Denis Cardon | 22 Nov 18:49 2014

ldbedit and backllinked attributes computation

Hi all,

lately I have been doing some more DC/RODC ldap cleansing. In one RODC I 
had one reference to an old DC in the msDS-IsFullReplicaFor on the 
dc=ForestDnsZones,dc=mydomain,dc=local entry (a demoted DC with the 
\0ADEL flag). I saw this discrepancy throught the ldapcmp utility, the 
source DC is clean (after some work), but it seems like it was not 
properly propataged to the RODC for some reasons.

I realise it would be simpler to just re-join the RODC or try a 
--sync-force, but I thought it was a good opportunity to look deeper in 
the subject before doing a full resync.

Since this msDS-IsFullReplicaFor attribute is back link for 
msDS-hasFullReplicaNCs, ApacheDirectoryStudio or ldbedit don't want to 
delete the msDS-IsFullReplicaFor attribute, which if sounds like normal 

If I just delete the \0DEL entry with ldbdel, the backlink is not 
updated, even after a restart. So my question is how and when are 
triggered the backlink computation?




Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
(Continue reading)

Christof Schmitt | 21 Nov 22:52 2014

[PATCH] debug: Print header when logging to stdout

This patch changes the debug code, so that the header is always printed.
I find this useful for debugging interactive commands with -d10. Always
having the debug header in the output would also make the explicit
function name in the debug message obsolete.

I assume that there is a historical reason for the behavior in the debug
code; does anybody know why the debug code behaves differently for
stdout and logging to a file?

From c3f9fcde891dcfb41468292d99f6ee112c149d6c Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs <at>>
Date: Fri, 21 Nov 2014 14:44:38 -0700
Subject: [PATCH] debug: Print header when logging to stdout

Having the source line of the error messages helps debugging interactive

Signed-off-by: Christof Schmitt <cs <at>>
 lib/util/debug.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

diff --git a/lib/util/debug.c b/lib/util/debug.c
index 750ad25..31a203b 100644
--- a/lib/util/debug.c
+++ b/lib/util/debug.c
 <at>  <at>  -969,11 +969,6  <at>  <at>  bool dbghdrclass(int level, int cls, const char *location, const char *func)
(Continue reading)

Jeremy Allison | 21 Nov 19:20 2014

Re: Latest leases patchset - getting there !

On Thu, Nov 20, 2014 at 04:48:23PM -0800, Jeremy Allison wrote:
> On Tue, Nov 18, 2014 at 04:15:02PM -0800, Jeremy Allison wrote:
> > 
> > I tidied up this code. Here is the complete patchset
> > I'm working with that goes on top of master (for
> > OEMs who might be following along :-).
> > 
> > It includes extra tests for dynamic shares,
> > leases+writes and leases+byte range locks.
> > 
> > I'll do full make tests's tomorrow, and I
> > thought you had some more work you wanted
> > to do on and
> >, but other than that
> > I think we need to start merging this into
> > a patchset we can apply on master soon.
> > 
> > After all we don't want to slip 4.2rc3
> > again do we :-) :-).

OK, I'm testing breaking4 by removing
the commented out code, and testing
directly against W2K12.

W2K12 doesn't do what the test expects
it to do so I need to understand what
you're trying to test here. Your code

Create LEASE1(R)		->
(Continue reading)

Jelmer Vernooij | 21 Nov 16:55 2014

[PATCH] Clean up more whitespace.

From: Guy Harris <guy <at>>

Reviewed-By: Jelmer Vernooij <jelmer <at>>
Signed-Off-By: Jelmer Vernooij <jelmer <at>>
 pidl/lib/Parse/Pidl/Wireshark/ | 10 +++++-----
 pidl/tests/                           |  2 +-
 pidl/tests/                 |  2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/pidl/lib/Parse/Pidl/Wireshark/ b/pidl/lib/Parse/Pidl/Wireshark/
index f658831..b81cf5e 100644
--- a/pidl/lib/Parse/Pidl/Wireshark/
+++ b/pidl/lib/Parse/Pidl/Wireshark/
 <at>  <at>  -59,7 +59,7  <at>  <at>  Register a custom ett field
 =item I<STRIP_PREFIX> prefix

 Remove the specified prefix from all function names (if present).
 =item I<PROTOCOL> longname shortname filtername

 Change the short-, long- and filter-name for the current interface in
 <at>  <at>  -363,11 +363,11  <at>  <at>  sub handle_include

 my %field_handlers = (
 	TYPE => \&handle_type,
-	NOEMIT => \&handle_noemit, 
+	NOEMIT => \&handle_noemit,
 	MANUAL => \&handle_manual,
(Continue reading)

Ralph Böhme | 21 Nov 15:02 2014

[PATCH] two fixes for vfs_streams_xattr

Hi all,

attached are some fixes for vfs_streams_xattr.

0001: I broke it, I fix it (hopefully), see the commit message for
details. :/

0002: should be obvious

0003 adds a check for stream types that was missing which resulted in
a smb2.streams.names failure. The fix was shamelessly stolen from

Please review and push if ok.

We need these in 4.2 too, at least 0001.



SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen,mailto:kontakt <at>
From 6bb7bf107c066378a75c5bcb218cf7877769f90c Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow <at>>
Date: Thu, 20 Nov 2014 16:33:22 +0100
(Continue reading)

Amitay Isaacs | 21 Nov 11:31 2014

Re: posix locking on OCFS2

[Changed subject line]

On Fri, Nov 21, 2014 at 1:08 PM, Chan Min Wai <dcmwai <at>> wrote:

> Dear Martin,
> Since we have touch the lock.
> I've some experience with it where I'd lock are define.
> I point the lock to the shared ocfs2 cluster.
> CTDB Will not start and kept on asking for lock.
> Which is something I'm not sure.
> I follow this guide.
> The different is that my ocfs2 are shared storage between the 2 node and
> thus no Drbd.
> Does the lock really work on this scenario?
> Thank you.
> Ps sorry to cut in as such.
> Regards,
> Min Wai, Chan
(Continue reading)

Richard Sharpe | 20 Nov 18:47 2014

Why would ctdb need to be in no-lmaster or no-recmaster modes?

Hi folks,

I am trying to understand ctdb more and wonder why we need those two
flags/capabilities in ctdb.

Richard Sharpe
Andreas Schneider | 20 Nov 10:26 2014

[PATCH 0/4] Build fixes

Here are some patches which fix build errors on my system and correctly
enables some libraries only in the AD DC build.;a=shortlog;h=refs/heads/master-waf

Andreas Schneider (4):
  dfs_server: Only build in case we build an AD DC too.
  dns_server: Only build common library if AD DC is enabled.
  ldb-samba: Only build extensions and ildap if we build the AD DC.
  ntdb: Fix control reaches end of non-void function.

 dfs_server/wscript_build             | 4 ++--
 lib/ldb-samba/wscript_build          | 6 ++++--
 lib/ntdb/test/run-01-new_database.c  | 6 ++++++
 lib/ntdb/test/run-02-expand.c        | 6 ++++++
 lib/ntdb/test/run-05-readonly-open.c | 6 ++++++
 lib/ntdb/test/run-10-simple-store.c  | 6 ++++++
 lib/ntdb/test/run-11-simple-fetch.c  | 6 ++++++
 lib/ntdb/test/run-12-check.c         | 6 ++++++
 lib/ntdb/test/run-35-convert.c       | 6 ++++++
 lib/ntdb/test/run-capabilities.c     | 6 ++++++
 source4/dns_server/wscript_build     | 2 +-
 11 files changed, 55 insertions(+), 5 deletions(-)



Andreas Schneider | 20 Nov 09:50 2014

TEST: samba4.blackbox.dbcheck.release-4-0-0 fails


could someone shed some light on what this test is looking for? This test is 
failing for me on master.

UNEXPECTED(failure): samba4.blackbox.dbcheck.release-4-0-0.ldapcmp(none)
REASON: _StringException: _StringException: 
* Place-holders for 
    ${DOMAIN_DN}      => DC=release-4-0-0,DC=samba,DC=corp
    ${SERVER_NAME}     => ['ARES']
    ${DOMAIN_NAME}    => release-4-0-0.samba.corp

* Place-holders for 
    ${DOMAIN_DN}      => DC=release-4-0-0,DC=samba,DC=corp
    ${SERVER_NAME}     => ['ARES']
    ${DOMAIN_NAME}    => release-4-0-0.samba.corp

* Comparing [DOMAIN] context...

* Objects to be compared: 206

(Continue reading)

Dewayne Geraghty | 20 Nov 08:29 2014

CVE-2014-6324 issued against Microsoft's handling of KDC PAC's.

Does Samba4 handle PAC validation in the same way that Windows 2008/2003
servers, and if so, is samba4/Lorikeet also vulnerable to elevation of
privileges due to the handling of PAC validation of service tickets?

Using this as my starting

I started to look at the code, but if I saw an elephant in the room, I
wouldn't recognise it.


Regards, Dewayne

Günter Kukkukk | 20 Nov 05:32 2014

[Solved] Samba with internal dns server does not replicate DomainDnsZones and ForestDnsZones to win2008r2

Hi all,

some days ago nick "xdexter" on IRC-channel #samba brought this
to my attention:
When a samba server with internal dns server is joined to
a win2008r2 server, DomainDnsZones and ForestDnsZones are *not*
replicated (outbound) from samba to w2008r2.

In the reverse direction all is fine!

I atm have a setup with 3 AD DCs joined to a domain
  - samba with DLZ module
  - samba with internal DNS server
  - w2008r2

I saw the same strange behavior.
All replications were done pretty well in both directions
(inbound / outbound), BUT the samba server with internal dns
server was *not* replicating (outbound) DomainDnsZones and
ForestDnsZones to win2008r2! (only these 2 were missing)

On IRC I talked with ekacnet about this phenomenon and he told
me that DomainDnsZones and ForestDnsZones are special, because
both are "application partitions".
He said, that one can enable those application partitions for
replication and he will have a look, which (python) commands
can be used for that...

Nick "xdexter" posted a solution for this using MS tool ntdsutil.

(Continue reading)