replmd: Set GET_ANC if Windows sends a link with unknown source object

Windows replication can send the linked attribute before it sends the
source object. The MS-DRSR spec says that in this case the client should
resend the GetNCChanges request with the GET_ANC flag set. In my testing
this resolves the problem - Windows will include the source object for the
linked attribute in the same replication chunk.

This problem doesn't happen with Samba-to-Samba replication, because the
source object for the linked attribute is guaranteed to have already been
sent.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12972

diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index c04358f58ddb85570442ef3bc0d309e82ebef240..fde9b7265c6800c87242655c852df7576ee50c9d 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -6961,6 +6961,17 @@ static int replmd_verify_linked_attributes(struct replmd_replicated_request *ar)
                ret = replmd_extract_la_entry_details(module, la, tmp_ctx, &attr,
                                                      &src_msg, &tgt_dsdb_dn);
 
+               /*
+                * When we fail to find the source object, the error code we pass
+                * back here is really important. It flags back to the callers to
+                * retry this request with DRSUAPI_DRS_GET_ANC. This case should
+                * never happen if we're replicating from a Samba DC, but it is
+                * needed to talk to a Windows DC
+                */
+               if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+                       ret = replmd_replicated_request_werror(ar, WERR_DS_DRA_MISSING_PARENT);
+               }
+
                if (ret != LDB_SUCCESS) {
                        break;
                }