samba_kcc: do not commit new nTDSConnection if we are rodc


samba_kcc: do not commit new nTDSConnection if we are rodc

Samba - samba-technical mailing list
Hello list,

Attached is a patch to prevent the exception below.


/usr/local/samba/sbin/samba_kcc: Traceback (most recent call last):

/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>

/usr/local/samba/sbin/samba_kcc:     attempt_live_connections=opts.attempt_live_connections)

/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run

/usr/local/samba/sbin/samba_kcc:     all_connected = self.intersite(ping)

/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite

/usr/local/samba/sbin/samba_kcc:     all_connected = self.create_intersite_connections()

/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections

/usr/local/samba/sbin/samba_kcc:     part, True)

/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections

/usr/local/samba/sbin/samba_kcc:     partial_ok, detect_failed)

/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection

/usr/local/samba/sbin/samba_kcc:     lbh.commit_connections(self.samdb)

/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections

/usr/local/samba/sbin/samba_kcc:     connect.commit_added(samdb, ro)

/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added

/usr/local/samba/sbin/samba_kcc:     (self.dnstr, estr))

/usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could not add nTDSConnection for (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings,CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samdom,DC=com) - (Invalid LDB reply type 1)

../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc - NT_STATUS_ACCESS_DENIED





Here some more information about: https://lists.samba.org/archive/samba/2017-November/212050.html



Thanks
-----------------------------------------------------------------
Andrej Gessel ([hidden email]<mailto:[hidden email]>)
Entwicklung Software

0001-samba_kcc-do-not-commit-new-nTDSConnection-if-we-are.patch (4K) Download Attachment

Re: [PATCH] samba_kcc: do not commit new nTDSConnection if we are rodc

Samba - samba-technical mailing list
thanks Andrej,

On 13/11/17 23:30, Andrej Gessel via samba-technical wrote:

> Here some more information about: https://lists.samba.org/archive/samba/2017-November/212050.html
>
>
>
> Thanks
> -----------------------------------------------------------------
> Andrej Gessel ([hidden email]<mailto:[hidden email]>)
> Entwicklung Software
>
>
> 0001-samba_kcc-do-not-commit-new-nTDSConnection-if-we-are.patch
>
>
> From 3ebd0e65a12ba51093c097c9993aa766cebc7fd0 Mon Sep 17 00:00:00 2001
> From: Andrej Gessel <[hidden email]>
> Date: Mon, 13 Nov 2017 11:07:43 +0100
> Subject: [PATCH] samba_kcc: do not commit new nTDSConnection, if we are rodc
>
> Traceback (most recent call last):
> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>
> /usr/local/samba/sbin/samba_kcc:     attempt_live_connections=opts.attempt_live_connections)
> /usr/local/samba/sbin/samba_kcc: File
> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run
> /usr/local/samba/sbin/samba_kcc:     all_connected = self.intersite(ping)
> /usr/local/samba/sbin/samba_kcc: File
> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite
> /usr/local/samba/sbin/samba_kcc:     all_connected = self.create_intersite_connections()
> /usr/local/samba/sbin/samba_kcc: File
> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections
> /usr/local/samba/sbin/samba_kcc:     part, True)
> /usr/local/samba/sbin/samba_kcc: File
> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections
> /usr/local/samba/sbin/samba_kcc:     partial_ok, detect_failed)
> /usr/local/samba/sbin/samba_kcc: File
> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection
> /usr/local/samba/sbin/samba_kcc:     lbh.commit_connections(self.samdb)
> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections
> /usr/local/samba/sbin/samba_kcc:     connect.commit_added(samdb, ro)
> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added
> /usr/local/samba/sbin/samba_kcc:     (self.dnstr, estr))
> /usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could not add nTDSConnection for (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings,
> CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samdom,DC=com) - (Invalid LDB reply type 1)
> ../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc - NT_STATUS_ACCESS_DENIED
>
> Signed-off-by: Andrej Gessel <[hidden email]>
> ---
>  python/samba/kcc/__init__.py | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/python/samba/kcc/__init__.py b/python/samba/kcc/__init__.py
> index 6f973ea..2468e37 100644
> --- a/python/samba/kcc/__init__.py
> +++ b/python/samba/kcc/__init__.py
> @@ -1501,7 +1501,7 @@ class KCC(object):
>                              cn.set_modified(True)
>  
>                      # Display any modified connection
> -                    if self.readonly:
> +                    if self.readonly or ldsa.is_ro():
>                          if cn.to_be_modified:
>                              logger.info("TO BE MODIFIED:\n%s" % cn)
>  
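Review bot: The comment `# Display any modified connection` no longer describes the branch under it, because with `ldsa.is_ro()` added the branch is also taken on every ordinary run on a read-only DSA (an RODC, per the commit subject), not just on a `self.readonly` dry run. In that case "TO BE MODIFIED" at info level reads like a preview of a write that will in fact never be made, so the log cannot tell a dry run from a suppressed RODC write. I would reword the comment to `# Dry run, or the local DSA is read-only (RODC): report the change but do not write it` and log the RODC case with its own message. The same applies to the `lbh.is_ro()` branch and its "TO BE ADDED" message in the second hunk. The rest of this if/else lies outside the hunk, so what the branch does after logging cannot be checked from here.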
> @@ -1585,11 +1585,11 @@ class KCC(object):
>                                      rbh.dsa_dnstr, link_sched)
>  
>              # Display any added connection
> -            if self.readonly:
> +            if self.readonly or lbh.is_ro():
>                  if cn.to_be_added:
>                      logger.info("TO BE ADDED:\n%s" % cn)
>  
> -                    lbh.commit_connections(self.samdb, ro=True)
> +                lbh.commit_connections(self.samdb, ro=True)
>              else:
>                  lbh.commit_connections(self.samdb)
>  
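Review bot: Moving `lbh.commit_connections(self.samdb, ro=True)` out of the `if cn.to_be_added:` block changes the existing `self.readonly` path as well as the new RODC one, since the call now runs on every pass through this branch and not only when a connection is about to be added. The commit message describes only the RODC case, so either explain there why the dedent is needed or keep the call conditional. The traceback shows `commit_connections` forwarding `ro` to `connect.commit_added(samdb, ro)`, but what `ro=True` does to the pending-connection state is not visible here, so it is worth confirming that the unconditional call has no effect on later passes. The enclosing function starts and ends outside the hunk.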
> -- 2.7.4
>

This looks good to me, but could do with a test.

Does `samba-tool drs kcc $SERVER` trigger it? If so, a test like this
might suffice:

diff --git a/python/samba/tests/samba_tool/rodc.py
b/python/samba/tests/samba_tool/rodc.py
index 4851a53910a..9bac19a3b46 100644
--- a/python/samba/tests/samba_tool/rodc.py
+++ b/python/samba/tests/samba_tool/rodc.py
@@ -126,3 +126,7 @@ class RodcCmdTestCase(SambaToolCmdTest):
                                             "sambatool6", "sambatool5",
                                             "--server",
os.environ["DC_SERVER"])
         self.assertCmdFail(result, "ensuring rodc prefetch quit on
non-replicated user")
+
+    def test_kcc_does_not_crash(self):
+        (result, out, err) = self.runsubcmd("drs", "kcc",
os.environ["DC_SERVER"])
+        self.assertCmdSuccess(result, out, err, "ensuring kcc runs on
the rodc")

Could you try that (with modifications as necessary to make it
actually run)? Garming might have a better idea.

cheers,
Douglas


AW: AW: [PATCH] samba_kcc: do not commit new nTDSConnection if we are rodc

Samba - samba-technical mailing list
Sorry,

I thought that I sent it to the mailing list.

If you read my previous mail, this error happens if the RWDC we joined to and the RODC are in different sites.

I see error in this situation:
Default-First-Site-Name:
        - TEST-DC (RWDC)
Testsite2:
        - empty
Testsite:
        - BUILDHOST (RODC)

If I move TEST-DC to Testsite2, samba_kcc runs without error. If I move it back(waiting for replication), I see the error again.

I can resend the patch with this test, but I think it's not covering the issue.


Andrej

-----Ursprüngliche Nachricht-----
Von: Douglas Bagnall [mailto:[hidden email]]
Gesendet: Mittwoch, 15. November 2017 02:50
An: Andrej Gessel <[hidden email]>
Betreff: Re: AW: [PATCH] samba_kcc: do not commit new nTDSConnection if we are rodc

OK, it may be that running 'samba-tool drs kcc' is forbidden on an RODC by a higher layer.

The test would then look something like:

import subprocess
...

   def test_kcc_does_not_crash(self):
       result = subprocess.call(["bin/samba_kcc", "-H",
                                 os.environ["DC_SERVER"])
       self.assertEqual(result, 0, "ensuring kcc runs on the rodc")



It would be best to keep this discussion on the mailing list so we have a record of how we got to wherever we get to.

cheers,
Douglas


On 15/11/17 12:44, Andrej Gessel wrote:

> Hello,
>
> If I run "samba-tool drs kcc BUILDHOST.samdom.com" I get that error:
> (with and without patch)
>
> ERROR(runtime): DsExecuteKCC failed - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 237, in run
>     self.drsuapi.DsExecuteKCC(self.drsuapi_handle, 1, req1)
>
> in Samba log I saw this output:
>
> DsExecuteKCC refused for security token (level=10) Security token SIDs
> (11):
>   SID[  0]: S-1-5-21-1047937841-3429790757-297101198-221314
>   SID[  1]: S-1-5-21-1047937841-3429790757-297101198-521
>   SID[  2]: S-1-5-21-1047937841-3429790757-297101198-498
>   SID[  3]: S-1-18-1
>   SID[  4]: S-1-5-21-1047937841-3429790757-297101198-572
>   SID[  5]: S-1-1-0
>   SID[  6]: S-1-5-2
>   SID[  7]: S-1-5-11
>   SID[  8]: S-1-5-32-574
>   SID[  9]: S-1-5-32-545
>   SID[ 10]: S-1-5-32-554
>  Privileges (0x          800000):
>   Privilege[  0]: SeChangeNotifyPrivilege
>  Rights (0x             400):
>   Right[  0]: SeRemoteInteractiveLogonRight
>
>
> Andrej
>
> -----Ursprüngliche Nachricht-----
> Von: Douglas Bagnall [mailto:[hidden email]]
> Gesendet: Dienstag, 14. November 2017 22:12
> An: Andrej Gessel <[hidden email]>;
> [hidden email]
> Cc: Garming Sam <[hidden email]>
> Betreff: Re: [PATCH] samba_kcc: do not commit new nTDSConnection if we
> are rodc
>
> thanks Andrej,
>
> On 13/11/17 23:30, Andrej Gessel via samba-technical wrote:
>> Here some more information about:
>> https://lists.samba.org/archive/samba/2017-November/212050.html
>>
>>
>>
>> Thanks
>> -----------------------------------------------------------------
>> Andrej Gessel
>> ([hidden email]<mailto:[hidden email]>)
>> Entwicklung Software
>>
>>
>> 0001-samba_kcc-do-not-commit-new-nTDSConnection-if-we-are.patch
>>
>>
>> From 3ebd0e65a12ba51093c097c9993aa766cebc7fd0 Mon Sep 17 00:00:00
>> 2001
>> From: Andrej Gessel <[hidden email]>
>> Date: Mon, 13 Nov 2017 11:07:43 +0100
>> Subject: [PATCH] samba_kcc: do not commit new nTDSConnection, if we
>> are rodc
>>
>> Traceback (most recent call last):
>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>
>> /usr/local/samba/sbin/samba_kcc:     attempt_live_connections=opts.attempt_live_connections)
>> /usr/local/samba/sbin/samba_kcc: File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run
>> /usr/local/samba/sbin/samba_kcc:     all_connected = self.intersite(ping)
>> /usr/local/samba/sbin/samba_kcc: File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite
>> /usr/local/samba/sbin/samba_kcc:     all_connected = self.create_intersite_connections()
>> /usr/local/samba/sbin/samba_kcc: File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections
>> /usr/local/samba/sbin/samba_kcc:     part, True)
>> /usr/local/samba/sbin/samba_kcc: File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections
>> /usr/local/samba/sbin/samba_kcc:     partial_ok, detect_failed)
>> /usr/local/samba/sbin/samba_kcc: File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection
>> /usr/local/samba/sbin/samba_kcc:     lbh.commit_connections(self.samdb)
>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections
>> /usr/local/samba/sbin/samba_kcc:     connect.commit_added(samdb, ro)
>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added
>> /usr/local/samba/sbin/samba_kcc:     (self.dnstr, estr))
>> /usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could
>> not add nTDSConnection for
>> (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings,
>> CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samd
>> o
>> m,DC=com) - (Invalid LDB reply type 1)
>> ../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc -
>> NT_STATUS_ACCESS_DENIED
>>
>> Signed-off-by: Andrej Gessel <[hidden email]>
>> ---
>>  python/samba/kcc/__init__.py | 6 +++---
>>  1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/python/samba/kcc/__init__.py
>> b/python/samba/kcc/__init__.py index 6f973ea..2468e37 100644
>> --- a/python/samba/kcc/__init__.py
>> +++ b/python/samba/kcc/__init__.py
>> @@ -1501,7 +1501,7 @@ class KCC(object):
>>                              cn.set_modified(True)
>>  
>>                      # Display any modified connection
>> -                    if self.readonly:
>> +                    if self.readonly or ldsa.is_ro():
>>                          if cn.to_be_modified:
>>                              logger.info("TO BE MODIFIED:\n%s" % cn)
>>  
>> @@ -1585,11 +1585,11 @@ class KCC(object):
>>                                      rbh.dsa_dnstr, link_sched)
>>  
>>              # Display any added connection
>> -            if self.readonly:
>> +            if self.readonly or lbh.is_ro():
>>                  if cn.to_be_added:
>>                      logger.info("TO BE ADDED:\n%s" % cn)
>>  
>> -                    lbh.commit_connections(self.samdb, ro=True)
>> +                lbh.commit_connections(self.samdb, ro=True)
>>              else:
>>                  lbh.commit_connections(self.samdb)
>>  
>> -- 2.7.4
>>
>
> This looks good to me, but could do with a test.
>
> Does `samba-tool drs kcc $SERVER` trigger it? if so, a test like this might suffice:
>
> diff --git a/python/samba/tests/samba_tool/rodc.py
> b/python/samba/tests/samba_tool/rodc.py
> index 4851a53910a..9bac19a3b46 100644
> --- a/python/samba/tests/samba_tool/rodc.py
> +++ b/python/samba/tests/samba_tool/rodc.py
> @@ -126,3 +126,7 @@ class RodcCmdTestCase(SambaToolCmdTest):
>                                              "sambatool6", "sambatool5",
>                                              "--server",
> os.environ["DC_SERVER"])
>          self.assertCmdFail(result, "ensuring rodc prefetch quit on
> non-replicated user")
> +
> +    def test_kcc_does_not_crash(self):
> +        (result, out, err) = self.runsubcmd("drs", "kcc",
> os.environ["DC_SERVER"])
> +        self.assertCmdSuccess(result, out, err, "ensuring kcc runs on
> the rodc")
>
> Could you try that (with modifications as necessary to make it actually run)? Garming might have a better idea.
>
> cheers,
> Douglas
>


Re: AW: AW: [PATCH] samba_kcc: do not commit new nTDSConnection if we are rodc

Samba - samba-technical mailing list
On 15/11/17 16:15, Andrej Gessel via samba-technical wrote:

> Sorry,
>
> I thought that I sent it to the mailing list.
>
> If you read my previous mail, this error happens if RWDC, we joined to, and RODC are in the different sites.
>
> I see error in this situation:
> Default-First-Site-Name:
> - TEST-DC (RWDC)
> Testsite2:
> - empty
> Testsite:
> - BUILDHOST (RODC)
>
> If I move TEST-DC to Testsite2, samba_kcc runs without error. If I move it back(waiting for replication), I see the error again.
>
> I can resend the patch with this test, but I think it's not covering the issue.

Right. So it occurs when the RODC wants to write something (the other
DC has moved) but it isn't allowed to because it is read-only.

We can probably trigger something like that, though I won't be able to
look into it until well into next week.

cheers,
Douglas


> Andrej
>
> -----Ursprüngliche Nachricht-----
> Von: Douglas Bagnall [mailto:[hidden email]]
> Gesendet: Mittwoch, 15. November 2017 02:50
> An: Andrej Gessel <[hidden email]>
> Betreff: Re: AW: [PATCH] samba_kcc: do not commit new nTDSConnection if we are rodc
>
> OK, it may be that running 'samba-tool drs kcc' is forbidden on an RODC by a higher layer.
>
> The test would then look something like:
>
> import subprocess
> ...
>
>    def test_kcc_does_not_crash(self):
>        result = subprocess.call(["bin/samba_kcc", "-H",
>                                  os.environ["DC_SERVER"])
>        self.assertEqual(result, 0, "ensuring kcc runs on the rodc")
>
>
>
> It would be best to keep this discussion on the mailing list so we have a record of how we got to wherever we get to.
>
> cheers,
> Douglas
>
>
> On 15/11/17 12:44, Andrej Gessel wrote:
>> Hello,
>>
>> If I run "samba-tool drs kcc BUILDHOST.samdom.com" I get that error:
>> (with and without patch)
>>
>> ERROR(runtime): DsExecuteKCC failed - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 237, in run
>>     self.drsuapi.DsExecuteKCC(self.drsuapi_handle, 1, req1)
>>
>> in Samba log I saw this output:
>>
>> DsExecuteKCC refused for security token (level=10) Security token SIDs
>> (11):
>>   SID[  0]: S-1-5-21-1047937841-3429790757-297101198-221314
>>   SID[  1]: S-1-5-21-1047937841-3429790757-297101198-521
>>   SID[  2]: S-1-5-21-1047937841-3429790757-297101198-498
>>   SID[  3]: S-1-18-1
>>   SID[  4]: S-1-5-21-1047937841-3429790757-297101198-572
>>   SID[  5]: S-1-1-0
>>   SID[  6]: S-1-5-2
>>   SID[  7]: S-1-5-11
>>   SID[  8]: S-1-5-32-574
>>   SID[  9]: S-1-5-32-545
>>   SID[ 10]: S-1-5-32-554
>>  Privileges (0x          800000):
>>   Privilege[  0]: SeChangeNotifyPrivilege
>>  Rights (0x             400):
>>   Right[  0]: SeRemoteInteractiveLogonRight
>>
>>
>> Andrej
>>
>> -----Ursprüngliche Nachricht-----
>> Von: Douglas Bagnall [mailto:[hidden email]]
>> Gesendet: Dienstag, 14. November 2017 22:12
>> An: Andrej Gessel <[hidden email]>;
>> [hidden email]
>> Cc: Garming Sam <[hidden email]>
>> Betreff: Re: [PATCH] samba_kcc: do not commit new nTDSConnection if we
>> are rodc
>>
>> thanks Andrej,
>>
>> On 13/11/17 23:30, Andrej Gessel via samba-technical wrote:
>>> Here some more information about:
>>> https://lists.samba.org/archive/samba/2017-November/212050.html
>>>
>>>
>>>
>>> Thanks
>>> -----------------------------------------------------------------
>>> Andrej Gessel
>>> ([hidden email]<mailto:[hidden email]>)
>>> Entwicklung Software
>>>
>>>
>>> 0001-samba_kcc-do-not-commit-new-nTDSConnection-if-we-are.patch
>>>
>>>
>>> From 3ebd0e65a12ba51093c097c9993aa766cebc7fd0 Mon Sep 17 00:00:00
>>> 2001
>>> From: Andrej Gessel <[hidden email]>
>>> Date: Mon, 13 Nov 2017 11:07:43 +0100
>>> Subject: [PATCH] samba_kcc: do not commit new nTDSConnection, if we
>>> are rodc
>>>
>>> Traceback (most recent call last):
>>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>
>>> /usr/local/samba/sbin/samba_kcc:     attempt_live_connections=opts.attempt_live_connections)
>>> /usr/local/samba/sbin/samba_kcc: File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run
>>> /usr/local/samba/sbin/samba_kcc:     all_connected = self.intersite(ping)
>>> /usr/local/samba/sbin/samba_kcc: File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite
>>> /usr/local/samba/sbin/samba_kcc:     all_connected = self.create_intersite_connections()
>>> /usr/local/samba/sbin/samba_kcc: File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections
>>> /usr/local/samba/sbin/samba_kcc:     part, True)
>>> /usr/local/samba/sbin/samba_kcc: File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections
>>> /usr/local/samba/sbin/samba_kcc:     partial_ok, detect_failed)
>>> /usr/local/samba/sbin/samba_kcc: File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection
>>> /usr/local/samba/sbin/samba_kcc:     lbh.commit_connections(self.samdb)
>>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections
>>> /usr/local/samba/sbin/samba_kcc:     connect.commit_added(samdb, ro)
>>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added
>>> /usr/local/samba/sbin/samba_kcc:     (self.dnstr, estr))
>>> /usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could
>>> not add nTDSConnection for
>>> (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings,
>>> CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samd
>>> o
>>> m,DC=com) - (Invalid LDB reply type 1)
>>> ../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc -
>>> NT_STATUS_ACCESS_DENIED
>>>
>>> Signed-off-by: Andrej Gessel <[hidden email]>
>>> ---
>>>  python/samba/kcc/__init__.py | 6 +++---
>>>  1 file changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/python/samba/kcc/__init__.py
>>> b/python/samba/kcc/__init__.py index 6f973ea..2468e37 100644
>>> --- a/python/samba/kcc/__init__.py
>>> +++ b/python/samba/kcc/__init__.py
>>> @@ -1501,7 +1501,7 @@ class KCC(object):
>>>                              cn.set_modified(True)
>>>  
>>>                      # Display any modified connection
>>> -                    if self.readonly:
>>> +                    if self.readonly or ldsa.is_ro():
>>>                          if cn.to_be_modified:
>>>                              logger.info("TO BE MODIFIED:\n%s" % cn)
>>>  
>>> @@ -1585,11 +1585,11 @@ class KCC(object):
>>>                                      rbh.dsa_dnstr, link_sched)
>>>  
>>>              # Display any added connection
>>> -            if self.readonly:
>>> +            if self.readonly or lbh.is_ro():
>>>                  if cn.to_be_added:
>>>                      logger.info("TO BE ADDED:\n%s" % cn)
>>>  
>>> -                    lbh.commit_connections(self.samdb, ro=True)
>>> +                lbh.commit_connections(self.samdb, ro=True)
>>>              else:
>>>                  lbh.commit_connections(self.samdb)
>>>  
>>> -- 2.7.4
>>>
>>
>> This looks good to me, but could do with a test.
>>
>> Does `samba-tool drs kcc $SERVER` trigger it? if so, a test like this might suffice:
>>
>> diff --git a/python/samba/tests/samba_tool/rodc.py
>> b/python/samba/tests/samba_tool/rodc.py
>> index 4851a53910a..9bac19a3b46 100644
>> --- a/python/samba/tests/samba_tool/rodc.py
>> +++ b/python/samba/tests/samba_tool/rodc.py
>> @@ -126,3 +126,7 @@ class RodcCmdTestCase(SambaToolCmdTest):
>>                                              "sambatool6", "sambatool5",
>>                                              "--server",
>> os.environ["DC_SERVER"])
>>          self.assertCmdFail(result, "ensuring rodc prefetch quit on
>> non-replicated user")
>> +
>> +    def test_kcc_does_not_crash(self):
>> +        (result, out, err) = self.runsubcmd("drs", "kcc",
>> os.environ["DC_SERVER"])
>> +        self.assertCmdSuccess(result, out, err, "ensuring kcc runs on
>> the rodc")
>>
>> Could you try that (with modifications as necessary to make it actually run)? Garming might have a better idea.
>>
>> cheers,
>> Douglas
>>
>