1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00

s4:drsuapi:getncchanges: allow 0 reserved_usn reply

Azure AD will set reserved_usn to zero when we expect it to be
the number we gave them.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15701

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <josutton@catalyst.net.nz>
This commit is contained in:
Douglas Bagnall 2024-08-07 17:25:30 +12:00 committed by Douglas Bagnall
parent 5ef2701903
commit 7a623d8d56
2 changed files with 61 additions and 15 deletions

View File

@ -1,5 +0,0 @@
^samba4.drs.getncchanges.python\(vampire_dc\).getncchanges.DrsReplicaSyncFakeAzureAdTests.test_repl_get_tgt_multivalued_links\(vampire_dc\)
^samba4.drs.getncchanges.python\(vampire_dc\).getncchanges.DrsReplicaSyncFakeAzureAdTests.test_repl_integrity\(vampire_dc\)
^samba4.drs.getncchanges.python\(vampire_dc\).getncchanges.DrsReplicaSyncFakeAzureAdTests.test_repl_integrity_link_attr\(vampire_dc\)
^samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncFakeAzureAdTests.test_repl_integrity\(promoted_dc\)
^samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncFakeAzureAdTests.test_repl_integrity_link_attr\(promoted_dc\)

View File

@ -3029,6 +3029,56 @@ allowed:
ret = drsuapi_DsReplicaHighWaterMark_cmp(&getnc_state->last_hwm,
&req10->highwatermark);
if (ret != 0) {
if (req10->highwatermark.reserved_usn == 0) {
/*
* Entra ID Connect / Azure AD is known to set
* reserved_usn to zero in replies, when we
* were expecting it to be returned unchanged
* (it is supposed to be an opaque cookie).
*
* If the only difference is in the
* reserved_usn, and it is 0 on the return, we
* assume it is Azure AD and treat the
* highwatermarks as equal.
*/
req10->highwatermark.reserved_usn =
getnc_state->last_hwm.reserved_usn;
ret = drsuapi_DsReplicaHighWaterMark_cmp(
&getnc_state->last_hwm,
&req10->highwatermark);
/* put things as they were */
req10->highwatermark.reserved_usn = 0;
if (ret != 0) {
/* we will start again */
DBG_ERR("DsGetNCChanges 2nd replication "
"on DN %s %s highwatermark "
"(last_dn %s) after Azure AD "
"reserved_usn adjustment\n",
ldb_dn_get_linearized(
getnc_state->ncRoot_dn),
(ret > 0) ? "older" : "newer",
ldb_dn_get_linearized(
getnc_state->last_dn));
TALLOC_FREE(getnc_state);
b_state->getncchanges_full_repl_state =
NULL;
} else {
/* log and continue as normal */
DBG_NOTICE(
"DsGetNCChanges 2nd replication "
"on DN %s: highwatermark "
"matches only after Azure AD "
"reserved_usn adjustment "
"(last_dn %s)\n",
ldb_dn_get_linearized(
getnc_state->ncRoot_dn),
ldb_dn_get_linearized(
getnc_state->last_dn));
}
} else {
DBG_ERR("DsGetNCChanges 2nd replication "
"on DN %s %s highwatermark "
"(last_dn %s)\n",
@ -3041,6 +3091,7 @@ allowed:
b_state->getncchanges_full_repl_state = NULL;
}
}
}
/*
* This is either a new replication cycle, or an extended