repl_md: Avoid dropping cross-partition links
authorTim Beale <timbeale@catalyst.net.nz>
Mon, 1 Jul 2019 01:41:14 +0000 (13:41 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 2 Jul 2019 04:21:36 +0000 (04:21 +0000)
Cross-partition links could still be dropped if GET_TGT was already
previously set for the replication.

This was due to a slight error in the order of logic. We never want to
ignore cross-partition links (regardless of whether the TARGETS_UPTODATE
/GET_TGT flag is set). We should only be returning early in the
GET_TGT case if the objects are both in the same partition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14022
RN: When the AD domain contained a linked attribute that spanned
partitions, DRS replication could drop the link. This dropped link could
then result in subtle differences in behaviour between DCs, as some DCs
would have the link and others wouldn't. When this issue occurred, the
dropped link would be logged in a warning message:
 "<target-dn> is Unknown but up to date. Ignoring link from <source-dn>"
This issue would not always occur - it depended a lot on the database
contents. Typically, it would only potentially occur when joining a new
DC to the domain (doing an ldapcmp after the join would also highlight
the problem, if it occurred). This issue has now been resolved.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail.d/getncchanges
source4/dsdb/samdb/ldb_modules/repl_meta_data.c

index 1a32482c462aca82c85d5c822e5871421532949c..df6464e0156741a8087b6aa8760bc1d90e245b2b 100644 (file)
@@ -12,5 +12,4 @@ samba4.drs.getncchanges.python\(promoted_dc\).python2.getncchanges.DrsReplicaSyn
 samba4.drs.getncchanges.python\(promoted_dc\).python2.getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_chain\(promoted_dc\)
 samba4.drs.getncchanges.python\(promoted_dc\).python2.getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_and_anc\(promoted_dc\)
 samba4.drs.getncchanges.python\(promoted_dc\).python2.getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_multivalued_links\(promoted_dc\)
-# this fails due to a bug
-samba4.drs.getncchanges.python.*.getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_integrity_cross_partition_links_with_tgt
+
index 5202c41a7bfebfe48123359ec938ac18a98e60ff..9dd354743ff9ba084489739e5eaa5aa126bee5c5 100644 (file)
@@ -7433,27 +7433,28 @@ static int replmd_allow_missing_target(struct ldb_module *module,
                return LDB_SUCCESS;
        }
 
-       if (dsdb_repl_flags & DSDB_REPL_FLAG_TARGETS_UPTODATE) {
+       is_in_same_nc = dsdb_objects_have_same_nc(ldb,
+                                                 mem_ctx,
+                                                 source_dn,
+                                                 target_dn);
+       if (is_in_same_nc) {
 
                /*
-                * target should already be up-to-date so there's no point in
+                * if the target is already be up-to-date there's no point in
                 * retrying. This could be due to bad timing, or if a target
                 * on a one-way link was deleted. We ignore the link rather
                 * than failing the replication cycle completely
                 */
-               *ignore_link = true;
-               DBG_WARNING("%s is %s but up to date. Ignoring link from %s\n",
-                           ldb_dn_get_linearized(target_dn), missing_str,
-                           ldb_dn_get_linearized(source_dn));
-               return LDB_SUCCESS;
-       }
-       
-       is_in_same_nc = dsdb_objects_have_same_nc(ldb,
-                                                 mem_ctx,
-                                                 source_dn,
-                                                 target_dn);
-       if (is_in_same_nc) {
-               /* fail the replication and retry with GET_TGT */
+               if (dsdb_repl_flags & DSDB_REPL_FLAG_TARGETS_UPTODATE) {
+                       *ignore_link = true;
+                       DBG_WARNING("%s is %s "
+                                   "but up to date. Ignoring link from %s\n",
+                                   ldb_dn_get_linearized(target_dn), missing_str,
+                                   ldb_dn_get_linearized(source_dn));
+                       return LDB_SUCCESS;
+               }
+
+               /* otherwise fail the replication and retry with GET_TGT */
                ldb_asprintf_errstring(ldb, "%s target %s GUID %s linked from %s\n",
                                       missing_str,
                                       ldb_dn_get_linearized(target_dn),
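Review bot: The reworded comment above the new inner `if (dsdb_repl_flags & DSDB_REPL_FLAG_TARGETS_UPTODATE)` reads "if the target is already be up-to-date" and does not record the invariant this fix establishes, namely that the ignore path is only valid inside the `is_in_same_nc` branch. I would reword it to `/* Same NC only: if the target is already up-to-date there is no point in retrying, so ignore the link. Cross-partition links must never be ignored here. */` so that a later reordering does not reintroduce the dropped links. Because the result of `dsdb_objects_have_same_nc()` now decides whether a link can be silently ignored, it is also worth confirming (and noting in the comment) what that helper returns when the NC lookup itself fails; that is not visible in this hunk. Per the commit message a dropped link leaves DCs disagreeing about linked attributes, and as far as this hunk shows the `DBG_WARNING` is the only trace of it, so its wording should stay stable for anyone alerting on it. `replmd_allow_missing_target` starts and ends outside the hunk.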