kcc: Prevent the KCC from doing work on the RODC
authorGarming Sam <garming@catalyst.net.nz>
Fri, 1 Jul 2016 05:02:50 +0000 (17:02 +1200)
committerGarming Sam <garming@samba.org>
Thu, 21 Jul 2016 04:37:07 +0000 (06:37 +0200)
This should never have done any real work, new code or not. This just removes
the initial KCC calls and bails out in the KCC if we actually ran it.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/kcc/__init__.py
selftest/target/Samba4.pm

index c3e92b7cbfd60e5d4b7455b00b8d4ea803162652..e56021f66a6e53c66522ef3d01b3214e91c408a1 100644 (file)
@@ -486,7 +486,12 @@ class KCC(object):
 
         mydsa = self.my_dsa
 
-        self._ensure_connections_are_loaded(mydsa.connect_table.values())
+        try:
+            self._ensure_connections_are_loaded(mydsa.connect_table.values())
+        except KCCError:
+            # RODC never actually added any connections to begin with
+            if mydsa.is_ro():
+                return
 
         local_connections = []
 
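Review bot: The new `except KCCError:` handler also swallows the error on a writable DC: when `mydsa.is_ro()` is false the handler falls off its end and the method carries on with connections that failed to load. Add a bare `raise` after the `if mydsa.is_ro(): return` pair so that only the RODC case is suppressed. The enclosing method starts and ends outside the hunk, so what the callers do with a propagated `KCCError` cannot be checked from here.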
@@ -518,6 +523,11 @@ class KCC(object):
 
         :return: None
         """
+        # TODO Figure out how best to handle the RODC case
+        # The RODC is ITSG, but shouldn't act on anyone's behalf.
+        if self.my_dsa.is_ro():
+            return
+
         # Find the intersite connections
         local_dsas = self.my_site.dsa_table
         connections_and_dsas = []
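Review bot: The RODC early return before `# Find the intersite connections` leaves no trace in the log, so someone diagnosing topology on an RODC cannot tell that this step was skipped on purpose rather than finding nothing to do. A debug line before the `return`, for example `DEBUG_FN("skipping intersite connection handling on RODC")`, would make the skip visible. The docstring, which begins above the hunk, should also say that the method returns immediately on an RODC.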
@@ -840,9 +850,13 @@ class KCC(object):
         """
         count = 0
 
+        ro = False
         if current_dsa is None:
             current_dsa = self.my_dsa
 
+        if current_dsa.is_ro():
+            ro = True
+
         if current_dsa.is_translate_ntdsconn_disabled():
             DEBUG_FN("skipping translate_ntdsconn() "
                      "because disabling flag is set")
@@ -978,7 +992,7 @@ class KCC(object):
                 if t_repsFrom.is_modified():
                     n_rep.rep_repsFrom.append(t_repsFrom)
 
-            if self.readonly:
+            if self.readonly or ro:
                 # Display any to be deleted or modified repsFrom
                 text = n_rep.dumpstr_to_be_deleted()
                 if text:
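Review bot: The `ro` tested in `if self.readonly or ro:` is set roughly 140 lines earlier, in the previous hunk, through a `ro = False` / `if current_dsa.is_ro(): ro = True` pair that is longer than needed and easy to miss when reading this condition. Assign it in one line once `current_dsa` has been defaulted, `ro = current_dsa.is_ro()`. A comment there such as `# on an RODC, only report repsFrom changes` would help, assuming the read-only branch does no more than display them, as its own comment suggests. The enclosing method starts and ends outside both hunks.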
@@ -1770,7 +1784,9 @@ class KCC(object):
         DEBUG_FN("intersite(): exit all_connected=%d" % all_connected)
         return all_connected
 
-    def update_rodc_connection(self):
+    # This function currently does no actions. The reason being that we cannot
+    # perform modifies in this way on the RODC.
+    def update_rodc_connection(self, ro=True):
         """Updates the RODC NTFRS connection object.
 
         If the local DSA is not an RODC, this does nothing.
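Review bot: With the new `ro` parameter, the commit call in the following hunk, `commit_connections(self.samdb, ro=ro)`, no longer consults `self.readonly`, so a caller passing `ro=False` would write even when `self.readonly` is set. Combining the two flags, as the repsFrom check in this commit already does, keeps that guard: `ro=(self.readonly or ro)`. The docstring should also gain a `:param ro:` line stating that the default `True` means nothing is committed, rather than leaving that to the comment above the `def`. The method body continues outside this hunk.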
@@ -1804,7 +1820,7 @@ class KCC(object):
                 con.schedule = cn2.schedule
                 con.to_be_modified = True
 
-            self.my_dsa.commit_connections(self.samdb, ro=self.readonly)
+            self.my_dsa.commit_connections(self.samdb, ro=ro)
 
     def intrasite_max_node_edges(self, node_count):
         """Find the maximum number of edges directed to an intrasite node
index 64e1985ee377ca292774acf1e30781df806fee59..b09bb662515d1095d2a31bef4ab9fb570299b40c 100755 (executable)
@@ -2283,31 +2283,8 @@ sub setup_rodc($$$)
            return undef;
        }
 
-       # force source and replicated DC to update repsTo/repsFrom
-       # for vampired partitions
        my $samba_tool =  Samba::bindir_path($self, "samba-tool");
        my $cmd = "";
-       $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
-       $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
-       $cmd .= " $samba_tool drs kcc -k no $env->{DC_SERVER}";
-       $cmd .= " $env->{CONFIGURATION}";
-       $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
-       unless (system($cmd) == 0) {
-           warn("Failed to exec kcc\n$cmd");
-           return undef;
-       }
-
-       my $samba_tool =  Samba::bindir_path($self, "samba-tool");
-       my $cmd = "";
-       $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
-       $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
-       $cmd .= " $samba_tool drs kcc -k no $env->{SERVER}";
-       $cmd .= " $env->{CONFIGURATION}";
-       $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
-       unless (system($cmd) == 0) {
-           warn("Failed to exec kcc\n$cmd");
-           return undef;
-       }
 
        my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
        $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";