Bug 12399 - replmd_update_rpmd_rdn_attr doesn't normalize rdn attribute name
Summary: replmd_update_rpmd_rdn_attr doesn't normalize rdn attribute name
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.5.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
: 12302 (view as bug list)
Depends on:
Reported: 2016-10-30 22:53 UTC by Stefan Metzmacher
Modified: 2018-01-26 16:20 UTC (History)
6 users (show)

See Also:

Part1 patch for master (1.52 KB, text/plain)
2016-10-30 23:26 UTC, Stefan Metzmacher
no flags Details
Work in progress patches including dbcheck support (untested!) (33.32 KB, patch)
2016-11-11 15:02 UTC, Stefan Metzmacher
no flags Details
Patch for v4-5-test (1.72 KB, patch)
2017-01-27 09:47 UTC, Stefan Metzmacher
slow: review+
metze: review? (abartlet)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2016-10-30 22:53:21 UTC
Incoming replicated object are missing an explicit rdn attribute,
so the receiving server needs to generate the attribute, using
the dn and name attribute.

The following commit was meant to fix that:

commit 374a01119dac8d1b04f8d43caf6e119be654e2dc
Author: Andrew Bartlett <abartlet@samba.org>
Date:   Wed May 25 14:49:31 2016 +1200

    dsdb: Fix rename and RDN handling for replPropertyMetaData
    This matches Windows 2012R2, which both has the RDN not sorted last and has it updated with the local
    invocation_id and a local version.
    The RDN attribute, unlike name, is not replicated over DRS, so the impact for interopability extends only to
    the incorrect RDN values that we were finding with dbcheck (values that did not match the name values).
    Finally, we always force the RDN to match the name attribute, which avoids issues
    in dbcheck where these diverge.  As such, we can finally remove dbcheck as a
    flapping test, last re-added in e4bab3a8282d263eb2391bc7e8a6fd64ae068935
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>

But it uses the raw RDN attribute name from the dn.

For CN=Users,DC=example,DC=com it will
add "CN: Users", but it should normalize the name
via the schema and add 'cn: Users' instead.

We'll need a code change and some dbcheck magic to fix broken databases.
Comment 1 Stefan Metzmacher 2016-10-30 23:26:57 UTC
Created attachment 12611 [details]
Part1 patch for master
Comment 2 Andrew Bartlett 2016-10-30 23:46:09 UTC
(In reply to Stefan Metzmacher from comment #1)

This looks like a very reasonable way to fix that.
Comment 3 Stefan Metzmacher 2016-11-11 07:04:09 UTC
*** Bug 12302 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Metzmacher 2016-11-11 15:02:40 UTC
Created attachment 12655 [details]
Work in progress patches including dbcheck support (untested!)

For now use "Part1 patch for master" on production systems to avoid
the problem in the first place.
Comment 5 Andrew Bartlett 2016-12-01 18:31:20 UTC
(In reply to Stefan Metzmacher from comment #4)
Is the primary issue here the lack of tests for the dbcheck work, or is this otherwise still a WIP?

I may be able to help with dbcheck testing, as I've done a fair bit of that recently.
Comment 6 Stefan Metzmacher 2016-12-01 18:58:36 UTC
(In reply to Andrew Bartlett from comment #5)

It's work in progress it misses this:

TODO: we should do this fix up after a possible rename
     via self.err_wrong_dn(), that rename is more important
     and may already fix the problem...
Comment 7 Andrew Bartlett 2016-12-09 08:40:52 UTC
Attachment #12611 [details] (Part1 patch for master) I pushed to autobuild and it is in master as ec0297bbd0110f8bfddda2e21d94a882094d1c11.
Comment 8 Stefan Metzmacher 2017-01-27 09:47:33 UTC
Created attachment 12853 [details]
Patch for v4-5-test
Comment 9 Ralph Böhme 2017-01-27 09:52:14 UTC
Reassigning to Karolin for inclusion in 4.5.

Please resassing to metze after pushing to 4.5, so he can pursue with the dbcheck fixes.
Comment 10 Stefan Metzmacher 2017-01-27 09:52:40 UTC
(In reply to Ralph Böhme from comment #9)

Pushed to autobuild-v4-5-test
Comment 11 Karolin Seeger 2017-02-01 11:31:52 UTC
(In reply to Stefan Metzmacher from comment #10)
Pushed to v4-5-test.
Closing out bug report.

Comment 12 Ralph Böhme 2018-01-26 16:20:31 UTC
Reopening and assigning to metze as per my comment #9.