[PATCH] Finally run bind9_dlz spnego test, fix drs delete behaviour

Amitay Isaacs amitay at gmail.com
Wed Jun 5 00:31:19 MDT 2013


On Tue, Jun 4, 2013 at 10:03 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2013-06-04 at 16:39 +1000, Andrew Bartlett wrote:
> > On Mon, 2013-06-03 at 22:27 +1000, Andrew Bartlett wrote:
> > > On Sun, 2013-06-02 at 23:05 +1000, Andrew Bartlett wrote:
> > > > I've been frustrated for over 6 months by why adding some 'simple' tests
> > > > to confirm that some of the crypto in the bind9_dlz code works because
> > > > it suddenly broke make test, particularly dbcheck.
> > > >
> > > > The attached patches just passed a private autobuild.  They add the
> > > > 'problem' tests, but first we fix the behaviour of DRS-initiated object
> > > > deletes.
> > > >
> > > > Please review/push/comment (this patch series includes the usnChanged
> > > > series I posted a few days ago).
> > > >
> > > > From here, I would like to continue to improve the tests - the tests in
> > > > source4/torture/drs/python/delete_object.py could be trivially extended
> > > > to add a 'description' and 'memberOf' element that we should ensure gets
> > > > deleted on both hosts, for example.  We could also watch usnChanged
> > > > values to ensure we delete the right stuff, but for now I'm simply
> > > > stunned that this could ever have worked with this incorrect!
> > >
> > > Just as a heads-up I'm continuing to work on these patches.  The point
> > > tests I added (rather than just waiting for the dbcheck) show the issue
> > > isn't totally resolved, but is better.  (I somehow found a
> > > member/memberOf link left over...).
> > >
> > > Review of this much would be helpful, but expect additional changes as
> > > we finally start to get this right.
> >
> > I've not finished the patch yet, but what seems clear is that the issue
> > comes from processing (rather than dropping/ignoring, as we should)
> > linked attributes and to deleted objects.
>
> I'm almost shocked to finally have this finished, given how long this
> problem has dogged me.  The patches are in my fix-drs-testing-14 branch,
> and attached.
>
> Not only does this open up the chance to do more DRS testing, and more
> unrelated fixes to DRS replication (now that adding tests does not
> suddenly cause 'unrelated' breakages), it also allows us to resume
> adding tests of the bind9 DLZ module, which stalled out when adding
> bind9 tests broke stuff.
>
> The patches handle both normal and linked attributes, following all the
> special rules for deleted objects.
>
>
Hi Andrew,

While testing this branch I noticed that on the server object the "dNSHostName"
attribute is missing for the joined DC.  I have a samba4 DC (euler-i1) and a
Windows DC (w2008r2-i1) joined to samba4.


$ bin/ldbsearch -H ldap://euler-i1 -b "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lindom,DC=example,DC=local" "(objectclass=server)" dNSHostName
# record 1
dn: CN=W2008R2-I1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lindom,DC=example,DC=local

# record 2
dn: CN=EULER-I1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lindom,DC=example,DC=local
dNSHostName: euler-i1.lindom.example.local

# returned 2 records
# 2 entries
# 0 referrals


$ bin/ldbsearch -H ldap://w2008r2-i1 -b "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lindom,DC=example,DC=local" "(objectclass=server)" dNSHostName
# record 1
dn: CN=EULER-I1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lindom,DC=example,DC=local
dNSHostName: euler-i1.lindom.example.local

# record 2
dn: CN=W2008R2-I1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lindom,DC=example,DC=local
dNSHostName: W2008R2-I1.lindom.example.local

# returned 2 records
# 2 entries
# 0 referrals

This failure shows up when I try the "samba-tool drs showrepl" command.

$ bin/samba-tool drs showrepl
Default-First-Site-Name\EULER-I1
DSA Options: 0x00000001
DSA object GUID: f5280c79-365e-4603-86e4-d7a3e155052b
DSA invocationId: 668da658-d986-455e-bdb6-47853bda8086

==== INBOUND NEIGHBORS ====

DC=lindom,DC=example,DC=local
        Default-First-Site-Name\W2008R2-I1 via RPC
                DSA object GUID: 5a0e5a59-d3f6-421f-b46e-5d2bdcaef065
                Last attempt @ Wed Jun  5 16:28:13 2013 EST failed, result 2 (WERR_BADFILE)
                12 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=lindom,DC=example,DC=local
        Default-First-Site-Name\W2008R2-I1 via RPC
                DSA object GUID: 5a0e5a59-d3f6-421f-b46e-5d2bdcaef065
                Last attempt @ Wed Jun  5 16:28:13 2013 EST failed, result 2 (WERR_BADFILE)
                12 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=lindom,DC=example,DC=local
        Default-First-Site-Name\W2008R2-I1 via RPC
                DSA object GUID: 5a0e5a59-d3f6-421f-b46e-5d2bdcaef065
                Last attempt @ Wed Jun  5 16:28:13 2013 EST failed, result 2 (WERR_BADFILE)
                12 consecutive failure(s).
                Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=lindom,DC=example,DC=local
        Default-First-Site-Name\W2008R2-I1 via RPC
                DSA object GUID: 5a0e5a59-d3f6-421f-b46e-5d2bdcaef065
                Last attempt @ Wed Jun  5 16:29:04 2013 EST failed, result 2 (WERR_BADFILE)
                490 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=lindom,DC=example,DC=local
        Default-First-Site-Name\W2008R2-I1 via RPC
                DSA object GUID: 5a0e5a59-d3f6-421f-b46e-5d2bdcaef065
                Last attempt @ Wed Jun  5 16:29:05 2013 EST failed, result 2 (WERR_BADFILE)
                490 consecutive failure(s).
                Last success @ NTTIME(0)

DC=lindom,DC=example,DC=local
        Default-First-Site-Name\W2008R2-I1 via RPC
                DSA object GUID: 5a0e5a59-d3f6-421f-b46e-5d2bdcaef065
                Last attempt @ Wed Jun  5 16:29:05 2013 EST failed, result 2 (WERR_BADFILE)
                730 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=lindom,DC=example,DC=local
        Default-First-Site-Name\W2008R2-I1 via RPC
                DSA object GUID: 5a0e5a59-d3f6-421f-b46e-5d2bdcaef065
                Last attempt @ Wed Jun  5 16:29:05 2013 EST failed, result 2 (WERR_BADFILE)
                730 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=lindom,DC=example,DC=local
        Default-First-Site-Name\W2008R2-I1 via RPC
                DSA object GUID: 5a0e5a59-d3f6-421f-b46e-5d2bdcaef065
                Last attempt @ Wed Jun  5 16:29:05 2013 EST failed, result 2 (WERR_BADFILE)
                730 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "bin/python/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "bin/python/samba/netcmd/drs.py", line 177, in run
    c_server_dns = c_server_res[0]["dNSHostName"][0]

The error in printing KCC connection objects is due to missing
"dNSHostName" attribute.

There seem to be some more issues with replication. I was interested in
finding out whether DNS zones replicate to windows successfully.

Let me know if you need any more information.

Amitay.
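
The check described in the message above, as an added example (not part of the original message and not Samba code): it parses ldbsearch LDIF output and lists the server objects that have no dNSHostName, the condition under which the c_server_res[0]["dNSHostName"][0] lookup raises KeyError. The function names and the sample text are assumptions, constructed from the output quoted in the message.

```python
import base64

# Constructed sample: first search result from the message; second dn is folded.
SAMPLE = """\
# record 1
dn: CN=W2008R2-I1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lindom,DC=example,DC=local

# record 2
dn: CN=EULER-I1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configura
 tion,DC=lindom,DC=example,DC=local
dNSHostName: euler-i1.lindom.example.local

# returned 2 records
"""


def parse_ldif(text):
    """Parse ldbsearch LDIF output into a list of {attr_lower: [values]} dicts."""
    records, current = [], {}
    # LDIF folding: a newline followed by one space continues the previous line.
    # The trailing "" flushes the last record.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return records


def missing_attr(records, attr="dNSHostName"):
    """Return the DNs of records that carry no value for attr."""
    return [r["dn"][0] for r in records if "dn" in r and not r.get(attr.lower())]


def first_value(record, attr, default=None):
    """Tolerant lookup: first value of attr, or default when it is absent."""
    values = record.get(attr.lower())
    return values[0] if values else default


if __name__ == "__main__":
    for dn in missing_attr(parse_ldif(SAMPLE)):
        print("server object without dNSHostName:", dn)
```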

