AW: AW: [PATCH] samba_kcc: do not commit new nTDSConnection if we are rodc
Andrej Gessel
Andrej.Gessel at janztec.com
Wed Nov 15 03:15:33 UTC 2017
Sorry,
I thought that I sent it to the mailing list.
If you read my previous mail, this error happens if the RWDC we joined to and the RODC are in different sites.
I see the error in this situation:
Default-First-Site-Name:
- TEST-DC (RWDC)
Testsite2:
- empty
Testsite:
- BUILDHOST (RODC)
If I move TEST-DC to Testsite2, samba_kcc runs without error. If I move it back (waiting for replication), I see the error again.
I can resend the patch with this test, but I don't think it covers the issue.
Andrej
-----Original Message-----
From: Douglas Bagnall [mailto:douglas.bagnall at catalyst.net.nz]
Sent: Wednesday, 15 November 2017 02:50
To: Andrej Gessel <Andrej.Gessel at janztec.com>
Subject: Re: AW: [PATCH] samba_kcc: do not commit new nTDSConnection if we are rodc
OK, it may be that running 'samba-tool drs kcc' is forbidden on an RODC by a higher layer.
The test would then look something like:
import os
import subprocess
...
    def test_kcc_does_not_crash(self):
        # run the KCC locally on the RODC and only check the exit status
        result = subprocess.call(["bin/samba_kcc", "-H",
                                  os.environ["DC_SERVER"]])
        self.assertEqual(result, 0, "ensuring kcc runs on the rodc")
It would be best to keep this discussion on the mailing list so we have a record of how we got to wherever we get to.
cheers,
Douglas
On 15/11/17 12:44, Andrej Gessel wrote:
> Hello,
>
> If I run "samba-tool drs kcc BUILDHOST.samdom.com" I get that error:
> (with and without patch)
>
> ERROR(runtime): DsExecuteKCC failed - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
> File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 237, in run
> self.drsuapi.DsExecuteKCC(self.drsuapi_handle, 1, req1)
>
> in the Samba log I saw this output:
>
> DsExecuteKCC refused for security token (level=10)
> Security token SIDs (11):
> SID[ 0]: S-1-5-21-1047937841-3429790757-297101198-221314
> SID[ 1]: S-1-5-21-1047937841-3429790757-297101198-521
> SID[ 2]: S-1-5-21-1047937841-3429790757-297101198-498
> SID[ 3]: S-1-18-1
> SID[ 4]: S-1-5-21-1047937841-3429790757-297101198-572
> SID[ 5]: S-1-1-0
> SID[ 6]: S-1-5-2
> SID[ 7]: S-1-5-11
> SID[ 8]: S-1-5-32-574
> SID[ 9]: S-1-5-32-545
> SID[ 10]: S-1-5-32-554
> Privileges (0x 800000):
> Privilege[ 0]: SeChangeNotifyPrivilege
> Rights (0x 400):
> Right[ 0]: SeRemoteInteractiveLogonRight
>
>
> Andrej
>
> -----Original Message-----
> From: Douglas Bagnall [mailto:douglas.bagnall at catalyst.net.nz]
> Sent: Tuesday, 14 November 2017 22:12
> To: Andrej Gessel <Andrej.Gessel at janztec.com>; samba-technical at lists.samba.org
> Cc: Garming Sam <garming at catalyst.net.nz>
> Subject: Re: [PATCH] samba_kcc: do not commit new nTDSConnection if we are rodc
>
> thanks Andrej,
>
> On 13/11/17 23:30, Andrej Gessel via samba-technical wrote:
>> Here some more information about:
>> https://lists.samba.org/archive/samba/2017-November/212050.html
>>
>>
>>
>> Thanks
>> -----------------------------------------------------------------
>> Andrej Gessel
>> (andrej.gessel at janztec.com<mailto:andrej.gessel at janztec.com>)
>> Software Development
>>
>>
>> 0001-samba_kcc-do-not-commit-new-nTDSConnection-if-we-are.patch
>>
>>
>> From 3ebd0e65a12ba51093c097c9993aa766cebc7fd0 Mon Sep 17 00:00:00 2001
>> From: Andrej Gessel <Andrej.Gessel at janztec.com>
>> Date: Mon, 13 Nov 2017 11:07:43 +0100
>> Subject: [PATCH] samba_kcc: do not commit new nTDSConnection, if we are rodc
>>
>> Traceback (most recent call last):
>> /usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>
>> /usr/local/samba/sbin/samba_kcc: attempt_live_connections=opts.attempt_live_connections)
>> /usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run
>> /usr/local/samba/sbin/samba_kcc: all_connected = self.intersite(ping)
>> /usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite
>> /usr/local/samba/sbin/samba_kcc: all_connected = self.create_intersite_connections()
>> /usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections
>> /usr/local/samba/sbin/samba_kcc: part, True)
>> /usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections
>> /usr/local/samba/sbin/samba_kcc: partial_ok, detect_failed)
>> /usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection
>> /usr/local/samba/sbin/samba_kcc: lbh.commit_connections(self.samdb)
>> /usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections
>> /usr/local/samba/sbin/samba_kcc: connect.commit_added(samdb, ro)
>> /usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added
>> /usr/local/samba/sbin/samba_kcc: (self.dnstr, estr))
>> /usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could not add nTDSConnection for (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings,CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samdom,DC=com) - (Invalid LDB reply type 1)
>> ../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc - NT_STATUS_ACCESS_DENIED
>>
>> Signed-off-by: Andrej Gessel <Andrej.Gessel at janztec.com>
>> ---
>> python/samba/kcc/__init__.py | 6 +++---
>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/python/samba/kcc/__init__.py
>> b/python/samba/kcc/__init__.py index 6f973ea..2468e37 100644
>> --- a/python/samba/kcc/__init__.py
>> +++ b/python/samba/kcc/__init__.py
>> @@ -1501,7 +1501,7 @@ class KCC(object):
>> cn.set_modified(True)
>>
>> # Display any modified connection
>> - if self.readonly:
>> + if self.readonly or ldsa.is_ro():
>> if cn.to_be_modified:
>> logger.info("TO BE MODIFIED:\n%s" % cn)
>>
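Review bot: the changed line `if self.readonly or ldsa.is_ro():` folds the RODC case into the `--readonly` dry-run branch, so on an RODC a real run now logs `TO BE MODIFIED:` exactly as a dry run would, and the hunk does not show whether the modified connection is then committed with `ro=True` (as the second hunk does for added connections) or silently dropped. Keep the two cases distinguishable, e.g. log "skipping commit of modified connection: local DSA is read-only" for the `is_ro()` path, and say in the commit message why an RODC must not write nTDSConnection objects; the message currently consists only of the traceback.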
>> @@ -1585,11 +1585,11 @@ class KCC(object):
>> rbh.dsa_dnstr, link_sched)
>>
>> # Display any added connection
>> - if self.readonly:
>> + if self.readonly or lbh.is_ro():
>> if cn.to_be_added:
>> logger.info("TO BE ADDED:\n%s" % cn)
>>
>> - lbh.commit_connections(self.samdb, ro=True)
>> + lbh.commit_connections(self.samdb, ro=True)
>> else:
>> lbh.commit_connections(self.samdb)
>>
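Review bot: the `-`/`+` pair `lbh.commit_connections(self.samdb, ro=True)` in this hunk is textually identical as shown, so it is at most an indentation change; either mention that it is intentional or drop it so the diffstat reflects only the condition change on `if self.readonly or lbh.is_ro():`. That condition routes every RODC through the `ro=True` commit regardless of topology, while the reporter states the failure only appears when the RWDC and the RODC are in different sites, so the patch avoids the `Invalid LDB reply type 1` error without explaining why `create_connection` attempts the write in that topology at all; a sentence on that in the commit message would help the next reader.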
>> -- 2.7.4
>>
>
> This looks good to me, but could do with a test.
>
> Does `samba-tool drs kcc $SERVER` trigger it? if so, a test like this might suffice:
>
> diff --git a/python/samba/tests/samba_tool/rodc.py
> b/python/samba/tests/samba_tool/rodc.py
> index 4851a53910a..9bac19a3b46 100644
> --- a/python/samba/tests/samba_tool/rodc.py
> +++ b/python/samba/tests/samba_tool/rodc.py
> @@ -126,3 +126,7 @@ class RodcCmdTestCase(SambaToolCmdTest):
> "sambatool6", "sambatool5",
> "--server",
> os.environ["DC_SERVER"])
> self.assertCmdFail(result, "ensuring rodc prefetch quit on
> non-replicated user")
> +
> + def test_kcc_does_not_crash(self):
> + (result, out, err) = self.runsubcmd("drs", "kcc",
> os.environ["DC_SERVER"])
> + self.assertCmdSuccess(result, out, err, "ensuring kcc runs on
> the rodc")
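Review bot: `test_kcc_does_not_crash` here drives the KCC remotely through `samba-tool drs kcc`, which according to the reporter's follow-up fails against the RODC with `WERR_DS_DRA_ACCESS_DENIED` (DsExecuteKCC refused for the RODC's security token) before the patched Python KCC code runs, so `assertCmdSuccess` would fail for an unrelated reason and a passing run would not exercise the fix. The test needs to invoke `samba_kcc` locally on the RODC instead, as the later `subprocess.call(["bin/samba_kcc", ...])` suggestion in this thread does.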
>
> Could you try that (with modifications as necessary to make it actually run)? Garming might have a better idea.
>
> cheers,
> Douglas
>
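The "DsExecuteKCC refused for security token (level=10)" dump quoted above lists raw SIDs only, which makes the refusal hard to read in terms of who the caller is. What follows is an added example, not code from this thread or from Samba: a small Python decoder that names the well-known SIDs and domain RIDs found in such a dump and infers from group membership alone whether the caller is a writable DC, an RODC, or neither. The SID and RID names are taken from the Microsoft well-known SID tables ([MS-DTYP]); the role ordering in classify_token() is this example's own simplification and is not Samba's actual authorization check. Run over the dump from the thread it shows that SID[1] (RID 521) and SID[2] (RID 498) are the two Read-only Domain Controllers groups and that neither the Domain Controllers group (RID 516) nor ENTERPRISE DOMAIN CONTROLLERS (S-1-5-9) is present, which is exactly what a check requiring writable-DC privilege would reject.

```python
import re

# Added example (not Samba code): decode the "Security token SIDs" dump that
# Samba logs when it refuses DsExecuteKCC, so the refusal can be read in
# terms of group membership. Names come from the well-known SID / RID tables
# in [MS-DTYP]; the role ordering in classify_token() is this example's own
# simplification, not Samba's actual access check.

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-9": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-18-1": "Authentication authority asserted identity",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-32-574": "BUILTIN\\Certificate Service DCOM Access",
}

# Domain-relative RIDs that matter for telling an RODC from a writable DC.
DOMAIN_RIDS = {
    498: "Enterprise Read-only Domain Controllers",
    516: "Domain Controllers",
    521: "Read-only Domain Controllers",
    571: "Allowed RODC Password Replication Group",
    572: "Denied RODC Password Replication Group",
}

SID_LINE = re.compile(r"SID\[\s*\d+\]:\s*(S-1-[\d-]+)")
DOMAIN_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Sample input: the token dump quoted in the thread above, embedded here so
# the example runs offline.
SAMPLE_LOG = """\
DsExecuteKCC refused for security token (level=10)
Security token SIDs (11):
  SID[  0]: S-1-5-21-1047937841-3429790757-297101198-221314
  SID[  1]: S-1-5-21-1047937841-3429790757-297101198-521
  SID[  2]: S-1-5-21-1047937841-3429790757-297101198-498
  SID[  3]: S-1-18-1
  SID[  4]: S-1-5-21-1047937841-3429790757-297101198-572
  SID[  5]: S-1-1-0
  SID[  6]: S-1-5-2
  SID[  7]: S-1-5-11
  SID[  8]: S-1-5-32-574
  SID[  9]: S-1-5-32-545
  SID[ 10]: S-1-5-32-554
"""


def parse_token_sids(log_text):
    """Return the SID strings from a Samba 'Security token SIDs' dump, in order."""
    return SID_LINE.findall(log_text)


def describe_sid(sid):
    """Map one SID to a readable name; domain SIDs are resolved by their RID."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = DOMAIN_SID.match(sid)
    if m:
        rid = int(m.group(2))
        if rid in DOMAIN_RIDS:
            return DOMAIN_RIDS[rid]
        # RIDs >= 1000 are ordinary accounts or custom groups; SID[0] of a
        # token is the caller's own account (here the RODC machine account).
        return "domain RID %d (account or custom group)" % rid
    return "unknown SID"


def classify_token(sids):
    """Coarse role of the token holder from group SIDs alone. Assumption:
    a higher role subsumes the lower ones; this is not Samba's own check."""
    rids = set()
    for sid in sids:
        m = DOMAIN_SID.match(sid)
        if m:
            rids.add(int(m.group(2)))
    if "S-1-5-32-544" in sids:
        return "administrator"
    if 516 in rids or "S-1-5-9" in sids:
        return "domain controller"
    if 521 in rids or 498 in rids:
        return "read-only domain controller"
    return "ordinary user"


def report(log_text):
    """Decode a dump into (sid, name) pairs plus the inferred role."""
    sids = parse_token_sids(log_text)
    return {
        "sids": [(sid, describe_sid(sid)) for sid in sids],
        "role": classify_token(sids),
        # A writable-DC-only check would look for these and find neither.
        "has_dc_group": (any(describe_sid(s) == "Domain Controllers" for s in sids)
                         or "S-1-5-9" in sids),
    }


if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    for sid, name in result["sids"]:
        print("%-55s %s" % (sid, name))
    print("role: %s, member of Domain Controllers / Enterprise DCs: %s"
          % (result["role"], result["has_dc_group"]))
```

To use it on a live system, paste the "Security token SIDs" block from the Samba log into SAMPLE_LOG or pass the log text to report(); any RID not in DOMAIN_RIDS is reported as a plain account or custom group and can be resolved with `samba-tool` or LDAP if needed.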