From 6100b2effa9b34ad8dfb0bf9e7508d0d66209ea3 Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Mon, 1 Jul 2019 17:06:31 +1200 Subject: [PATCH] s4/libnet: Fix joining a Windows pre-2008R2 DC From v4.8 onwards, Samba may not be able to join a DC older than 2008R2 because the Windows DC doesn't support GET_TGT. If the dsdb repl_md code can't resolve a link target it returns an error, and the calling code (e.g. drs_util.py) should retry with GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later, so if you try to join an earlier Windows DC, the join will throw an error that you can't work around. We can avoid this problem by setting the same DSDB flag that GET_TGT sets to indicate that the link targets are as up-to-date as possible, and so there's no point retrying. Missing targets are still logged, so this at least allows the admin to fix up any problems after the join completed. I've only done this for the join case (problems during periodic replication are probably still worth escalating to an error). BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021 RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD DC may not have worked. When this problem occurred, the following message would be displayed: 'Failed to commit objects: DOS code 0x000021bf' This particular issue has now been resolved. Note that there may still be other potential problems that occur when joining an older Windows DC. Signed-off-by: Tim Beale Reviewed-by: Andrew Bartlett (cherry picked from commit b3a2508f2ad79e2f1007464da7dbe918933038a0) --- source4/libnet/libnet_vampire.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/source4/libnet/libnet_vampire.c b/source4/libnet/libnet_vampire.c index 6167493..128d237 100644 --- a/source4/libnet/libnet_vampire.c +++ b/source4/libnet/libnet_vampire.c 
@@ -660,6 +660,15 @@ WERROR libnet_vampire_cb_store_chunk(void *private_data, return WERR_INVALID_PARAMETER; } + /* + * If the peer DC doesn't support GET_TGT (req v10), then the link + * targets are as up-to-date as they're ever gonna be. (Without this, + * cases where we'd normally retry with GET_TGT cause the join to fail) + */ + if (c->req_level < 10) { + dsdb_repl_flags |= DSDB_REPL_FLAG_TARGETS_UPTODATE; + } + if (req_replica_flags & DRSUAPI_DRS_CRITICAL_ONLY || is_exop) { /* * If we only replicate the critical objects, or this -- 2.7.4
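Review bot: the new `if (c->req_level < 10)` test in libnet_vampire_cb_store_chunk() sets DSDB_REPL_FLAG_TARGETS_UPTODATE on every chunk whenever the request level is below 10, so an unresolved link target no longer fails the join on that path, and the added comment does not say what happens to those targets instead. The commit message states that missing targets are still logged for the admin to fix up afterwards; it would help to put that in the code comment as well, so a reader of this function knows the join can complete with dangling links and where to look for them. The literal 10 is only tied to GET_TGT by the "(req v10)" remark in the comment, so a named constant for the GET_TGT request level would make the condition self-explanatory. The diffstat shows only libnet_vampire.c changed, so no test accompanies the fix; a join test against a peer limited to a request level below 10, checking both that the join succeeds and that the missing target is reported, would guard against a regression.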