From e4001a78c1d0b286b37e19c733cf1bbc18166818 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 18 Jul 2012 17:13:30 +1000
Subject: dsdb: Allocate new OID to allow updates of a read-only replica
Normally this would be a very bad idea, but the specific case of fixing the instanceType is the only case where this makes sense. Andrew Bartlett
---
 source4/dsdb/pydsdb.c | 1 +
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 12 ++++++++----
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 3 ++-
 source4/dsdb/samdb/samdb.h | 3 +++
 source4/setup/schema_samba4.ldif | 1 +
 5 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c
index f63d71e2d0..b9e1dd742c 100644
--- a/source4/dsdb/pydsdb.c
+++ b/source4/dsdb/pydsdb.c
@@ -1269,6 +1269,7 @@ void initdsdb(void)
 ADD_DSDB_STRING(DSDB_SYNTAX_STRING_DN);
 ADD_DSDB_STRING(DSDB_SYNTAX_OR_NAME);
 ADD_DSDB_STRING(DSDB_CONTROL_DBCHECK);
+ ADD_DSDB_STRING(DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA);
 ADD_DSDB_STRING(DS_GUID_COMPUTERS_CONTAINER);
 ADD_DSDB_STRING(DS_GUID_DELETED_OBJECTS_CONTAINER);
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index e50c8e2369..c521f332ae 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -408,10 +408,14 @@ static int attr_handler2(struct oc_context *ac)
 found = str_list_check(harmless_attrs, attr->lDAPDisplayName);
 }
 if (!found) {
- ldb_asprintf_errstring(ldb, "objectclass_attrs: attribute '%s' on entry '%s' does not exist in the specified objectclasses!",
- msg->elements[i].name,
- ldb_dn_get_linearized(msg->dn));
- return LDB_ERR_OBJECT_CLASS_VIOLATION;
+ /* we allow this for dbcheck to fix the rest of this broken entry */
+ if (!ldb_request_get_control(ac->req, DSDB_CONTROL_DBCHECK) ||
+ ac->req->operation == LDB_ADD) {
+ ldb_asprintf_errstring(ldb, "objectclass_attrs: attribute '%s' on entry '%s' does not exist in the specified objectclasses!",
+ msg->elements[i].name,
+ ldb_dn_get_linearized(msg->dn));
+ return LDB_ERR_OBJECT_CLASS_VIOLATION;
+ }
 }
 }
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 1dc7ea057c..6f26299c6a 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -1391,7 +1391,8 @@ static int replmd_update_rpmd(struct ldb_module *module,
 struct ldb_message_element *el;
 /*if we are RODC and this is a DRSR update then its ok*/
- if (!ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) {
+ if (!ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)
+ && !ldb_request_get_control(req, DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA)) {
 unsigned instanceType;
 ret = samdb_rodc(ldb, rodc);
diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h
index 5422218059..c4cb3bdb48 100644
--- a/source4/dsdb/samdb/samdb.h
+++ b/source4/dsdb/samdb/samdb.h
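Review bot: The relaxed branch in attr_handler2 is gated on the general `DSDB_CONTROL_DBCHECK` control, so any non-add request carrying that control can now store attributes that the entry's objectclasses do not allow, and it does so silently. Nothing visible in this hunk ties the bypass to a trusted caller or to the read-only-replica repair named in the commit subject; if that restriction is enforced elsewhere, the comment should say so, e.g. `/* dbcheck only: tolerate the stray attribute on modify so the entry can be repaired; adds are still rejected */`. The condition would also read more directly as `if (ac->req->operation == LDB_ADD || !ldb_request_get_control(ac->req, DSDB_CONTROL_DBCHECK))`. The function body continues outside the hunk.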
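Review bot: `DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA` skips the guarded block in replmd_update_rpmd (which appears to hold the RODC/instanceType write check) for whatever the request modifies, while the commit message says fixing instanceType is the only case where that is acceptable. Consider honouring the control only when the message touches nothing but instanceType and rejecting it otherwise, so a request carrying the OID cannot write other attributes to a read-only replica. The hunk does not show where the control is limited to privileged or local callers, so that is worth confirming as well. The comment above the test is now stale and could become `/* a DRSR update, or dbcheck's instanceType repair, may modify a read-only replica */`. The function starts and ends outside the hunk.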
@@ -122,6 +122,9 @@ struct dsdb_control_password_change {
 /* passed when we want special behaviour for dbcheck */
 #define DSDB_CONTROL_DBCHECK "1.3.6.1.4.1.7165.4.3.19"
+/* passed when dbcheck wants to modify a read only replica (very special case) */
+#define DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA "1.3.6.1.4.1.7165.4.3.19.1"
+
 /* passed when importing plain text password on upgrades */
 #define DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID "1.3.6.1.4.1.7165.4.3.20"
diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif
index 3d004c5ab1..0c5c7872e3 100644
--- a/source4/setup/schema_samba4.ldif
+++ b/source4/setup/schema_samba4.ldif
@@ -194,6 +194,7 @@
 #Allocated: DSDB_CONTROL_NO_GLOBAL_CATALOG 1.3.6.1.4.1.7165.4.3.17
 #Allocated: DSDB_CONTROL_PARTIAL_REPLICA 1.3.6.1.4.1.7165.4.3.18
 #Allocated: DSDB_CONTROL_DBCHECK 1.3.6.1.4.1.7165.4.3.19
+#Allocated: DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA 1.3.6.1.4.1.7165.4.3.19.1
 #Allocated: DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID 1.3.6.1.4.1.7165.4.3.20
 # Extended 1.3.6.1.4.1.7165.4.4.x
-- cgit
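Review bot: The comment on `DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA` in samdb.h says only "very special case", which gives a later caller no hint of how narrow the intended use is. The contract belongs where the OID is defined, for example `/* passed by dbcheck to bypass the read-only replica check in repl_meta_data; only for repairing instanceType */`.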