Bug 15701 - More possible replication loops against Azure AD
Summary: More possible replication loops against Azure AD
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.20.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-08-28 04:14 UTC by Douglas Bagnall
Modified: 2025-01-13 01:02 UTC (History)
2 users (show)

See Also:

Attachments
patch for 4.21 (22.55 KB, patch)
2024-12-17 22:18 UTC, Douglas Bagnall 		abartlet: review+
dbagnall: ci-passed+
Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Douglas Bagnall 2024-08-28 04:14:57 UTC 
During replication cycles the client and server exchange highwatermark objects, one member of which is reserved_usn, which the Samba server uses as a sort of auxiliary cookie to ensure each highwatermark is unique. It expects the client (normally another DC) to use a request highwatermark with the reserved_usn unchanged.

Unfortunately what Entra ID Connect does is set reserved_usn to zero, which Samba sometimes interprets as a request to start again from the beginning, causing an eternal loop. It used to be much easier to get into this loop, prior to the fixes for fixes for https://bugzilla.samba.org/show_bug.cgi?id=15401 (in particular 79ca6ef2).

In https://gitlab.com/samba-team/samba/-/merge_requests/3757 we have patches that cover off the final case where there are a lot of links and other parts of the highwatermark might not change. Effectively the logic is changed to accept (reserved_usn == the_expected_value || reserved_usn == 0).

This bug is to facilitate backport.
Comment 1 Samba QA Contact 2024-08-28 05:40:11 UTC 
This bug was referenced in samba master:

4b4a7c3fd465267c43d9586ab79ca8f84c0cad24
796e92a530004406dcb3fea33f54833c722480a0
67c7609ab755291de27c620120a1c71b557452e4
2e1ccb35239fc6fe129c943bb7305bd4612d72d7
5ef27019033fd73decd111f9426e7f8982cbb806
7a623d8d5626b4e6c88ffb85e36f0934d89ed830
44a478038b6ec78aaec832d9dbde7fa6b2cdd639
7dac035896b368bf3a86acf58260eef39d195d19
Comment 2 Douglas Bagnall 2024-12-17 22:18:00 UTC 
Created attachment 18512 [details]
patch for 4.21
Comment 3 Andrew Bartlett 2024-12-19 04:50:11 UTC 
Comment on attachment 18512 [details]
patch for 4.21

Looks good, I didn't get to see this when it went for first review into master, but I really like both the code fix and the testing approach.
Comment 4 Andrew Bartlett 2024-12-19 04:50:48 UTC 
Assigning to Jule for 4.21
Comment 5 Jule Anger 2024-12-19 08:42:29 UTC 
Pushed to autobuild-v4-21-test.
Comment 6 Samba QA Contact 2024-12-19 10:14:20 UTC 
This bug was referenced in samba v4-21-test:

9b7f1ce151ba24804f337d24de71965c6b8eccc7
ec6263a3f0e5cd1c50f460aea9a85562d6e9e500
b43b7a9ac1bc2a75064c0261b81fc18275bfd482
9954fd8994ff72c4c3f0dd7bb8b8aab93c1e23e7
6c66d01c6df1010a85ea96e5d7a41cc4965b581b
28626e763eef4642d02024d0d28b2235a2cba826
5842ec1d0565f62b28c66534606823731c73d33e
884500cb316c80c9a530756e6aa73ff77b8973a3
Comment 7 Jule Anger 2024-12-19 10:37:59 UTC 
Closing out bug report.

Thanks!
Comment 8 Samba QA Contact 2025-01-06 15:34:11 UTC 
This bug was referenced in samba v4-21-stable (Release samba-4.21.3):

9b7f1ce151ba24804f337d24de71965c6b8eccc7
ec6263a3f0e5cd1c50f460aea9a85562d6e9e500
b43b7a9ac1bc2a75064c0261b81fc18275bfd482
9954fd8994ff72c4c3f0dd7bb8b8aab93c1e23e7
6c66d01c6df1010a85ea96e5d7a41cc4965b581b
28626e763eef4642d02024d0d28b2235a2cba826
5842ec1d0565f62b28c66534606823731c73d33e
884500cb316c80c9a530756e6aa73ff77b8973a3