ldb-samba/ldb_matching_rules.h" #include "lib/util/time.h" +static NTSTATUS garbage_collect_tombstones_part(TALLOC_CTX *mem_ctx, + struct ldb_context *samdb, + struct dsdb_ldb_dn_list_node *part, + char *filter, + unsigned int *num_links_removed, + unsigned int *num_objects_removed, + struct dsdb_schema *schema, + const char **attrs, + char **error_string, + NTTIME expunge_time_nttime) +{ + int ret; + struct ldb_dn *do_dn; + struct ldb_result *res; + unsigned int i, j, k; + uint32_t flags; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } + + ret = dsdb_get_deleted_objects_dn(samdb, tmp_ctx, part->dn, &do_dn); + if (ret != LDB_SUCCESS) { + TALLOC_FREE(tmp_ctx); + /* some partitions have no Deleted Objects + container */ + return NT_STATUS_OK; + } + + DEBUG(1, ("Doing a full scan on %s and looking for deleted objects\n", + ldb_dn_get_linearized(part->dn))); + + flags = DSDB_SEARCH_SHOW_RECYCLED | + DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT | + DSDB_SEARCH_REVEAL_INTERNALS; + ret = dsdb_search(samdb, tmp_ctx, &res, part->dn, LDB_SCOPE_SUBTREE, + attrs, flags, "%s", filter); + + if (ret != LDB_SUCCESS) { + *error_string = talloc_asprintf(mem_ctx, + "Failed to search for deleted " + "objects in %s: %s", + ldb_dn_get_linearized(do_dn), + ldb_errstring(samdb)); + TALLOC_FREE(tmp_ctx); + return NT_STATUS_INTERNAL_ERROR; + } + + for (i=0; icount; i++) { + struct ldb_message *cleanup_msg = NULL; + unsigned int num_modified = 0; + + bool isDeleted = ldb_msg_find_attr_as_bool(res->msgs[i], + "isDeleted", false); + if (isDeleted) { + if (ldb_dn_compare(do_dn, res->msgs[i]->dn) == 0) { + /* Skip the Deleted Object Container */ + continue; + } + + ret = dsdb_delete(samdb, res->msgs[i]->dn, + DSDB_SEARCH_SHOW_RECYCLED + |DSDB_MODIFY_RELAX); + if (ret != LDB_SUCCESS) { + DEBUG(1,(__location__ ": Failed to remove " + "deleted object %s\n", + ldb_dn_get_linearized(res-> + msgs[i]->dn))); + } else { + 
DEBUG(4,("Removed deleted object %s\n", + ldb_dn_get_linearized(res-> + msgs[i]->dn))); + (*num_objects_removed)++; + } + continue; + } + + /* This must have a linked attribute */ + + /* + * From MS-ADTS 3.1.1.1.9 DCs, usn Counters, and + * the Originating Update Stamp + * + * "A link value r is deleted, but exists as a + * tombstone, if r.stamp.timeDeleted ≠ 0. When + * the current time minus r.stamp.timeDeleted + * exceeds the tombstone lifetime, the link + * value r is garbage-collected; that is, + * removed from its containing forward link + * attribute. " + */ + + for (j=0; j < res->msgs[i]->num_elements; j++) { + struct ldb_message_element *element = NULL; + /* TODO this is O(log n) per attribute with deleted values */ + const struct dsdb_attribute *attrib = NULL; + + element = &res->msgs[i]->elements[j]; + attrib = dsdb_attribute_by_lDAPDisplayName(schema, + element->name); + + /* This avoids parsing isDeleted as a link */ + if (attrib->linkID == 0 || ((attrib->linkID & 1) == 1)) { + continue; + } + + for (k = 0; k < element->num_values; k++) { + struct ldb_val *value = &element->values[k]; + uint64_t whenChanged = 0; + NTSTATUS status; + struct dsdb_dn *dn; + struct ldb_message_element *cleanup_elem = NULL; + char *guid_search_str = NULL; + char *guid_buf_str = NULL; + struct ldb_val cleanup_val; + struct GUID_txt_buf buf_guid; + struct GUID guid; + const struct ldb_val *guid_blob; + + if (dsdb_dn_is_deleted_val(value) == false) { + continue; + } + + dn = dsdb_dn_parse(tmp_ctx, samdb, + &element->values[k], + attrib->syntax->ldap_oid); + if (dn == NULL) { + DEBUG(1, ("Failed to parse linked attribute blob of " + "%s on %s while expunging expired links\n", + element->name, + ldb_dn_get_linearized(res->msgs[i]->dn))); + continue; + } + + status = dsdb_get_extended_dn_uint64(dn->dn, + &whenChanged, + "RMD_CHANGETIME"); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Error: RMD_CHANGETIME is missing on a forward link.\n")); + talloc_free(dn); + continue; + } + + 
if (whenChanged >= expunge_time_nttime) { + talloc_free(dn); + continue; + } + + guid_blob = ldb_dn_get_extended_component(dn->dn, "GUID"); + status = GUID_from_ndr_blob(guid_blob, &guid); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Error: Invalid GUID on link target.\n")); + talloc_free(dn); + continue; + } + + guid_buf_str = GUID_buf_string(&guid, &buf_guid); + guid_search_str = talloc_asprintf(mem_ctx, + "", + guid_buf_str); + cleanup_val = data_blob_string_const(guid_search_str); + + talloc_free(dn); + + if (cleanup_msg == NULL) { + cleanup_msg = ldb_msg_new(mem_ctx); + if (cleanup_msg == NULL) { + return NT_STATUS_NO_MEMORY; + } + cleanup_msg->dn = res->msgs[i]->dn; + } + + ret = ldb_msg_add_value(cleanup_msg, + element->name, + &cleanup_val, + &cleanup_elem); + if (ret != LDB_SUCCESS) { + return NT_STATUS_NO_MEMORY; + } + cleanup_elem->flags = LDB_FLAG_MOD_DELETE; + num_modified++; + } + } + + if (num_modified > 0) { + ret = dsdb_modify(samdb, cleanup_msg, + DSDB_REPLMD_VANISH_LINKS); + if (ret != LDB_SUCCESS) { + DEBUG(1,(__location__ ": Failed to remove deleted object %s\n", + ldb_dn_get_linearized(res->msgs[i]->dn))); + } else { + DEBUG(4,("Removed deleted object %s\n", + ldb_dn_get_linearized(res->msgs[i]->dn))); + *num_links_removed = *num_links_removed + num_modified; + } + + } + } + + TALLOC_FREE(tmp_ctx); + return NT_STATUS_OK; +} + /* * Per MS-ADTS 3.1.1.5.5 Delete Operation * @@ -58,11 +261,9 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, unsigned int *num_links_removed, char **error_string) { - int ret; - const char **attrs = NULL; char *filter = NULL; - + NTSTATUS status; unsigned int i; struct dsdb_attribute *next_attr; unsigned int num_link_attrs; 
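Review bot: In the value loop of the new garbage_collect_tombstones_part(), the result of `talloc_asprintf(mem_ctx, ...)` goes straight into `data_blob_string_const()` and `guid_blob` goes straight into `GUID_from_ndr_blob()`, with neither checked for NULL; a link value without a GUID component or a failed allocation would presumably be dereferenced rather than skipped. Adding `if (guid_blob == NULL) { talloc_free(dn); continue; }` before the conversion and `if (guid_search_str == NULL) { TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; }` after the format call would cover both. The two `return NT_STATUS_NO_MEMORY;` exits inside the loop also skip `TALLOC_FREE(tmp_ctx)`, and `cleanup_msg` and `guid_search_str` are allocated on `mem_ctx`, so they accumulate for the whole scan; since the code was being moved anyway, allocating them on `tmp_ctx` would bound that. Separately, the `dsdb_modify()` failure and success messages still say "deleted object" although that branch removes link values.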
@@ -117,178 +318,24 @@ NTSTATUS dsdb_garbage_collect_tombstones(TALLOC_CTX *mem_ctx, attrs[i] = "isDeleted"; attrs[i+1] = NULL; - filter = talloc_asprintf_append(filter, "(&(isDeleted=TRUE)(whenChanged<=%s)))", expunge_time_string); + filter = talloc_asprintf_append(filter, + "(&(isDeleted=TRUE)(whenChanged<=%s)))", + expunge_time_string); if (filter == NULL) { return NT_STATUS_NO_MEMORY; } - schema = dsdb_get_schema(samdb, mem_ctx); - for (; part != NULL; part = part->next) { - struct ldb_dn *do_dn; - struct ldb_result *res; - unsigned int j, k; - uint32_t flags; - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - if (!tmp_ctx) { - return NT_STATUS_NO_MEMORY; - } - - ret = dsdb_get_deleted_objects_dn(samdb, tmp_ctx, part->dn, &do_dn); - if (ret != LDB_SUCCESS) { - TALLOC_FREE(tmp_ctx); - /* some partitions have no Deleted Objects - container */ - continue; - } - - DEBUG(1, ("Doing a full scan on %s and looking for deleted objects\n", - ldb_dn_get_linearized(part->dn))); - - flags = DSDB_SEARCH_SHOW_RECYCLED | - DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT | - DSDB_SEARCH_REVEAL_INTERNALS; - ret = dsdb_search(samdb, tmp_ctx, &res, part->dn, LDB_SCOPE_SUBTREE, - attrs, flags, "%s", filter); - - if (ret != LDB_SUCCESS) { - *error_string = talloc_asprintf(mem_ctx, "Failed to search for deleted objects in %s: %s", - ldb_dn_get_linearized(do_dn), - ldb_errstring(samdb)); - TALLOC_FREE(tmp_ctx); - return NT_STATUS_INTERNAL_ERROR; + status = garbage_collect_tombstones_part(mem_ctx, samdb, part, + filter, + num_links_removed, + num_objects_removed, + schema, attrs, + error_string, + expunge_time_nttime); + if (!NT_STATUS_IS_OK(status)) { + return status; } - - for (i=0; icount; i++) { - struct ldb_message *cleanup_msg = NULL; - unsigned int num_modified = 0; - - bool isDeleted = ldb_msg_find_attr_as_bool(res->msgs[i], "isDeleted", false); - if (isDeleted) { - if (ldb_dn_compare(do_dn, res->msgs[i]->dn) == 0) { - /* Skip the Deleted Object Container */ - continue; - } - - ret = 
dsdb_delete(samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_RECYCLED|DSDB_MODIFY_RELAX); - if (ret != LDB_SUCCESS) { - DEBUG(1,(__location__ ": Failed to remove deleted object %s\n", - ldb_dn_get_linearized(res->msgs[i]->dn))); - } else { - DEBUG(4,("Removed deleted object %s\n", - ldb_dn_get_linearized(res->msgs[i]->dn))); - (*num_objects_removed)++; - } - continue; - } - - /* This must have a linked attribute */ - - /* - * From MS-ADTS 3.1.1.1.9 DCs, usn Counters, and the Originating Update Stamp - * - * "A link value r is deleted, but exists as a - * tombstone, if r.stamp.timeDeleted ≠ 0. When - * the current time minus r.stamp.timeDeleted - * exceeds the tombstone lifetime, the link - * value r is garbage-collected; that is, - * removed from its containing forward link - * attribute. " - */ - - for (j=0; j < res->msgs[i]->num_elements; j++) { - struct ldb_message_element *element = &res->msgs[i]->elements[j]; - /* TODO this is O(log n) per attribute with deleted values */ - const struct dsdb_attribute *attrib - = dsdb_attribute_by_lDAPDisplayName(schema, element->name); - - /* This avoids parsing isDeleted as a link */ - if (attrib->linkID == 0 || ((attrib->linkID & 1) == 1)) { - continue; - } - - for (k = 0; k < element->num_values; k++) { - struct ldb_val *value = &element->values[k]; - uint64_t whenChanged = 0; - NTSTATUS status; - struct dsdb_dn *dn; - struct ldb_message_element *cleanup_elem = NULL; - char *guid_search_str = NULL, *guid_buf_str = NULL; - struct ldb_val cleanup_val; - struct GUID_txt_buf buf_guid; - struct GUID guid; - const struct ldb_val *guid_blob; - - if (dsdb_dn_is_deleted_val(value) == false) { - continue; - } - - dn = dsdb_dn_parse(tmp_ctx, samdb, &element->values[k], - attrib->syntax->ldap_oid); - if (dn == NULL) { - DEBUG(1, ("Failed to parse linked attribute blob of %s on %s while expunging expired links\n", element->name, - ldb_dn_get_linearized(res->msgs[i]->dn))); - continue; - } - - status = dsdb_get_extended_dn_uint64(dn->dn, 
&whenChanged, "RMD_CHANGETIME"); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Error: RMD_CHANGETIME is missing on a forward link.\n")); - talloc_free(dn); - continue; - } - - if (whenChanged >= expunge_time_nttime) { - talloc_free(dn); - continue; - } - - guid_blob = ldb_dn_get_extended_component(dn->dn, "GUID"); - status = GUID_from_ndr_blob(guid_blob, &guid); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Error: Invalid GUID on link target.\n")); - talloc_free(dn); - continue; - } - - guid_buf_str = GUID_buf_string(&guid, &buf_guid); - guid_search_str = talloc_asprintf(mem_ctx, "", guid_buf_str); - cleanup_val = data_blob_string_const(guid_search_str); - - talloc_free(dn); - - if (cleanup_msg == NULL) { - cleanup_msg = ldb_msg_new(mem_ctx); - if (cleanup_msg == NULL) { - return NT_STATUS_NO_MEMORY; - } - cleanup_msg->dn = res->msgs[i]->dn; - } - - ret = ldb_msg_add_value(cleanup_msg, element->name, &cleanup_val, &cleanup_elem); - if (ret != LDB_SUCCESS) { - return NT_STATUS_NO_MEMORY; - } - cleanup_elem->flags = LDB_FLAG_MOD_DELETE; - num_modified++; - } - } - - if (num_modified > 0) { - ret = dsdb_modify(samdb, cleanup_msg, DSDB_REPLMD_VANISH_LINKS); - if (ret != LDB_SUCCESS) { - DEBUG(1,(__location__ ": Failed to remove deleted object %s\n", - ldb_dn_get_linearized(res->msgs[i]->dn))); - } else { - DEBUG(4,("Removed deleted object %s\n", - ldb_dn_get_linearized(res->msgs[i]->dn))); - *num_links_removed = *num_links_removed + num_modified; - } - - } - } - TALLOC_FREE(tmp_ctx); - } return NT_STATUS_OK; -- 1.9.1 From bbde5a8af850b2f7376a85f114aa459ac7bdd3c3 Mon Sep 17 00:00:00 2001 From: Bob Campbell Date: Mon, 5 Sep 2016 11:24:19 +1200 Subject: [PATCH 22/34] copyright: Add the missing notices for garbage collect tombstones Signed-off-by: Bob Campbell 
Signed-off-by: Garming Sam BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 Reviewed-by: Andrew Bartlett Autobuild-User(master): Garming Sam Autobuild-Date(master): Mon Sep 5 08:14:26 CEST 2016 on sn-devel-144 (cherry picked from commit e69715138fe14d8dc51f65cf5986b178c98f40a2) --- source4/dsdb/kcc/garbage_collect_tombstones.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source4/dsdb/kcc/garbage_collect_tombstones.c b/source4/dsdb/kcc/garbage_collect_tombstones.c index 62e9813..ad14d5e 100644 --- a/source4/dsdb/kcc/garbage_collect_tombstones.c +++ b/source4/dsdb/kcc/garbage_collect_tombstones.c @@ -4,6 +4,8 @@ handle removal of deleted objects Copyright (C) 2009 Andrew Tridgell + Copyright (C) 2016 Andrew Bartlett + Copyright (C) 2016 Catalyst.NET Ltd This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by -- 1.9.1 From dea2b451b44c4ebeb29f6990391785c0439e764d Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Thu, 8 Sep 2016 13:33:11 +1200 Subject: [PATCH 23/34] torture: Remove unnecessary whitespace Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit c0239a9bf6f803e9f932b1a4fd267c614c33a4e8) --- source4/torture/drs/python/linked_attributes_drs.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/torture/drs/python/linked_attributes_drs.py b/source4/torture/drs/python/linked_attributes_drs.py index 04d31c2..a529f3c 100644 --- a/source4/torture/drs/python/linked_attributes_drs.py +++ b/source4/torture/drs/python/linked_attributes_drs.py 
@@ -140,7 +140,7 @@ class LATests(drs_base.DrsBaseTestCase, ExopBaseTest): if link.attid == expected_attid: unpacked = ndr_unpack(drsuapi.DsReplicaObjectIdentifier3, link.value.blob) - active = link.flags & drsuapi.DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE + active = link.flags & drsuapi.DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE links.append((str(unpacked.dn), bool(active))) return links -- 1.9.1 From 670724935fe0186bcc0900acf15eb2c7e9932afb Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Thu, 8 Sep 2016 14:46:38 +1200 Subject: [PATCH 24/34] rpmd: Add the ldb error string to a debug Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit b7f363c64f0238daa36d7a79f08d34785c7444f2) --- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c index f3573f6..cc749ce 100644 --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c @@ -3621,9 +3621,10 @@ static int replmd_delete_internals(struct ldb_module *module, struct ldb_request ldb_asprintf_errstring(ldb, __location__ ": Failed to remove backlink of " - "%s when deleting %s", + "%s when deleting %s: %s", el->name, - old_dn_str); + old_dn_str, + ldb_errstring(ldb)); talloc_free(tmp_ctx); return LDB_ERR_OPERATIONS_ERROR; } -- 1.9.1 From 5c3fde2fbe85be7f3cee84e3f00054ebe68c4a8a Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Thu, 8 Sep 2016 14:42:01 +1200 Subject: [PATCH 25/34] rpmd: Remove the seq_num check for skipping additional work We will need this in a later patch. 
Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit d6a16b4d7f069d8a916c778bc26e6b645722c89b) --- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c index cc749ce..2aae797 100644 --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c @@ -2586,13 +2586,6 @@ static int replmd_modify_handle_linked_attribs(struct ldb_module *module, const struct dsdb_schema *schema; struct GUID old_guid; - if (seq_num == 0) { - /* there the replmd_update_rpmd code has already - * checked and saw that there are no linked - * attributes */ - return LDB_SUCCESS; - } - if (dsdb_functional_level(ldb) == DS_DOMAIN_FUNCTION_2000) { /* * Nothing special is required for modifying or vanishing links -- 1.9.1 From c21ae0e7b9a53b4fa4c5f82dae5fbba2bb5147d3 Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Thu, 8 Sep 2016 14:46:06 +1200 Subject: [PATCH 26/34] rpmd: Add a TODO regarding the additional work performed Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 434bf4a5b5899c3390730bbd1f8ffad899a3ff73) --- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c index 2aae797..44fbbf4 100644 --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c 
@@ -2600,6 +2600,16 @@ static int replmd_modify_handle_linked_attribs(struct ldb_module *module, return LDB_SUCCESS; } + /* + * TODO: + * + * We should restrict this to the intersection of the list of + * linked attributes in the schema and the list of attributes + * being modified. + * + * This will help performance a little, as otherwise we have + * to allocate the entire object value-by-value. + */ ret = dsdb_module_search_dn(module, msg, &res, msg->dn, NULL, DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_RECYCLED | -- 1.9.1 From 298bc05f385097396e1c4cf2228a8fe6c4987c1a Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Thu, 8 Sep 2016 14:40:40 +1200 Subject: [PATCH 27/34] rpmd: Skip bump of USN when vanishing forward links Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit ecf237cc3872674d2fbe489b8a1e8449f4063d8b) --- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c index 44fbbf4..7a5906e 100644 --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c @@ -1312,6 +1312,18 @@ static int replmd_update_rpmd_element(struct ldb_context *ldb, } else if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE) { may_skip = true; } + } else if (a->linkID != 0 && LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE && + ldb_request_get_control(req, DSDB_CONTROL_REPLMD_VANISH_LINKS) != NULL) { + /* + * We intentionally skip the version bump when attempting to + * vanish links. + * + * The control is set by dbcheck and expunge-tombstones which + * both attempt to be non-replicating. Otherwise, making an + * alteration to the replication state would trigger a + * broadcast of all expunged objects. + */ + may_skip = true; } if (el->flags & DSDB_FLAG_INTERNAL_FORCE_META_DATA) { -- 1.9.1 
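Review bot: The new branch in replmd_update_rpmd_element() skips the metadata/USN bump for any link-attribute delete whose request carries DSDB_CONTROL_REPLMD_VANISH_LINKS, and nothing visible in the hunk limits who may attach that control. If a request from an ordinary LDAP client could carry it, link values could be removed without the change ever replicating, leaving DCs inconsistent; it is worth confirming that the control is only accepted from internal or system-level callers and saying so in the comment, e.g. `* Callers must be trusted: the control is only honoured for internal/system requests.` The function starts and ends outside the hunk, so such a check may already exist elsewhere.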
From 25cdffdadb4994f0dd49082a734ecade3e7569b0 Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Thu, 8 Sep 2016 14:40:08 +1200 Subject: [PATCH 28/34] tests: Assert vanishing links doesn't bump USN Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit a9c6879bb52b7dcfbfd6c329635aa235199e7145) --- source4/dsdb/tests/python/linked_attributes.py | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/source4/dsdb/tests/python/linked_attributes.py b/source4/dsdb/tests/python/linked_attributes.py index cea3a01..0c46523 100644 --- a/source4/dsdb/tests/python/linked_attributes.py +++ b/source4/dsdb/tests/python/linked_attributes.py @@ -306,11 +306,31 @@ class LATests(samba.tests.TestCase): self.add_linked_attribute(g2, u1) self.add_linked_attribute(g2, u2) + res = self.samdb.search(g1, scope=ldb.SCOPE_BASE, + attrs=['uSNChanged']) + old_usn1 = int(res[0]['uSNChanged'][0]) + + res = self.samdb.search(g2, scope=ldb.SCOPE_BASE, + attrs=['uSNChanged']) + old_usn2 = int(res[0]['uSNChanged'][0]) + self.samdb.delete(u1) self.assert_forward_links(g1, []) self.assert_forward_links(g2, [u2]) + res = self.samdb.search(g1, scope=ldb.SCOPE_BASE, + attrs=['uSNChanged']) + new_usn1 = int(res[0]['uSNChanged'][0]) + + res = self.samdb.search(g2, scope=ldb.SCOPE_BASE, + attrs=['uSNChanged']) + new_usn2 = int(res[0]['uSNChanged'][0]) + + # Assert the USN on the alternate object is unchanged + self.assertEqual(old_usn1, new_usn1) + self.assertEqual(old_usn2, new_usn2) + def test_la_links_delete_user_reveal(self): u1, u2 = self.add_objects(2, 'user', 'u_del_user_reveal') g1, g2 = self.add_objects(2, 'group', 'g_del_user_reveal') -- 1.9.1 From 70980a6c53a17b45c72a91713c9257b8da088485 Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Thu, 8 Sep 2016 15:27:42 +1200 Subject: [PATCH 29/34] tombstone-expunge: Assert than an expunge does not bump the USN 
Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit cf587f9aff2638a31463ee6b28430ff7a3efb505) --- testprogs/blackbox/tombstones-expunge.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/testprogs/blackbox/tombstones-expunge.sh b/testprogs/blackbox/tombstones-expunge.sh index f2826c4..2075d1c 100755 --- a/testprogs/blackbox/tombstones-expunge.sh +++ b/testprogs/blackbox/tombstones-expunge.sh @@ -46,6 +46,10 @@ undump() { tombstones_expunge() { tmpfile=$PREFIX_ABS/$RELEASE/expected-expunge-output.txt + tmpldif1=$PREFIX_ABS/$RELEASE/expected-expunge-output2.txt.tmp1 + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -s base -b '' | grep highestCommittedUSN > $tmpldif1 + $PYTHON $BINDIR/samba-tool domain tombstones expunge -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --current-time=2016-07-30 --tombstone-lifetime=4 > $tmpfile if [ "$?" != "0" ]; then return $? @@ -54,6 +58,14 @@ tombstones_expunge() { if [ "$?" != "0" ]; then return 1 fi + + tmpldif2=$PREFIX_ABS/$RELEASE/expected-expunge-output2.txt.tmp2 + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -s base -b '' | grep highestCommittedUSN > $tmpldif2 + + diff $tmpldif1 $tmpldif2 + if [ "$?" != "0" ]; then + return 1 + fi } add_two_more_users() { -- 1.9.1 From cebff39b9e61c7b849c52a43035d4880874c2af7 Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Thu, 8 Sep 2016 15:29:35 +1200 Subject: [PATCH 30/34] dbcheck: Make it clearer about temporary output Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 974a8da0d996f1396ef5b8e7759f31ee7b92b254) --- testprogs/blackbox/tombstones-expunge.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testprogs/blackbox/tombstones-expunge.sh b/testprogs/blackbox/tombstones-expunge.sh index 2075d1c..49a5073 100755 
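Review bot: The USN comparison added to tombstones_expunge() passes vacuously when either `$ldbsearch ... | grep highestCommittedUSN` produces no output, because two empty files compare equal under `diff`; a failing ldbsearch before and after the expunge would therefore look like "USN unchanged". Checking that the first capture is non-empty closes that, e.g. `[ -s "$tmpldif1" ] || return 1` right after it is written (and the same for `$tmpldif2`). The new redirections and the `diff` also use `$tmpldif1`/`$tmpldif2` unquoted, which breaks if `$PREFIX_ABS` contains spaces.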
--- a/testprogs/blackbox/tombstones-expunge.sh +++ b/testprogs/blackbox/tombstones-expunge.sh @@ -45,7 +45,7 @@ undump() { } tombstones_expunge() { - tmpfile=$PREFIX_ABS/$RELEASE/expected-expunge-output.txt + tmpfile=$PREFIX_ABS/$RELEASE/expected-expunge-output.txt.tmp tmpldif1=$PREFIX_ABS/$RELEASE/expected-expunge-output2.txt.tmp1 TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -s base -b '' | grep highestCommittedUSN > $tmpldif1 -- 1.9.1 From 4700c04960a72b32cd88b13b52e64b06bad6c479 Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Thu, 8 Sep 2016 17:04:29 +1200 Subject: [PATCH 31/34] tests: Check that USN bumps when modifying a linked attr Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit d5127b75d3582f6dbae203f26284a36ec6e1549d) --- source4/dsdb/tests/python/linked_attributes.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/source4/dsdb/tests/python/linked_attributes.py b/source4/dsdb/tests/python/linked_attributes.py index 0c46523..225ee47 100644 --- a/source4/dsdb/tests/python/linked_attributes.py +++ b/source4/dsdb/tests/python/linked_attributes.py 
@@ -266,12 +266,33 @@ class LATests(samba.tests.TestCase): u1, u2 = self.add_objects(2, 'user', 'u_del_link') g1, g2 = self.add_objects(2, 'group', 'g_del_link') + res = self.samdb.search(g1, scope=ldb.SCOPE_BASE, + attrs=['uSNChanged']) + old_usn1 = int(res[0]['uSNChanged'][0]) + self.add_linked_attribute(g1, u1) + + res = self.samdb.search(g1, scope=ldb.SCOPE_BASE, + attrs=['uSNChanged']) + new_usn1 = int(res[0]['uSNChanged'][0]) + + self.assertNotEqual(old_usn1, new_usn1, "USN should have incremented") + self.add_linked_attribute(g2, u1) self.add_linked_attribute(g2, u2) + res = self.samdb.search(g2, scope=ldb.SCOPE_BASE, + attrs=['uSNChanged']) + old_usn2 = int(res[0]['uSNChanged'][0]) + self.remove_linked_attribute(g2, u1) + res = self.samdb.search(g2, scope=ldb.SCOPE_BASE, + attrs=['uSNChanged']) + new_usn2 = int(res[0]['uSNChanged'][0]) + + self.assertNotEqual(old_usn2, new_usn2, "USN should have incremented") + self.assert_forward_links(g1, [u1]) self.assert_forward_links(g2, [u2]) -- 1.9.1 From f9d4d5f434a25f20d0c6ff4f4f61eba9639faf0d Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Thu, 8 Sep 2016 15:45:56 +1200 Subject: [PATCH 32/34] tests: Skip a test for reveal internals for passing Windows Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 (cherry picked from commit 4a264f6460941e6cc741c3dfd1bba72a076a8267) --- source4/dsdb/tests/python/linked_attributes.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/source4/dsdb/tests/python/linked_attributes.py b/source4/dsdb/tests/python/linked_attributes.py index 225ee47..9813ea0 100644 --- a/source4/dsdb/tests/python/linked_attributes.py +++ b/source4/dsdb/tests/python/linked_attributes.py 
@@ -303,7 +303,7 @@ class LATests(samba.tests.TestCase): self.remove_linked_attribute(g2, u1) self.assert_forward_links(g2, []) - def test_la_links_delete_link_reveal(self): + def _test_la_links_delete_link_reveal(self): u1, u2 = self.add_objects(2, 'user', 'u_del_link_reveal') g1, g2 = self.add_objects(2, 'group', 'g_del_link_reveal') @@ -318,6 +318,11 @@ class LATests(samba.tests.TestCase): show_deactivated_link=0, reveal_internals=0 ) + def test_la_links_delete_link_reveal(self): + if opts.no_reveal_internals: + print 'skipping because --no-reveal-internals' + return + self._test_la_links_delete_link_reveal() def test_la_links_delete_user(self): u1, u2 = self.add_objects(2, 'user', 'u_del_user') -- 1.9.1 From 620aaf8e49551404705cb211a7689e98ad65b4fa Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Thu, 8 Sep 2016 16:34:51 +1200 Subject: [PATCH 33/34] dbcheck: assert uSNChanged values in release-4-5-0-pre1 This shows that dbcheck doesn't change the replPropertyMetadata when fixing the links on these objects. Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382 Autobuild-User(master): Garming Sam Autobuild-Date(master): Thu Sep 8 14:39:19 CEST 2016 on sn-devel-144 (cherry picked from commit 0ab32637249fb88917d240e78c0f213b83236027) --- .../expected-links-after-dbcheck.ldif | 217 +++++++++++++++++++++ .../release-4-5-0-pre1/rootdse-version.final.txt | 1 + .../release-4-5-0-pre1/rootdse-version.initial.txt | 1 + testprogs/blackbox/dbcheck-oldrelease.sh | 18 +- 4 files changed, 236 insertions(+), 1 deletion(-) create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.initial.txt diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif b/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif index 5054c74..9ac86fc 100644 
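Review bot: The new wrapper test_la_links_delete_link_reveal() prints a message and returns when `opts.no_reveal_internals` is set, so the run reports the test as passed although nothing was checked. Using the framework's skip, `self.skipTest('--no-reveal-internals given')`, keeps the result honest and removes the Python 2-only print statement. With a skip in place the body would not need to be moved into `_test_la_links_delete_link_reveal` at all.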
--- a/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif +++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif 
@@ -2,646 +2,775 @@ dn: CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3586 # record 2 dn: CN=User,CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3589 # record 3 dn: CN=Content,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=ms-DFSR-Content,CN=Schema,CN=Configuration,DC=release-4-5-0 -pre1,DC=samba,DC=corp +uSNChanged: 3394 # record 4 dn: CN=Machine,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3587 # record 5 dn: CN=Machine,CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3590 # record 6 dn: CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=ms-DFSR-Topology,CN=Schema,CN=Configuration,DC=release-4-5- 0-pre1,DC=samba,DC=corp +uSNChanged: 3395 # record 7 dn: CN=0b7fb422-3609-4587-8c2e-94b10f67d1bf,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3453 # record 8 dn: CN=0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3405 # record 9 dn: 
CN=10b3ad2a-6883-4fa7-90fc-6377cbdc1b26,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3409 # record 10 dn: CN=13d15cf0-e6c8-11d6-9793-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3450 # record 11 dn: CN=231fb90b-c92a-40c9-9379-bacfc313a3e3,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3454 # record 12 dn: CN=2416c60a-fe15-4d7a-a61e-dffd5df864d3,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3402 # record 13 dn: CN=293f0798-ea5c-4455-9f5d-45f33a30703b,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3416 # record 14 dn: CN=2951353e-d102-4ea5-906c-54247eeec741,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3455 # record 15 dn: CN=3051c66f-b332-4a73-9a20-2d6a7d6e6a1c,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3447 # record 16 dn: CN=3c784009-1f57-4e2a-9b04-6915c9e71961,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3424 # record 17 dn: 
CN=3e4f4182-ac5d-4378-b760-0eab2de593e2,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3448 # record 18 dn: CN=446f24ea-cfd5-4c52-8346-96e170bcb912,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3414 # record 19 dn: CN=4aaabc3a-c416-4b9c-a6bb-4b453ab1c1f0,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3456 # record 20 dn: CN=4c93ad42-178a-4275-8600-16811d28f3aa,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3457 # record 21 dn: CN=4dfbb973-8a62-4310-a90c-776e00f83222,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3419 # record 22 dn: CN=51cba88b-99cf-4e16-bef2-c427b38d0767,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3415 # record 23 dn: CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3458 # record 24 dn: CN=5c82b233-75fc-41b3-ac71-c69592e6bf15,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3417 # record 25 dn: 
CN=61b34cb0-55ee-4be9-b595-97810b92b017,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3459 # record 26 dn: CN=6ada9ff7-c9df-45c1-908e-9fef2fab008a,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3408 # record 27 dn: CN=6bcd5678-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3425 # record 28 dn: CN=6bcd5679-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3426 # record 29 dn: CN=6bcd567a-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3427 # record 30 dn: CN=6bcd567b-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3428 # record 31 dn: CN=6bcd567c-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3429 # record 32 dn: CN=6bcd567d-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3430 # record 33 dn: 
CN=6bcd567e-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3431 # record 34 dn: CN=6bcd567f-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3432 # record 35 dn: CN=6bcd5680-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3433 # record 36 dn: CN=6bcd5681-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3434 # record 37 dn: CN=6bcd5682-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3435 # record 38 dn: CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3436 # record 39 dn: CN=6bcd5684-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3437 # record 40 dn: CN=6bcd5685-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3438 # record 41 dn: 
CN=6bcd5686-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3439 # record 42 dn: CN=6bcd5687-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3440 # record 43 dn: CN=6bcd5688-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3441 # record 44 dn: CN=6bcd5689-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3442 # record 45 dn: CN=6bcd568a-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3443 # record 46 dn: CN=6bcd568b-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3444 # record 47 dn: CN=6bcd568c-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3445 # record 48 dn: CN=6bcd568d-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3446 # record 49 dn: 
CN=6E157EDF-4E72-4052-A82A-EC3F91021A22,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3452 # record 50 dn: CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3413 # record 51 dn: CN=71482d49-8870-4cb3-a438-b6fc9ec35d70,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3460 # record 52 dn: CN=7868d4c8-ac41-4e05-b401-776280e8e9f1,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3403 # record 53 dn: CN=7cfb016c-4f87-4406-8166-bd9df943947f,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3421 # record 54 dn: CN=7ffef925-405b-440a-8d58-35e8cd6e98c3,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3418 # record 55 dn: CN=8437C3D8-7689-4200-BF38-79E4AC33DFA0,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3420 # record 56 dn: CN=860c36ed-5241-4c62-a18b-cf6ff9994173,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3404 # record 57 dn: 
CN=8ca38317-13a4-4bd4-806f-ebed6acb5d0c,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3423 # record 58 dn: CN=8ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3451 # record 59 dn: CN=9738c400-7795-4d6e-b19d-c16cd6486166,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3461 # record 60 dn: CN=98de1d3e-6611-443b-8b4e-f4337f1ded0b,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3410 # record 61 dn: CN=9cac1f66-2167-47ad-a472-2a13251310e4,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3412 # record 62 dn: CN=a1789bfb-e0a2-4739-8cc0-e77d892d080a,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3462 # record 63 dn: CN=a3dac986-80e7-4e59-a059-54cb1ab43cb9,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3463 # record 64 dn: CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3406 # record 65 dn: 
CN=ab402345-d3c3-455d-9ff7-40268a1099b6,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3399 # record 66 dn: CN=aed72870-bf16-4788-8ac7-22299c8207f1,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3464 # record 67 dn: CN=b96ed344-545a-4172-aa0c-68118202f125,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3465 # record 68 dn: CN=bab5f54d-06c8-48de-9b87-d78b796564e4,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3400 # record 69 dn: CN=c4f17608-e611-11d6-9793-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3449 # record 70 dn: CN=c88227bc-fcca-4b58-8d8a-cd3d64528a02,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3466 # record 71 dn: CN=d85c0bfd-094f-4cad-a2b5-82ac9268475d,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3407 # record 72 dn: CN=dda1d01d-4bd7-4c49-a184-46f9241b560e,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3467 # record 73 dn: 
CN=de10d491-909f-4fb0-9abb-4b7865c0fe80,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3468 # record 74 dn: CN=ebad865a-d649-416f-9922-456b53bbb5b8,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3469 # record 75 dn: CN=f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3401 # record 76 dn: CN=f58300d1-b71a-4DB6-88a1-a8b9538beaca,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3470 # record 77 dn: CN=f607fd87-80cf-45e2-890b-6cf97ec0e284,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3411 # record 78 dn: CN=f7ed4553-d82b-49ef-a839-2f38a36bb069,CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3422 # record 79 dn: DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3606 # record 80 dn: DC=a.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3616 # record 81 dn: 
DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3609 # record 82 dn: DC=c.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3618 # record 83 dn: DC=d.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3614 # record 84 dn: DC=e.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3613 # record 85 dn: DC=f.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3608 # record 86 dn: DC=g.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3617 # record 87 dn: DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3607 # record 88 dn: DC=i.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3612 # record 89 dn: DC=j.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: 
CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3619 # record 90 dn: DC=k.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3615 # record 91 dn: DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3611 # record 92 dn: DC=m.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3610 # record 93 dn: CN=SOM,CN=WMIPolicy,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3510 # record 94 dn: CN=WMIGPO,CN=WMIPolicy,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3511 # record 95 dn: CN=RID Set,CN=DOUGLASB-DESKTO,OU=Domain Controllers,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=RID-Set,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC =samba,DC=corp +uSNChanged: 3584 # record 96 dn: CN=Operations,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3398 # record 97 dn: CN=PolicyType,CN=WMIPolicy,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3509 # record 98 dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: 
CN=Link-Track-Volume-Table,CN=Schema,CN=Configuration,DC=relea se-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3475 # record 99 dn: CN=AppCategories,CN=Default Domain Policy,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Class-Store,CN=Schema,CN=Configuration,DC=release-4-5-0-pre 1,DC=samba,DC=corp +uSNChanged: 3390 # record 100 dn: CN=PolicyTemplate,CN=WMIPolicy,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3508 # record 101 dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Link-Track-Object-Move-Table,CN=Schema,CN=Configuration,DC= release-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3474 # record 102 dn: CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3471 # record 103 dn: CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=ms-DFSR-ReplicationGroup,CN=Schema,CN=Configuration,DC=rele ase-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3393 # record 104 dn: CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3397 # record 105 dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=releas e-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3585 # record 106 dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=releas e-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3588 # record 107 dn: 
CN=ipsecNFA{59319BE2-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-NFA,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3692 # record 108 dn: CN=ipsecNFA{59319BF3-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-NFA,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3709 # record 109 dn: CN=ipsecNFA{59319C04-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-NFA,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3703 # record 110 dn: CN=ipsecNFA{594272E2-071D-11D3-AD22-0060B0ECCA17},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-NFA,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3694 # record 111 dn: CN=ipsecNFA{594272FD-071D-11D3-AD22-0060B0ECCA17},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-NFA,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3495 # record 112 dn: CN=ipsecNFA{6A1F5C6F-72B7-11D2-ACF0-0060B0ECCA17},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-NFA,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3498 # record 113 dn: CN=ipsecNFA{72385232-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-NFA,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3691 # record 114 dn: CN=ipsecNFA{7238523E-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-NFA,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3708 # record 115 dn: 
CN=ipsecFilter{72385235-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-Filter,CN=Schema,CN=Configuration,DC=release-4-5-0-pr e1,DC=samba,DC=corp +uSNChanged: 3700 # record 116 dn: CN=ipsecFilter{7238523A-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-Filter,CN=Schema,CN=Configuration,DC=release-4-5-0-pr e1,DC=samba,DC=corp +uSNChanged: 3696 # record 117 dn: CN=ipsecPolicy{72385230-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-Policy,CN=Schema,CN=Configuration,DC=release-4-5-0-pr e1,DC=samba,DC=corp +uSNChanged: 3689 # record 118 dn: CN=ipsecPolicy{72385236-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-Policy,CN=Schema,CN=Configuration,DC=release-4-5-0-pr e1,DC=samba,DC=corp +uSNChanged: 3702 # record 119 dn: CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-Policy,CN=Schema,CN=Configuration,DC=release-4-5-0-pr e1,DC=samba,DC=corp +uSNChanged: 3707 # record 120 dn: CN=ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-ISAKMP-Policy,CN=Schema,CN=Configuration,DC=release-4 -5-0-pre1,DC=samba,DC=corp +uSNChanged: 3478 # record 121 dn: CN=ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-ISAKMP-Policy,CN=Schema,CN=Configuration,DC=release-4 -5-0-pre1,DC=samba,DC=corp +uSNChanged: 3488 # record 122 dn: CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-ISAKMP-Policy,CN=Schema,CN=Configuration,DC=release-4 
-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3492 # record 123 dn: CN=ipsecNegotiationPolicy{59319BDF-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-Negotiation-Policy,CN=Schema,CN=Configuration,DC=rele ase-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3484 # record 124 dn: CN=ipsecNegotiationPolicy{59319BF0-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-Negotiation-Policy,CN=Schema,CN=Configuration,DC=rele ase-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3497 # record 125 dn: CN=ipsecNegotiationPolicy{59319C01-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-Negotiation-Policy,CN=Schema,CN=Configuration,DC=rele ase-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3490 # record 126 dn: CN=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-Negotiation-Policy,CN=Schema,CN=Configuration,DC=rele ase-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3482 # record 127 dn: CN=ipsecNegotiationPolicy{7238523B-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-Negotiation-Policy,CN=Schema,CN=Configuration,DC=rele ase-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3698 # record 128 dn: CN=ipsecNegotiationPolicy{7238523F-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Ipsec-Negotiation-Policy,CN=Schema,CN=Configuration,DC=rele ase-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3496 # record 129 dn: DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dns-Zone,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp +uSNChanged: 3605 # record 130 dn: CN=Guest,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp 
@@ -649,6 +778,7 @@ memberOf: CN=Guests,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC= samba,DC=corp sAMAccountType: 805306368 +uSNChanged: 3546 # record 131 dn: CN=Users,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp @@ -660,6 +790,7 @@ member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=release-4-5-0-pre1,DC=samb objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3563 # record 132 dn: CN=Guests,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp @@ -668,6 +799,7 @@ member: CN=Guest,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3564 # record 133 dn: CN=krbtgt,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp @@ -676,17 +808,20 @@ memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=release-4-5-0- objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC= samba,DC=corp sAMAccountType: 805306368 +uSNChanged: 3547 # record 134 dn: CN=Server,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Sam-Server,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1 ,DC=samba,DC=corp +uSNChanged: 3505 # record 135 dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=release-4-5-0-pre1,DC=samba,DC=corp memberOf: CN=Users,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=re lease-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3558 # record 136 dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=release-4-5-0-pre1,DC=samba,DC=corp 
@@ -694,16 +829,19 @@ memberOf: CN=Windows Authorization Access Group,CN=Builtin,DC=release-4-5-0-pr e1,DC=samba,DC=corp objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=re lease-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3559 # record 137 dn: CN=Meetings,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3499 # record 138 dn: CN=Policies,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3501 # record 139 dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=release-4-5-0-pre1,DC=samba,DC=corp 
@@ -712,29 +850,34 @@ memberOf: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=release-4-5-0-pr memberOf: CN=Users,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=re lease-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3560 # record 140 dn: CN=S-1-5-17,CN=ForeignSecurityPrincipals,DC=release-4-5-0-pre1,DC=samba,DC=corp memberOf: CN=IIS_IUSRS,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=re lease-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3561 # record 141 dn: CN=swimmers,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 268435456 +uSNChanged: 3745 # record 142 dn: CN=DnsAdmins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3602 # record 143 dn: CN=FileLinks,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=File-Link-Tracking,CN=Schema,CN=Configuration,DC=release-4- 5-0-pre1,DC=samba,DC=corp +uSNChanged: 3473 # record 144 dn: CN=IIS_IUSRS,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp 
@@ -743,32 +886,38 @@ member: CN=S-1-5-17,CN=ForeignSecurityPrincipals,DC=release-4-5-0-pre1,DC=samb objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3579 # record 145 dn: CN=Microsoft,CN=Program Data,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3384 # record 146 dn: CN=WMIPolicy,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3507 # record 147 dn: CN=Replicator,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3569 # record 148 dn: CN=IP Security,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3476 # record 149 dn: CN=RpcServices,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Rpc-Container,CN=Schema,CN=Configuration,DC=release-4-5-0-p re1,DC=samba,DC=corp +uSNChanged: 3504 # record 150 dn: CN=Domain Users,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp 
@@ -776,16 +925,19 @@ memberOf: CN=Users,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 268435456 +uSNChanged: 3541 # record 151 dn: CN=MicrosoftDNS,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3604 # record 152 dn: CN=RID Manager$,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=RID-Manager,CN=Schema,CN=Configuration,DC=release-4-5-0-pre 1,DC=samba,DC=corp +uSNChanged: 3598 # record 153 dn: CN=Administrator,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp @@ -798,16 +950,19 @@ memberOf: CN=Domain Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC= samba,DC=corp sAMAccountType: 805306368 +uSNChanged: 3545 # record 154 dn: CN=AdminSDHolder,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3386 # record 155 dn: CN=ComPartitions,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3387 # record 156 dn: CN=Domain Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp @@ -818,6 +973,7 @@ memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=release-4-5-0- objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 268435456 +uSNChanged: 3549 # record 157 dn: CN=Domain Guests,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp 
@@ -825,11 +981,13 @@ memberOf: CN=Guests,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 268435456 +uSNChanged: 3542 # record 158 dn: CN=DomainUpdates,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3396 # record 159 dn: CN=Schema Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp @@ -839,6 +997,7 @@ memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=release-4-5-0- objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 268435456 +uSNChanged: 3551 # record 160 dn: CN=Administrators,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp @@ -848,12 +1007,14 @@ member: CN=Administrator,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3562 # record 161 dn: CN=DnsUpdateProxy,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 268435456 +uSNChanged: 3603 # record 162 dn: CN=Cert Publishers,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp 
@@ -862,69 +1023,81 @@ memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=release-4-5-0- objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3550 # record 163 dn: CN=DOUGLASB-DESKTO,OU=Domain Controllers,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,D C=samba,DC=corp sAMAccountType: 805306369 +uSNChanged: 3601 # record 164 dn: CN=Print Operators,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3567 # record 165 dn: CN=User UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC= samba,DC=corp sAMAccountType: 805306368 +uSNChanged: 3712 # record 166 dn: CN=WinsockServices,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3506 # record 167 dn: CN=Backup Operators,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3568 # record 168 dn: CN=ComPartitionSets,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3388 # record 169 dn: CN=Domain Computers,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 268435456 +uSNChanged: 3543 # record 170 dn: CN=Server Operators,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3566 # record 171 dn: 
CN=User1 UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC= samba,DC=corp sAMAccountType: 805306368 +uSNChanged: 3715 # record 172 dn: CN=Account Operators,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3565 # record 173 dn: CN=Dfs-Configuration,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Dfs-Configuration,CN=Schema,CN=Configuration,DC=release-4-5 -0-pre1,DC=samba,DC=corp +uSNChanged: 3391 # record 174 dn: CN=Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp @@ -935,12 +1108,14 @@ memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=release-4-5-0- objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 268435456 +uSNChanged: 3552 # record 175 dn: CN=Event Log Readers,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3581 # record 176 dn: CN=Domain Controllers,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp 
@@ -949,57 +1124,67 @@ memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=release-4-5-0- objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 268435456 +uSNChanged: 3544 # record 177 dn: CN=DFSR-GlobalSettings,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=ms-DFSR-GlobalSettings,CN=Schema,CN=Configuration,DC=releas e-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3392 # record 178 dn: CN=RAS and IAS Servers,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3555 # record 179 dn: CN=Remote Desktop Users,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3571 # record 180 dn: CN=Default Domain Policy,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Domain-Policy,CN=Schema,CN=Configuration,DC=release-4-5-0-p re1,DC=samba,DC=corp +uSNChanged: 3389 # record 181 dn: CN=Distributed COM Users,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3578 # record 182 dn: CN=Performance Log Users,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3575 # record 183 dn: CN=Cryptographic Operators,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3580 # record 184 dn: CN=File Replication Service,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=NTFRS-Settings,CN=Schema,CN=Configuration,DC=release-4-5-0- pre1,DC=samba,DC=corp 
+uSNChanged: 3472 # record 185 dn: CN=Performance Monitor Users,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3574 # record 186 dn: CN=Group Policy Creator Owners,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp @@ -1009,11 +1194,13 @@ memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=release-4-5-0- objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 268435456 +uSNChanged: 3553 # record 187 dn: CN=Password Settings Container,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=ms-DS-Password-Settings-Container,CN=Schema,CN=Configuratio n,DC=release-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3500 # record 188 dn: CN=Read-only Domain Controllers,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp 
@@ -1022,35 +1209,41 @@ memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=release-4-5-0- objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 268435456 +uSNChanged: 3554 # record 189 dn: CN=Incoming Forest Trust Builders,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3573 # record 190 dn: CN=Certificate Service DCOM Access,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3582 # record 191 dn: CN=Network Configuration Operators,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3572 # record 192 dn: CN=Terminal Server License Servers,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3577 # record 193 dn: CN=RAS and IAS Servers Access Check,CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3502 # record 194 dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp @@ -1059,6 +1252,7 @@ member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=release-4-5-0-pre1,DC=samb objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3570 # record 195 dn: CN=Windows Authorization Access Group,CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp 
@@ -1067,6 +1261,7 @@ member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=release-4-5-0-pre1,DC=samba objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3576 # record 196 dn: CN=Denied RODC Password Replication Group,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp 
@@ -1083,106 +1278,128 @@ member: CN=krbtgt,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3557 # record 197 dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 536870912 +uSNChanged: 3556 # record 198 dn: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,DC=s amba,DC=corp sAMAccountType: 268435456 +uSNChanged: 3548 # record 199 dn: CN=ddg\0ADEL:fb8c2fe3-5448-43de-99f9-e1d3b9357cfc,CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp lastKnownParent: CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3737 # record 200 dn: CN=dsg\0ADEL:6d66d0ef-cad7-4e5d-b1b6-4a233a21c269,CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp lastKnownParent: CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3734 # record 201 dn: CN=gdg\0ADEL:e0f581e7-14ee-4fc2-839c-8f46f581c72a,CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp lastKnownParent: CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3738 # record 202 dn: CN=gsg\0ADEL:91aa85cc-fc19-4b8c-9fc7-aaba425439c7,CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp lastKnownParent: CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3735 # record 203 dn: CN=udg\0ADEL:7cff5537-51b1-4d26-a295-0225dbea8525,CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp lastKnownParent: CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3739 # record 204 dn: CN=usg\0ADEL:d012e8f5-a4bd-40ea-a2a1-68ff2508847d,CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp lastKnownParent: CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3736 # record 205 dn: 
CN=fred\0ADEL:2301a64c-5b42-4ca8-851e-12d4a711cfb4,CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp lastKnownParent: CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3746 # record 206 dn: CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3373 # record 207 dn: CN=System,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3385 # record 208 dn: CN=Builtin,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Builtin-Domain,CN=Schema,CN=Configuration,DC=release-4-5-0- pre1,DC=samba,DC=corp +uSNChanged: 3376 # record 209 dn: CN=Computers,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3375 # record 210 dn: CN=NTDS Quotas,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=ms-DS-Quota-Container,CN=Schema,CN=Configuration,DC=release -4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3382 # record 211 dn: CN=LostAndFound,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Lost-And-Found,CN=Schema,CN=Configuration,DC=release-4-5-0- pre1,DC=samba,DC=corp +uSNChanged: 3381 # record 212 dn: CN=Program Data,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3383 # record 213 dn: CN=Infrastructure,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=release -4-5-0-pre1,DC=samba,DC=corp +uSNChanged: 3597 # record 214 dn: CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3377 # record 215 dn: CN=ForeignSecurityPrincipals,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: 
CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp +uSNChanged: 3379 # record 216 dn: OU=Domain Controllers,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=release-4 -5-0-pre1,DC=samba,DC=corp +uSNChanged: 3378 # record 217 dn: DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1 ,DC=samba,DC=corp +uSNChanged: 3596 wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=rele ase-4-5-0-pre1,DC=samba,DC=corp wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Progra diff --git a/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt b/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt new file mode 100644 index 0000000..0028f9b --- /dev/null +++ b/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt @@ -0,0 +1 @@ +highestCommittedUSN: 3746 diff --git a/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.initial.txt b/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.initial.txt new file mode 100644 index 0000000..0028f9b --- /dev/null +++ b/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.initial.txt @@ -0,0 +1 @@ +highestCommittedUSN: 3746 diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh index dd176cf..ecab003 100755 --- a/testprogs/blackbox/dbcheck-oldrelease.sh +++ b/testprogs/blackbox/dbcheck-oldrelease.sh 
@@ -181,6 +181,13 @@ check_expected_before_values() {
 if [ "$?" != "0" ]; then
 return 1
 fi
+ elif [ x$RELEASE = x"release-4-5-0-pre1" ]; then
+ tmpldif=$PREFIX_ABS/$RELEASE/rootdse-version.initial.txt.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -s base -b '' | grep highestCommittedUSN > $tmpldif
+ diff $tmpldif $release_dir/rootdse-version.initial.txt
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
 fi
 return 0
 }
@@ -233,11 +240,20 @@ check_expected_after_values() {
 elif [ x$RELEASE = x"release-4-5-0-pre1" ]; then
 echo $RELEASE checking after values
 tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-dbcheck.ldif.tmp
- $BINDIR/ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --show-recycled --show-deleted --show-deactivated-link --reveal member memberOf lastKnownParent objectCategory lastKnownParent wellKnownObjects legacyExchangeDN sAMAccountType --sorted > $tmpldif
+ $BINDIR/ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --show-recycled --show-deleted --show-deactivated-link --reveal member memberOf lastKnownParent objectCategory lastKnownParent wellKnownObjects legacyExchangeDN sAMAccountType uSNChanged --sorted > $tmpldif
 diff $tmpldif $release_dir/expected-links-after-dbcheck.ldif
 if [ "$?" != "0" ]; then
 return 1
 fi
+
+ # If in the future dbcheck has to make a change recorded in replPropertyMetadata,
+ # this test will fail and can be removed.
+ tmpversion=$PREFIX_ABS/$RELEASE/rootdse-version.final.txt.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -s base -b '' | grep highestCommittedUSN > $tmpversion
+ diff $tmpversion $release_dir/rootdse-version.final.txt
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
 fi
 return 0
 }
--
1.9.1
From 107b5b3a82e4bb79197b566979aee359bba20458 Mon Sep 17 00:00:00 2001
From: Garming Sam
Date: Fri, 14 Oct 2016 16:57:42 +1300
Subject: [PATCH 34/34] dbcheck: Give a more helpful error message on dangling links
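Review bot: The added rootDSE checks in both hunks call `$ldbsearch`, while the link check a few lines earlier in check_expected_after_values calls `$BINDIR/ldbsearch`. The definition of `$ldbsearch` is outside both hunks, so confirm it is set and resolves to the build-tree binary; otherwise the highestCommittedUSN comparison could run against a different tool than the one under test. The new expansions are also unquoted, so a prefix containing whitespace would split the redirect target and the diff arguments; `> "$tmpldif"` and `if ! diff "$tmpldif" "$release_dir/rootdse-version.initial.txt"; then return 1; fi` avoid that and drop the separate `$?` test. Both functions begin outside the hunks.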
Signed-off-by: Garming Sam
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12382
---
 python/samba/dbchecker.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 9b0784b..3c73a66 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -497,7 +497,11 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
 # check if its a backlink
 linkID, _ = self.get_attr_linkID_and_reverse_name(attrname)
 if (linkID & 1 == 0) and str(dsdb_dn).find('\\0ADEL') == -1:
- self.report("Not removing dangling forward link")
+ to_expunge = ''
+ rmd_flags = int(dsdb_dn.dn.get_extended_component("RMD_FLAGS"))
+ if rmd_flags & 1 != 0:
+ to_expunge = 'Try running "samba-tool domain tombstones expunge".'
+ self.report("Not removing dangling forward link. %s" % to_expunge)
 return
 self.err_deleted_dn(dn, attrname, val, dsdb_dn, dsdb_dn, False)
--
1.9.1
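Review bot: The added `int(dsdb_dn.dn.get_extended_component("RMD_FLAGS"))` raises TypeError when the dangling link value has no RMD_FLAGS extended component, because get_extended_component returns None for a missing component. dbcheck would then abort on exactly the kind of damaged link it is meant to report. Guard the lookup with `rmd_blob = dsdb_dn.dn.get_extended_component("RMD_FLAGS")` followed by `if rmd_blob is not None and int(rmd_blob) & 1 != 0:`. A one-line comment such as `# bit 1 of RMD_FLAGS presumably marks the link as deleted, so expunge can clear it` would explain the mask. The enclosing method starts and ends outside the hunk.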