[PATCH] samba_kcc: do not commit new nTDSConnection if we are rodc

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Tue Nov 14 21:12:17 UTC 2017 

thanks Andrej,

On 13/11/17 23:30, Andrej Gessel via samba-technical wrote:
> Here some more information about: https://lists.samba.org/archive/samba/2017-November/212050.html
> 
> 
> 
> Thanks
> -----------------------------------------------------------------
> Andrej Gessel (andrej.gessel at janztec.com<mailto:andrej.gessel at janztec.com>)
> Entwicklung Software
> 
> 
> 0001-samba_kcc-do-not-commit-new-nTDSConnection-if-we-are.patch
> 
> 
> From 3ebd0e65a12ba51093c097c9993aa766cebc7fd0 Mon Sep 17 00:00:00 2001
> From: Andrej Gessel <Andrej.Gessel at janztec.com>
> Date: Mon, 13 Nov 2017 11:07:43 +0100
> Subject: [PATCH] samba_kcc: do not commit new nTDSConnection, if we are rodc
> 
> Traceback (most recent call last):
> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>
> /usr/local/samba/sbin/samba_kcc:     attempt_live_connections=opts.attempt_live_connections)
> /usr/local/samba/sbin/samba_kcc: File
> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run
> /usr/local/samba/sbin/samba_kcc:     all_connected = self.intersite(ping)
> /usr/local/samba/sbin/samba_kcc: File
> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite
> /usr/local/samba/sbin/samba_kcc:     all_connected = self.create_intersite_connections()
> /usr/local/samba/sbin/samba_kcc: File
> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections
> /usr/local/samba/sbin/samba_kcc:     part, True)
> /usr/local/samba/sbin/samba_kcc: File
> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections
> /usr/local/samba/sbin/samba_kcc:     partial_ok, detect_failed)
> /usr/local/samba/sbin/samba_kcc: File
> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection
> /usr/local/samba/sbin/samba_kcc:     lbh.commit_connections(self.samdb)
> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections
> /usr/local/samba/sbin/samba_kcc:     connect.commit_added(samdb, ro)
> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added
> /usr/local/samba/sbin/samba_kcc:     (self.dnstr, estr))
> /usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could not add nTDSConnection for (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings,
> CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samdom,DC=com) - (Invalid LDB reply type 1)
> ../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc - NT_STATUS_ACCESS_DENIED
> 
> Signed-off-by: Andrej Gessel <Andrej.Gessel at janztec.com>
> ---
>  python/samba/kcc/__init__.py | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/python/samba/kcc/__init__.py b/python/samba/kcc/__init__.py
> index 6f973ea..2468e37 100644
> --- a/python/samba/kcc/__init__.py
> +++ b/python/samba/kcc/__init__.py
> @@ -1501,7 +1501,7 @@ class KCC(object):
>                              cn.set_modified(True)
>  
>                      # Display any modified connection
> -                    if self.readonly:
> +                    if self.readonly or ldsa.is_ro():
>                          if cn.to_be_modified:
>                              logger.info("TO BE MODIFIED:\n%s" % cn)
>  
> @@ -1585,11 +1585,11 @@ class KCC(object):
>                                      rbh.dsa_dnstr, link_sched)
>  
>              # Display any added connection
> -            if self.readonly:
> +            if self.readonly or lbh.is_ro():
>                  if cn.to_be_added:
>                      logger.info("TO BE ADDED:\n%s" % cn)
>  
> -                    lbh.commit_connections(self.samdb, ro=True)
> +                lbh.commit_connections(self.samdb, ro=True)
>              else:
>                  lbh.commit_connections(self.samdb)
>  
> -- 2.7.4
> 

This looks good to me, but could do with a test.

Does `samba-tool drs kcc $SERVER` trigger it? if so, a test like this
might suffice:

diff --git a/python/samba/tests/samba_tool/rodc.py
b/python/samba/tests/samba_tool/rodc.py
index 4851a53910a..9bac19a3b46 100644
--- a/python/samba/tests/samba_tool/rodc.py
+++ b/python/samba/tests/samba_tool/rodc.py
@@ -126,3 +126,7 @@ class RodcCmdTestCase(SambaToolCmdTest):
                                             "sambatool6", "sambatool5",
                                             "--server",
os.environ["DC_SERVER"])
         self.assertCmdFail(result, "ensuring rodc prefetch quit on
non-replicated user")
+
+    def test_kcc_does_not_crash(self):
+        (result, out, err) = self.runsubcmd("drs", "kcc",
os.environ["DC_SERVER"])
+        self.assertCmdSuccess(result, out, err, "ensuring kcc runs on
the rodc")

Could you try that (with modifications as necessary to make it
actually run)? Garming might have a better idea.

cheers,
Douglas

More information about the samba-technical mailing list