mirror of
https://github.com/samba-team/samba.git
synced 2025-12-16 00:23:52 +03:00
python-drs: Add client-side debug and fallback for GET_ANC
Samba 4.5 and earlier will fail to do GET_ANC correctly and will not replicate non-critical parents of objects with isCriticalSystemObject=TRUE when DRSUAPI_DRS_CRITICAL_ONLY is set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This commit is contained in:
Andrew Bartlett
@@ -968,17 +968,53 @@ class DCJoinContext(object):
|
||||
destination_dsa_guid, rodc=ctx.RODC,
|
||||
replica_flags=ctx.replica_flags)
|
||||
if not ctx.subdomain:
|
||||
# Replicate first the critical object for the basedn
|
||||
if not ctx.domain_replica_flags & drsuapi.DRSUAPI_DRS_CRITICAL_ONLY:
|
||||
print("Replicating critical objects from the base DN of the domain")
|
||||
ctx.domain_replica_flags |= drsuapi.DRSUAPI_DRS_CRITICAL_ONLY
|
||||
# Replicate first the critical objects for the basedn
|
||||
|
||||
# We do this to match Windows. The default case is to
|
||||
# do a critical objects replication, then a second
|
||||
# with all objects.
|
||||
|
||||
print("Replicating critical objects from the base DN of the domain")
|
||||
try:
|
||||
repl.replicate(ctx.base_dn, source_dsa_invocation_id,
|
||||
destination_dsa_guid, rodc=ctx.RODC,
|
||||
replica_flags=ctx.domain_replica_flags)
|
||||
ctx.domain_replica_flags ^= drsuapi.DRSUAPI_DRS_CRITICAL_ONLY
|
||||
repl.replicate(ctx.base_dn, source_dsa_invocation_id,
|
||||
destination_dsa_guid, rodc=ctx.RODC,
|
||||
replica_flags=ctx.domain_replica_flags)
|
||||
replica_flags=ctx.domain_replica_flags | drsuapi.DRSUAPI_DRS_CRITICAL_ONLY)
|
||||
except WERRORError as e:
|
||||
|
||||
if e.args[0] == werror.WERR_DS_DRA_MISSING_PARENT:
|
||||
ctx.logger.warning("First pass of replication with "
|
||||
"DRSUAPI_DRS_CRITICAL_ONLY "
|
||||
"not possible due to a missing parent object. "
|
||||
"This is typical of a Samba "
|
||||
"4.5 or earlier server. "
|
||||
"We will replicate the all objects instead.")
|
||||
else:
|
||||
raise
|
||||
|
||||
# Now replicate all the objects in the domain (unless
|
||||
# we were run with --critical-only).
|
||||
#
|
||||
# Doing the replication of users as a second pass
|
||||
# matches more closely the Windows behaviour, which is
|
||||
# actually to do this on first startup.
|
||||
#
|
||||
# Use --critical-only if you want that (but you don't
|
||||
# really, it is better to see any errors here).
|
||||
if not ctx.domain_replica_flags & drsuapi.DRSUAPI_DRS_CRITICAL_ONLY:
|
||||
try:
|
||||
repl.replicate(ctx.base_dn, source_dsa_invocation_id,
|
||||
destination_dsa_guid, rodc=ctx.RODC,
|
||||
replica_flags=ctx.domain_replica_flags)
|
||||
except WERRORError as e:
|
||||
|
||||
if e.args[0] == werror.WERR_DS_DRA_MISSING_PARENT and \
|
||||
ctx.domain_replica_flags & drsuapi.DRSUAPI_DRS_CRITICAL_ONLY:
|
||||
ctx.logger.warning("Replication with DRSUAPI_DRS_CRITICAL_ONLY "
|
||||
"failed due to a missing parent object. "
|
||||
"This may be a Samba 4.5 or earlier server "
|
||||
"and is not compatible with --critical-only")
|
||||
raise
|
||||
|
||||
print("Done with always replicated NC (base, config, schema)")
|
||||
|
||||
# At this point we should already have an entry in the ForestDNS
|
||||
|
||||
Reference in New Issue
Block a user