Bug 8495 - fSMORoleOwner validation
Summary: fSMORoleOwner validation
Status: NEW
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Reported: 2011-09-27 22:57 UTC by Andrew Bartlett
Modified: 2016-06-01 06:51 UTC

Description Andrew Bartlett 2011-09-27 22:57:28 UTC
The MS-ADTS 3.1.1.5.3.1.2 FSMO Changes has details about what objectClass the fSMORoleOwner attribute can be set on.

We need to restrict setting this attribute to only these objectClasses (essentially, the fixed list of roles that we know about) and we need to ensure that the only DN that we can set it to is the current server's NTDS Settings object.
Comment 1 Andrew Bartlett 2012-04-23 01:44:23 UTC
We also need to ensure that it cannot become empty.
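The three checks requested in the description and in comment 1, sketched as an added example; this is not Samba code and was not posted by anyone on this bug. The role-holder class list, the function names and the sample DNs are assumptions (take the authoritative class list from MS-ADTS 3.1.1.5.3.1.2), and the DN comparison is simplified.

```python
# Assumed role-holder classes; confirm against MS-ADTS 3.1.1.5.3.1.2.
ROLE_HOLDER_CLASSES = {"domaindns", "dmd", "crossrefcontainer",
                       "ridmanager", "infrastructureupdate"}

def norm_dn(dn):
    """Simplified DN normalisation: case-fold, trim components.
    Does not handle escaped commas; a real check would use the DN parser."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_fsmo_change(object_classes, current_owner, mods, own_ntds_dn):
    """Validate an LDAP modify against the fSMORoleOwner rules.

    mods is a list of (op, attr, values) with op in add/replace/delete.
    Returns None if acceptable, otherwise a reason string.
    """
    values = [current_owner] if current_owner else []
    touched = False
    for op, attr, vals in mods:
        if attr.lower() != "fsmoroleowner":
            continue
        touched = True
        if op == "replace":
            values = list(vals)
        elif op == "add":
            values = values + list(vals)
        elif op == "delete":
            # A delete with no values removes the whole attribute.
            gone = {norm_dn(v) for v in vals}
            values = [v for v in values if vals and norm_dn(v) not in gone]
    if not touched:
        return None
    if not {c.lower() for c in object_classes} & ROLE_HOLDER_CLASSES:
        return "objectClass may not carry fSMORoleOwner"
    if not values:
        return "fSMORoleOwner would become empty"
    if len(values) != 1 or norm_dn(values[0]) != norm_dn(own_ntds_dn):
        return "fSMORoleOwner must be this server's NTDS Settings object"
    return None

# Constructed sample DNs for illustration only.
_SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
OWN = "CN=NTDS Settings,CN=DC1," + _SITE
OTHER = "CN=NTDS Settings,CN=DC2," + _SITE
```

The function evaluates the attribute's final state after all modifications in the request, so a delete followed by an add in the same modify is judged as one change.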
Comment 2 Matthias Dieter Wallnöfer 2015-02-26 17:52:33 UTC
Andrew, I am unsure if something has been done in this direction. I am re-assigning back to the default assignee since I am not active in Samba atm.