Bug 13004 - objectSID can be not-unique in AD due to conflict resolution
Summary: objectSID can be not-unique in AD due to conflict resolution
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.7.0rc5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
 
Reported: 2017-08-31 03:55 UTC by Andrew Bartlett
Modified: 2019-07-31 08:54 UTC

Attachments
a possible solution (569 bytes, patch)
2017-08-31 03:55 UTC, Andrew Bartlett
no flags
patch for master by Gary (37.33 KB, patch)
2017-11-30 03:36 UTC, Andrew Bartlett
no flags

Description Andrew Bartlett 2017-08-31 03:55:45 UTC
Created attachment 13522
a possible solution

If there is conflict resolution on a foreignSecurityPrincipal, that can cause a unique index constraint on objectSID, as both the original and conflict object exist at the same time. Deleting the conflict object doesn't help, as the deleted object is still in the index.
Comment 1 Andrew Bartlett 2017-11-30 03:36:41 UTC
Created attachment 13826
patch for master by Gary
Comment 2 Stefan Metzmacher 2019-07-31 08:54:36 UTC
Fixed as 704bbae25c07c08c051a66ae0a83fb5abda373f1 for 4.8.0