KDC does not work in a configuration with a trusted domain


KDC does not work in a configuration with a trusted domain

Samba - samba-technical mailing list
Hello,

last week I got a strange problem with a KDC that does not work (samba-4.6.8).
kinit for users works, but when I use this KDC for a TGS request I get a
strange error.

[root@samba-dc ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [hidden email]

Valid starting       Expires              Service principal
08.10.2017 15:54:57  09.10.2017 01:54:57  krbtgt/[hidden email]
        renew until 15.10.2017 15:54:43

[root@samba-dc ~]# smbclient -k -L //samba-dc.adm72.local
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/samba-dc.adm72.local
failed (next[(null)]): NT_STATUS_NO_LOGON_SERVERS
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_NO_LOGON_SERVERS


log.samba during this strange error:

[2017/10/03 17:52:06.314034,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ [hidden email] from ipv4:10.142.170.14:52384
for cifs/[hidden email] [canonicalize]
[2017/10/03 17:52:06.316473,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: target  does not have secrets at this KDC, need to proxy
[2017/10/03 17:52:06.316570,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.142.170.14:52384
[2017/10/03 17:52:06.316651,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: proxying requested when not RODC'
[2017/10/03 17:52:06.316719,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: proxying requested when not RODC]

_____________________

Step by step I localized the problem: dsdb_trust_routing_table_load() failed:

[2017/10/07 16:43:28.773650,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: start flags=0010
[2017/10/07 16:43:28.773676,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: set HDB_F_KVNO_SPECIFIED for kvno: 3
[2017/10/07 16:43:28.773689,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: try to hdb_open for 0 config record
[2017/10/07 16:43:28.773706,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: hdb_fetch_kvno flags=0091 (kvno 3)
[2017/10/07 16:43:28.773720,  4] ../source4/kdc/db-glue.c:2321(samba_kdc_fetch)
  samba_kdc_fetch with kvno: 3 (flags=0091)
[2017/10/07 16:43:28.773764,  4]
../source4/kdc/db-glue.c:2091(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm for krbtgt/[hidden email] with 2 components
[2017/10/07 16:43:28.773780,  4] ../source4/kdc/db-glue.c:2331(samba_kdc_fetch)
  samba_kdc_fetch set default ret as 36150275
[2017/10/07 16:43:28.773790,  4] ../source4/kdc/db-glue.c:2350(samba_kdc_fetch)
  samba_kdc_fetch for tgt
[2017/10/07 16:43:28.773805,  4]
../source4/kdc/db-glue.c:1702(samba_kdc_fetch_krbtgt)
  samba_kdc_fetch_krbtgt with kvno: 3
[2017/10/07 16:43:28.773820,  4]
../source4/kdc/db-glue.c:1721(samba_kdc_fetch_krbtgt)
  samba_kdc_fetch_krbtgt with default_realm_dn: DC=adm72,DC=local and
realm_from_princ ADM72.LOCAL
[2017/10/07 16:43:28.773832,  3]
../source4/kdc/db-glue.c:1732(samba_kdc_fetch_krbtgt)
  samba_kdc_fetch_krbtgt: is_my_domain_or_realm!
[2017/10/07 16:43:28.773845,  3]
../source4/kdc/db-glue.c:1751(samba_kdc_fetch_krbtgt)
  samba_kdc_fetch_krbtgt: krbtgt_number = 0
[2017/10/07 16:43:28.773855,  4]
../source4/kdc/db-glue.c:1754(samba_kdc_fetch_krbtgt)
  samba_kdc_fetch_krbtgt: dsdb_search_one LDB_SCOPE_BASE on
CN=krbtgt,CN=Users,DC=adm72,DC=local: "(objectClass=user)"
[2017/10/07 16:43:28.774289,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: hdb_close ret=0
[2017/10/07 16:43:28.774315,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: hdb_fetch_kvno() done
[2017/10/07 16:43:28.774419,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ [hidden email] from ipv4:10.142.170.24:59038
for cifs/[hidden email] [canonicalize]
[2017/10/07 16:43:28.774441,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: tgs_build_reply: _kdc_db_fetch() with HDB_F_GET_SERVER
[2017/10/07 16:43:28.774480,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: start flags=2028
[2017/10/07 16:43:28.774497,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: not kvno specified
[2017/10/07 16:43:28.774514,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: try to hdb_open for 0 config record
[2017/10/07 16:43:28.774530,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: hdb_fetch_kvno flags=2029 (kvno 0)
[2017/10/07 16:43:28.774544,  4] ../source4/kdc/db-glue.c:2321(samba_kdc_fetch)
  samba_kdc_fetch with kvno: 0 (flags=2029)
[2017/10/07 16:43:28.774558,  4]
../source4/kdc/db-glue.c:2091(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm for cifs/[hidden email]
with 2 components
[2017/10/07 16:43:28.774571,  4]
../source4/kdc/db-glue.c:2101(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm with SDB_F_GET_SERVER
[2017/10/07 16:43:28.774581,  4]
../source4/kdc/db-glue.c:2103(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm with SDB_F_FOR_TGS_REQ (check_realm = true)
[2017/10/07 16:43:28.774594,  4]
../source4/kdc/db-glue.c:2119(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm() for realm ADM72.LOCAL
[2017/10/07 16:43:28.774605,  4]
../source4/kdc/db-glue.c:2134(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm() copy the realm.
[2017/10/07 16:43:28.774618,  4]
../source4/kdc/db-glue.c:2185(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm for SDB_F_GET_SERVER
[2017/10/07 16:43:28.774628,  4]
../source4/kdc/db-glue.c:2208(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm for SDB_F_GET_SERVER with 2 components
[2017/10/07 16:43:28.774642,  4]
../source4/kdc/db-glue.c:2216(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm got service_realm samba-dc.adm72.local
[2017/10/07 16:43:28.774652,  4]
../source4/kdc/db-glue.c:2231(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm try dsdb_trust_routing_table_load()
[2017/10/07 16:43:28.776134,  4] ../source4/kdc/db-glue.c:2326(samba_kdc_fetch)
  samba_kdc_fetch: samba_kdc_lookup_realm() failed
[2017/10/07 16:43:28.776229,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: hdb_close ret=36150287
[2017/10/07 16:43:28.776260,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: hdb_fetch_kvno() = 36150287
[2017/10/07 16:43:28.776278,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: target cifs/[hidden email] does not have
secrets at this KDC, need to proxy
[2017/10/07 16:43:28.776300,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.142.170.24:59038
[2017/10/07 16:43:28.776329,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: proxying requested when not RODC'
[2017/10/07 16:43:28.776345,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: proxying requested when not RODC]

_____________________

Next part of this story: why did it fail?
Step by step again I found that the problem is in
dsdb_trust_xref_forest_info(), and looked at it in gdb:

[2017/10/09 12:15:15.859384,  5]
../auth/gensec/gensec_start.c:681(gensec_start_mech)
  Starting GENSEC mechanism gssapi_krb5
[2017/10/09 12:15:15.860051,  3]
../auth/credentials/credentials_krb5.c:406(cli_credentials_get_named_ccache)
  Ticket in credentials cache for SAMBA-DC$@ADM72.LOCAL will shortly
expire (272 secs), will refresh
[2017/10/09 12:15:15.860122,  5]
../auth/credentials/credentials_krb5.c:417(cli_credentials_get_named_ccache)
  Ticket in credentials cache for SAMBA-DC$@ADM72.LOCAL will expire in 272 secs
[2017/10/09 12:15:18.864288,  5]
../source4/auth/kerberos/krb5_init_context.c:146(smb_krb5_request_timeout)
  Timed out smb_krb5 packet
[2017/10/09 12:15:21.867498,  5]
../source4/auth/kerberos/krb5_init_context.c:146(smb_krb5_request_timeout)
  Timed out smb_krb5 packet
[2017/10/09 12:15:24.868825,  5]
../source4/auth/kerberos/krb5_init_context.c:146(smb_krb5_request_timeout)
  Timed out smb_krb5 packet
[2017/10/09 12:15:24.869059,  4]
../auth/credentials/credentials_krb5.c:585(cli_credentials_get_client_gss_creds)
  Failed to get kerberos credentials: kinit for SAMBA-DC$@ADM72.LOCAL
failed (Cannot contact any KDC for requested realm)

[2017/10/09 12:15:24.869130,  3]
../source4/auth/gensec/gensec_gssapi.c:333(gensec_gssapi_client_creds)
  Cannot reach a KDC we require to contact (null) : kinit for
SAMBA-DC$@ADM72.LOCAL failed (Cannot contact any KDC for requested
realm)

[...]
[2017/10/09 12:17:59.736199,  3]
../source4/dsdb/common/util_trusts.c:936(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info for 0x563e561e8918
[...]

[2017/10/09 12:19:02.333151,  3]
../source4/dsdb/common/util_trusts.c:952(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info with partitions dn
CN=Partitions,CN=Configuration,DC=adm72,DC=local
[2017/10/09 12:19:07.331948,  3]
../source4/dsdb/common/util_trusts.c:961(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info try dsdb_search()
[2017/10/09 12:19:19.898405,  3]
../source4/dsdb/common/util_trusts.c:976(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info sort the domains as trees
[2017/10/09 12:19:19.898499,  3]
../source4/dsdb/common/util_trusts.c:983(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info find uPNSuffixes
[2017/10/09 12:19:19.898516,  3]
../source4/dsdb/common/util_trusts.c:988(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info find msDS-SPNSuffixes
[2017/10/09 12:19:19.898528,  3]
../source4/dsdb/common/util_trusts.c:993(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info try ldb_msg_normalize()
[2017/10/09 12:19:19.898580,  3]
../source4/dsdb/common/util_trusts.c:999(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info find __tln__
[2017/10/09 12:19:19.898624,  3]
../source4/dsdb/common/util_trusts.c:1002(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info sort the domains as trees with tln element
[2017/10/09 12:19:19.898642,  3]
../source4/dsdb/common/util_trusts.c:1010(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info cross2 cycle with 2 counts
[2017/10/09 12:19:19.898662,  3]
../source4/dsdb/common/util_trusts.c:1024(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info cross2 0-th cycle
[2017/10/09 12:19:20.146552,  4]
../source4/dsdb/common/util_trusts.c:1042(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info cross2 ncName not found
[2017/10/09 12:19:20.146760,  3]
../source4/dsdb/common/util_trusts.c:2873(dsdb_trust_routing_table_load)
  dsdb_trust_routing_table_load dsdb_trust_xref_forest_info() failed:
NT_STATUS_INTERNAL_DB_CORRUPTION

(gdb) backtrace
#0  ldb_dn_validate (dn=dn@entry=0x563e5603b4f0) at ../common/ldb_dn.c:744
#1  0x00007f2fc35fc300 in ldb_dn_add_child (dn=0x563e539d5e00,
child=0x563e5603b4f0) at ../common/ldb_dn.c:1500
#2  0x00007f2fc35fc625 in ldb_dn_add_child_fmt
(dn=dn@entry=0x563e539d5e00, child_fmt=child_fmt@entry=0x7f2fc3c6997a
"CN=Partitions") at ../common/ldb_dn.c:1600
#3  0x00007f2fc3c58fc8 in samdb_partitions_dn
(sam_ctx=sam_ctx@entry=0x563e539a9a00,
mem_ctx=mem_ctx@entry=0x563e552d5e50) at
../source4/dsdb/common/util.c:1160
#4  0x00007f2fc3c624e6 in dsdb_trust_xref_forest_info
(mem_ctx=mem_ctx@entry=0x563e561e8900,
sam_ctx=sam_ctx@entry=0x563e539a9a00,
_info=_info@entry=0x563e561e8918) at
../source4/dsdb/common/util_trusts.c:946
#5  0x00007f2fc3c65c8e in dsdb_trust_routing_table_load
(sam_ctx=0x563e539a9a00, mem_ctx=mem_ctx@entry=0x563e539d5b80,
_table=_table@entry=0x7ffd395d4ff8) at
../source4/dsdb/common/util_trusts.c:2871
#6  0x00007f2fbab6bf0c in samba_kdc_lookup_realm
(kdc_db_ctx=0x563e553eaf90, kdc_db_ctx=0x563e553eaf90,
mem_ctx=0x563e55a706a0, entry_ex=0x7ffd395d5060, flags=8201,
principal=0x563e54c10ab0, context=0x563e56737020)
    at ../source4/kdc/db-glue.c:2232
#7  samba_kdc_fetch (context=context@entry=0x563e56737020,
kdc_db_ctx=0x563e553eaf90, principal=principal@entry=0x563e54c10ab0,
flags=flags@entry=8201, kvno=kvno@entry=0,
entry_ex=entry_ex@entry=0x7ffd395d5060)
    at ../source4/kdc/db-glue.c:2323
#8  0x00007f2fbb192a86 in hdb_samba4_fetch_kvno
(context=0x563e56737020, db=<optimized out>, principal=0x563e54c10ab0,
flags=8201, kvno=0, entry_ex=0x563e54f1cd90) at
../source4/kdc/hdb-samba4.c:98
#9  0x00007f2fbb3aa149 in _kdc_db_fetch
(context=context@entry=0x563e56737020,
config=config@entry=0x563e54c1d970, principal=0x563e54c10ab0,
flags=<optimized out>, flags@entry=8200, kvno_ptr=kvno_ptr@entry=0x0,
db=db@entry=0x0,
    h=0x7ffd395d52b8) at ../source4/heimdal/kdc/misc.c:103
#10 0x00007f2fbb3a2ae1 in tgs_build_reply
(context=context@entry=0x563e56737020,
config=config@entry=0x563e54c1d970, req=req@entry=0x7ffd395d5860,
b=b@entry=0x7ffd395d5870, krbtgt=0x563e540a24e0,
    krbtgt_etype=krbtgt_etype@entry=KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
replykey=0x563e5599a620, rk_is_subkey=1, ticket=0x563e552d5610,
reply=0x7ffd395d59d0, from=0x563e54f1da90 "ipv4:10.142.170.24:46638",
e_text=0x7ffd395d5738,
    auth_data=0x7ffd395d5720, from_addr=0x7ffd395d59e0) at
../source4/heimdal/kdc/krb5tgs.c:1632
#11 0x00007f2fbb3a5d59 in _kdc_tgs_rep
(context=context@entry=0x563e56737020,
config=config@entry=0x563e54c1d970, req=req@entry=0x7ffd395d5860,
data=data@entry=0x7ffd395d59d0, from=from@entry=0x563e54f1da90
"ipv4:10.142.170.24:46638",
    from_addr=from_addr@entry=0x7ffd395d59e0, datagram_reply=0) at
../source4/heimdal/kdc/krb5tgs.c:2386
#12 0x00007f2fbb3aa5a1 in kdc_tgs_req (context=0x563e56737020,
config=0x563e54c1d970, req_buffer=<optimized out>,
reply=0x7ffd395d59d0, from=0x563e54f1da90 "ipv4:10.142.170.24:46638",
addr=0x7ffd395d59e0, datagram_reply=0,
    claim=0x7ffd395d594c) at ../source4/heimdal/kdc/process.c:97
#13 0x00007f2fbb3aa828 in krb5_kdc_process_krb5_request
(context=0x563e56737020, config=config@entry=0x563e54c1d970,
buf=<optimized out>, len=<optimized out>,
reply=reply@entry=0x7ffd395d59d0,
    from=0x563e54f1da90 "ipv4:10.142.170.24:46638",
addr=0x7ffd395d59e0, datagram_reply=0) at
../source4/heimdal/kdc/process.c:242
#14 0x00007f2fbb5ca84e in kdc_process (kdc=0x563e54f10280,
mem_ctx=0x563e53cc1920, input=0x563e53cc1928, reply=0x563e53cc1938,
peer_addr=0x563e53f816f0, my_addr=<optimized out>, datagram_reply=0)
at ../source4/kdc/kdc-heimdal.c:84
#15 0x00007f2fbb5c5318 in kdc_tcp_call_loop (subreq=<optimized out>)
at ../source4/kdc/kdc-server.c:290
#16 0x00007f2fbbdf4cac in tstream_read_pdu_blob_done
(subreq=<optimized out>) at ../libcli/util/tstream.c:117
#17 0x00007f2fc66f9cab in tstream_readv_done (subreq=<optimized out>)
at ../lib/tsocket/tsocket.c:604
#18 0x00007f2fc66fc150 in tstream_bsd_readv_handler
(private_data=<optimized out>) at ../lib/tsocket/tsocket_bsd.c:1877
#19 0x00007f2fc8fbfff3 in epoll_event_loop (tvalp=0x7ffd395d5bc0,
epoll_ev=0x563e5397f440) at ../tevent_epoll.c:728
#20 epoll_event_loop_once (ev=<optimized out>, location=<optimized
out>) at ../tevent_epoll.c:930
#21 0x00007f2fc8fbe407 in std_event_loop_once (ev=0x563e5397f1c0,
location=0x7f2fbdd55378 "../source4/smbd/process_standard.c:364") at
../tevent_standard.c:114
#22 0x00007f2fc8fba1bd in _tevent_loop_once
(ev=ev@entry=0x563e5397f1c0, location=location@entry=0x7f2fbdd55378
"../source4/smbd/process_standard.c:364") at ../tevent.c:721
#23 0x00007f2fc8fba3eb in tevent_common_loop_wait (ev=0x563e5397f1c0,
location=0x7f2fbdd55378 "../source4/smbd/process_standard.c:364") at
../tevent.c:844
#24 0x00007f2fc8fbe3a7 in std_event_loop_wait (ev=0x563e5397f1c0,
location=0x7f2fbdd55378 "../source4/smbd/process_standard.c:364") at
../tevent_standard.c:145
#25 0x00007f2fbdd54bd2 in standard_new_task (ev=0x563e5397f1c0,
lp_ctx=0x563e53976020, service_name=0x7f2fbb5cd3b2 "kdc",
new_task=0x7f2fca7bc950 <task_server_callback>,
private_data=0x563e53c7b870)
    at ../source4/smbd/process_standard.c:364
#26 0x00007f2fca7bca7a in task_server_startup
(event_ctx=event_ctx@entry=0x563e5397f1c0,
lp_ctx=lp_ctx@entry=0x563e53976020,
service_name=service_name@entry=0x7f2fbb5cd3b2 "kdc",
    model_ops=model_ops@entry=0x7f2fbdf55be0 <standard_ops>,
task_init=0x7f2fbb5c9f80 <kdc_task_init>) at
../source4/smbd/service_task.c:114
#27 0x00007f2fca7bb6d2 in server_service_init
(model_ops=0x7f2fbdf55be0 <standard_ops>, lp_ctx=0x563e53976020,
event_context=0x563e5397f1c0, name=0x563e53978d10 "kdc") at
../source4/smbd/service.c:63
#28 server_service_startup (event_ctx=0x563e5397f1c0,
lp_ctx=0x563e53976020, model=<optimized out>,
server_services=<optimized out>) at ../source4/smbd/service.c:95
#29 0x0000563e53754233 in binary_smbd_main (argc=<optimized out>,
argv=<optimized out>, binary_name=0x563e53754d28 "samba") at
../source4/smbd/server.c:489
#30 0x00007f2fc8c327f0 in __libc_start_main (main=0x563e53753000
<main>, argc=1, argv=0x7ffd395d61d8, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7ffd395d61c8) at ../csu/libc-start.c:289
#31 0x0000563e53753039 in _start () at ../sysdeps/x86_64/start.S:108


So... not a single TGS request to the KDC works if we have a secondary
trusted domain and dsdb_trust_xref_forest_info() fails. And it fails
every time the nCName attribute does not exist in the LDAP request for it:

# Windows DC
[user@samba-dc ~]$ ldbsearch -k yes -H ldap://dc-resp142 -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef))' dnsRoot nETBIOSName nCName rootTrust
trustParent -d0 | grep -B1 -A2 'OMSU'
# record 6
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=omsu,DC=adm72,DC=local
dnsRoot: omsu.adm72.local
nETBIOSName: OMSU
trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local

# Samba DC
[user@samba-dc ~]$ ldbsearch -k yes -H ldap://samba-dc -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef))' dnsRoot nETBIOSName nCName rootTrust
trustParent -d0 | grep -B1 -A2 'OMSU'
# record 7
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
dnsRoot: omsu.adm72.local
nETBIOSName: OMSU
trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local

# Local Data on Samba DC
[root@samba-dc ~]# ldbsearch -k yes -H
/var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
-b CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust
trustParent -d0 | grep -B1 -A2 'OMSU'
# record 7
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-17
 29258221-3996020766>;DC=omsu,DC=adm72,DC=local
dnsRoot: omsu.adm72.local
nETBIOSName: OMSU
trustParent: <GUID=251e4849-921f-4d28-ad6a-da8aa4348925>;CN=ADM72,CN=Partition
 s,CN=Configuration,DC=adm72,DC=local

_____________________

The current workaround that I found (and it works) looks like this:
diff --git a/source4/dsdb/common/util_trusts.c
b/source4/dsdb/common/util_trusts.c
index aea3720..be2b3d1 100644
--- a/source4/dsdb/common/util_trusts.c
+++ b/source4/dsdb/common/util_trusts.c
@@ -1052,8 +1052,9 @@ NTSTATUS dsdb_trust_xref_forest_info(TALLOC_CTX *mem_ctx,
                nc_dn = samdb_result_dn(sam_ctx, m, m, "nCName", NULL);
                if (nc_dn == NULL) {
                        DEBUG(4, ("dsdb_trust_xref_forest_info cross2
nCName as result dn not found\n"));
-                       TALLOC_FREE(frame);
-                       return NT_STATUS_INTERNAL_DB_CORRUPTION;
+                       //TALLOC_FREE(frame);
+                       //return NT_STATUS_INTERNAL_DB_CORRUPTION;
+                       continue;
                }

                status = dsdb_get_extended_dn_sid(nc_dn, &sid, "SID");
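Review bot: replacing `return NT_STATUS_INTERNAL_DB_CORRUPTION;` with `continue` silently drops every crossRef whose nCName cannot be resolved, so a domain such as OMSU just disappears from the trust routing table with nothing but a level-4 DEBUG line, and the commented-out `//TALLOC_FREE(frame);` / `//return NT_STATUS_INTERNAL_DB_CORRUPTION;` lines should be deleted rather than left in (Samba's coding guidelines in README.Coding ask for /* */ comments and no dead code). If this is to be more than a local workaround, at least log the DN of the skipped entry at a level an administrator will actually see, and keep it clearly marked as a workaround: as the text below the patch says, the real defect is that nCName is present in the Configuration partition but is not returned through the LDAP search, and skipping the entry masks that rather than fixing it.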

I want to fix it completely, but I don't understand yet why LDAP does not
return the nCName attribute, which exists in the Configuration partition.


PS: This is not the first or even the second time I have got this problem on a
large AD installation.

--
Sin (Sinelnikov Evgeny)
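The failure signature in the log.samba excerpts above (TGS-REQ, "does not have secrets at this KDC, need to proxy", "Failed building TGS-REP", then the connection torn down with "proxying requested when not RODC") is easy to watch for in bulk. The following is an added example written for this thread, not code from the post or from Samba: it scans a log excerpt for that sequence and correlates each failure back to the TGS-REQ that triggered it by client address. The sample lines are constructed after the excerpts in the post; the hidden principals are replaced by placeholder names (user1, user2) and the third request is an invented one that does not fail, so the scanner has something to ignore.

```python
"""Scan a log.samba excerpt for TGS requests the KDC refused because it wanted
to proxy them while not being an RODC. Added example for this thread; it is not
Samba code. SAMPLE_LOG is constructed after the excerpts in the post, with the
hidden principals replaced by placeholders."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = """\
[2017/10/03 17:52:06.314034,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ user1@ADM72.LOCAL from ipv4:10.142.170.14:52384 for cifs/samba-dc.adm72.local@ADM72.LOCAL [canonicalize]
[2017/10/03 17:52:06.316473,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: target  does not have secrets at this KDC, need to proxy
[2017/10/03 17:52:06.316570,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.142.170.14:52384
[2017/10/03 17:52:06.316651,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: proxying requested when not RODC'
[2017/10/07 16:43:28.774419,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ user1@ADM72.LOCAL from ipv4:10.142.170.24:59038 for cifs/samba-dc.adm72.local@ADM72.LOCAL [canonicalize]
[2017/10/07 16:43:28.776278,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: target cifs/samba-dc.adm72.local@ADM72.LOCAL does not have secrets at this KDC, need to proxy
[2017/10/07 16:43:28.776300,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.142.170.24:59038
[2017/10/07 16:43:28.776329,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: proxying requested when not RODC'
[2017/10/07 16:43:28.776345,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: proxying requested when not RODC]
[2017/10/07 16:50:00.000000,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ user2@ADM72.LOCAL from ipv4:10.142.170.30:40001 for host/other.adm72.local@ADM72.LOCAL [canonicalize]
"""

# Message shapes taken from the excerpts in the post. The "target" field is
# empty in the first excerpt, hence the optional group and optional space.
TGS_REQ = re.compile(r"Kerberos: TGS-REQ (\S+) from (\S+) for (\S+)")
NEED_PROXY = re.compile(
    r"Kerberos: target (\S*) ?does not have secrets at this KDC, need to proxy")
FAILED_REP = re.compile(r"Kerberos: Failed building TGS-REP to (\S+)")
NOT_RODC = "proxying requested when not RODC"


@dataclass
class ProxyFailure:
    client: str          # "ipv4:addr:port" of the requesting client
    principal: str       # client principal from the TGS-REQ line
    service: str         # service principal requested in the TGS-REQ
    target_logged: str   # target named in the "need to proxy" line (may be "")
    terminated: bool = False  # connection dropped with the not-RODC reason


def detect_proxy_failures(log_text: str) -> list[ProxyFailure]:
    """Return one ProxyFailure per TGS-REQ that ended in 'need to proxy' +
    'Failed building TGS-REP', correlated by client address."""
    last_req: dict[str, tuple[str, str]] = {}  # client addr -> (principal, service)
    pending_target: str | None = None
    failures: list[ProxyFailure] = []
    for line in log_text.splitlines():
        m = TGS_REQ.search(line)
        if m:
            last_req[m.group(2)] = (m.group(1), m.group(3))
            continue
        m = NEED_PROXY.search(line)
        if m:
            pending_target = m.group(1)
            continue
        m = FAILED_REP.search(line)
        if m and pending_target is not None:
            client = m.group(1)
            principal, service = last_req.get(client, ("<unknown>", "<unknown>"))
            failures.append(ProxyFailure(client, principal, service, pending_target))
            pending_target = None
            continue
        if NOT_RODC in line and failures:
            failures[-1].terminated = True
    return failures


def affected_services(failures: list[ProxyFailure]) -> dict[str, int]:
    """Count failures per requested service principal; a KDC that is not an
    RODC should never show any of these."""
    return dict(Counter(f.service for f in failures))


if __name__ == "__main__":
    for f in detect_proxy_failures(SAMPLE_LOG):
        print(f"{f.client}: {f.principal} -> {f.service} refused "
              f"(target logged as {f.target_logged!r}, terminated={f.terminated})")
    print(affected_services(detect_proxy_failures(SAMPLE_LOG)))
```

Run it against a real log.samba at log level 3 or higher; the third constructed request produces no entry, which is the behaviour a healthy writable DC should show for every request.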


Re: KDC does not work in a configuration with a trusted domain

On Mon, 9 Oct 2017 17:55:07 +0400
Evgeny Sinelnikov via samba-technical <[hidden email]>
wrote:

>
> # Local Data on Samba DC
> [root@samba-dc ~]# ldbsearch -k yes -H
> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust
> trustParent -d0 | grep -B1 -A2 'OMSU'
> # record 7
> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName:
> <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-17
> 29258221-3996020766>;DC=omsu,DC=adm72,DC=local dnsRoot:
> omsu.adm72.local nETBIOSName: OMSU
> trustParent:
> <GUID=251e4849-921f-4d28-ad6a-da8aa4348925>;CN=ADM72,CN=Partition
> s,CN=Configuration,DC=adm72,DC=local
>

I cannot really help with this, except to point out two things:

One: the above search is wrong; you should never search, or even
worse change something, in sam.ldb.d. This search on a DC should work:

ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust
trustParent -d0 | grep -B1 -A2 'OMSU'

It does for me:
ldbsearch -H /usr/local/samba/private/sam.ldb -b CN=Partitions,CN=Configuration,DC=samdom,DC=example,dc=com '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust trustParent -d0 | grep -B1 -A2 'SAMDOM'

# record 5
dn: CN=SAMDOM,CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com
nCName: DC=samdom,DC=example,DC=com
dnsRoot: samdom.example.com
nETBIOSName: SAMDOM

Which brings me to

Two: if 'nCName' isn't being returned, is it actually there? Have
you tried dumping the entire object?

Rowland


Re: KDC does not work in a configuration with a trusted domain

2017-10-09 21:53 GMT+04:00 Rowland Penny via samba-technical
<[hidden email]>:

> On Mon, 9 Oct 2017 17:55:07 +0400
> Evgeny Sinelnikov via samba-technical <[hidden email]>
> wrote:
>
>>
>> # Local Data on Samba DC
>> [root@samba-dc ~]# ldbsearch -k yes -H
>> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
>> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust
>> trustParent -d0 | grep -B1 -A2 'OMSU'
>> # record 7
>> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> nCName:
>> <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-17
>> 29258221-3996020766>;DC=omsu,DC=adm72,DC=local dnsRoot:
>> omsu.adm72.local nETBIOSName: OMSU
>> trustParent:
>> <GUID=251e4849-921f-4d28-ad6a-da8aa4348925>;CN=ADM72,CN=Partition
>> s,CN=Configuration,DC=adm72,DC=local
>>
>
> I cannot really help with this, except to point out two things:
>
> One: the above search is wrong, you should never search, or even
> worse change something, in sam.ldb.d. This search on a DC should work:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust
> trustParent -d0 | grep -B1 -A2 'OMSU'
>
> It does for me:
> ldbsearch -H /usr/local/samba/private/sam.ldb -b CN=Partitions,CN=Configuration,DC=samdom,DC=example,dc=com '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust trustParent -d0 | grep -B1 -A2 'SAMDOM'

This is not the right internal LDAP request. Try
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))',
please.


> # record 5
> dn: CN=SAMDOM,CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com
> nCName: DC=samdom,DC=example,DC=com
> dnsRoot: samdom.example.com
> nETBIOSName: SAMDOM
>
> Which brings me to
>
> Two: if 'nCName' isn't being returned, is it actually there ? Have
> you tried dumping the entire object.

I found a reproducible scenario for this problem:
https://bugzilla.samba.org/show_bug.cgi?id=13078

        ret = dsdb_search(sam_ctx, partitions_dn, &cross_res2,
                          partitions_dn, LDB_SCOPE_ONELEVEL,
                          cross_attrs2,
                          DSDB_SEARCH_SHOW_EXTENDED_DN,
                          "(&(objectClass=crossRef)"
                           "(systemFlags:%s:=%u))",
                          LDB_OID_COMPARATOR_AND,
                          SYSTEM_FLAG_CR_NTDS_DOMAIN);


# Samba DC
[user@samba-dc ~]$ ldbsearch -k yes -H ldap://samba-dc -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals


# Windows DC
[user@samba-dc ~]$ ldbsearch -k yes -H ldap://dc-resp142 -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=omsu,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals


# Internal request
[root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb.d/ -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags -d0
CN=CONFIGURATION,DC=ADM72,DC=LOCAL.ldb
DC=ADM72,DC=LOCAL.ldb
DC=FORESTDNSZONES,DC=ADM72,DC=LOCAL.ldb
CN=SCHEMA,CN=CONFIGURATION,DC=ADM72,DC=LOCAL.ldb
DC=DOMAINDNSZONES,DC=ADM72,DC=LOCAL.ldb           metadata.tdb
[root@samba-dc ~]# ldbsearch -H
/var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
-b CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=20f2eac9-426d-4003-b9c8-0f2737f982f9>;<SID=S-1-5-21-3196609985-6
 36931310-2637777318>;DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-17
 29258221-3996020766>;DC=omsu,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals


--
Sin (Sinelnikov Evgeny)
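The dsdb_search() call quoted above is the check that decides the whole thing: every crossRef with the NTDS_DOMAIN bit set in systemFlags must come back with an nCName, and dsdb_trust_xref_forest_info() then reads the SID out of the extended DN. The same check can be re-run offline on saved ldbsearch output, which makes it easy to compare what sam.ldb returns against what the Configuration partition file holds. This is an added example written for this thread, not Samba code: it parses ldbsearch's LDIF-style output (including the folded continuation lines that start with a space), applies the bit-AND test that the '(systemFlags:1.2.840.113556.1.4.803:=2)' filter performs, and reports every domain crossRef that lacks nCName. The two samples are the outputs posted in this thread. SYSTEM_FLAG_CR_NTDS_DOMAIN = 2 is confirmed by the filter in the post; the NC bit value (1) is from Samba's dsdb headers, not from the thread.

```python
"""Re-check crossRef objects under CN=Partitions the way
dsdb_trust_xref_forest_info() does, but offline on saved ldbsearch output.
Added example for this thread; it is not Samba's code. The samples below are
the ldbsearch outputs posted in the thread."""
from __future__ import annotations

import re

# crossRef systemFlags bits as Samba's dsdb code names them. The thread's
# filter '(systemFlags:1.2.840.113556.1.4.803:=2)' is the LDAP bit-AND
# matching rule applied to the DOMAIN bit. The NC bit is from Samba's headers.
SYSTEM_FLAG_CR_NTDS_NC = 0x1
SYSTEM_FLAG_CR_NTDS_DOMAIN = 0x2

# Output of the query against sam.ldb: nCName is missing for OMSU.
SAMPLE_SAM_LDB = """\
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals
"""

# Same query straight against the Configuration partition file: nCName is
# present for both, in extended-DN form, wrapped as ldbsearch printed it.
SAMPLE_PARTITION_LDB = """\
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=20f2eac9-426d-4003-b9c8-0f2737f982f9>;<SID=S-1-5-21-3196609985-6
 36931310-2637777318>;DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-17
 29258221-3996020766>;DC=omsu,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals
"""

EXT_COMPONENT = re.compile(r"<(\w+)=([^>]*)>;")


def parse_ldbsearch(text: str) -> list[dict[str, list[str]]]:
    """Parse ldbsearch output: '#' comment lines, blank-line record separators,
    and LDIF folding (a continuation line starts with one space)."""
    logical: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold: drop the single leading space
        else:
            logical.append(raw)
    records: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def split_extended_dn(value: str) -> tuple[dict[str, str], str]:
    """Split '<GUID=...>;<SID=...>;DC=...' into its components and the plain
    DN, which is what dsdb_get_extended_dn_sid(nc_dn, &sid, "SID") reads."""
    components: dict[str, str] = {}
    rest = value
    while (m := EXT_COMPONENT.match(rest)):
        components[m.group(1)] = m.group(2)
        rest = rest[m.end():]
    return components, rest


def check_cross_refs(records: list[dict[str, list[str]]]) -> dict[str, list[str]]:
    """Classify each crossRef. A DN under 'missing_ncname' is exactly the case
    in which dsdb_trust_xref_forest_info() gives up with
    NT_STATUS_INTERNAL_DB_CORRUPTION."""
    result: dict[str, list[str]] = {"ok": [], "missing_ncname": [], "skipped": []}
    for rec in records:
        dn = rec.get("dn", ["?"])[0]
        flags = int(rec.get("systemFlags", ["0"])[0])
        if not flags & SYSTEM_FLAG_CR_NTDS_DOMAIN:
            result["skipped"].append(dn)    # not a domain crossRef; filter drops it
        elif "nCName" not in rec:
            result["missing_ncname"].append(dn)
        else:
            result["ok"].append(dn)
    return result


def domain_sids(records: list[dict[str, list[str]]]) -> dict[str, str | None]:
    """SID from the nCName extended DN of every domain crossRef, or None when
    nCName is absent or came back as a plain DN without a <SID=...> part."""
    out: dict[str, str | None] = {}
    for rec in records:
        if int(rec.get("systemFlags", ["0"])[0]) & SYSTEM_FLAG_CR_NTDS_DOMAIN:
            nc = rec.get("nCName")
            out[rec["dn"][0]] = split_extended_dn(nc[0])[0].get("SID") if nc else None
    return out


if __name__ == "__main__":
    for name, sample in (("sam.ldb", SAMPLE_SAM_LDB), ("partition", SAMPLE_PARTITION_LDB)):
        recs = parse_ldbsearch(sample)
        print(name, check_cross_refs(recs), domain_sids(recs))
```

Feed it the output of the ldbsearch commands from the post (with -d0, so only the records are printed) and any DN that lands in missing_ncname is the entry that makes the KDC refuse every TGS request; running it against both the sam.ldb view and the partition file shows, as in the thread, whether the attribute is really absent or only lost on the way through the sam.ldb search path.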


Re: KDC does not work in a configuration with a trusted domain

2017-10-10 3:28 GMT+04:00 Evgeny Sinelnikov <[hidden email]>:

> 2017-10-09 21:53 GMT+04:00 Rowland Penny via samba-technical
> <[hidden email]>:
>> On Mon, 9 Oct 2017 17:55:07 +0400
>> Evgeny Sinelnikov via samba-technical <[hidden email]>
>> wrote:
>>
>>>
>>> # Local Data on Samba DC
>>> [root@samba-dc ~]# ldbsearch -k yes -H
>>> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
>>> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>> '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust
>>> trustParent -d0 | grep -B1 -A2 'OMSU'
>>> # record 7
>>> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>> nCName:
>>> <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-17
>>> 29258221-3996020766>;DC=omsu,DC=adm72,DC=local dnsRoot:
>>> omsu.adm72.local nETBIOSName: OMSU
>>> trustParent:
>>> <GUID=251e4849-921f-4d28-ad6a-da8aa4348925>;CN=ADM72,CN=Partition
>>> s,CN=Configuration,DC=adm72,DC=local
>>>
>>
>> I cannot really help with this, except to point out two things:
>>
>> One: the above search is wrong, you should never search, or even
>> worse change something, in sam.ldb.d. This search on a DC should work:
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust
>> trustParent -d0 | grep -B1 -A2 'OMSU'
>>
>> It does for me:
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b CN=Partitions,CN=Configuration,DC=samdom,DC=example,dc=com '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust trustParent -d0 | grep -B1 -A2 'SAMDOM'
>
> This is not right internal LDAP request. Try
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))',
> please.
>
>
>> # record 5
>> dn: CN=SAMDOM,CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com
>> nCName: DC=samdom,DC=example,DC=com
>> dnsRoot: samdom.example.com
>> nETBIOSName: SAMDOM
>>
>> Which brings me to
>>
>> Two: if 'nCName' isn't being returned, is it actually there ? Have
>> you tried dumping the entire object.
>
> I found reproducible scenario for this problem:
> https://bugzilla.samba.org/show_bug.cgi?id=13078
>
>         ret = dsdb_search(sam_ctx, partitions_dn, &cross_res2,
>                           partitions_dn, LDB_SCOPE_ONELEVEL,
>                           cross_attrs2,
>                           DSDB_SEARCH_SHOW_EXTENDED_DN,
>                           "(&(objectClass=crossRef)"
>                            "(systemFlags:%s:=%u))",
>                           LDB_OID_COMPARATOR_AND,
>                           SYSTEM_FLAG_CR_NTDS_DOMAIN);
>
>
> # Samba DC
> [user@samba-dc ~]$ ldbsearch -k yes -H ldap://samba-dc -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> nCName systemFlags -d0
> # record 1
> dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName: DC=adm72,DC=local
> systemFlags: 3
>
> # record 2
> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> systemFlags: 3
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>
>
> # WIndows DC
> [user@samba-dc ~]$ ldbsearch -k yes -H ldap://dc-resp142 -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> nCName systemFlags -d0
> # record 1
> dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName: DC=adm72,DC=local
> systemFlags: 3
>
> # record 2
> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName: DC=omsu,DC=adm72,DC=local
> systemFlags: 3
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>
>
> # Internal request
> [root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb.d/ -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> nCName systemFlags -d0
> CN=CONFIGURATION,DC=ADM72,DC=LOCAL.ldb
> DC=ADM72,DC=LOCAL.ldb
> DC=FORESTDNSZONES,DC=ADM72,DC=LOCAL.ldb
> CN=SCHEMA,CN=CONFIGURATION,DC=ADM72,DC=LOCAL.ldb
> DC=DOMAINDNSZONES,DC=ADM72,DC=LOCAL.ldb           metadata.tdb
> [root@samba-dc ~]# ldbsearch -H
> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> nCName systemFlags -d0
> # record 1
> dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName: <GUID=20f2eac9-426d-4003-b9c8-0f2737f982f9>;<SID=S-1-5-21-3196609985-6
>  36931310-2637777318>;DC=adm72,DC=local
> systemFlags: 3
>
> # record 2
> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName: <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-17
>  29258221-3996020766>;DC=omsu,DC=adm72,DC=local
> systemFlags: 3
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>

Something interesting: I found an ldb request that reproduces this problem
without the server:

[root@samba-dc ~]# ldbsearch -H
/var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
-b CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=20f2eac9-426d-4003-b9c8-0f2737f982f9>;<SID=S-1-5-21-3196609985-6
 36931310-2637777318>;DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-17
 29258221-3996020766>;DC=omsu,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals

[root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals





--
Sin (Sinelnikov Evgeny)


Re: KDC not works in configuration with trusted domain

Samba - samba-technical mailing list
On Wed, 11 Oct 2017 00:18:33 +0400
Evgeny Sinelnikov <[hidden email]> wrote:

>
> Something interesting: I found an ldb request that reproduces this problem
> without the server:
>
> [root@samba-dc ~]# ldbsearch -H
> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> nCName systemFlags -d0

I repeat, as you seem to have missed it, do not search in or alter
anything in sam.ldb.d, only search in sam.ldb. If a record isn't found
and you think it should exist, use '--cross-ncs' with the ldb tool.

Rowland


Re: KDC not works in configuration with trusted domain

Samba - samba-technical mailing list
2017-10-11 0:28 GMT+04:00 Rowland Penny via samba-technical
<[hidden email]>:

> On Wed, 11 Oct 2017 00:18:33 +0400
> Evgeny Sinelnikov <[hidden email]> wrote:
>
>>
>> Something interesting: I found an ldb request that reproduces this problem
>> without the server:
>>
>> [root@samba-dc ~]# ldbsearch -H
>> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
>> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
>> nCName systemFlags -d0
>
> I repeat, as you seem to have missed it, do not search in or alter
> anything in sam.ldb.d, only search in sam.ldb. If a record isn't found
> and you think it should exist, use '--cross-ncs' with the ldb tool.
>

[root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags --cross-ncs -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals

No result with --cross-ncs. But it exists in
sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb. And it must be
there, as I understand.


--
Sin (Sinelnikov Evgeny)


Re: KDC not works in configuration with trusted domain

Samba - samba-technical mailing list
2017-10-11 0:49 GMT+04:00 Evgeny Sinelnikov <[hidden email]>:

> 2017-10-11 0:28 GMT+04:00 Rowland Penny via samba-technical
> <[hidden email]>:
>> On Wed, 11 Oct 2017 00:18:33 +0400
>> Evgeny Sinelnikov <[hidden email]> wrote:
>>
>>>
>>> Something interesting: I found an ldb request that reproduces this problem
>>> without the server:
>>>
>>> [root@samba-dc ~]# ldbsearch -H
>>> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
>>> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
>>> nCName systemFlags -d0
>>
>> I repeat, as you seem to have missed it, do not search in or alter
>> anything in sam.ldb.d, only search in sam.ldb. If a record isn't found
>> and you think it should exist, use '--cross-ncs' with the ldb tool.
>>
>
> [root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> nCName systemFlags --cross-ncs -d0
> # record 1
> dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName: DC=adm72,DC=local
> systemFlags: 3
>
> # record 2
> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> systemFlags: 3
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>
> No result with --cross-ncs. But it exists in
> sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb. And it must be
> there, as I understand.


If the 'nCName' attribute did not exist, this request would not return record 2:

[root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)(nCName=*))'
nCName systemFlags --cross-ncs -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals


--
Sin (Sinelnikov Evgeny)


Re: KDC not works in configuration with trusted domain

Samba - samba-technical mailing list
On Wed, 11 Oct 2017 00:57:38 +0400
Evgeny Sinelnikov <[hidden email]> wrote:

> 2017-10-11 0:49 GMT+04:00 Evgeny Sinelnikov <[hidden email]>:
> > 2017-10-11 0:28 GMT+04:00 Rowland Penny via samba-technical
> > <[hidden email]>:
> >> On Wed, 11 Oct 2017 00:18:33 +0400
> >> Evgeny Sinelnikov <[hidden email]> wrote:
> >>
> >>>
> >>> Something interesting: I found an ldb request that reproduces this
> >>> problem without the server:
> >>>
> >>> [root@samba-dc ~]# ldbsearch -H
> >>> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
> >>> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
> >>> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> >>> nCName systemFlags -d0
> >>
> >> I repeat, as you seem to have missed it, do not search in or alter
> >> anything in sam.ldb.d, only search in sam.ldb. If a record isn't
> >> found and you think it should exist, use '--cross-ncs' with the
> >> ldb tool.
> >>
> >
> > [root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> > CN=Partitions,CN=Configuration,DC=adm72,DC=local
> > '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> > nCName systemFlags --cross-ncs -d0
> > # record 1
> > dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> > nCName: DC=adm72,DC=local
> > systemFlags: 3
> >
> > # record 2
> > dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> > systemFlags: 3
> >
> > # returned 2 records
> > # 2 entries
> > # 0 referrals
> >
> > No result with --cross-ncs. But it exists in
> > sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb. And it must
> > be there, as I understand.

Yes, it should be in both, but you shouldn't search in and you
definitely must not alter anything in sam.ldb.d
 
>
>
> If the 'nCName' attribute did not exist, this request would not return
> record 2:
>
> [root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)(nCName=*))'
> nCName systemFlags --cross-ncs -d0

1.2.840.113556.1.4.803:=2 means only enabled accounts, so I don't think
this has anything to do with your problem.

> # record 1
> dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName: DC=adm72,DC=local
> systemFlags: 3
>
> # record 2
> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> systemFlags: 3
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>

Have you tried dumping the entire object:

ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(cn=omsu))'

Rowland



Re: KDC not works in configuration with trusted domain

Samba - samba-technical mailing list
2017-10-11 1:22 GMT+04:00 Rowland Penny via samba-technical
<[hidden email]>:

> On Wed, 11 Oct 2017 00:57:38 +0400
> Evgeny Sinelnikov <[hidden email]> wrote:
>
>> 2017-10-11 0:49 GMT+04:00 Evgeny Sinelnikov <[hidden email]>:
>> > 2017-10-11 0:28 GMT+04:00 Rowland Penny via samba-technical
>> > <[hidden email]>:
>> >> On Wed, 11 Oct 2017 00:18:33 +0400
>> >> Evgeny Sinelnikov <[hidden email]> wrote:
>> >>
>> >>>
>> >>> Something interesting: I found an ldb request that reproduces this
>> >>> problem without the server:
>> >>>
>> >>> [root@samba-dc ~]# ldbsearch -H
>> >>> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
>> >>> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> >>> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
>> >>> nCName systemFlags -d0
>> >>
>> >> I repeat, as you seem to have missed it, do not search in or alter
>> >> anything in sam.ldb.d, only search in sam.ldb. If a record isn't
>> >> found and you think it should exist, use '--cross-ncs' with the
>> >> ldb tool.
>> >>
>> >
>> > [root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> > CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> > '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
>> > nCName systemFlags --cross-ncs -d0
>> > # record 1
>> > dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> > nCName: DC=adm72,DC=local
>> > systemFlags: 3
>> >
>> > # record 2
>> > dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> > systemFlags: 3
>> >
>> > # returned 2 records
>> > # 2 entries
>> > # 0 referrals
>> >
>> > No result with --cross-ncs. But it exists in
>> > sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb. And it must
>> > be there, as I understand.
>
> Yes, it should be in both, but you shouldn't search in and you
> definitely must not alter anything in sam.ldb.d
>
>>
>>
>> If the 'nCName' attribute did not exist, this request would not return
>> record 2:
>>
>> [root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)(nCName=*))'
>> nCName systemFlags --cross-ncs -d0
>
> 1.2.840.113556.1.4.803:=2 means only enabled accounts, so I don't think
> this has anything to do with your problem.

This is from original request:

        ret = dsdb_search(sam_ctx, partitions_dn, &cross_res2,
                          partitions_dn, LDB_SCOPE_ONELEVEL,
                          cross_attrs2,
                          DSDB_SEARCH_SHOW_EXTENDED_DN,
                          "(&(objectClass=crossRef)"
                           "(systemFlags:%s:=%u))",
                          LDB_OID_COMPARATOR_AND,
                          SYSTEM_FLAG_CR_NTDS_DOMAIN);

[sin@tor samba.git]$ git grep "define LDB_OID_COMPARATOR_AND" | cat
lib/ldb/include/ldb.h:#define LDB_OID_COMPARATOR_AND  "1.2.840.113556.1.4.803"

[sin@tor samba.git]$ git grep "define SYSTEM_FLAG_CR_NTDS_DOMAIN" | cat
libds/common/flags.h:#define SYSTEM_FLAG_CR_NTDS_DOMAIN         0x00000002

>> # record 1
>> dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> nCName: DC=adm72,DC=local
>> systemFlags: 3
>>
>> # record 2
>> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> systemFlags: 3
>>
>> # returned 2 records
>> # 2 entries
>> # 0 referrals
>>
>
> Have you tried dumping the entire object:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(cn=omsu))'
>

I did it this time:

[root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(cn=omsu))' -d0
# record 1
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectClass: top
objectClass: crossRef
cn: OMSU
instanceType: 4
whenCreated: 20130214104456.0Z
whenChanged: 20130214110622.0Z
uSNCreated: 9696
uSNChanged: 9696
showInAdvancedViewOnly: TRUE
name: OMSU
objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
dnsRoot: omsu.adm72.local
nETBIOSName: OMSU
nTMixedDomain: 0
systemFlags: 3
trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectCategory: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=adm72,DC=local
msDS-Behavior-Version: 3
distinguishedName: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local

# returned 1 records
# 1 entries
# 0 referrals


[root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local -d0 -a
>adm72.ldif
[root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local -d0 -a
>omsu.ldif
[root@samba-dc ~]# diff -u adm72.ldif omsu.ldif
--- adm72.ldif 2017-10-11 02:02:06.821930205 +0500
+++ omsu.ldif   2017-10-11 02:02:38.394928323 +0500
@@ -1,25 +1,24 @@
 # record 1
-dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
+dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
 objectClass: top
 objectClass: crossRef
-cn: ADM72
+cn: OMSU
 instanceType: 4
-whenCreated: 20081225063010.0Z
-whenChanged: 20141015073249.0Z
-nCName: DC=adm72,DC=local
-uSNCreated: 9920
-objectVersion: 2
-uSNChanged: 9920
+whenCreated: 20130214104456.0Z
+whenChanged: 20130214110622.0Z
+uSNCreated: 9696
+uSNChanged: 9696
 showInAdvancedViewOnly: TRUE
-name: ADM72
-objectGUID: 251e4849-921f-4d28-ad6a-da8aa4348925
-dnsRoot: adm72.local
-nETBIOSName: ADM72
+name: OMSU
+objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
+dnsRoot: omsu.adm72.local
+nETBIOSName: OMSU
 nTMixedDomain: 0
 systemFlags: 3
+trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
 objectCategory: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=adm72,DC=local
 msDS-Behavior-Version: 3
-distinguishedName: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
+distinguishedName: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local

 # returned 1 records
 # 1 entries
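Review bot: the discrepancy to chase in this hunk is the absent '+nCName' on the OMSU side: ADM72 loses '-nCName: DC=adm72,DC=local' and no counterpart is added for OMSU, while the only attribute OMSU gains is '+trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local', which a child-domain crossRef is expected to carry. The earlier search of the CN=CONFIGURATION partition file did return an nCName for CN=OMSU, so the value is present on disk and is lost somewhere between the partition and the sam.ldb reply; objectVersion is missing on the OMSU side as well, but nothing in the thread depends on it.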



--
Sin (Sinelnikov Evgeny)


Re: KDC not works in configuration with trusted domain

Samba - samba-technical mailing list
On Wed, 11 Oct 2017 01:33:33 +0400
Evgeny Sinelnikov <[hidden email]> wrote:

> > Have you tried dumping the entire object:
> >
> > ldbsearch -H /var/lib/samba/private/sam.ldb -b
> > CN=Partitions,CN=Configuration,DC=adm72,DC=local
> > '(&(objectClass=crossRef)(cn=omsu))'
> >
>
> I did it this time:
>
> [root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(cn=omsu))' -d0
> # record 1
> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> objectClass: top
> objectClass: crossRef
> cn: OMSU
> instanceType: 4
> whenCreated: 20130214104456.0Z
> whenChanged: 20130214110622.0Z
> uSNCreated: 9696
> uSNChanged: 9696
> showInAdvancedViewOnly: TRUE
> name: OMSU
> objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
> dnsRoot: omsu.adm72.local
> nETBIOSName: OMSU
> nTMixedDomain: 0
> systemFlags: 3
> trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> objectCategory:
> CN=Cross-Ref,CN=Schema,CN=Configuration,DC=adm72,DC=local
> msDS-Behavior-Version: 3 distinguishedName:
> CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>

Well, it is obvious now why you aren't getting 'nCName' returned, it
isn't there.

Rowland
 


Re: KDC not works in configuration with trusted domain

Samba - samba-technical mailing list
2017-10-11 11:59 GMT+04:00 Rowland Penny via samba-technical
<[hidden email]>:

> On Wed, 11 Oct 2017 01:33:33 +0400
> Evgeny Sinelnikov <[hidden email]> wrote:
>
>> > Have you tried dumping the entire object:
>> >
>> > ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> > CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> > '(&(objectClass=crossRef)(cn=omsu))'
>> >
>>
>> I did it this time:
>>
>> [root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> '(&(objectClass=crossRef)(cn=omsu))' -d0
>> # record 1
>> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> objectClass: top
>> objectClass: crossRef
>> cn: OMSU
>> instanceType: 4
>> whenCreated: 20130214104456.0Z
>> whenChanged: 20130214110622.0Z
>> uSNCreated: 9696
>> uSNChanged: 9696
>> showInAdvancedViewOnly: TRUE
>> name: OMSU
>> objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
>> dnsRoot: omsu.adm72.local
>> nETBIOSName: OMSU
>> nTMixedDomain: 0
>> systemFlags: 3
>> trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> objectCategory:
>> CN=Cross-Ref,CN=Schema,CN=Configuration,DC=adm72,DC=local
>> msDS-Behavior-Version: 3 distinguishedName:
>> CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>
>
> Well, it is obvious now why you aren't getting 'nCName' returned, it
> isn't there.

I don't understand why you think so...

1) The data for CN=Configuration,DC=adm72,DC=local is kept in a separate
partition, and it's there.
2) This attribute was replicated from the original DC, where it exists.
3) The same request to the original DC works.
4) The explicit request
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)(nCName=*))'
should return the object only if the 'nCName' attribute exists.

It looks like a bug in dsdb/ldb.


--
Sin (Sinelnikov Evgeny)
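
The filter semantics argued over in the last few messages, as an added worked example (editor's code, not Samba's and not from this thread). 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: it matches when every bit of the given mask is set in the integer attribute, so systemFlags=3 matches :=2 regardless of object class; its sibling 1.2.840.113556.1.4.804 is the bitwise OR. The script evaluates the thread's filter against two entries constructed from the partition-level ldbsearch output above, then passes the result through a step modelled on Samba's extended_dn_out module, which strips a one-way link value (nCName has no backlink) whose target naming context is not held on this DC unless the LDB_CONTROL_REVEAL_INTERNALS control was sent. Because the filter is evaluated against the stored entry, (nCName=*) matches and yet the returned entry carries no nCName. The entries, the list of local naming contexts and the set of one-way link attributes are assumptions constructed from this thread.

```python
"""Added example for this thread (not Samba code): an LDAP filter evaluator
with the bitwise matching rules, run over two crossRef entries constructed from
the ldbsearch output above, then an output step modelled on extended_dn_out."""
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # LDB_OID_COMPARATOR_AND
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # LDB_OID_COMPARATOR_OR
SYSTEM_FLAG_CR_NTDS_DOMAIN = 0x2

# Constructed: both crossRefs as stored in the configuration partition, where
# both carry nCName (the SID component of the extended DN is omitted here).
STORED = {
    "CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local": {
        "objectClass": ["top", "crossRef"], "systemFlags": ["3"],
        "nCName": ["<GUID=20f2eac9-426d-4003-b9c8-0f2737f982f9>;DC=adm72,DC=local"]},
    "CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local": {
        "objectClass": ["top", "crossRef"], "systemFlags": ["3"],
        "nCName": ["<GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;DC=omsu,DC=adm72,DC=local"]},
}
# Constructed from the sam.ldb.d listing: naming contexts this DC holds; the
# child domain DC=omsu,DC=adm72,DC=local is not among them.
LOCAL_NCS = {"DC=adm72,DC=local", "CN=Configuration,DC=adm72,DC=local",
             "CN=Schema,CN=Configuration,DC=adm72,DC=local",
             "DC=DomainDnsZones,DC=adm72,DC=local", "DC=ForestDnsZones,DC=adm72,DC=local"}
ONE_WAY_LINK_ATTRS = {"ncname"}  # assumption: the only one-way DN link modelled


def parse_filter(text, pos=0):
    """RFC 4515 subset: &, |, equality, presence (a=*), extensible (a:oid:=v)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, pos, subs = text[pos], pos + 1, []
        while text[pos] == "(":
            node, pos = parse_filter(text, pos)
            subs.append(node)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, subs), pos + 1
    end = text.index(")", pos)
    m = re.fullmatch(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)", text[pos:end])
    if m is None:
        raise ValueError("bad filter item %r" % text[pos:end])
    attr, rule, value = m.groups()
    return ("item", (attr.lower(), rule, value)), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names are case-insensitive)."""
    kind, arg = node
    if kind == "&":
        return all(matches(n, entry) for n in arg)
    if kind == "|":
        return any(matches(n, entry) for n in arg)
    attr, rule, value = arg
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    if rule is None:
        return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)
    mask = int(value)
    if rule == LDAP_MATCHING_RULE_BIT_AND:  # every bit of the mask must be set
        return any(int(v) & mask == mask for v in values)
    if rule == LDAP_MATCHING_RULE_BIT_OR:   # at least one bit of the mask is set
        return any(int(v) & mask for v in values)
    raise ValueError("unsupported matching rule " + rule)


def search(entries, filter_text, attrs=None):
    """Storage-level search: the filter sees each entry exactly as stored."""
    node, _ = parse_filter(filter_text)
    wanted = None if attrs is None else {a.lower() for a in attrs}
    return {dn: {k: v for k, v in e.items() if wanted is None or k.lower() in wanted}
            for dn, e in entries.items() if matches(node, e)}


def plain_dn(extended_dn):
    """Drop the <GUID=...>;<SID=...>; components of an extended DN."""
    return extended_dn.rsplit(";", 1)[-1]


def extended_dn_out(result, local_ncs, reveal_internals=False):
    """Modelled on Samba's extended_dn_out: after the filter has matched, a one-way
    link value whose target is not held on this DC is dropped from the reply
    unless LDB_CONTROL_REVEAL_INTERNALS was requested."""
    held = {dn.lower() for dn in local_ncs}
    reply = {}
    for dn, entry in result.items():
        out = {}
        for attr, values in entry.items():
            if attr.lower() in ONE_WAY_LINK_ATTRS and not reveal_internals:
                values = [v for v in values if plain_dn(v).lower() in held]
                if not values:
                    continue  # whole element dropped, as in the OMSU record above
            out[attr] = values
        reply[dn] = out
    return reply


def run(reveal_internals=False):
    """The thread's filter, nCName=* term included, from storage to reply."""
    flt = "(&(objectClass=crossRef)(systemFlags:%s:=%d)(nCName=*))" % (
        LDAP_MATCHING_RULE_BIT_AND, SYSTEM_FLAG_CR_NTDS_DOMAIN)
    return extended_dn_out(search(STORED, flt, ["nCName", "systemFlags"]),
                           LOCAL_NCS, reveal_internals)
```

run() returns both crossRefs with systemFlags, but nCName only on the ADM72 record; run(reveal_internals=True) keeps the OMSU value, which is the path dbcheck uses to find orphaned links. Swapping the matching rule OID shows the difference between the two bitwise rules: :=4 under 803 matches nothing because bit 2 is clear in systemFlags 3, while :=5 under 804 matches both because bit 0 is set.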


Re: KDC not works in configuration with trusted domain

Samba - samba-technical mailing list
On Wed, 11 Oct 2017 22:08:47 +0400
Evgeny Sinelnikov <[hidden email]> wrote:

> 2017-10-11 11:59 GMT+04:00 Rowland Penny via samba-technical
> <[hidden email]>:
> > On Wed, 11 Oct 2017 01:33:33 +0400
> > Evgeny Sinelnikov <[hidden email]> wrote:
> >
> >> > Have you tried dumping the entire object:
> >> >
> >> > ldbsearch -H /var/lib/samba/private/sam.ldb -b
> >> > CN=Partitions,CN=Configuration,DC=adm72,DC=local
> >> > '(&(objectClass=crossRef)(cn=omsu))'
> >> >
> >>
> >> I did it this time:
> >>
> >> [root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> >> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> >> '(&(objectClass=crossRef)(cn=omsu))' -d0
> >> # record 1
> >> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> >> objectClass: top
> >> objectClass: crossRef
> >> cn: OMSU
> >> instanceType: 4
> >> whenCreated: 20130214104456.0Z
> >> whenChanged: 20130214110622.0Z
> >> uSNCreated: 9696
> >> uSNChanged: 9696
> >> showInAdvancedViewOnly: TRUE
> >> name: OMSU
> >> objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
> >> dnsRoot: omsu.adm72.local
> >> nETBIOSName: OMSU
> >> nTMixedDomain: 0
> >> systemFlags: 3
> >> trustParent:
> >> CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> >> objectCategory:
> >> CN=Cross-Ref,CN=Schema,CN=Configuration,DC=adm72,DC=local
> >> msDS-Behavior-Version: 3 distinguishedName:
> >> CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> >>
> >
> > Well, it is obvious now why you aren't getting 'nCName' returned, it
> > isn't there.
>
> I don't understand why you think so...
>
> 1) The data for CN=Configuration,DC=adm72,DC=local is kept in a separate
> partition, and it's there.

Yes it seems that it is, BUT it isn't in sam.ldb and this is where you
should be checking for it, you can damage your database by messing with
the files in sam.ldb.d.
 
> 2) This attribute was replicated from the original DC, where it exists.

> 3) The same request to the original DC works.
> 4) The explicit request
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)(nCName=*))'
> should return the object only if the 'nCName' attribute exists.
>
> It looks like a bug in dsdb/ldb.
>

No, it looks like you have a problem in the database, try running
'samba-tool dbcheck'

Rowland




Re: KDC not works in configuration with trusted domain

Samba - samba-technical mailing list
2017-10-11 22:21 GMT+04:00 Rowland Penny via samba-technical
<[hidden email]>:

> On Wed, 11 Oct 2017 22:08:47 +0400
> Evgeny Sinelnikov <[hidden email]> wrote:
>
>> 2017-10-11 11:59 GMT+04:00 Rowland Penny via samba-technical
>> <[hidden email]>:
>> > On Wed, 11 Oct 2017 01:33:33 +0400
>> > Evgeny Sinelnikov <[hidden email]> wrote:
>> >
>> >> > Have you tried dumping the entire object:
>> >> >
>> >> > ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> >> > CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> >> > '(&(objectClass=crossRef)(cn=omsu))'
>> >> >
>> >>
>> >> I did it this time:
>> >>
>> >> [root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> >> CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> >> '(&(objectClass=crossRef)(cn=omsu))' -d0
>> >> # record 1
>> >> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> >> objectClass: top
>> >> objectClass: crossRef
>> >> cn: OMSU
>> >> instanceType: 4
>> >> whenCreated: 20130214104456.0Z
>> >> whenChanged: 20130214110622.0Z
>> >> uSNCreated: 9696
>> >> uSNChanged: 9696
>> >> showInAdvancedViewOnly: TRUE
>> >> name: OMSU
>> >> objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
>> >> dnsRoot: omsu.adm72.local
>> >> nETBIOSName: OMSU
>> >> nTMixedDomain: 0
>> >> systemFlags: 3
>> >> trustParent:
>> >> CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> >> objectCategory:
>> >> CN=Cross-Ref,CN=Schema,CN=Configuration,DC=adm72,DC=local
>> >> msDS-Behavior-Version: 3 distinguishedName:
>> >> CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> >>
>> >
>> > Well, it is obvious now why you aren't getting 'nCName' returned, it
>> > isn't there.
>>
>> I don't understand why you think so...
>>
>> 1) The data for CN=Configuration,DC=adm72,DC=local is kept in a separate
>> partition, and it's there.
>
> Yes it seems that it is, BUT it isn't in sam.ldb and this is where you
> should be checking for it, you can damage your database by messing with
> the files in sam.ldb.d.

It is a problem in the replicated DC database after joining the domain,
reproduced on various large AD installations. I didn't touch any files
in sam.ldb.d before I saw the problem in the logs.


>> 2) This attribute was replicated from the original DC, where it exists.
>
>> 3) The same request to the original DC works.
>> 4) The explicit request
>> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)(nCName=*))'
>> should return the object only if the 'nCName' attribute exists.
>>
>> It looks like a bug in dsdb/ldb.
>>
>
> No, it looks like you have a problem in the database, try running
> 'samba-tool dbcheck'

Ok, thank you. I'll try it on backed-up data.

This time I found something interesting with a trace:

[root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags objectGUID -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=adm72,DC=local
objectGUID: 251e4849-921f-4d28-ad6a-da8aa4348925
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals


[root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags objectGUID -d0 --trace
[...]
partition_request() -> (metadata partition)
ldb_trace_next_request: (tdb)->search
Added timed event "ltdb_callback": 0x7f7a60

Added timed event "ltdb_timeout": 0x79c1d0

Destroying timer event 0x1560f80 "ltdb_timeout"

Ending timer event 0x1922a60 "ltdb_callback"

Running timer event 0x7f7a60 "ltdb_callback"

Destroying timer event 0x79c1d0 "ltdb_timeout"

Ending timer event 0x7f7a60 "ltdb_callback"

ldb_asprintf/set_errstring: dsdb_module_search_tree at
../source4/dsdb/samdb/ldb_modules/util.c:180
ldb_trace_response: ENTRY
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
systemFlags: 3



# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
systemFlags: 3

ldb_trace_response: DONE
error: 0
msg: dsdb_module_search_tree at ../source4/dsdb/samdb/ldb_modules/util.c:180

Destroying timer event 0x16d7d50 "ltdb_timeout"

Ending timer event 0x1d50e10 "ltdb_callback"

# returned 2 records
# 2 entries
# 0 referrals


______________________

What does this strange output mean: "msg: dsdb_module_search_tree at
../source4/dsdb/samdb/ldb_modules/util.c:180"?

That looks like an old problem:

commit 0b4d3db42d472788c30054d41acc1ad0dc8aefee
Author: Stefan Metzmacher <[hidden email]>
Date:   Thu Jan 14 11:50:56 2016 +0100

    s4:dsdb/ldb_modules: make it possible to find a reason for
LDB_ERR_NO_SUCH_OBJECT in util.c

    Signed-off-by: Stefan Metzmacher <[hidden email]>
    Reviewed-by: Volker Lendecke <[hidden email]>

diff --git a/source4/dsdb/samdb/ldb_modules/util.c
b/source4/dsdb/samdb/ldb_modules/util.c
index 1455760..5f995de 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -177,8 +177,7 @@ int dsdb_module_search_tree(struct ldb_module *module,
        if (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
                if (res->count == 0) {
                        talloc_free(tmp_ctx);
-                       ldb_reset_err_string(ldb_module_get_ctx(module));
-                       return LDB_ERR_NO_SUCH_OBJECT;
+                       return ldb_error(ldb_module_get_ctx(module),
LDB_ERR_NO_SUCH_OBJECT, __func__);
                }
                if (res->count != 1) {
                        talloc_free(tmp_ctx);
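Review bot: the error string set here outlives the error, because ldb_error() stores the text in the ldb context and nothing clears it when a caller treats LDB_ERR_NO_SUCH_OBJECT as non-fatal and continues; the trace further up shows the result, a successful reply ('error: 0') still carrying 'msg: dsdb_module_search_tree at ../source4/dsdb/samdb/ldb_modules/util.c:180'. Replacing the old ldb_reset_err_string() with a bare __func__ also says nothing about which lookup came up empty; consider formatting the search base DN and filter into the message with ldb_asprintf_errstring() so that a stale string at least identifies the search that produced it.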
@@ -279,7 +278,7 @@ int dsdb_module_dn_by_guid(struct ldb_module
*module, TALLOC_CTX *mem_ctx,
        }
        if (res->count == 0) {
                talloc_free(tmp_ctx);
-               return LDB_ERR_NO_SUCH_OBJECT;
+               return ldb_error(ldb_module_get_ctx(module),
LDB_ERR_NO_SUCH_OBJECT, __func__);
        }
        if (res->count != 1) {
                ldb_asprintf_errstring(ldb_module_get_ctx(module),
"More than one object found matching objectGUID %s\n",
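Review bot: the count == 0 branch now reports only __func__, while the count != 1 branch immediately below formats the objectGUID into its message; for symmetry, and so that whoever reads the error string can tell which GUID did not resolve, format the GUID into this message the same way. The stale-string concern from the previous hunk applies here too, since a missing GUID target is exactly the case a caller may choose to tolerate and continue from.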





--
Sin (Sinelnikov Evgeny)


Re: KDC not works in configuration with trusted domain

Samba - samba-technical mailing list
2017-10-12 3:28 GMT+04:00 Evgeny Sinelnikov <[hidden email]>:

> 2017-10-11 22:21 GMT+04:00 Rowland Penny via samba-technical
> <[hidden email]>:
>> On Wed, 11 Oct 2017 22:08:47 +0400
>> Evgeny Sinelnikov <[hidden email]> wrote:
>>
>>> 2017-10-11 11:59 GMT+04:00 Rowland Penny via samba-technical
>>> <[hidden email]>:
>>> > On Wed, 11 Oct 2017 01:33:33 +0400
>>> > Evgeny Sinelnikov <[hidden email]> wrote:
>>> >
>>> >> > Have you tried dumping the entire object:
>>> >> >
>>> >> > ldbsearch -H /var/lib/samba/private/sam.ldb -b
>>> >> > CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>> >> > '(&(objectClass=crossRef)(cn=omsu))'
>>> >> >
>>> >>
>>> >> I did it this time:
>>> >>
>>> >> [root@samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>>> >> CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>> >> '(&(objectClass=crossRef)(cn=omsu))' -d0
>>> >> # record 1
>>> >> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>> >> objectClass: top
>>> >> objectClass: crossRef
>>> >> cn: OMSU
>>> >> instanceType: 4
>>> >> whenCreated: 20130214104456.0Z
>>> >> whenChanged: 20130214110622.0Z
>>> >> uSNCreated: 9696
>>> >> uSNChanged: 9696
>>> >> showInAdvancedViewOnly: TRUE
>>> >> name: OMSU
>>> >> objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
>>> >> dnsRoot: omsu.adm72.local
>>> >> nETBIOSName: OMSU
>>> >> nTMixedDomain: 0
>>> >> systemFlags: 3
>>> >> trustParent:
>>> >> CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>> >> objectCategory:
>>> >> CN=Cross-Ref,CN=Schema,CN=Configuration,DC=adm72,DC=local
>>> >> msDS-Behavior-Version: 3 distinguishedName:
>>> >> CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>> >>
>>> >
>>> > Well, it is obvious now why you aren't getting 'nCName' returned, it
>>> > isn't there.
>>>
>>> I don't understand why you think so...
>>>
>>> 1) The data for CN=Configuration,DC=adm72,DC=local is kept in a separate
>>> partition, and it's there.
>>
>> Yes it seems that it is, BUT it isn't in sam.ldb and this is where you
>> should be checking for it, you can damage your database by messing with
>> the files in sam.ldb.d.
>
> It is a problem in the replicated DC database after joining the domain,
> reproduced on various large AD installations. I didn't touch any files
> in sam.ldb.d before I saw the problem in the logs.
>
>
>>> 2) This attribute was replicated from the original DC, where it exists.
>>
>>> 3) The same request to the original DC works.
>>> 4) The explicit request
>>> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)(nCName=*))'
>>> should return the object only if the 'nCName' attribute exists.
>>>
>>> It looks like a bug in dsdb/ldb.
>>>
>>
>> No, it looks like you have a problem in the database, try running
>> 'samba-tool dbcheck'
>
> Ok, thank you. I'll try it on backed-up data.
...

Ok, I found where it gets lost. This attribute is removed as a one-way link.
source4/dsdb/samdb/ldb_modules/extended_dn_out.c

/*
  this is called to post-process the results from the search
 */
static int extended_callback(struct ldb_request *req, struct ldb_reply *ares,
                int (*handle_dereference)(struct ldb_dn *dn,
                                struct dsdb_openldap_dereference_result **dereference_attrs,
                                const char *attr, const DATA_BLOB *val))
{
...
        /* Walk the returned elements (but only if we have a schema to
         * interpret the list with) */
        for (i = 0; ac->schema && i < msg->num_elements; i++) {
...
                for (j = 0; j < msg->elements[i].num_values; j++) {
                        const char *dn_str;
                        struct ldb_dn *dn;
                        struct dsdb_dn *dsdb_dn = NULL;
                        struct ldb_val *plain_dn = &msg->elements[i].values[j];
                        bool is_deleted_objects = false;

                        ldb_asprintf_errstring(ldb,
                                               "schema check for %.*s on %s as %s",
                                               (int)plain_dn->length, plain_dn->data,
                                               msg->elements[i].name,
                                               ldb_dn_get_linearized(msg->dn));
...
                        /* note that we don't fixup objectCategory as
                           it should not be possible to move
                           objectCategory elements in the schema */
                        if (attribute->one_way_link &&
                            strcasecmp(attribute->lDAPDisplayName, "objectCategory") != 0) {
                                bool remove_value;
                                ret = fix_one_way_link(ac, dn, is_deleted_objects, &remove_value,
                                                       attribute->linkID);
                                if (ret != LDB_SUCCESS) {
                                        talloc_free(dsdb_dn);
                                        return ldb_module_done(ac->req, NULL, NULL, ret);
                                }
                                if (remove_value &&
                                    !ldb_request_get_control(req, LDB_CONTROL_REVEAL_INTERNALS)) {
                                        ldb_asprintf_errstring(ldb, "fix one way link");
                                        /* we show these with REVEAL
                                           to allow dbcheck to find and
                                           cleanup these orphaned links */
                                        memmove(&msg->elements[i].values[j],
                                                &msg->elements[i].values[j+1],
                                                (msg->elements[i].num_values-(j+1))*sizeof(struct ldb_val));
                                        msg->elements[i].num_values--;
                                        j--;
                                        continue;
                                }
                        }
...

# ldbsearch -H /var/lib/samba/private/sam.ldb \
    -b CN=Partitions,CN=Configuration,DC=adm72,DC=local \
    '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))' \
    systemFlags objectGUID nCName -d0 --trace
[...]
ldb_asprintf/set_errstring: schema check for
<GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-1729258221-3996020766>;DC=omsu,DC=adm72,DC=local
on nCName as CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
ldb_trace_next_request: (show_deleted)->search
ldb_trace_next_request: (partition)->search
partition_request() -> (metadata partition)
ldb_trace_next_request: (tdb)->search
Added timed event "ltdb_callback": 0x27e6cd0
[...]

Running timer event 0x7f7a60 "ltdb_callback"

Destroying timer event 0x79c1d0 "ltdb_timeout"

Ending timer event 0x7f7a60 "ltdb_callback"

ldb_asprintf/set_errstring: dsdb_module_search_tree at
../source4/dsdb/samdb/ldb_modules/util.c:180
ldb_asprintf/set_errstring: fix one way link
ldb_trace_response: ENTRY
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
systemFlags: 3



# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
systemFlags: 3

ldb_trace_response: DONE
error: 0
msg: fix one way link

Destroying timer event 0x16d7d50 "ltdb_timeout"

Ending timer event 0x1d50e10 "ltdb_callback"

# returned 2 records
# 2 entries

______________

It is a serious bug for the KDC, as I showed above:
https://bugzilla.samba.org/show_bug.cgi?id=13078

This is not reproduced on a Windows DC, with which our Samba DC
replicates successfully in both directions. So we must not remove the
'nCName' attribute, either for all entries or for 'crossRef'
objectClass entries only, by the one-way link fixup.


--
Sin (Sinelnikov Evgeny)
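The following is an added Python model of the mechanism described in the post above; it is not Samba code and not the author's. It builds a constructed in-memory subset of sam.ldb, applies a post-processing step that drops one-way-link values whose target cannot be resolved unless REVEAL_INTERNALS is requested (the behaviour of extended_callback quoted above), evaluates the crossRef filter from the start of the thread, and runs a dbcheck-style scan for the links that would be dropped. The OMSU crossRef GUID, nCName GUID and SID are the values from the trace in the post; every other GUID, all function names (make_db, post_process, search_domain_crossrefs, load_trust_routing_table, find_orphaned_links) and the assumption that the filter is matched on the stored record before the fixup strips the value on the way out are made up for illustration.

```python
"""Model of the one-way-link fixup quoted above and its effect on the trust
routing table search.  Added, constructed example; not Samba's own code."""
import re

FLAG_CR_NTDS_DOMAIN = 0x2        # systemFlags bit tested by the 1.2.840.113556.1.4.803 rule
ONE_WAY_LINK_ATTRS = {"ncname"}  # attributes this model treats as one-way links
# Extended DN as ldb returns it: <GUID=...>;[<SID=...>;]plain DN
_EXT_DN = re.compile(r"<GUID=([0-9a-f-]+)>;(?:<SID=[^>]+>;)?(.*)$", re.I)

def parse_extended_dn(value):
    """Return (guid, plain_dn); guid is None for a plain DN."""
    m = _EXT_DN.match(value)
    return (m.group(1).lower(), m.group(2)) if m else (None, value)

def make_db(child_nc_head_present):
    """Constructed subset of sam.ldb (DN keys and attribute names lower-cased).
    The OMSU crossRef GUID, nCName GUID and SID are the values from the trace in
    the post; the ADM72 GUIDs are made up.  DC=omsu is the head of the child NC,
    which this DC holds only when child_nc_head_present is True."""
    parts = "cn=partitions,cn=configuration,dc=adm72,dc=local"
    db = {
        "dc=adm72,dc=local": {
            "objectclass": ["top", "domainDNS"],
            "objectguid": ["7f1d9c1e-2c1b-4a51-9d35-0d5e3a2a9b10"]},
        f"cn=adm72,{parts}": {
            "objectclass": ["top", "crossRef"], "systemflags": ["3"],
            "objectguid": ["0b2c4e7a-5d4c-4e9e-8e3b-6a9f1c2d3e4f"],
            "ncname": ["<GUID=7f1d9c1e-2c1b-4a51-9d35-0d5e3a2a9b10>;DC=adm72,DC=local"]},
        f"cn=omsu,{parts}": {
            "objectclass": ["top", "crossRef"], "systemflags": ["3"],
            "objectguid": ["1258a934-cb2d-467d-b4a9-5105756cba94"],
            "ncname": ["<GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;"
                       "<SID=S-1-5-21-925305307-1729258221-3996020766>;"
                       "DC=omsu,DC=adm72,DC=local"]},
    }
    if child_nc_head_present:
        db["dc=omsu,dc=adm72,dc=local"] = {
            "objectclass": ["top", "domainDNS"],
            "objectguid": ["2db28977-e989-4528-bb73-af31dfaad9a7"]}
    return db

def bit_and_matches(values, mask):
    """systemFlags:1.2.840.113556.1.4.803:=mask -> some value has every mask bit set."""
    return any(int(v) & mask == mask for v in values)

def post_process(db, msg, reveal_internals):
    """What extended_callback does to one returned entry: a one-way-link value whose
    target (looked up by GUID, then by DN) is not in the database is dropped unless
    the caller passed LDB_CONTROL_REVEAL_INTERNALS.  Returns (new_msg, removed)."""
    guids = {o["objectguid"][0].lower() for o in db.values()}
    out, removed = {}, []
    for attr, vals in msg.items():
        if attr in ONE_WAY_LINK_ATTRS:
            kept = []
            for v in vals:
                guid, plain = parse_extended_dn(v)
                if guid not in guids and plain.lower() not in db:
                    removed.append((attr, plain))
                    if not reveal_internals:
                        continue        # the memmove() in the C code: value is gone
                kept.append(v)
            vals = kept
        if vals:
            out[attr] = list(vals)
    return out, removed

def search_domain_crossrefs(db, reveal_internals=False):
    """(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)(nCName=*)).
    Model assumption: the filter is matched on the stored record and the fixup runs
    on the way out, so an entry can be returned without its nCName."""
    hits = {}
    for dn, obj in db.items():
        if "crossref" not in [c.lower() for c in obj.get("objectclass", [])]:
            continue
        if not bit_and_matches(obj.get("systemflags", []), FLAG_CR_NTDS_DOMAIN):
            continue
        if "ncname" in obj:
            hits[dn] = post_process(db, obj, reveal_internals)[0]
    return hits

def load_trust_routing_table(db, reveal_internals=False):
    """Return ({crossRef cn: plain nCName DN}, [dns returned without nCName]).
    A dn in the second list is a domain the KDC has no route for."""
    table, broken = {}, []
    for dn, msg in search_domain_crossrefs(db, reveal_internals).items():
        if "ncname" not in msg:
            broken.append(dn)
            continue
        cn = dn.split(",", 1)[0].split("=", 1)[1]
        table[cn] = parse_extended_dn(msg["ncname"][0])[1]
    return table, broken

def find_orphaned_links(db):
    """dbcheck-style pass: every (dn, attr, target) the fixup would silently drop."""
    found = []
    for dn, obj in db.items():
        found.extend((dn, a, t) for a, t in post_process(db, obj, False)[1])
    return found

if __name__ == "__main__":
    db = make_db(child_nc_head_present=False)
    print("plain search:          ", load_trust_routing_table(db))
    print("with REVEAL_INTERNALS: ", load_trust_routing_table(db, True))
    print("orphaned one-way links:", find_orphaned_links(db))
```

Run as a script: without the child NC head object, the plain search hands back the OMSU crossRef with its nCName gone, so the routing table only contains ADM72 and the OMSU entry lands in the "broken" list; the same search with REVEAL_INTERNALS, or a database that actually holds DC=omsu, yields both routes. find_orphaned_links() reports exactly the value the fixup drops, which is the information the C comment says dbcheck needs to see under REVEAL.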