Fix Domain Trust creation with Windows 2008 (and many other tools)
author Andrew Bartlett <abartlet@samba.org>
Fri, 3 Oct 2008 23:25:59 +0000 (16:25 -0700)
committer Andrew Bartlett <abartlet@samba.org>
Mon, 6 Oct 2008 21:16:29 +0000 (14:16 -0700)
A dITContentRules attribute (unlike objectClasses) must not contain a
'SUP'.

The ADSI layer in Windows would download the whole schema, and
validate it.  Thanks to the team at Microsoft for a very long debugging
session to find this.

Andrew Bartlett

source4/dsdb/schema/schema_description.c

index 6884c5284e4d74614279fb64c84fd0bad5685f05..e152f44b9751d7785d19ed54e32938d94fa6431a 100644 (file)
@@ -309,7 +309,11 @@ char *schema_class_to_dITContentRule(TALLOC_CTX *mem_ctx, const struct dsdb_clas
                                           class->lDAPDisplayName,
                                           (const char **)aux_class_list,
                                           NULL, 
-                                          class->subClassOf,
+                                          NULL, /* Must not specify a
+                                                 * SUP (subclass) in
+                                                 * ditContentRules
+                                                 * per MS-ADTS
+                                                 * 3.1.1.3.1.1.1 */
                                           -1, must_attr_list, may_attr_list);
        talloc_free(tmp_ctx);
        return schema_description;
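
Review bot: the new NULL in the schema_class_to_dITContentRule() call sits directly after another bare positional NULL on the unchanged line above it, and only the new one is explained, so the call site still does not show which argument each NULL fills. Consider moving the MS-ADTS 3.1.1.3.1.1.1 reference into one comment above the call and tagging each NULL with its parameter name, instead of a five-line comment squeezed into the argument column. The comment spells it "ditContentRules" while the function name uses "dITContentRule"; matching the casing keeps it greppable. Since the commit message says the Windows ADSI layer downloads and validates the whole schema, a test asserting that the generated dITContentRule string contains no SUP would keep this from regressing.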