From a0e7815ea398a08e36564110c5f6be149673cd25 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Sat, 23 Feb 2019 00:14:31 +0100
Subject: [PATCH 1/5] drsuapi.idl: add DRSUAPI_ATTID_schemaInfo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
Reviewed-by: Garming Sam
(cherry picked from commit 140a6733a458d0afa20237a09ef4ee2546a83a8f)
---
 librpc/idl/drsuapi.idl | 1 +
 1 file changed, 1 insertion(+)
diff --git a/librpc/idl/drsuapi.idl b/librpc/idl/drsuapi.idl
index cd90500faf57..448a58bcd1f5 100644
--- a/librpc/idl/drsuapi.idl
+++ b/librpc/idl/drsuapi.idl
@@ -548,6 +548,7 @@ interface drsuapi
 DRSUAPI_ATTID_objectCategory = 0x0009030e,
 DRSUAPI_ATTID_gPLink = 0x0009037b,
 DRSUAPI_ATTID_transportAddressAttribute = 0x0009037f,
+ DRSUAPI_ATTID_schemaInfo = 0x0009054e,
 DRSUAPI_ATTID_msDS_Behavior_Version = 0x000905b3,
 DRSUAPI_ATTID_msDS_KeyVersionNumber = 0x000906f6,
 DRSUAPI_ATTID_msDS_NonMembers = 0x00090701,
-- 
2.17.1
From 0c7b3e8b7abb46977986eb3b2a55442b120a08c1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 21 Feb 2019 09:20:48 +0100
Subject: [PATCH 2/5] ldapcmp: ignore 'schemaInfo' if two domains are compared
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
Reviewed-by: Garming Sam
(cherry picked from commit b5b572d5f71e2b9783ddb25c21ac32904fbfd661)
---
 python/samba/netcmd/ldapcmp.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/samba/netcmd/ldapcmp.py b/python/samba/netcmd/ldapcmp.py
index 4e5abad7cfed..aa8aa7c7558b 100644
--- a/python/samba/netcmd/ldapcmp.py
+++ b/python/samba/netcmd/ldapcmp.py
@@ -465,7 +465,7 @@ class LDAPObject(object): "msDs-masteredBy", "lastSetTime", "ipsecNegotiationPolicyReference", "subRefs", "gPCFileSysPath", "accountExpires", "invocationId", "operatingSystemVersion", - "oEMInformation", + "oEMInformation", "schemaInfo", # After Exchange preps "targetAddress", "msExchMailboxGuid", "siteFolderGUID"] # -- 2.17.1 From 9e8431fec38e600f5c2e471c8eccb4148a51b08b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Mar 2019 11:27:14 +0100 Subject: [PATCH 3/5] s4:provision: split out provision_self_join_modify_schema.ldif BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Garming Sam (cherry picked from commit 5ea84af2d69e0b3a2a801ea0cc3f4ffc66bf1764) --- python/samba/provision/__init__.py | 7 ++++++- source4/setup/provision_self_join_modify_config.ldif | 5 ----- source4/setup/provision_self_join_modify_schema.ldif | 4 ++++ 3 files changed, 10 insertions(+), 6 deletions(-) create mode 100644 source4/setup/provision_self_join_modify_schema.ldif diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py index 066411ab8d74..492ce6809f6e 100644 --- a/python/samba/provision/__init__.py +++ b/python/samba/provision/__init__.py @@ -1182,7 +1182,12 @@ def setup_self_join(samdb, admin_session_info, names, fill, machinepass, "DOMAIN_CONTROLLER_FUNCTIONALITY": str( domainControllerFunctionality)}) - # Setup fSMORoleOwner entries to point at the newly created DC entry + # Setup fSMORoleOwner entries to point at the newly created DC entry + setup_modify_ldif(samdb, + setup_path("provision_self_join_modify_schema.ldif"), { + "SCHEMADN": names.schemadn, + "SERVERDN": names.serverdn, + }) setup_modify_ldif(samdb, setup_path("provision_self_join_modify_config.ldif"), { "CONFIGDN": names.configdn, 
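Review bot: In the ldapcmp.py hunk, `"schemaInfo"` is appended to the `"oEMInformation",` line with no comment, while the next group in the same list is labelled `# After Exchange preps`. Because ldapcmp is used to spot drift between directories, every ignored attribute is a place where a difference is deliberately not reported, so the reason belongs next to the entry, e.g. `# schemaInfo tracks each forest's own schema revision, so it differs between domains`. The list and its enclosing method start outside the hunk, so the exact condition under which this list applies is not visible here.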
diff --git a/source4/setup/provision_self_join_modify_config.ldif b/source4/setup/provision_self_join_modify_config.ldif
index 48a70924b89e..2d8e4c929449 100644
--- a/source4/setup/provision_self_join_modify_config.ldif
+++ b/source4/setup/provision_self_join_modify_config.ldif
@@ -1,8 +1,3 @@
-dn: ${SCHEMADN}
-changetype: modify
-replace: fSMORoleOwner
-fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
-
 dn: CN=Partitions,${CONFIGDN}
 changetype: modify
 replace: fSMORoleOwner
diff --git a/source4/setup/provision_self_join_modify_schema.ldif b/source4/setup/provision_self_join_modify_schema.ldif
new file mode 100644
index 000000000000..edb06204e5bd
--- /dev/null
+++ b/source4/setup/provision_self_join_modify_schema.ldif
@@ -0,0 +1,4 @@
+dn: ${SCHEMADN}
+changetype: modify
+replace: fSMORoleOwner
+fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
-- 
2.17.1
From 109bc76a09a64c1f35ed1b1ca2ca8b7bfb2bb175 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 8 Mar 2019 11:28:42 +0100
Subject: [PATCH 4/5] python/provision: use provision and relax controls for schema provision
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
Reviewed-by: Garming Sam
(cherry picked from commit 7652439fa1aab92945f5540a43fc49568d446917)
---
 python/samba/provision/__init__.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 492ce6809f6e..d71f5e1ce30a 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1187,7 +1187,8 @@ def setup_self_join(samdb, admin_session_info, names, fill, machinepass,
 setup_path("provision_self_join_modify_schema.ldif"), {
 "SCHEMADN": names.schemadn,
 "SERVERDN": names.serverdn,
- })
+ },
+ controls=["provision:0", "relax:0"])
 setup_modify_ldif(samdb,
 setup_path("provision_self_join_modify_config.ldif"), {
 "CONFIGDN": names.configdn,
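Review bot: The control list `["provision:0", "relax:0"]` is passed as a bare literal to the schema `setup_modify_ldif` call with no comment saying why this one modify needs both controls, and the same pair is spelled out a second time as `schema_controls` in the fill_samdb hunk of this patch. Patch 5/5 of the series makes the provision control the thing that suppresses the schemaInfo update, so a silent divergence between the two lists would change behaviour. A one-line comment above the call, e.g. `# provision control keeps schemaInfo untouched while provisioning; relax is needed for the schema head modify`, would record the intent, and a shared module-level constant for the pair would keep the two call sites in step. The setup_self_join body starts and ends outside the hunk.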
@@ -1406,16 +1407,20 @@ def fill_samdb(samdb, lp, names, logger, policyguid, # The LDIF here was created when the Schema object was constructed ignore_checks_oid = "local_oid:%s:0" % samba.dsdb.DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OID + schema_controls = [ + "provision:0", + "relax:0", + ignore_checks_oid + ] + logger.info("Setting up sam.ldb schema") - samdb.add_ldif(schema.schema_dn_add, - controls=["relax:0", ignore_checks_oid]) - samdb.modify_ldif(schema.schema_dn_modify, - controls=[ignore_checks_oid]) + samdb.add_ldif(schema.schema_dn_add, controls=schema_controls) + samdb.modify_ldif(schema.schema_dn_modify, controls=schema_controls) samdb.write_prefixes_from_schema() - samdb.add_ldif(schema.schema_data, controls=["relax:0", ignore_checks_oid]) + samdb.add_ldif(schema.schema_data, controls=schema_controls) setup_add_ldif(samdb, setup_path("aggregate_schema.ldif"), {"SCHEMADN": names.schemadn}, - controls=["relax:0", ignore_checks_oid]) + controls=schema_controls) # Now register this container in the root of the forest msg = ldb.Message(ldb.Dn(samdb, names.domaindn)) -- 2.17.1 From b16a8fef8e57d4390456e7173c732492b55e90a7 Mon Sep 17 00:00:00 2001 From: Aaron Haslett Date: Wed, 3 Apr 2019 16:34:42 +1300 Subject: [PATCH 5/5] dsdb:samdb: schemainfo update with relax control Currently schema info's revision field isn't incremented if relax control is present. This is so that no increment is done during provision, but we need the relax control in other situations where the increment is desired, so we should use the provision control instead to disable schema info update. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799 Signed-off-by: Aaron Haslett Reviewed-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Garming Sam (cherry picked from commit b7c1752754da1e8a83a53670cf4a410ec6e9d7b7) --- source4/dsdb/samdb/ldb_modules/samldb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
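Review bot: In the fill_samdb hunk, `samdb.modify_ldif(schema.schema_dn_modify, ...)` used to run with only the skip-duplicates control and now also carries `relax:0` and `provision:0` through the shared `schema_controls` list, which widens what that modify is allowed to bypass. The commit subject states the general intent, but nothing in the code says the extra relax on this modify is deliberate rather than a side effect of sharing one list. If relax is not actually required there, a narrower argument such as `controls=["provision:0", ignore_checks_oid]` keeps the relaxation scoped to the adds; otherwise a comment above `schema_controls` explaining why every schema write during provision needs all three would help. fill_samdb continues outside the hunk.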
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index e69228c32c75..02eb2fa90494 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -1333,7 +1333,7 @@ static int samldb_schema_info_update(struct samldb_ctx *ac) } /* do not update schemaInfo during provisioning */ - if (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) { + if (ldb_request_get_control(ac->req, LDB_CONTROL_PROVISION_OID)) { return LDB_SUCCESS; } -- 2.17.1
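Review bot: The early return in samldb_schema_info_update now depends only on LDB_CONTROL_PROVISION_OID being present on the request, and nothing in the hunk shows whether the request has already been established as trusted at this point. Since this return skips the schemaInfo revision update, it is worth confirming in the part of the function outside the hunk, or in the module stack above it, that a request from an ordinary LDAP client cannot carry the provision control this far. The comment could also record the reason for the switch, e.g. `/* only the provision control suppresses the schemaInfo update; relax-only schema changes must still increment it */`.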