samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED


samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED

Samba - General mailing list
Hello list,

I run 2 Samba 4.7.1 RODCs: one in my Default-First-Site-Name and one in an additional site where only the Samba RODC exists.

When I start samba_kcc on the first RODC it runs without errors. If I start samba_kcc on the RODC in the additional site it fails with:

/usr/local/samba/sbin/samba_kcc: Traceback (most recent call last):
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>
/usr/local/samba/sbin/samba_kcc:     attempt_live_connections=opts.attempt_live_connections)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run
/usr/local/samba/sbin/samba_kcc:     all_connected = self.intersite(ping)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite
/usr/local/samba/sbin/samba_kcc:     all_connected = self.create_intersite_connections()
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections
/usr/local/samba/sbin/samba_kcc:     part, True)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections
/usr/local/samba/sbin/samba_kcc:     partial_ok, detect_failed)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection
/usr/local/samba/sbin/samba_kcc:     lbh.commit_connections(self.samdb)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections
/usr/local/samba/sbin/samba_kcc:     connect.commit_added(samdb, ro)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added
/usr/local/samba/sbin/samba_kcc:     (self.dnstr, estr))
/usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could not add nTDSConnection for (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings,CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samdom,DC=com) - (Invalid LDB reply type 1)
../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc - NT_STATUS_ACCESS_DENIED

root@buildhost /home/andrej/gitrepos/samba (git)-[samba-4.7.1] # samba-tool drs showrepl -UAdministrator
Testsite\BUILDHOST
DSA Options: 0x00000025
DSA object GUID: 6a61584e-a6c8-435a-8e20-39a25d6a3232
DSA invocationId: d5ac7a08-9dcd-41ec-a39f-42fd906530e8

==== INBOUND NEIGHBORS ====

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: RODC Connection (FRS)
        Enabled        : TRUE
        Server DNS name : test-dc.2a-net.local
        Server DN name  : CN=NTDS Settings,CN=TEST-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=com
                TransportType: RPC
                options: 0x00000041
Warning: No NC replicated for Connection!

Replication works correctly.

As far as I understand, the RODC generates its own topology and should create an intersite connection, because the replication server is in the other site.

Is this code/binary tested somewhere?


Andrej
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED

Samba - General mailing list
On Thu, 9 Nov 2017 12:24:49 +0000
Andrej Gessel via samba <[hidden email]> wrote:

> Hello list,
>
> I run 2 Samba 4.7.1 RODCs: one in my Default-First-Site-Name and one in
> an additional site where only the Samba RODC exists.
>
> When I start samba_kcc on the first RODC it runs without errors. If I
> start samba_kcc on the RODC in the additional site it fails with:
>

What do you mean by 'When I start samba_kcc' ??
You don't start this manually.

Rowland


Re: samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED

Samba - General mailing list
Hello Rowland,

Of course it is started by samba; I saw this output when I ran "samba -i".
But I can also trigger this output by starting samba_kcc manually.

Andrej

-----Original Message-----
From: Rowland Penny [mailto:[hidden email]]
Sent: Thursday, 9 November 2017 14:04
To: [hidden email]
Cc: Andrej Gessel <[hidden email]>
Subject: Re: [Samba] samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED

On Thu, 9 Nov 2017 12:24:49 +0000
Andrej Gessel via samba <[hidden email]> wrote:

> Hello list,
>
> I run 2 Samba 4.7.1 RODCs: one in my Default-First-Site-Name and one in
> an additional site where only the Samba RODC exists.
>
> When I start samba_kcc on the first RODC it runs without errors. If I
> start samba_kcc on the RODC in the additional site it fails with:
>

What do you mean by 'When I start samba_kcc' ??
You don't start this manually.

Rowland

Re: samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED

Samba - General mailing list
Hello list,

I tried to fix my issue and found some more debug information:

1) I see the error in this situation:
Default-First-Site-Name:
        - TEST-DC (RWDC)
Testsite2:
        - empty
Testsite:
        - BUILDHOST (RODC)

If I move TEST-DC to Testsite2, it fixes the error, maybe because of 2).

2) The create_connections function in python/samba/kcc/__init__.py always tries to connect to Default-First-Site-Name, although Default-First-Site-Name is now empty and TEST-DC is in Testsite2.
Get_bridgehead finds just the TEST-DC from Testsite2.

@@ -1710,12 +1710,14 @@ class KCC(object):
 
         # Utilize the IP transport only for now
         transport = self.ip_transport
 
         DEBUG("edge_list %s" % edge_list)
         for e in edge_list:
+            print "--------e.vertices[0].site: %s" % e.vertices[0].site.site_dnstr
+            print "--------e.vertices[1].site: %s" % e.vertices[1].site.site_dnstr
             # XXX more accurate comparison?
             if e.directed and e.vertices[0].site is self.my_site:
                 continue
 
             if e.vertices[0].site is self.my_site:
                 rsite = e.vertices[1].site
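Review bot: the two added `print` lines at the top of the `for e in edge_list:` loop are Python 2 print statements and bypass the module's logging, while the line just above them already uses `DEBUG("edge_list %s" % edge_list)`; if this tracing is worth keeping, write it as `DEBUG("e.vertices[0].site: %s" % e.vertices[0].site.site_dnstr)` (and likewise for `vertices[1]`), otherwise drop it before the real patch is sent out.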

These changes always show me the edges between Default-First-Site-Name and Testsite; what I think I should see here is one connection to Default-First-Site-Name and one connection to Testsite2.

3) Should it not be as shown below? If ldsa/lbh is RO, it fails as shown in the previous e-mail.

diff --git a/python/samba/kcc/__init__.py b/python/samba/kcc/__init__.py
index 6f973ea..46689da 100644
--- a/python/samba/kcc/__init__.py
+++ b/python/samba/kcc/__init__.py
@@ -1498,13 +1498,13 @@ class KCC(object):
                              dsdb.NTDSSITELINK_OPT_DISABLE_COMPRESSION) != 0):
                             cn.options |= \
                                 dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
                             cn.set_modified(True)
 
                     # Display any modified connection
-                    if self.readonly:
+                    if self.readonly or ldsa.is_ro():
                         if cn.to_be_modified:
                             logger.info("TO BE MODIFIED:\n%s" % cn)
 
                         ldsa.commit_connections(self.samdb, ro=True)
                     else:
                         ldsa.commit_connections(self.samdb)
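Review bot: the new predicate `if self.readonly or ldsa.is_ro():` sends a read-only DSA into the branch that only logs and calls `ldsa.commit_connections(self.samdb, ro=True)`, so the write that failed with NT_STATUS_ACCESS_DENIED earlier in the thread is no longer attempted; the comment above it, `# Display any modified connection`, no longer describes the condition and should state that an RODC cannot write the nTDSConnection and therefore takes the read-only path. Please also confirm that `is_ro()` exists on the DSA object, since the hunk itself does not show its definition.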
@@ -1582,13 +1582,13 @@ class KCC(object):
                             dsdb.SYSTEM_FLAG_CONFIG_ALLOW_MOVE)
 
             cn = lbh.new_connection(opt, system_flags, transport,
                                     rbh.dsa_dnstr, link_sched)
 
             # Display any added connection
-            if self.readonly:
+            if self.readonly or lbh.is_ro():
                 if cn.to_be_added:
                     logger.info("TO BE ADDED:\n%s" % cn)
 
                     lbh.commit_connections(self.samdb, ro=True)
             else:
                 lbh.commit_connections(self.samdb)
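Review bot: this hunk repeats the `or lbh.is_ro()` predicate from the previous one, so the rule that a read-only bridgehead never writes now lives in two places; a small shared helper (a hypothetical name such as `self.readonly or dsa.is_ro()` wrapped in one method) or at least one shared comment would keep the two in step. Note also that here `lbh.commit_connections(self.samdb, ro=True)` sits inside `if cn.to_be_added:`, whereas in the previous hunk the `ro=True` call is at the level of the outer `if`; now that an RODC always takes this branch, the two should either be aligned or the difference explained.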
Please correct me if I'm wrong so I'm not looking in the wrong direction to solve this issue.

Andrej


-----Original Message-----
From: samba [mailto:[hidden email]] On behalf of Andrej Gessel via samba
Sent: Thursday, 9 November 2017 14:43
To: Rowland Penny <[hidden email]>; [hidden email]
Subject: Re: [Samba] samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED

Hello Rowland,

Of course it is started by samba; I saw this output when I ran "samba -i".
But I can also trigger this output by starting samba_kcc manually.

Andrej

-----Original Message-----
From: Rowland Penny [mailto:[hidden email]]
Sent: Thursday, 9 November 2017 14:04
To: [hidden email]
Cc: Andrej Gessel <[hidden email]>
Subject: Re: [Samba] samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED

On Thu, 9 Nov 2017 12:24:49 +0000
Andrej Gessel via samba <[hidden email]> wrote:

> Hello list,
>
> I run 2 Samba 4.7.1 RODCs: one in my Default-First-Site-Name and one in
> an additional site where only the Samba RODC exists.
>
> When I start samba_kcc on the first RODC it runs without errors. If I
> start samba_kcc on the RODC in the additional site it fails with:
>

What do you mean by 'When I start samba_kcc' ??
You don't start this manually.

Rowland

Re: samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED

Samba - General mailing list
hi Andrej,

Yes, this is the correct fix:

> diff --git a/python/samba/kcc/__init__.py b/python/samba/kcc/__init__.py
> index 6f973ea..46689da 100644
> --- a/python/samba/kcc/__init__.py
> +++ b/python/samba/kcc/__init__.py
> @@ -1498,13 +1498,13 @@ class KCC(object):
>                               dsdb.NTDSSITELINK_OPT_DISABLE_COMPRESSION) != 0):
>                              cn.options |= \
>                                  dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
>                              cn.set_modified(True)
>  
>                      # Display any modified connection
> -                    if self.readonly:
> +                    if self.readonly or ldsa.is_ro():
>                          if cn.to_be_modified:
>                              logger.info("TO BE MODIFIED:\n%s" % cn)
>  
>                          ldsa.commit_connections(self.samdb, ro=True)
>                      else:
>                          ldsa.commit_connections(self.samdb)
> @@ -1582,13 +1582,13 @@ class KCC(object):
>                              dsdb.SYSTEM_FLAG_CONFIG_ALLOW_MOVE)
>  
>              cn = lbh.new_connection(opt, system_flags, transport,
>                                      rbh.dsa_dnstr, link_sched)
>  
>              # Display any added connection
> -            if self.readonly:
> +            if self.readonly or lbh.is_ro():
>                  if cn.to_be_added:
>                      logger.info("TO BE ADDED:\n%s" % cn)
>  
>                      lbh.commit_connections(self.samdb, ro=True)
>              else:
>                  lbh.commit_connections(self.samdb)
>

Can you format it as a patch with a Signed-off-by and send it to
samba-technical?

The KCC can't really do much on an RODC (because it is read-only), but
it shouldn't crash here because of the few useful things it can do,
like tidy up the non-replicated repsFrom objects.

Samba has no automatic way of managing the replication links for
RODCs, and we are not really sure how Windows does it.

cheers,
Douglas
