dsdb: Refuse to return an all-zero invocationID
authorAndrew Bartlett <abartlet@samba.org>
Tue, 17 Sep 2013 22:20:48 +0000 (15:20 -0700)
committerKarolin Seeger <kseeger@samba.org>
Fri, 27 Sep 2013 07:28:56 +0000 (09:28 +0200)
This could cause an all-zero GUID to be entered into the
replPropertyMetaData, which will then fail to be replicated to other
DCs.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 4022d8632cc092f4f43fae69cc3cfb58d0d000dd)

source4/dsdb/common/util.c

index 55bd73e424996043b84228146918c2bd43ebe156..904ca1dcc9aac7bd886722ff6e4d67172d7aaf44 100644 (file)
@@ -1326,6 +1326,14 @@ const struct GUID *samdb_ntds_invocation_id(struct ldb_context *ldb)
        }
 
        *invocation_id = samdb_result_guid(res->msgs[0], "invocationId");
+       if (GUID_all_zero(invocation_id)) {
+               if (ldb_msg_find_ldb_val(res->msgs[0], "invocationId")) {
+                       DEBUG(0, ("Failed to find our own NTDS Settings invocationId in the ldb!\n"));  
+               } else {
+                       DEBUG(0, ("Failed to find parse own NTDS Settings invocationId from the ldb!\n"));
+               }
+               goto failed;
+       }
 
        /* cache the domain_sid in the ldb */
        if (ldb_set_opaque(ldb, "cache.invocation_id", invocation_id) != LDB_SUCCESS) {
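Review bot: The two DEBUG(0) messages in the added `GUID_all_zero()` branch look swapped: when `ldb_msg_find_ldb_val(res->msgs[0], "invocationId")` returns non-NULL the attribute is present but unusable, yet that arm logs "Failed to find …", while the arm for a missing attribute logs the garbled "Failed to find parse own …". An administrator reading the level-0 log while chasing a replication fault would be pointed at the wrong cause (missing attribute versus corrupt or zeroed value). Inverting the test to `if (ldb_msg_find_ldb_val(res->msgs[0], "invocationId") == NULL) {` and rewording the second message to `"Failed to parse our own NTDS Settings invocationId from the ldb!\n"` fixes both; a stored value that parses but is genuinely all zeros also lands in that second arm, so wording that covers "unparseable or all-zero" may be more accurate. The body of samdb_ntds_invocation_id and the `failed` label lie outside the hunk, so the cleanup path could not be checked from here.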