Web lists-archives.com

Re: [Samba] samba_kcc RODC failes with NT_STATUS_ACCESS_DENIED




hi Andrej,

Yes, this is the correct fix:

> diff --git a/python/samba/kcc/__init__.py b/python/samba/kcc/__init__.py
> index 6f973ea..46689da 100644
> --- a/python/samba/kcc/__init__.py
> +++ b/python/samba/kcc/__init__.py
> @@ -1498,13 +1498,13 @@ class KCC(object):
>                               dsdb.NTDSSITELINK_OPT_DISABLE_COMPRESSION) != 0):
>                              cn.options |= \
>                                  dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
>                              cn.set_modified(True)
>  
>                      # Display any modified connection
> -                    if self.readonly:
> +                    if self.readonly or ldsa.is_ro():
>                          if cn.to_be_modified:
>                              logger.info("TO BE MODIFIED:\n%s" % cn)
>  
>                          ldsa.commit_connections(self.samdb, ro=True)
>                      else:
>                          ldsa.commit_connections(self.samdb)
> @@ -1582,13 +1582,13 @@ class KCC(object):
>                              dsdb.SYSTEM_FLAG_CONFIG_ALLOW_MOVE)
>  
>              cn = lbh.new_connection(opt, system_flags, transport,
>                                      rbh.dsa_dnstr, link_sched)
>  
>              # Display any added connection
> -            if self.readonly:
> +            if self.readonly or lbh.is_ro():
>                  if cn.to_be_added:
>                      logger.info("TO BE ADDED:\n%s" % cn)
>  
>                      lbh.commit_connections(self.samdb, ro=True)
>              else:
>                  lbh.commit_connections(self.samdb)
> 

Can you format it as a patch with a Signed-off-by and send it to
samba-technical?

The KCC can't really do much on an RODC (because it is read-only), but
it shouldn't crash here because of the few useful things it can do,
like tidy up the non-replicated repsFrom objects.

Samba has no automatic way of managing the replication links for
RODCs, and we are not really sure how Windows does it.

cheers,
Douglas

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba