PATCHES: On enabling read ACLs on LDAP searches for 4.0

Andrew Bartlett abartlet at samba.org
Fri Dec 7 13:34:55 MST 2012


On Fri, 2012-12-07 at 11:40 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> >>> https://bugzilla.samba.org/show_bug.cgi?id=9470
> >>> Can you try again with attached patches?
> >>
> >> Updated patches are in
> >> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls
> >> They might not fix MMC but they fix some important bugs, but need some
> >> more testing
> >> as I don't understand the dirsync stuff...
> > 
> > Can you try some of this locally?  The error is changed, but still fails
> > (on the RODC in this case).
> > 
> > I can still try running this for new patches, but the DNS registration
> > is flaky and so it's very time-consuming to re-run.  (But at least it
> > keeps doing the same steps, from the same base image each time).
> 
> Ok, there was a memory corruption bug in the acl_read module
> triggered by some bugs in other modules.
> 
> I've pushed fixes to
> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls

It still isn't working for me, using a branch based on your code in that
branch with hash ad652b58e7aae887adf0ffd3193023b6de876b30

The error is back to the one I first reported.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
C:\Users\Administrator>copy /Y con answers.txt

[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=s4.howto.abartlet.net
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="s4-howto\Denied RODC Password Replication Group"
PasswordReplicationAllowed="s4-howto\Allowed RODC Password Replication Group"
DelegatedAdmin="s4-howto\Administrator"
SiteName=Default-First-Site-Name
InstallDNS=No
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=s4.howto.abartlet.net
UserName=s4.howto.abartlet.net\administrator
Password=p@ssw0rd
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=p@ssw0rd
RebootOnCompletion=No


copy /Y con answers.txt


[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=s4.howto.abartlet.net
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="s4-howto\Denied RODC Password Replication Group"
PasswordReplicationAllowed="s4-howto\Allowed RODC Password Replication Group"
DelegatedAdmin="s4-howto\Administrator"
SiteName=Default-First-Site-Name
InstallDNS=No
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=s4.howto.abartlet.net
UserName=s4.howto.abartlet.net\administrator
Password=p@ssw0rd
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=p@ssw0rd
RebootOnCompletion=No


        1 file(s) copied.

C:\Users\Administrator>C:\Users\Administrator>dcpromo /answer:answers.txt

dcpromo /answer:answers.txt
Checking if Active Directory Domain Services binaries are installed...
Active Directory Domain Services Setup

Validating environment and parameters...

----------------------------------------
The following actions will be performed:
Configure this server as an additional Active Directory domain controller for the domain "s4.howto.abartlet.net".

Site: Default-First-Site-Name

Additional Options:
  Read-only domain controller: "Yes"
  Global catalog: Yes
  DNS Server: No

Source domain controller: any writable domain controller

Password Replication Policy:
  Allow: s4-howto\Allowed RODC Password Replication Group
  Deny:  BUILTIN\Administrators
  Deny:  BUILTIN\Server Operators
  Deny:  BUILTIN\Backup Operators
  Deny:  BUILTIN\Account Operators
  Deny:  s4-howto\Denied RODC Password Replication Group

Delegation for RODC Installation and Administration:
s4-howto\Administrator

Database folder: C:\Windows\NTDS
Log file folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOL
----------------------------------------

Starting...

Checking if Group Policy Management Console needs to be installed...

Changing domain membership of this computer...

Press CTRL-C to: Cancel

Located domain controller obed.s4.howto.abartlet.net for domain s4.howto.abartlet.net


Examining an existing forest...

The attempted domain controller operation has completed


The functional level of the forest is incompatible with this operating system.



The operation failed because:

The functional level of the forest is incompatible with this operating system.

"The version of the operating system installed on this server no longer supports the current AD DS Forest functional level or AD LDS Configuration Set functional level. You must raise the AD DS Forest functional level or AD LDS Configuration Set functional level before this server can become an AD DS Domain Controller or an AD LDS Instance in this Forest or Configuration Set."

This error can occur if you have not been granted necessary permissions to read data in the directory.  For more information, please see article 936241 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=88420).
Active Directory Domain Services was not installed.

Active Directory Domain Services (AD DS) binaries will remain installed. To uninstall AD DS binaries, use Server Manager to remove the AD DS role.

Windows Server 2008 and "Windows Server 2008 R2" domain controllers have a new more secure default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0." This setting prevents Microsoft Windows and non-Microsoft SMB "clients" from using weaker NT 4.0 style cryptography algorithms when establishing security channel sessions against Windows Server 2008 or "Windows Server 2008 R2" domain controllers. As a result of this new default, operations or applications that require a security channel serviced by Windows Server 2008 or "Windows Server 2008 R2" domain controllers might fail.

Platforms impacted by this change include Windows NT 4.0, as well as non-Microsoft SMB "clients" and network-attached storage (NAS) devices that do not support stronger cryptography algorithms. Some operations on clients running versions of Windows earlier than Windows Vista with Service Pack 1 are also impacted, including domain join operaecho off
echo START DCPROMO log
more c:\windows\debug\dcpromoui.log
echo END DCPROMO log
tions performed by the Active Directory Migration Tool or Windows Deployment Services.

For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).

You must restart this computer to complete the operation.

C:\Users\Administrator>echo off

echo START DCPROMO log
START DCPROMO log

more c:\windows\debug\dcpromoui.log
dcpromoui 5A4.7EC 0000 11:52:58.984 opening log file C:\Windows\debug\dcpromoui.log
dcpromoui 5A4.7EC 0001 11:52:58.984 C:\Windows\system32\dcpromo.exe
dcpromoui 5A4.7EC 0002 11:52:58.984 file timestamp 07/14/2009 12:39:02.901
dcpromoui 5A4.7EC 0003 11:52:58.984 local time 02/21/2012 11:52:58.984
dcpromoui 5A4.7EC 0004 11:52:58.984 running Windows NT 6.1 build 7601 Service Pack 1 (BuildLab:7601.win7sp1_gdr.110622-1506) amd64
dcpromoui 5A4.7EC 0005 11:52:58.984 logging flags 0001007C
dcpromoui 5A4.7EC 0006 11:52:58.984 Enter wmain
dcpromoui 5A4.7EC 0007 11:52:58.984   Enter CheckArgs
dcpromoui 5A4.7EC 0008 11:52:58.984     Enter CArgumentsSpec::ValidateArgument answer
dcpromoui 5A4.7EC 0009 11:52:58.984   Detecting WOW64
dcpromoui 5A4.7EC 000A 11:52:58.984   Detecting OS product type
dcpromoui 5A4.7EC 000B 11:52:58.984   Enter CheckIsServerCore
dcpromoui 5A4.7EC 000C 11:52:58.984     It is not on server foundation
dcpromoui 5A4.7EC 000D 11:52:58.984     HRESULT = 0x00000000
dcpromoui 5A4.7EC 000E 11:52:58.984   Enter IsSKUSupported
dcpromoui 5A4.7EC 000F 11:52:58.984   GUI mode: false
dcpromoui 5A4.7EC 0010 11:52:58.984   Create mutex returns 0x0
dcpromoui 5A4.7EC 0011 11:52:58.984   Console mode
dcpromoui 5A4.7EC 0012 11:52:58.984   Enter CheckInstallStates
dcpromoui 5A4.7EC 0013 11:52:58.984     Detecting NetFx3 component install state
dcpromoui 5A4.6E4 0014 11:52:58.984 Enter CbsGetUpdateInstallState
dcpromoui 5A4.6E4 0015 11:52:58.984   The category is 3
dcpromoui 5A4.6E4 0016 11:52:58.984   Enter FindRoleInfo
dcpromoui 5A4.6E4 0017 11:52:58.984     Enter CheckIsServerCore
dcpromoui 5A4.6E4 0018 11:52:58.984       It is not on server foundation
dcpromoui 5A4.6E4 0019 11:52:58.984       HRESULT = 0x00000000
dcpromoui 5A4.6E4 001A 11:52:58.984   Enter GetUpdateName
dcpromoui 5A4.6E4 001B 11:52:58.984   Enter GetPackageName
dcpromoui 5A4.6E4 001C 11:53:05.224     Package name for Microsoft-Windows-Foundation-Package is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514
dcpromoui 5A4.6E4 001D 11:53:05.240   Enter CbsGetUpdateInstallState
dcpromoui 5A4.6E4 001E 11:53:05.240     package name is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514 and update name is NetFx3
dcpromoui 5A4.6E4 001F 11:53:06.394   HRESULT = 0x00000000
dcpromoui 5A4.7EC 0020 11:53:06.394     HRESULT = 0x00000000
dcpromoui 5A4.7EC 0021 11:53:06.394     NetFx3 component install state is 7
dcpromoui 5A4.7EC 0022 11:53:06.394     Detecting DS component install state
dcpromoui 5A4.5F0 0023 11:53:06.394 Enter CbsGetUpdateInstallState
dcpromoui 5A4.5F0 0024 11:53:06.394   The category is 0
dcpromoui 5A4.5F0 0025 11:53:06.394   Enter FindRoleInfo
dcpromoui 5A4.5F0 0026 11:53:06.394     Enter CheckIsServerCore
dcpromoui 5A4.5F0 0027 11:53:06.394       It is not on server foundation
dcpromoui 5A4.5F0 0028 11:53:06.394       HRESULT = 0x00000000
dcpromoui 5A4.5F0 0029 11:53:06.394   Enter GetUpdateName
dcpromoui 5A4.5F0 002A 11:53:06.394   Enter GetPackageName
dcpromoui 5A4.5F0 002B 11:53:07.190     Package name for Microsoft-Windows-Foundation-Package is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514
dcpromoui 5A4.5F0 002C 11:53:07.221   Enter CbsGetUpdateInstallState
dcpromoui 5A4.5F0 002D 11:53:07.221     package name is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514 and update name is DirectoryServices-DomainController
dcpromoui 5A4.5F0 002E 11:53:08.032   HRESULT = 0x00000000
dcpromoui 5A4.7EC 002F 11:53:08.032     HRESULT = 0x00000000
dcpromoui 5A4.7EC 0030 11:53:08.032     DS component install state is 7
dcpromoui 5A4.7EC 0000 11:53:08.095 appending to log file C:\Windows\debug\dcpromoui.log
dcpromoui 5A4.7EC 0001 11:53:08.095 C:\Windows\system32\dcpromo.exe
dcpromoui 5A4.7EC 0002 11:53:08.095 file timestamp 07/14/2009 12:39:02.901
dcpromoui 5A4.7EC 0003 11:53:08.095 C:\Windows\system32\dcpromocmd.dll
dcpromoui 5A4.7EC 0004 11:53:08.095 file timestamp 11/21/2010 00:26:03.122
dcpromoui 5A4.7EC 0005 11:53:08.095 local time 02/21/2012 11:53:08.095
dcpromoui 5A4.7EC 0006 11:53:08.095 running Windows NT 6.1 build 7601 Service Pack 1 (BuildLab:7601.win7sp1_gdr.110622-1506) amd64
dcpromoui 5A4.7EC 0007 11:53:08.095 logging flags 0011007C
dcpromoui 5A4.7EC 0008 11:53:08.095 Enter DCPromoEntryW
dcpromoui 5A4.7EC 0009 11:53:08.095   Enter Computer::RemoveLeadingBackslashes 
dcpromoui 5A4.7EC 000A 11:53:08.095   Enter Computer::Refresh
dcpromoui 5A4.7EC 000B 11:53:08.095     Enter IsLocalComputer
dcpromoui 5A4.7EC 000C 11:53:08.095     Enter RefreshLocalInformation
dcpromoui 5A4.7EC 000D 11:53:08.095     Enter GetProductTypeFromRegistry
dcpromoui 5A4.7EC 000E 11:53:08.095       Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui 5A4.7EC 000F 11:53:08.095       Enter RegistryKey::GetValue-String ProductType
dcpromoui 5A4.7EC 0010 11:53:08.095       ServerNT
dcpromoui 5A4.7EC 0011 11:53:08.095       prodtype : 0x3
dcpromoui 5A4.7EC 0012 11:53:08.095     Enter GetSafebootOption
dcpromoui 5A4.7EC 0013 11:53:08.095       Enter RegistryKey::Open System\CurrentControlSet\Control\SafeBoot\Option
dcpromoui 5A4.7EC 0014 11:53:08.095       HRESULT = 0x80070002
dcpromoui 5A4.7EC 0015 11:53:08.095       returning : 0x0
dcpromoui 5A4.7EC 0016 11:53:08.095     Enter DetermineRoleAndMembership
dcpromoui 5A4.7EC 0017 11:53:08.095       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 5A4.7EC 0018 11:53:08.095         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 5A4.7EC 0019 11:53:08.095           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 5A4.7EC 001A 11:53:08.095           lpServer  : (null)
dcpromoui 5A4.7EC 001B 11:53:08.095           InfoLevel : 0x1 (DsRolePrimaryDomainInfoBasic)
dcpromoui 5A4.7EC 001C 11:53:08.110           HRESULT = 0x00000000
dcpromoui 5A4.7EC 001D 11:53:08.110         MachineRole      : 0x2
dcpromoui 5A4.7EC 001E 11:53:08.110         Flags            : 0x0
dcpromoui 5A4.7EC 001F 11:53:08.110         DomainNameFlat   : WORKGROUP
dcpromoui 5A4.7EC 0020 11:53:08.110         DomainNameDns    : (null)
dcpromoui 5A4.7EC 0021 11:53:08.110         DomainForestName : (null)
dcpromoui 5A4.7EC 0022 11:53:08.110       Enter IsDcInRepairMode
dcpromoui 5A4.7EC 0023 11:53:08.110   HRESULT = 0x00000000
dcpromoui 5A4.7EC 0024 11:53:08.110   Enter State::DetermineRunContext
dcpromoui 5A4.7EC 0025 11:53:08.110     Enter DS::GetPriorServerRole
dcpromoui 5A4.7EC 0026 11:53:08.110       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 5A4.7EC 0027 11:53:08.110         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 5A4.7EC 0028 11:53:08.110           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 5A4.7EC 0029 11:53:08.110           lpServer  : (null)
dcpromoui 5A4.7EC 002A 11:53:08.110           InfoLevel : 0x2 (DsRoleUpgradeStatus)
dcpromoui 5A4.7EC 002B 11:53:08.110           HRESULT = 0x00000000
dcpromoui 5A4.7EC 002C 11:53:08.110         OperationState      : 0
dcpromoui 5A4.7EC 002D 11:53:08.110         PreviousServerState : 0
dcpromoui 5A4.7EC 002E 11:53:08.110     Enter Computer::GetNetbiosName
dcpromoui 5A4.7EC 002F 11:53:08.110       WIN2008R2-6
dcpromoui 5A4.7EC 0030 11:53:08.110     Enter Computer::GetRole WIN2008R2-6
dcpromoui 5A4.7EC 0031 11:53:08.110       role: 2
dcpromoui 5A4.7EC 0032 11:53:08.110     NT5_STANDALONE_SERVER
dcpromoui 5A4.7EC 0033 11:53:08.110   Enter State::GetRunContext NT5_STANDALONE_SERVER
dcpromoui 5A4.7EC 0034 11:53:08.110   Enter State::ProcessCmdLineOnlyArgs
dcpromoui 5A4.7EC 0035 11:53:08.110     Enter CArgumentsSpec::ValidateArgument answer
dcpromoui 5A4.7EC 0036 11:53:08.110   Enter State::DetermineArgumentSpec
dcpromoui 5A4.7EC 0037 11:53:08.110     Enter State::GetMode NORMAL
dcpromoui 5A4.7EC 0038 11:53:08.110     Enter State::GetOperation NONE
dcpromoui 5A4.7EC 0039 11:53:08.110   Enter ValidateArgs
dcpromoui 5A4.7EC 003A 11:53:08.110     found no additional commandline options
dcpromoui 5A4.7EC 003B 11:53:08.110   Enter State::SetupAnswerFile answers.txt
echo END DCPROMO log

dcpromoui 5A4.7EC 003C 11:53:08.110     Enter FS::NormalizePath answers.txt
dcpromoui 5A4.7EC 003D 11:53:08.110     answerfile resolved to: C:\Users\Administrator\answers.txt
dcpromoui 5A4.7EC 003E 11:53:08.110     Enter FS::GetPathSyntax C:\Users\Administrator\answers.txt
dcpromoui 5A4.7EC 003F 11:53:08.110     true
dcpromoui 5A4.7EC 0040 11:53:08.110     answerfile found
dcpromoui 5A4.7EC 0041 11:53:08.110     answerfile will be considered for unattend settings
dcpromoui 5A4.7EC 0042 11:53:08.110     Enter GetAllKeys
dcpromoui 5A4.7EC 0043 11:53:08.110       Key: ReplicaOrNewDomain
dcpromoui 5A4.7EC 0044 11:53:08.110       Key: ReplicaDomainDNSName
dcpromoui 5A4.7EC 0045 11:53:08.110       Key: PasswordReplicationDenied
dcpromoui 5A4.7EC 0046 11:53:08.110       Key: PasswordReplicationDenied
dcpromoui 5A4.7EC 0047 11:53:08.110       Key: PasswordReplicationDenied
dcpromoui 5A4.7EC 0048 11:53:08.110       Key: PasswordReplicationDenied
dcpromoui 5A4.7EC 0049 11:53:08.110       Key: PasswordReplicationDenied
dcpromoui 5A4.7EC 004A 11:53:08.110       Key: PasswordReplicationAllowed
dcpromoui 5A4.7EC 004B 11:53:08.110       Key: DelegatedAdmin
dcpromoui 5A4.7EC 004C 11:53:08.110       Key: SiteName
dcpromoui 5A4.7EC 004D 11:53:08.110       Key: InstallDNS
dcpromoui 5A4.7EC 004E 11:53:08.110       Key: ConfirmGc
dcpromoui 5A4.7EC 004F 11:53:08.110       Key: Cleaning up ...
restoring /etc/resolv.conf
$ mv -f /etc/resolv.conf.wintest-bak /etc/resolv.conf
Traceback (most recent call last):
  File "./wintest/test-s4-howto.py", line 711, in <module>
    test_howto(t)
  File "./wintest/test-s4-howto.py", line 631, in test_howto
    run_dcpromo_rodc(t, "W2K8R2C")
  File "./wintest/test-s4-howto.py", line 343, in run_dcpromo_rodc
    raise Exception("dcpromo failed")
Exception: dcpromo failed

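When a dcpromo run fails like the one above, the useful part of dcpromoui.log is which call returned a non-zero HRESULT and under which nesting of "Enter ..." lines it happened. The following is an added example, not code from the thread or from Samba's wintest harness: it parses lines in the dcpromoui.log format shown above (per-thread, using the two-space indentation as call depth), reports every non-zero HRESULT with its call path, and decodes HRESULT_FROM_WIN32-style codes. The sample log text is constructed from lines of the same shape as the log above.

```python
import re

# Constructed sample in the shape of the dcpromoui.log lines quoted above.
SAMPLE_LOG = "\n".join([
    "dcpromoui 5A4.7EC 0008 11:53:08.095 Enter DCPromoEntryW",
    "dcpromoui 5A4.7EC 000A 11:53:08.095   Enter Computer::Refresh",
    "dcpromoui 5A4.7EC 0012 11:53:08.095     Enter GetSafebootOption",
    r"dcpromoui 5A4.7EC 0013 11:53:08.095       Enter RegistryKey::Open System\CurrentControlSet\Control\SafeBoot\Option",
    "dcpromoui 5A4.7EC 0014 11:53:08.095       HRESULT = 0x80070002",
    "dcpromoui 5A4.7EC 0015 11:53:08.095       returning : 0x0",
    "dcpromoui 5A4.6E4 0016 11:53:08.100 Enter CbsGetUpdateInstallState",
    "dcpromoui 5A4.6E4 0017 11:53:08.100   HRESULT = 0x00000000",
    "dcpromoui 5A4.7EC 0023 11:53:08.110   HRESULT = 0x00000000",
])

# "dcpromoui <pid>.<tid> <seq> <hh:mm:ss.mmm> <indent><message>"
LINE_RE = re.compile(
    r"^dcpromoui (?P<pid>[0-9A-F]+)\.(?P<tid>[0-9A-F]+) (?P<seq>[0-9A-F]{4}) "
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<indent> *)(?P<msg>.*)$"
)
HRESULT_RE = re.compile(r"^HRESULT = 0x(?P<hr>[0-9A-Fa-f]{8})\s*$")


def failing_hresults(log_text):
    """Return (thread, hresult, call_path) for every non-zero HRESULT line.

    Each thread keeps its own stack of "Enter X" frames; a line's indentation
    (two spaces per level) says how deep it sits, so a new "Enter" at depth d
    replaces whatever sibling frame was previously at depth d.
    """
    stacks = {}
    found = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        tid, depth, msg = m["tid"], len(m["indent"]) // 2, m["msg"].strip()
        stack = stacks.setdefault(tid, [])
        if msg.startswith("Enter "):
            del stack[depth:]                      # pop frames at this depth or deeper
            stack.append(msg[len("Enter "):].split(" ")[0])  # drop the argument text
            continue
        hm = HRESULT_RE.match(msg)
        if hm and int(hm["hr"], 16) != 0:
            found.append((tid, "0x" + hm["hr"].upper(), " > ".join(stack[:depth + 1])))
    return found


def win32_code(hresult):
    """For HRESULT_FROM_WIN32 values (0x8007xxxx) return the Win32 error code, else None."""
    return hresult & 0xFFFF if (hresult >> 16) == 0x8007 else None
```

In the log above the only non-zero HRESULT is 0x80070002 (Win32 error 2, file not found) from the SafeBoot registry lookup, which is the normal result on a machine not booted in safe mode, so it is not the cause of the failure.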
