As described in the MS-ADTS 3.1.1.3.4.1.12 LDAP_SERVER_SEARCH_OPTIONS_OID http://msdn.microsoft.com/en-us/library/cc223324.aspx we must not search the application NCs when we use the SERVER_SEARCH_FLAG_PHANTOM_ROOT (--cross-ncs) flag. "For AD DS, instructs the server to search all NC replicas except application NC replicas that are subordinate to the search base, even if the search base is not instantiated on the server. For AD LDS, the behavior is the same except that it also includes application NC replicas in the search. For AD DS and AD LDS, this will cause the search to be executed over all NC replicas (except for application NCs on AD DS DCs) held on the DC that are subordinate to the search base. This enables search bases such as the empty string, which would cause the server to search all of the NC replicas (except for application NCs on AD DS DCs) that it holds."
If we fix this, we will need to add our own control that re-implements the current meaning, and change all the internal callers (and the --cross-ncs parameter) to use that one. In particular, the extended_dn_in module would need this to find a GUID-based DN, even if it is in the application partition.
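As an added illustration of the control semantics quoted above (this is not code from the bug report, from Samba or from the spec), the following Python models the LDAP_SERVER_SEARCH_OPTIONS_OID control value and the NC-selection rule from MS-ADTS 3.1.1.3.4.1.12: the OID and the flag values (DOMAIN_SCOPE = 1, PHANTOM_ROOT = 2) are those documented by Microsoft, while the DC's NC inventory, the function names and the simplified DN comparison are assumptions made for the example. It shows the difference between AD DS (application NCs excluded) and AD LDS (application NCs included) for the empty search base, which is exactly the behaviour this bug is about.

```python
# Added example, not Samba code: DER encoding of the SearchOptions control value
# (SearchOptionsRequestValue ::= SEQUENCE { Flags INTEGER }) and a model of which
# NC replicas a DC searches when SERVER_SEARCH_FLAG_PHANTOM_ROOT is set.
# OID and flag values are from MS-ADTS; the NC inventory below is constructed.

LDAP_SERVER_SEARCH_OPTIONS_OID = "1.2.840.113556.1.4.1340"
SERVER_SEARCH_FLAG_DOMAIN_SCOPE = 0x1
SERVER_SEARCH_FLAG_PHANTOM_ROOT = 0x2   # what ldb's --cross-ncs requests


def _der_len(n):
    # DER length octets (short form below 128, long form otherwise)
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    # minimal two's-complement INTEGER; flags are small non-negative ints
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return b"\x02" + _der_len(len(body)) + body


def encode_search_options(flags):
    """DER-encode SearchOptionsRequestValue for the LDAP control."""
    inner = _der_integer(flags)
    return b"\x30" + _der_len(len(inner)) + inner


def decode_search_options(value):
    """Parse the control value back into its flags (short-form lengths only)."""
    if len(value) < 5 or value[0] != 0x30 or value[2] != 0x02:
        raise ValueError("not a SearchOptionsRequestValue")
    ilen = value[3]
    body = value[4:4 + ilen]
    if value[1] != ilen + 2 or len(body) != ilen:
        raise ValueError("length mismatch in SearchOptionsRequestValue")
    return int.from_bytes(body, "big", signed=True)


def _dn_components(dn):
    # simplified splitter: the sample DNs contain no escaped commas (assumption)
    return [c.strip().lower() for c in dn.split(",")] if dn else []


def is_subordinate(dn, base):
    """True if dn equals base or lies below it; the empty base matches every DN."""
    d, b = _dn_components(dn), _dn_components(base)
    return not b or (len(d) >= len(b) and d[-len(b):] == b)


# Constructed inventory of NC replicas held by one AD DS/AD LDS server:
# (NC head DN, kind) with kind in {"domain", "config", "schema", "application"}.
DC_NCS = [
    ("DC=example,DC=com", "domain"),
    ("CN=Configuration,DC=example,DC=com", "config"),
    ("CN=Schema,CN=Configuration,DC=example,DC=com", "schema"),
    ("DC=DomainDnsZones,DC=example,DC=com", "application"),
    ("DC=ForestDnsZones,DC=example,DC=com", "application"),
]


def searched_ncs(held_ncs, base, ds_type, flags):
    """Model of MS-ADTS 3.1.1.3.4.1.12: which held NC replicas a search visits.

    ds_type is "AD DS" or "AD LDS". Without PHANTOM_ROOT only the NC that
    contains the base is searched; with it, every held NC subordinate to the
    base is searched, except application NCs on an AD DS DC.
    """
    if not flags & SERVER_SEARCH_FLAG_PHANTOM_ROOT:
        containing = [dn for dn, _ in held_ncs if is_subordinate(base, dn)]
        # the base lives in the deepest NC head that is its ancestor (none if not held)
        if not containing:
            return []
        return [max(containing, key=lambda dn: len(_dn_components(dn)))]
    return [dn for dn, kind in held_ncs
            if is_subordinate(dn, base)
            and not (ds_type == "AD DS" and kind == "application")]


if __name__ == "__main__":
    value = encode_search_options(SERVER_SEARCH_FLAG_PHANTOM_ROOT)
    print(LDAP_SERVER_SEARCH_OPTIONS_OID, value.hex())
    for ds in ("AD DS", "AD LDS"):
        print(ds, searched_ncs(DC_NCS, "", ds, SERVER_SEARCH_FLAG_PHANTOM_ROOT))
```

With the empty base and PHANTOM_ROOT the model returns the domain, Configuration and Schema NCs on an AD DS server, and all five NCs on AD LDS; the comment above in the thread is that Samba's current behaviour (and therefore what extended_dn_in relies on to resolve GUID DNs in application partitions) corresponds to the AD LDS column, not the AD DS one.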
Any news on this one?
The following problem and patches are related to this bug: https://lists.samba.org/archive/samba-technical/2015-February/105545.html
*** This bug has been marked as a duplicate of bug 11929 ***
*** This bug has been marked as a duplicate of bug 11292 ***