AW: AW: [PATCH] samba_kcc: do not commit new nTDSConnection if we are rodc

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Fri Nov 17 03:35:37 UTC 2017


On 15/11/17 16:15, Andrej Gessel via samba-technical wrote:
> Sorry, 
> 
> I thought that I sent it to the mailing list.
> 
> If you read my previous mail, this error happens if the RWDC we joined to and the RODC are in different sites.
> 
> I see the error in this situation:
> Default-First-Site-Name:
> 	- TEST-DC (RWDC)
> Testsite2:
> 	- empty
> Testsite:
> 	- BUILDHOST (RODC)
> 
> If I move TEST-DC to Testsite2, samba_kcc runs without error. If I move it back (waiting for replication), I see the error again.
> 
> I can resend the patch with this test, but I think it's not covering the issue.

Right. So it occurs when the RODC wants to write something (the other
DC has moved) but it isn't allowed to because it is RO.

We can probably trigger something like that, though I won't be able to
look into it until well into next week.

cheers,
Douglas


> Andrej
> 
> -----Original Message-----
> From: Douglas Bagnall [mailto:douglas.bagnall at catalyst.net.nz]
> Sent: Wednesday, 15 November 2017 02:50
> To: Andrej Gessel <Andrej.Gessel at janztec.com>
> Subject: Re: AW: [PATCH] samba_kcc: do not commit new nTDSConnection if we are rodc
> 
> OK, it may be that running 'samba-tool drs kcc' is forbidden on an RODC by a higher layer.
> 
> The test would then look something like:
> 
> import os
> import subprocess
> ...
> 
>     def test_kcc_does_not_crash(self):
>         # run samba_kcc against the DC named in the environment; the
>         # argument list must be a complete Python list
>         result = subprocess.call(["bin/samba_kcc", "-H",
>                                   os.environ["DC_SERVER"]])
>         self.assertEqual(result, 0, "ensuring kcc runs on the rodc")
> 
> 
> 
> It would be best to keep this discussion on the mailing list so we have a record of how we got to wherever we get to.
> 
> cheers,
> Douglas
> 
> 
> On 15/11/17 12:44, Andrej Gessel wrote:
>> Hello,
>>
>> If I run "samba-tool drs kcc BUILDHOST.samdom.com" I get this error
>> (with and without the patch):
>>
>> ERROR(runtime): DsExecuteKCC failed - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 237, in run
>>     self.drsuapi.DsExecuteKCC(self.drsuapi_handle, 1, req1)
>>
>> In the Samba log I saw this output:
>>
>> DsExecuteKCC refused for security token (level=10) Security token SIDs (11):
>>   SID[  0]: S-1-5-21-1047937841-3429790757-297101198-221314
>>   SID[  1]: S-1-5-21-1047937841-3429790757-297101198-521
>>   SID[  2]: S-1-5-21-1047937841-3429790757-297101198-498
>>   SID[  3]: S-1-18-1
>>   SID[  4]: S-1-5-21-1047937841-3429790757-297101198-572
>>   SID[  5]: S-1-1-0
>>   SID[  6]: S-1-5-2
>>   SID[  7]: S-1-5-11
>>   SID[  8]: S-1-5-32-574
>>   SID[  9]: S-1-5-32-545
>>   SID[ 10]: S-1-5-32-554
>>  Privileges (0x          800000):
>>   Privilege[  0]: SeChangeNotifyPrivilege
>>  Rights (0x             400):
>>   Right[  0]: SeRemoteInteractiveLogonRight
>>
>>
>> Andrej
>>
>> -----Original Message-----
>> From: Douglas Bagnall [mailto:douglas.bagnall at catalyst.net.nz]
>> Sent: Tuesday, 14 November 2017 22:12
>> To: Andrej Gessel <Andrej.Gessel at janztec.com>; samba-technical at lists.samba.org
>> Cc: Garming Sam <garming at catalyst.net.nz>
>> Subject: Re: [PATCH] samba_kcc: do not commit new nTDSConnection if we are rodc
>>
>> thanks Andrej,
>>
>> On 13/11/17 23:30, Andrej Gessel via samba-technical wrote:
>>> Here is some more information about:
>>> https://lists.samba.org/archive/samba/2017-November/212050.html
>>>
>>>
>>>
>>> Thanks
>>> -----------------------------------------------------------------
>>> Andrej Gessel
>>> (andrej.gessel at janztec.com)
>>> Software Development
>>>
>>>
>>> 0001-samba_kcc-do-not-commit-new-nTDSConnection-if-we-are.patch
>>>
>>>
>>> From 3ebd0e65a12ba51093c097c9993aa766cebc7fd0 Mon Sep 17 00:00:00 2001
>>> From: Andrej Gessel <Andrej.Gessel at janztec.com>
>>> Date: Mon, 13 Nov 2017 11:07:43 +0100
>>> Subject: [PATCH] samba_kcc: do not commit new nTDSConnection, if we are rodc
>>>
>>> Traceback (most recent call last):
>>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>
>>> /usr/local/samba/sbin/samba_kcc:     attempt_live_connections=opts.attempt_live_connections)
>>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run
>>> /usr/local/samba/sbin/samba_kcc:     all_connected = self.intersite(ping)
>>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite
>>> /usr/local/samba/sbin/samba_kcc:     all_connected = self.create_intersite_connections()
>>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections
>>> /usr/local/samba/sbin/samba_kcc:     part, True)
>>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections
>>> /usr/local/samba/sbin/samba_kcc:     partial_ok, detect_failed)
>>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection
>>> /usr/local/samba/sbin/samba_kcc:     lbh.commit_connections(self.samdb)
>>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections
>>> /usr/local/samba/sbin/samba_kcc:     connect.commit_added(samdb, ro)
>>> /usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added
>>> /usr/local/samba/sbin/samba_kcc:     (self.dnstr, estr))
>>> /usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could not add nTDSConnection for (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings, CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samdom,DC=com) - (Invalid LDB reply type 1)
>>> ../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc - NT_STATUS_ACCESS_DENIED
>>>
>>> Signed-off-by: Andrej Gessel <Andrej.Gessel at janztec.com>
>>> ---
>>>  python/samba/kcc/__init__.py | 6 +++---
>>>  1 file changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/python/samba/kcc/__init__.py 
>>> b/python/samba/kcc/__init__.py index 6f973ea..2468e37 100644
>>> --- a/python/samba/kcc/__init__.py
>>> +++ b/python/samba/kcc/__init__.py
>>> @@ -1501,7 +1501,7 @@ class KCC(object):
>>>                              cn.set_modified(True)
>>>  
>>>                      # Display any modified connection
>>> -                    if self.readonly:
>>> +                    if self.readonly or ldsa.is_ro():
>>>                          if cn.to_be_modified:
>>>                              logger.info("TO BE MODIFIED:\n%s" % cn)
>>>  
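Review bot: in this first hunk the new `or ldsa.is_ro()` condition only changes which branch logs "TO BE MODIFIED"; nothing in the visible lines prevents the modified connection from being written afterwards, so check that the code that commits modified connections gets the same read-only guard, otherwise an RODC still reaches the failed write shown in the commit message. `ldsa` does not occur in the context lines, so confirm it is the local DSA object in scope here and that `is_ro()` is the right predicate for "this DSA is an RODC", as distinct from the KCC's own `self.readonly` dry-run flag. A one-line comment stating that an RODC cannot add or modify nTDSConnection objects in its own samdb, and is therefore treated like read-only mode, would make the intent clear to the next reader.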
>>> @@ -1585,11 +1585,11 @@ class KCC(object):
>>>                                      rbh.dsa_dnstr, link_sched)
>>>  
>>>              # Display any added connection
>>> -            if self.readonly:
>>> +            if self.readonly or lbh.is_ro():
>>>                  if cn.to_be_added:
>>>                      logger.info("TO BE ADDED:\n%s" % cn)
>>>  
>>> -                    lbh.commit_connections(self.samdb, ro=True)
>>> +                lbh.commit_connections(self.samdb, ro=True)
>>>              else:
>>>                  lbh.commit_connections(self.samdb)
>>>  
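Review bot: the dedent of `lbh.commit_connections(self.samdb, ro=True)` in this hunk changes behaviour independently of the RODC fix: it now runs for every `lbh` in the read-only branch, not only when `cn.to_be_added` is set. That may be an intended fix for an indentation bug, but the commit message does not mention it; either describe it there or split it into its own commit. Also confirm that `commit_connections(..., ro=True)` performs no write to `samdb`, since routing `lbh.is_ro()` into this branch is only useful if the branch avoids the "Could not add nTDSConnection" failure. The commit message is currently a raw traceback; a sentence stating why the change is correct (an RODC cannot write its own nTDSConnection objects, so the KCC must not try) would help, and a test that runs the KCC on an RODC sitting in a different site from its RWDC, the configuration the thread identifies as triggering the error, would guard against regression.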
>>> -- 2.7.4
>>>
>>
>> This looks good to me, but could do with a test.
>>
>> Does `samba-tool drs kcc $SERVER` trigger it? If so, a test like this might suffice:
>>
>> diff --git a/python/samba/tests/samba_tool/rodc.py
>> b/python/samba/tests/samba_tool/rodc.py
>> index 4851a53910a..9bac19a3b46 100644
>> --- a/python/samba/tests/samba_tool/rodc.py
>> +++ b/python/samba/tests/samba_tool/rodc.py
>> @@ -126,3 +126,7 @@ class RodcCmdTestCase(SambaToolCmdTest):
>>                                              "sambatool6", "sambatool5",
>>                                              "--server",
>> os.environ["DC_SERVER"])
>>          self.assertCmdFail(result, "ensuring rodc prefetch quit on 
>> non-replicated user")
>> +
>> +    def test_kcc_does_not_crash(self):
>> +        (result, out, err) = self.runsubcmd("drs", "kcc",
>> os.environ["DC_SERVER"])
>> +        self.assertCmdSuccess(result, out, err, "ensuring kcc runs on
>> the rodc")
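Review bot: `test_kcc_does_not_crash` only asserts that `samba-tool drs kcc` exits successfully against `DC_SERVER`; confirm that `DC_SERVER` resolves to the RODC in this test environment, because the fix only matters when the KCC is executed on the RODC. As Andrej reports further up the thread, `drs kcc` against the RODC is refused with `WERR_DS_DRA_ACCESS_DENIED` at the DsExecuteKCC access check both with and without the patch, so this test would stop at the RPC layer and never reach the intersite `commit_connections` path the patch changes; running `samba_kcc` directly on the RODC, with the RODC and the RWDC in different sites as described at the top of the thread, would exercise it. Note also that the mail client has wrapped the `+` lines (`os.environ["DC_SERVER"])` and `the rodc")` start on their own lines), so the hunk will not apply as pasted.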
>>
>> Could you try that (with modifications as necessary to make it actually run)? Garming might have a better idea.
>>
>> cheers,
>> Douglas
>>
> 
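As an added example (my own, not code from the thread or from Samba), here is a small Python script that labels the SIDs in the security-token dump Andrej quoted above, so the refusal can be read at a glance: the token carries the RODC group memberships (RIDs 521 and 498) plus the usual BUILTIN, Everyone and Authenticated Users groups, but no Domain Admins, Enterprise Admins, Domain Controllers or BUILTIN\Administrators membership. The RID-to-name table is the standard Windows well-known list; the exact membership Samba's DsExecuteKCC check demands is not stated in the thread, so the script only classifies the token and does not reimplement the server-side check. The embedded log text is the excerpt from the mail above.

```python
import re

# Sample input: the security-token dump quoted in Andrej's mail.
SAMPLE_LOG = """\
DsExecuteKCC refused for security token (level=10) Security token SIDs (11):
  SID[  0]: S-1-5-21-1047937841-3429790757-297101198-221314
  SID[  1]: S-1-5-21-1047937841-3429790757-297101198-521
  SID[  2]: S-1-5-21-1047937841-3429790757-297101198-498
  SID[  3]: S-1-18-1
  SID[  4]: S-1-5-21-1047937841-3429790757-297101198-572
  SID[  5]: S-1-1-0
  SID[  6]: S-1-5-2
  SID[  7]: S-1-5-11
  SID[  8]: S-1-5-32-574
  SID[  9]: S-1-5-32-545
  SID[ 10]: S-1-5-32-554
 Privileges (0x          800000):
  Privilege[  0]: SeChangeNotifyPrivilege
"""

# Well-known relative IDs inside a domain SID (S-1-5-21-x-y-z-<RID>).
DOMAIN_RIDS = {
    498: "Enterprise Read-only Domain Controllers",
    512: "Domain Admins",
    516: "Domain Controllers",
    519: "Enterprise Admins",
    521: "Read-only Domain Controllers",
    572: "Denied RODC Password Replication Group",
}

# Well-known SIDs that are identical in every domain.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-11": "Authenticated Users",
    "S-1-18-1": "Authentication authority asserted identity",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-32-574": "BUILTIN\\Certificate Service DCOM Access",
}

RODC_GROUPS = {"Read-only Domain Controllers",
               "Enterprise Read-only Domain Controllers"}
DC_OR_ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Domain Controllers",
                      "Enterprise Domain Controllers", "BUILTIN\\Administrators"}

SID_LINE = re.compile(r"SID\[\s*\d+\]:\s*(S-1-[\d-]+)")
DOMAIN_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_token_sids(log_text):
    """Return the SIDs listed in a Samba security-token dump, in order."""
    return SID_LINE.findall(log_text)


def label_sid(sid):
    """Map one SID to a well-known name, or to a generic description."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = DOMAIN_SID.match(sid)
    if m:
        rid = int(m.group(2))
        if rid in DOMAIN_RIDS:
            return DOMAIN_RIDS[rid]
        # RIDs from 1000 upward are ordinary user, computer or group accounts.
        if rid >= 1000:
            return "domain account RID %d" % rid
        return "domain RID %d" % rid
    return "unrecognised SID"


def summarize_token(log_text):
    """Label every SID and flag RODC versus DC/admin group membership."""
    labels = [(sid, label_sid(sid)) for sid in parse_token_sids(log_text)]
    names = {name for _, name in labels}
    return {
        "sids": labels,
        "is_rodc_account": bool(names & RODC_GROUPS),
        "has_dc_or_admin_group": bool(names & DC_OR_ADMIN_GROUPS),
    }


if __name__ == "__main__":
    summary = summarize_token(SAMPLE_LOG)
    for sid, name in summary["sids"]:
        print("%-52s %s" % (sid, name))
    print("RODC group present:", summary["is_rodc_account"])
    print("DC or admin group present:", summary["has_dc_or_admin_group"])
```

Run it on a copy of the log block from a Samba log and the output shows immediately whether the refused caller was an RODC machine account (RIDs 521/498 present, no admin or DC group), which is what the dump in this thread shows.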



