From: Andrew Bartlett Date: Tue, 13 Oct 2015 02:26:20 +0000 (+1300) Subject: samba-tool domain demote: Refuse to remove ourself X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=e432c1b6826ecafeb355bd1d06e33f2eb67e58b8;p=garming%2Fsamba.git samba-tool domain demote: Refuse to remove ourself This ensures that a different server is the one being demoted from the local database Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam --- diff --git a/python/samba/remove_dc.py b/python/samba/remove_dc.py index ded7f00f6b..89502121ad 100644 --- a/python/samba/remove_dc.py +++ b/python/samba/remove_dc.py @@ -127,9 +127,12 @@ def offline_remove_ntds_dc(samdb, ntds_dn, res = samdb.search("", scope=ldb.SCOPE_BASE, attrs=["dsServiceName"]) assert len(res) == 1 - my_serviceName = res[0]["dsServiceName"][0] + my_serviceName = ldb.Dn(samdb, res[0]["dsServiceName"][0]) server_dn = ntds_dn.parent() + if my_serviceName == ntds_dn: + raise DemoteException("Refusing to demote our own DSA: %s " % my_serviceName) + try: msgs = samdb.search(base=ntds_dn, expression="objectClass=ntdsDSA", attrs=["objectGUID"], scope=ldb.SCOPE_BASE) @@ -191,7 +194,8 @@ def offline_remove_ntds_dc(samdb, ntds_dn, def remove_dc(samdb, dc_name): - # TODO: Check if this is the last server + # TODO: Check if this is the last server (covered mostly by + # refusing to remove our own name) samdb.transaction_start() diff --git a/python/samba/tests/blackbox/samba_tool_drs.py b/python/samba/tests/blackbox/samba_tool_drs.py index b65f5af0f0..13678f5a07 100644 --- a/python/samba/tests/blackbox/samba_tool_drs.py +++ b/python/samba/tests/blackbox/samba_tool_drs.py 
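Review bot: The new `raise DemoteException(...)` in offline_remove_ntds_dc is an exit path that may fire after a caller has already opened a transaction. remove_dc, in the next hunk, calls `samdb.transaction_start()` first, and whether it reaches this function and cancels on the exception is not visible here. If it does not, the call should be wrapped so the refusal is followed by `samdb.transaction_cancel()` before re-raising. Two smaller points on the same lines: the message has a stray trailing space (`"Refusing to demote our own DSA: %s" % my_serviceName` reads better), and `my_serviceName` is now an `ldb.Dn` rather than a string, so any later use in the function body outside this hunk should be checked.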
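Review bot: The reworded TODO in remove_dc says the last-server case is "covered mostly" without saying where the check lives or which case is still open, so the next reader cannot tell what remains to be done. The refusal is implemented in offline_remove_ntds_dc and only takes effect when that function runs, which this hunk does not show. Something like `# TODO: Check if this is the last server; offline_remove_ntds_dc() refuses our own DSA, but <uncovered case> is not checked` would record the gap. remove_dc's body continues outside the hunk.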
@@ -163,6 +163,13 @@ class SambaToolDrsTests(samba.tests.BlackboxTestCase): self.assertEqual(ds_name, server_ds_name) self.assertEqual(ldap_service_name, server_ldap_service_name) + def demote_self(): + # While we have this cloned, try demoting the other server on the clone + out = self.check_output("samba-tool domain demote --remove-other-dead-server=%s -H %s/private/sam.ldb" + % (self.dc1, + self.tempdir)) + self.assertRaises(samba.tests.BlackboxProcessError, demote_self) + # While we have this cloned, try demoting the other server on the clone out = self.check_output("samba-tool domain demote --remove-other-dead-server=%s -H %s/private/sam.ldb" % (self.dc2,
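Review bot: `self.assertRaises(samba.tests.BlackboxProcessError, demote_self)` presumably passes on any failing samba-tool run, so a mistyped option, a missing sam.ldb or an unrelated crash would satisfy the test as well as the new refusal does. Since this guard is what stops a destructive removal of the local DSA, the test should also check that the failure carries the "Refusing to demote our own DSA" text, assuming BlackboxProcessError exposes the command's stderr (its definition is not visible here). The comment inside demote_self is copied from the block below and describes the opposite case; `# Demoting the server this clone was taken from must be refused` would match what the call apparently does with `self.dc1`, and the unused `out =` can go. The enclosing test method starts and ends outside the hunk.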