PATCHES: On enabling read ACLs on LDAP searches for 4.0
Andrew Bartlett
abartlet at samba.org
Fri Dec 7 13:34:55 MST 2012
On Fri, 2012-12-07 at 11:40 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
>
> >>> https://bugzilla.samba.org/show_bug.cgi?id=9470
> >>> Can you try again with attached patches?
> >>
> >> Updated patches are in
> >> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls
> >> They might not fix MMC but they fix some important bugs, but need some
> >> more testing
> >> as I don't understand the dirsync stuff...
> >
> > Can you try some of this locally? The error is changed, but still fails
> > (on the RODC in this case).
> >
> > I can still try running this for new patches, but the DNS registration
> > is flaky and so it's very time-consuming to re-run. (But at least it
> > keeps doing the same steps, from the same base image each time).
>
> Ok, there was a memory corruption bug in the acl_read module
> triggered by some bugs in other modules.
>
> I've pushed fixes to
> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls
It still isn't working for me, using a branch based on your code in that
branch with hash ad652b58e7aae887adf0ffd3193023b6de876b30.
The error is back to the one I first reported.
Sorry,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
-------------- next part --------------
C:\Users\Administrator>copy /Y con answers.txt
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=s4.howto.abartlet.net
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="s4-howto\Denied RODC Password Replication Group"
PasswordReplicationAllowed="s4-howto\Allowed RODC Password Replication Group"
DelegatedAdmin="s4-howto\Administrator"
SiteName=Default-First-Site-Name
InstallDNS=No
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=s4.howto.abartlet.net
UserName=s4.howto.abartlet.net\administrator
Password=p at ssw0rd
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=p at ssw0rd
RebootOnCompletion=No
1 file(s) copied.
C:\Users\Administrator>dcpromo /answer:answers.txt
Checking if Active Directory Domain Services binaries are installed...
Active Directory Domain Services Setup
Validating environment and parameters...
----------------------------------------
The following actions will be performed:
Configure this server as an additional Active Directory domain controller for the domain "s4.howto.abartlet.net".
Site: Default-First-Site-Name
Additional Options:
Read-only domain controller: "Yes"
Global catalog: Yes
DNS Server: No
Source domain controller: any writable domain controller
Password Replication Policy:
Allow: s4-howto\Allowed RODC Password Replication Group
Deny: BUILTIN\Administrators
Deny: BUILTIN\Server Operators
Deny: BUILTIN\Backup Operators
Deny: BUILTIN\Account Operators
Deny: s4-howto\Denied RODC Password Replication Group
Delegation for RODC Installation and Administration:
s4-howto\Administrator
Database folder: C:\Windows\NTDS
Log file folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOL
----------------------------------------
Starting...
Checking if Group Policy Management Console needs to be installed...
Changing domain membership of this computer...
Press CTRL-C to: Cancel
Located domain controller obed.s4.howto.abartlet.net for domain s4.howto.abartlet.net
Examining an existing forest...
The attempted domain controller operation has completed
The functional level of the forest is incompatible with this operating system.
The operation failed because:
The functional level of the forest is incompatible with this operating system.
"The version of the operating system installed on this server no longer supports the current AD DS Forest functional level or AD LDS Configuration Set functional level. You must raise the AD DS Forest functional level or AD LDS Configuration Set functional level before this server can become an AD DS Domain Controller or an AD LDS Instance in this Forest or Configuration Set."
This error can occur if you have not been granted necessary permissions to read data in the directory. For more information, please see article 936241 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=88420).
Active Directory Domain Services was not installed.
Active Directory Domain Services (AD DS) binaries will remain installed. To uninstall AD DS binaries, use Server Manager to remove the AD DS role.
Windows Server 2008 and "Windows Server 2008 R2" domain controllers have a new more secure default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0." This setting prevents Microsoft Windows and non-Microsoft SMB "clients" from using weaker NT 4.0 style cryptography algorithms when establishing security channel sessions against Windows Server 2008 or "Windows Server 2008 R2" domain controllers. As a result of this new default, operations or applications that require a security channel serviced by Windows Server 2008 or "Windows Server 2008 R2" domain controllers might fail.
Platforms impacted by this change include Windows NT 4.0, as well as non-Microsoft SMB "clients" and network-attached storage (NAS) devices that do not support stronger cryptography algorithms. Some operations on clients running versions of Windows earlier than Windows Vista with Service Pack 1 are also impacted, including domain join operations performed by the Active Directory Migration Tool or Windows Deployment Services.
For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).
You must restart this computer to complete the operation.
C:\Users\Administrator>echo off
echo START DCPROMO log
START DCPROMO log
more c:\windows\debug\dcpromoui.log
dcpromoui 5A4.7EC 0000 11:52:58.984 opening log file C:\Windows\debug\dcpromoui.log
dcpromoui 5A4.7EC 0001 11:52:58.984 C:\Windows\system32\dcpromo.exe
dcpromoui 5A4.7EC 0002 11:52:58.984 file timestamp 07/14/2009 12:39:02.901
dcpromoui 5A4.7EC 0003 11:52:58.984 local time 02/21/2012 11:52:58.984
dcpromoui 5A4.7EC 0004 11:52:58.984 running Windows NT 6.1 build 7601 Service Pack 1 (BuildLab:7601.win7sp1_gdr.110622-1506) amd64
dcpromoui 5A4.7EC 0005 11:52:58.984 logging flags 0001007C
dcpromoui 5A4.7EC 0006 11:52:58.984 Enter wmain
dcpromoui 5A4.7EC 0007 11:52:58.984 Enter CheckArgs
dcpromoui 5A4.7EC 0008 11:52:58.984 Enter CArgumentsSpec::ValidateArgument answer
dcpromoui 5A4.7EC 0009 11:52:58.984 Detecting WOW64
dcpromoui 5A4.7EC 000A 11:52:58.984 Detecting OS product type
dcpromoui 5A4.7EC 000B 11:52:58.984 Enter CheckIsServerCore
dcpromoui 5A4.7EC 000C 11:52:58.984 It is not on server foundation
dcpromoui 5A4.7EC 000D 11:52:58.984 HRESULT = 0x00000000
dcpromoui 5A4.7EC 000E 11:52:58.984 Enter IsSKUSupported
dcpromoui 5A4.7EC 000F 11:52:58.984 GUI mode: false
dcpromoui 5A4.7EC 0010 11:52:58.984 Create mutex returns 0x0
dcpromoui 5A4.7EC 0011 11:52:58.984 Console mode
dcpromoui 5A4.7EC 0012 11:52:58.984 Enter CheckInstallStates
dcpromoui 5A4.7EC 0013 11:52:58.984 Detecting NetFx3 component install state
dcpromoui 5A4.6E4 0014 11:52:58.984 Enter CbsGetUpdateInstallState
dcpromoui 5A4.6E4 0015 11:52:58.984 The category is 3
dcpromoui 5A4.6E4 0016 11:52:58.984 Enter FindRoleInfo
dcpromoui 5A4.6E4 0017 11:52:58.984 Enter CheckIsServerCore
dcpromoui 5A4.6E4 0018 11:52:58.984 It is not on server foundation
dcpromoui 5A4.6E4 0019 11:52:58.984 HRESULT = 0x00000000
dcpromoui 5A4.6E4 001A 11:52:58.984 Enter GetUpdateName
dcpromoui 5A4.6E4 001B 11:52:58.984 Enter GetPackageName
dcpromoui 5A4.6E4 001C 11:53:05.224 Package name for Microsoft-Windows-Foundation-Package is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514
dcpromoui 5A4.6E4 001D 11:53:05.240 Enter CbsGetUpdateInstallState
dcpromoui 5A4.6E4 001E 11:53:05.240 package name is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514 and update name is NetFx3
dcpromoui 5A4.6E4 001F 11:53:06.394 HRESULT = 0x00000000
dcpromoui 5A4.7EC 0020 11:53:06.394 HRESULT = 0x00000000
dcpromoui 5A4.7EC 0021 11:53:06.394 NetFx3 component install state is 7
dcpromoui 5A4.7EC 0022 11:53:06.394 Detecting DS component install state
dcpromoui 5A4.5F0 0023 11:53:06.394 Enter CbsGetUpdateInstallState
dcpromoui 5A4.5F0 0024 11:53:06.394 The category is 0
dcpromoui 5A4.5F0 0025 11:53:06.394 Enter FindRoleInfo
dcpromoui 5A4.5F0 0026 11:53:06.394 Enter CheckIsServerCore
dcpromoui 5A4.5F0 0027 11:53:06.394 It is not on server foundation
dcpromoui 5A4.5F0 0028 11:53:06.394 HRESULT = 0x00000000
dcpromoui 5A4.5F0 0029 11:53:06.394 Enter GetUpdateName
dcpromoui 5A4.5F0 002A 11:53:06.394 Enter GetPackageName
dcpromoui 5A4.5F0 002B 11:53:07.190 Package name for Microsoft-Windows-Foundation-Package is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514
dcpromoui 5A4.5F0 002C 11:53:07.221 Enter CbsGetUpdateInstallState
dcpromoui 5A4.5F0 002D 11:53:07.221 package name is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514 and update name is DirectoryServices-DomainController
dcpromoui 5A4.5F0 002E 11:53:08.032 HRESULT = 0x00000000
dcpromoui 5A4.7EC 002F 11:53:08.032 HRESULT = 0x00000000
dcpromoui 5A4.7EC 0030 11:53:08.032 DS component install state is 7
dcpromoui 5A4.7EC 0000 11:53:08.095 appending to log file C:\Windows\debug\dcpromoui.log
dcpromoui 5A4.7EC 0001 11:53:08.095 C:\Windows\system32\dcpromo.exe
dcpromoui 5A4.7EC 0002 11:53:08.095 file timestamp 07/14/2009 12:39:02.901
dcpromoui 5A4.7EC 0003 11:53:08.095 C:\Windows\system32\dcpromocmd.dll
dcpromoui 5A4.7EC 0004 11:53:08.095 file timestamp 11/21/2010 00:26:03.122
dcpromoui 5A4.7EC 0005 11:53:08.095 local time 02/21/2012 11:53:08.095
dcpromoui 5A4.7EC 0006 11:53:08.095 running Windows NT 6.1 build 7601 Service Pack 1 (BuildLab:7601.win7sp1_gdr.110622-1506) amd64
dcpromoui 5A4.7EC 0007 11:53:08.095 logging flags 0011007C
dcpromoui 5A4.7EC 0008 11:53:08.095 Enter DCPromoEntryW
dcpromoui 5A4.7EC 0009 11:53:08.095 Enter Computer::RemoveLeadingBackslashes
dcpromoui 5A4.7EC 000A 11:53:08.095 Enter Computer::Refresh
dcpromoui 5A4.7EC 000B 11:53:08.095 Enter IsLocalComputer
dcpromoui 5A4.7EC 000C 11:53:08.095 Enter RefreshLocalInformation
dcpromoui 5A4.7EC 000D 11:53:08.095 Enter GetProductTypeFromRegistry
dcpromoui 5A4.7EC 000E 11:53:08.095 Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui 5A4.7EC 000F 11:53:08.095 Enter RegistryKey::GetValue-String ProductType
dcpromoui 5A4.7EC 0010 11:53:08.095 ServerNT
dcpromoui 5A4.7EC 0011 11:53:08.095 prodtype : 0x3
dcpromoui 5A4.7EC 0012 11:53:08.095 Enter GetSafebootOption
dcpromoui 5A4.7EC 0013 11:53:08.095 Enter RegistryKey::Open System\CurrentControlSet\Control\SafeBoot\Option
dcpromoui 5A4.7EC 0014 11:53:08.095 HRESULT = 0x80070002
dcpromoui 5A4.7EC 0015 11:53:08.095 returning : 0x0
dcpromoui 5A4.7EC 0016 11:53:08.095 Enter DetermineRoleAndMembership
dcpromoui 5A4.7EC 0017 11:53:08.095 Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 5A4.7EC 0018 11:53:08.095 Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 5A4.7EC 0019 11:53:08.095 Calling DsRoleGetPrimaryDomainInformation
dcpromoui 5A4.7EC 001A 11:53:08.095 lpServer : (null)
dcpromoui 5A4.7EC 001B 11:53:08.095 InfoLevel : 0x1 (DsRolePrimaryDomainInfoBasic)
dcpromoui 5A4.7EC 001C 11:53:08.110 HRESULT = 0x00000000
dcpromoui 5A4.7EC 001D 11:53:08.110 MachineRole : 0x2
dcpromoui 5A4.7EC 001E 11:53:08.110 Flags : 0x0
dcpromoui 5A4.7EC 001F 11:53:08.110 DomainNameFlat : WORKGROUP
dcpromoui 5A4.7EC 0020 11:53:08.110 DomainNameDns : (null)
dcpromoui 5A4.7EC 0021 11:53:08.110 DomainForestName : (null)
dcpromoui 5A4.7EC 0022 11:53:08.110 Enter IsDcInRepairMode
dcpromoui 5A4.7EC 0023 11:53:08.110 HRESULT = 0x00000000
dcpromoui 5A4.7EC 0024 11:53:08.110 Enter State::DetermineRunContext
dcpromoui 5A4.7EC 0025 11:53:08.110 Enter DS::GetPriorServerRole
dcpromoui 5A4.7EC 0026 11:53:08.110 Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 5A4.7EC 0027 11:53:08.110 Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 5A4.7EC 0028 11:53:08.110 Calling DsRoleGetPrimaryDomainInformation
dcpromoui 5A4.7EC 0029 11:53:08.110 lpServer : (null)
dcpromoui 5A4.7EC 002A 11:53:08.110 InfoLevel : 0x2 (DsRoleUpgradeStatus)
dcpromoui 5A4.7EC 002B 11:53:08.110 HRESULT = 0x00000000
dcpromoui 5A4.7EC 002C 11:53:08.110 OperationState : 0
dcpromoui 5A4.7EC 002D 11:53:08.110 PreviousServerState : 0
dcpromoui 5A4.7EC 002E 11:53:08.110 Enter Computer::GetNetbiosName
dcpromoui 5A4.7EC 002F 11:53:08.110 WIN2008R2-6
dcpromoui 5A4.7EC 0030 11:53:08.110 Enter Computer::GetRole WIN2008R2-6
dcpromoui 5A4.7EC 0031 11:53:08.110 role: 2
dcpromoui 5A4.7EC 0032 11:53:08.110 NT5_STANDALONE_SERVER
dcpromoui 5A4.7EC 0033 11:53:08.110 Enter State::GetRunContext NT5_STANDALONE_SERVER
dcpromoui 5A4.7EC 0034 11:53:08.110 Enter State::ProcessCmdLineOnlyArgs
dcpromoui 5A4.7EC 0035 11:53:08.110 Enter CArgumentsSpec::ValidateArgument answer
dcpromoui 5A4.7EC 0036 11:53:08.110 Enter State::DetermineArgumentSpec
dcpromoui 5A4.7EC 0037 11:53:08.110 Enter State::GetMode NORMAL
dcpromoui 5A4.7EC 0038 11:53:08.110 Enter State::GetOperation NONE
dcpromoui 5A4.7EC 0039 11:53:08.110 Enter ValidateArgs
dcpromoui 5A4.7EC 003A 11:53:08.110 found no additional commandline options
dcpromoui 5A4.7EC 003B 11:53:08.110 Enter State::SetupAnswerFile answers.txt
dcpromoui 5A4.7EC 003C 11:53:08.110 Enter FS::NormalizePath answers.txt
dcpromoui 5A4.7EC 003D 11:53:08.110 answerfile resolved to: C:\Users\Administrator\answers.txt
dcpromoui 5A4.7EC 003E 11:53:08.110 Enter FS::GetPathSyntax C:\Users\Administrator\answers.txt
dcpromoui 5A4.7EC 003F 11:53:08.110 true
dcpromoui 5A4.7EC 0040 11:53:08.110 answerfile found
dcpromoui 5A4.7EC 0041 11:53:08.110 answerfile will be considered for unattend settings
dcpromoui 5A4.7EC 0042 11:53:08.110 Enter GetAllKeys
dcpromoui 5A4.7EC 0043 11:53:08.110 Key: ReplicaOrNewDomain
dcpromoui 5A4.7EC 0044 11:53:08.110 Key: ReplicaDomainDNSName
dcpromoui 5A4.7EC 0045 11:53:08.110 Key: PasswordReplicationDenied
dcpromoui 5A4.7EC 0046 11:53:08.110 Key: PasswordReplicationDenied
dcpromoui 5A4.7EC 0047 11:53:08.110 Key: PasswordReplicationDenied
dcpromoui 5A4.7EC 0048 11:53:08.110 Key: PasswordReplicationDenied
dcpromoui 5A4.7EC 0049 11:53:08.110 Key: PasswordReplicationDenied
dcpromoui 5A4.7EC 004A 11:53:08.110 Key: PasswordReplicationAllowed
dcpromoui 5A4.7EC 004B 11:53:08.110 Key: DelegatedAdmin
dcpromoui 5A4.7EC 004C 11:53:08.110 Key: SiteName
dcpromoui 5A4.7EC 004D 11:53:08.110 Key: InstallDNS
dcpromoui 5A4.7EC 004E 11:53:08.110 Key: ConfirmGc
dcpromoui 5A4.7EC 004F 11:53:08.110 Key:
Cleaning up ...
restoring /etc/resolv.conf
$ mv -f /etc/resolv.conf.wintest-bak /etc/resolv.conf
Traceback (most recent call last):
  File "./wintest/test-s4-howto.py", line 711, in <module>
    test_howto(t)
  File "./wintest/test-s4-howto.py", line 631, in test_howto
    run_dcpromo_rodc(t, "W2K8R2C")
  File "./wintest/test-s4-howto.py", line 343, in run_dcpromo_rodc
    raise Exception("dcpromo failed")
Exception: dcpromo failed
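The [DCInstall] answer file in the attached log repeats the PasswordReplicationDenied key once per group, and dcpromo's GetAllKeys reads each occurrence separately. As an added example (not part of this thread, of wintest, or of Samba), the parser below keeps those repeated keys and checks that the RODC Password Replication Policy still denies the privileged groups the default policy denies; the function names parse_dcinstall and check_prp are mine, and the sample answer file is constructed from the one above.

```python
from collections import defaultdict

# Constructed sample with the same keys as the answer file in the attached log.
SAMPLE_ANSWERS = """[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=s4.howto.abartlet.net
PasswordReplicationDenied="BUILTIN\\Administrators"
PasswordReplicationDenied="BUILTIN\\Server Operators"
PasswordReplicationDenied="BUILTIN\\Backup Operators"
PasswordReplicationDenied="BUILTIN\\Account Operators"
PasswordReplicationDenied="s4-howto\\Denied RODC Password Replication Group"
PasswordReplicationAllowed="s4-howto\\Allowed RODC Password Replication Group"
DelegatedAdmin="s4-howto\\Administrator"
"""

# Groups the default RODC policy denies: their secrets must never be cached on an RODC.
DEFAULT_DENIED = {"BUILTIN\\Administrators", "BUILTIN\\Server Operators",
                  "BUILTIN\\Backup Operators", "BUILTIN\\Account Operators"}


def parse_dcinstall(text):
    """Return {key: [values]} for the [DCInstall] section. Repeated keys such as
    PasswordReplicationDenied are kept as lists, the way dcpromo's GetAllKeys
    reads them; a stock INI parser would keep only one of them."""
    values = defaultdict(list)
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[dcinstall]"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()].append(val.strip().strip('"'))
    return dict(values)


def check_prp(answers):
    """Return a list of policy problems (empty when the PRP looks sane)."""
    if answers.get("ReplicaOrNewDomain", [""])[0].lower() != "readonlyreplica":
        return ["not an RODC install; PasswordReplication* keys are ignored"]
    denied = set(answers.get("PasswordReplicationDenied", []))
    allowed = set(answers.get("PasswordReplicationAllowed", []))
    problems = ["privileged group not denied: " + g for g in sorted(DEFAULT_DENIED - denied)]
    # Deny wins over allow in the RODC PRP, so an overlap is a configuration mistake.
    problems += ["group both allowed and denied: " + g for g in sorted(allowed & denied)]
    return problems
```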