[PATCH] rpc_server/drsuapi: Set msDS_IntId as attid for linked attributes if exists

Sinelnikov Evgeniy Sinelnikov.E at digdes.com
Mon Apr 4 18:39:27 UTC 2016



> -----Original Message-----
> From: samba-technical [mailto:samba-technical-bounces at lists.samba.org]
> On Behalf Of Andrew Bartlett
> Sent: Friday, April 1, 2016 10:26 PM
> To: sin at altlinux.ru; samba-technical at lists.samba.org
> Subject: Re: [PATCH] rpc_server/drsuapi: Set msDS_IntId as attid for linked
> attributes if exists
> 
> On Fri, 2016-04-01 at 17:46 +0300, Evgeny Sinelnikov wrote:
> > Hello,
> >
> > I am sending this email about the topic of "Error 8418: The replication
> > operation failed because of a schema mismatch between the servers
> > involved":
> > - https://lists.samba.org/archive/samba-technical/2016-February/112151.html
> > - https://lists.samba.org/archive/samba-technical/2016-February/112174.html
> > - https://lists.samba.org/archive/samba-technical/2016-February/112361.html
> > - https://lists.samba.org/archive/samba-technical/2016-March/113261.html
> > - https://lists.samba.org/archive/samba-technical/2016-April/113304.html
> >
> > Recently I tried to find a solution for the Samba replication problem with
> > the MS Exchange schema extension and other products with the same feature.
> >
> > The problem looks like a SCHEMA_MISMATCH error during the replication
> > process from a Samba DC to a Windows DC:
> > # samba-tool drs replicate dc01 dc02 dc=company3,dc=dd
> > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8418, 'WERR_DS_DRA_SCHEMA_MISMATCH')
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 349, in run
> >     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
> >     raise drsException("DsReplicaSync failed %s" % estr)
> >
> >
> > Previously I created a bug about a suspected error in the DCERPC
> > implementation:
> > https://bugzilla.samba.org/show_bug.cgi?id=11758
> > which also enumerates other bugs that look similar:
> > https://bugzilla.samba.org/show_bug.cgi?id=11388
> > https://bugzilla.samba.org/show_bug.cgi?id=11172
> > https://bugzilla.samba.org/show_bug.cgi?id=10470
> >
> >
> > The current patch solves this problem and was tested on the Samba-4.4.0 release.
> >
> > Please review and push it.
> 
> Very well done.  I'm impressed!
> 
> We need to confirm the behaviour in the schema partition, and once we
> have that worked out, we can proceed to merge this.
> 
> Doing that requires creating a linked attribute with an msDS-IntID value, on a
> schema object.  This may never happen in the real world, but if we are going
> to solve it, we should solve it correctly.
> 
> I did mention that we need tests.  We need the custom schema tests to
> create a linked attribute pair with an msDS-IntID value, and we then need to
> perform a DRS operation to fetch those, like the repl_exop test code does,
> and assert on the values.  We also need to make our DRS client assert that
> the correct values are being used, and so fail just as Windows did.
> 
> Finally, be aware that there are still bugs in this area.  In particular I have a
> set of patches to fix other replication issues at
> http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/tombstone-reanimation,
> but couldn't get those into Samba because we (now) start
> consistently hitting the 'normal attribute' version of this issue, but only in a full
> make test.
> 
> Thanks!
> 
> Andrew Bartlett
> 
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> 

OK, I ran two tests around behaviour in the schema partition.
But creating a linked attribute with an msDS-IntID value requires manipulations of the schema object that are not provided by standard tools.
So I used manual LDAP changes with adexplorer.

First of all, one needs to understand that changes to the schema attributes require the SchemaMasterRole.
Secondly, that we have two parts of a linked attribute: link and backlink.

Creating a link as a SchemaClass object attribute is not provided, as far as I could find.
Creating a backlink is just adding some Schema object as a link DN to another object.

My tests show backlink issues.
There are two variants of creating the backlink attribute we could test:
- on the same DC;
- on another DC.

Also we need to find an object with an attribute that could take a Schema object DN as a value.
Most of the time I tried to find such an object with such an attribute.

For our tests I found the Exchange object:
CN=microsoft,CN=Microsoft Exchange System Objects,DC=company3,DC=dd
with schema:
CN=ms-Exch-Public-Folder,CN=Schema,CN=Configuration,DC=company3,DC=dd

and the homeMDB attribute with schema:
CN=ms-Exch-Home-MDB,CN=Schema,CN=Configuration,DC=company3,DC=dd

I set two Schema object values for this attribute (see the screenshots):
- CN=Computer,CN=Schema,CN=Configuration,DC=company3,DC=dd
- CN=Users,CN=Schema,CN=Configuration,DC=company3,DC=dd
___________________________

For these issues I got the following results:

1) Setting homeMDB on the Windows DC works
http://i.imgur.com/Jr0tx6g.png (adexplorer)
http://i.imgur.com/Mx85uNh.png (wireshark)

But the Samba DC returns an error during the replication process:

[2016/04/04 18:23:51.791444,  0] ../source4/rpc_server/dcerpc_server.c:1048(dcesrv_request)
  dcerpc dispatch in call drsuapi:02 with call_id 66
[2016/04/04 18:23:51.791955,  0] ../source4/rpc_server/dcerpc_server.c:940(dcesrv_save_call)
  RPC REQUEST SAVED /var/log/samba/ndr/0028-RPC-drsuapi-2-request-call_id_66-common.dat
[2016/04/04 18:23:51.792208,  3] ../source4/dsdb/repl/drepl_service.c:203(_drepl_schedule_replication)
  _drepl_schedule_replication: forcing sync of partition (b9750df0-070f-4a1e-93b1-81a4fcf41d77, DC=company3,DC=dd, ae22e205-5f46-48ef-b165-27df4468843b._msdcs.company3.dd)
[2016/04/04 18:23:51.792450,  0] ../source4/rpc_server/common/reply.c:175(dcesrv_save_reply)
  RPC REPLY SAVED /var/log/samba/ndr/0029-RPC-drsuapi-response-call_id_66-common.dat
[2016/04/04 18:23:52.212929,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/04/04 18:23:52.213012,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2016/04/04 18:23:52.213240,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_RESET'
[2016/04/04 18:23:52.213271,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_RESET]
[2016/04/04 18:23:52.804035,  1] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: schema_data_modify: we are not master: reject request
..
[2016/04/04 18:23:52.804207,  0] ../source4/dsdb/repl/replicated_objects.c:882(dsdb_replicated_objects_commit)
  ../source4/dsdb/repl/replicated_objects.c:882 Failed to prepare commit of transaction: Failed to add backlink from CN=microsoft,CN=Microsoft Exchange System Objects,DC=company3,DC=dd to CN=Computer,CN=Schema,CN=Configuration,DC=company
..
[2016/04/04 18:23:52.804365,  0] ../source4/dsdb/repl/drepl_out_helpers.c:776(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE


With the following packet (120-65329-test46-DsGetNCChanges-response-call_id_17) from the Windows DC:
....
                            linked_attributes: struct drsuapi_DsReplicaLinkedAttribute
                                identifier               : *
                                    identifier: struct drsuapi_DsReplicaObjectIdentifier
                                        __ndr_size               : 0x0000003a (58)
                                        __ndr_size_sid           : 0x00000000 (0)
                                        guid                     : 9ecaa372-366b-4442-97ab-1f9902ef25bb
                                        sid                      : S-0-0
                                        __ndr_size_dn            : 0x00000000 (0)
                                        dn                       : ''
                                attid                    : UNKNOWN_ENUM_VALUE (0x88EC88B7)
                                value: struct drsuapi_DsAttributeValue
                                    __ndr_size               : 0x000000aa (170)
                                    blob                     : *
                                        blob                     : DATA_BLOB length=170
[0000] AA 00 00 00 00 00 00 00   9F 9C 95 5F 58 C5 8F 49   ........ ..._X..I
[0010] 97 76 A4 D3 3A E0 07 2F   00 00 00 00 00 00 00 00   .v..:../ ........
skipping zero buffer bytes
[0030] 00 00 00 00 38 00 00 00   43 00 4E 00 3D 00 43 00   ....8... C.N.=.C.
[0040] 6F 00 6D 00 70 00 75 00   74 00 65 00 72 00 2C 00   o.m.p.u. t.e.r.,.
[0050] 43 00 4E 00 3D 00 53 00   63 00 68 00 65 00 6D 00   C.N.=.S. c.h.e.m.
[0060] 61 00 2C 00 43 00 4E 00   3D 00 43 00 6F 00 6E 00   a.,.C.N. =.C.o.n.
[0070] 66 00 69 00 67 00 75 00   72 00 61 00 74 00 69 00   f.i.g.u. r.a.t.i.
[0080] 6F 00 6E 00 2C 00 44 00   43 00 3D 00 63 00 6F 00   o.n.,.D. C.=.c.o.
[0090] 6D 00 70 00 61 00 6E 00   79 00 33 00 2C 00 44 00   m.p.a.n. y.3.,.D.
[00A0] 43 00 3D 00 64 00 64 00   00 00                     C.=.d.d. ..
                                flags                    : 0x00000001 (1)
                                       1: DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE
                                originating_add_time     : Mon Apr  4 05:03:37 PM 2016 UTC
                                meta_data: struct drsuapi_DsReplicaMetaData
                                    version                  : 0x00000003 (3)
                                    originating_change_time  : Mon Apr  4 06:23:36 PM 2016 UTC
                                    originating_invocation_id: ae22e205-5f46-48ef-b165-27df4468843b
                                    originating_usn          : 0x000000000000a20d (41485)


2) Setting homeMDB on the Samba DC returns the following error after seizing the schema role:
http://i.imgur.com/LMpViRy.png

# samba-tool fsmo seize --role=schema
ldb_wrap open of secrets.ldb
Attempting transfer...
FSMO transfer of 'schema' role successful
Not seizing role as transfer was successful

[2016/04/04 18:39:16.099746,  3] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4562(replmd_replicated_apply_merge)
  Discarding older DRS attribute update to fSMORoleOwner on CN=Schema,CN=Configuration,DC=company3,DC=dd from ae22e205-5f46-48ef-b165-27df4468843b
[2016/04/04 18:39:16.810795,  2] ../source4/dsdb/repl/replicated_objects.c:1008(dsdb_replicated_objects_commit)
  Replicated 1 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=company3,DC=dd
[2016/04/04 18:39:17.779423,  1] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: schema_data_modify: updates are not allowed: reject request
..
[2016/04/04 18:39:34.408107,  1] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: schema_data_modify: updates are not allowed: reject request


This is not really useful. At the moment I have stopped at this.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 120-65329-test46-DsGetNCChanges-response-call_id_17.txt
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160404/78ba28f1/120-65329-test46-DsGetNCChanges-response-call_id_17.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 120-301724-test45-DsGetNCChanges-response-call_id_16.txt
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160404/78ba28f1/120-301724-test45-DsGetNCChanges-response-call_id_16.txt>
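As an added illustration (not Samba's code and not part of the message above), the Python below decodes the 170-byte linked-attribute value shown in the DsGetNCChanges dump and classifies the attid 0x88EC88B7 that ndrdump printed as UNKNOWN_ENUM_VALUE. It assumes the DSNAME layout from MS-DRSR (structLen, SidLen, Guid, Sid[28], NameLen, UTF-16LE name with a two-byte terminator) and the msDS-IntId allocation range 0x80000000 to 0xBFFFFFFF from MS-ADTS; the 16 zero bytes the dump reports as skipped are filled in explicitly, and every length field is checked before it is trusted, which is what a receiving DC has to do with replication data from a peer.

```python
"""Decode a DRS linked-attribute value (DSNAME) and classify its attid.
Added example; not Samba's implementation."""
import struct
import uuid

# Assumption: msDS-IntId values are allocated from this range (MS-ADTS
# 3.1.1.2.6).  ATTRTYP values below 0x80000000 are prefix-table encoded OIDs.
MSDS_INTID_MIN = 0x80000000
MSDS_INTID_MAX = 0xBFFFFFFF

# Bytes copied from the DATA_BLOB in the message above; the 16 bytes the
# dump reports as "skipping zero buffer bytes" (offset 0x20) are written out.
LINKED_VALUE_HEX = """
AA 00 00 00 00 00 00 00 9F 9C 95 5F 58 C5 8F 49
97 76 A4 D3 3A E0 07 2F 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 38 00 00 00 43 00 4E 00 3D 00 43 00
6F 00 6D 00 70 00 75 00 74 00 65 00 72 00 2C 00
43 00 4E 00 3D 00 53 00 63 00 68 00 65 00 6D 00
61 00 2C 00 43 00 4E 00 3D 00 43 00 6F 00 6E 00
66 00 69 00 67 00 75 00 72 00 61 00 74 00 69 00
6F 00 6E 00 2C 00 44 00 43 00 3D 00 63 00 6F 00
6D 00 70 00 61 00 6E 00 79 00 33 00 2C 00 44 00
43 00 3D 00 64 00 64 00 00 00
"""
LINKED_VALUE_BLOB = bytes.fromhex(LINKED_VALUE_HEX)

# The attid ndrdump could not map in the dump above.
ATTID_FROM_DUMP = 0x88EC88B7

# Assumption (MS-DRSR DSNAME): structLen, SidLen, Guid, Sid[28], NameLen.
DSNAME_HEADER = struct.Struct("<II16s28sI")


def is_msds_intid(attid):
    """True if attid lies in the msDS-IntId allocation range."""
    return MSDS_INTID_MIN <= attid <= MSDS_INTID_MAX


def describe_attid(attid):
    """Say how a receiving DC has to resolve an ATTRTYP value."""
    if is_msds_intid(attid):
        return ("msDS-IntId 0x%08X (schema-assigned; resolve against "
                "msDS-IntId, not the prefix map)" % attid)
    return ("prefix-mapped ATTRTYP 0x%08X (prefix index %d, suffix 0x%04X)"
            % (attid, attid >> 16, attid & 0xFFFF))


def parse_dsname(blob):
    """Decode a DSNAME / drsuapi_DsReplicaObjectIdentifier3 value blob.

    Returns a dict with the object GUID, the SID bytes (or None when
    SidLen is 0) and the UTF-16LE DN.  Raises ValueError on any length
    field that does not fit the buffer instead of reading past it.
    """
    if len(blob) < DSNAME_HEADER.size:
        raise ValueError("blob shorter than DSNAME header")
    struct_len, sid_len, guid_raw, sid_raw, name_len = \
        DSNAME_HEADER.unpack_from(blob, 0)
    if struct_len != len(blob):
        raise ValueError("structLen %d != blob length %d"
                         % (struct_len, len(blob)))
    if sid_len > 28:
        raise ValueError("SidLen %d exceeds the 28-byte Sid field" % sid_len)
    name_end = DSNAME_HEADER.size + 2 * name_len
    if name_end + 2 > len(blob):
        raise ValueError("NameLen %d runs past the end of the blob" % name_len)
    if blob[name_end:name_end + 2] != b"\x00\x00":
        raise ValueError("DN is not NUL-terminated")
    return {
        "guid": str(uuid.UUID(bytes_le=guid_raw)),
        "sid": sid_raw[:sid_len] if sid_len else None,
        "dn": blob[DSNAME_HEADER.size:name_end].decode("utf-16-le"),
    }


if __name__ == "__main__":
    print(describe_attid(ATTID_FROM_DUMP))
    print(parse_dsname(LINKED_VALUE_BLOB))
```

Run stand-alone it prints that the attid is in the msDS-IntId range and that the value targets CN=Computer,CN=Schema,CN=Configuration,DC=company3,DC=dd with the GUID 5f959c9f-c558-498f-9776-a4d33ae0072f and no SID, i.e. exactly the backlink target the Samba log refuses to add.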

