KDC does not work in configuration with trusted domain

Evgeny Sinelnikov sin at altlinux.org
Tue Oct 10 20:18:33 UTC 2017


2017-10-10 3:28 GMT+04:00 Evgeny Sinelnikov <sin at altlinux.org>:
> 2017-10-09 21:53 GMT+04:00 Rowland Penny via samba-technical
> <samba-technical at lists.samba.org>:
>> On Mon, 9 Oct 2017 17:55:07 +0400
>> Evgeny Sinelnikov via samba-technical <samba-technical at lists.samba.org>
>> wrote:
>>
>>>
>>> # Local Data on Samba DC
>>> [root at samba-dc ~]# ldbsearch -k yes -H
>>> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
>>> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>> '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust
>>> trustParent -d0 | grep -B1 -A2 'OMSU'
>>> # record 7
>>> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>> nCName:
>>> <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-17
>>> 29258221-3996020766>;DC=omsu,DC=adm72,DC=local dnsRoot:
>>> omsu.adm72.local nETBIOSName: OMSU
>>> trustParent:
>>> <GUID=251e4849-921f-4d28-ad6a-da8aa4348925>;CN=ADM72,CN=Partition
>>> s,CN=Configuration,DC=adm72,DC=local
>>>
>>
>> I cannot really help with this, except to point out two things:
>>
>> One: the above search is wrong, you should never search, or even
>> worse change something, in sam.ldb.d. This search on a DC should work:
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust
>> trustParent -d0 | grep -B1 -A2 'OMSU'
>>
>> It does for me:
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b CN=Partitions,CN=Configuration,DC=samdom,DC=example,dc=com '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust trustParent -d0 | grep -B1 -A2 'SAMDOM'
>
> This is not the right internal LDAP request. Try
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))',
> please.
>
>
>> # record 5
>> dn: CN=SAMDOM,CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com
>> nCName: DC=samdom,DC=example,DC=com
>> dnsRoot: samdom.example.com
>> nETBIOSName: SAMDOM
>>
>> Which brings me to
>>
>> Two: if 'nCName' isn't being returned, is it actually there ? Have
>> you tried dumping the entire object.
>
> I found a reproducible scenario for this problem:
> https://bugzilla.samba.org/show_bug.cgi?id=13078
>
>         ret = dsdb_search(sam_ctx, partitions_dn, &cross_res2,
>                           partitions_dn, LDB_SCOPE_ONELEVEL,
>                           cross_attrs2,
>                           DSDB_SEARCH_SHOW_EXTENDED_DN,
>                           "(&(objectClass=crossRef)"
>                            "(systemFlags:%s:=%u))",
>                           LDB_OID_COMPARATOR_AND,
>                           SYSTEM_FLAG_CR_NTDS_DOMAIN);
>
>
> # Samba DC
> [user at samba-dc ~]$ ldbsearch -k yes -H ldap://samba-dc -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> nCName systemFlags -d0
> # record 1
> dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName: DC=adm72,DC=local
> systemFlags: 3
>
> # record 2
> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> systemFlags: 3
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>
>
> # Windows DC
> [user at samba-dc ~]$ ldbsearch -k yes -H ldap://dc-resp142 -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> nCName systemFlags -d0
> # record 1
> dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName: DC=adm72,DC=local
> systemFlags: 3
>
> # record 2
> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName: DC=omsu,DC=adm72,DC=local
> systemFlags: 3
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>
>
> # Internal request
> [root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb.d/ -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> nCName systemFlags -d0
> CN=CONFIGURATION,DC=ADM72,DC=LOCAL.ldb
> DC=ADM72,DC=LOCAL.ldb
> DC=FORESTDNSZONES,DC=ADM72,DC=LOCAL.ldb
> CN=SCHEMA,CN=CONFIGURATION,DC=ADM72,DC=LOCAL.ldb
> DC=DOMAINDNSZONES,DC=ADM72,DC=LOCAL.ldb           metadata.tdb
> [root at samba-dc ~]# ldbsearch -H
> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> nCName systemFlags -d0
> # record 1
> dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName: <GUID=20f2eac9-426d-4003-b9c8-0f2737f982f9>;<SID=S-1-5-21-3196609985-6
>  36931310-2637777318>;DC=adm72,DC=local
> systemFlags: 3
>
> # record 2
> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName: <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-17
>  29258221-3996020766>;DC=omsu,DC=adm72,DC=local
> systemFlags: 3
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>

Something interesting: I found an ldb request that reproduces this problem
without the server:

[root at samba-dc ~]# ldbsearch -H
/var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
-b CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=20f2eac9-426d-4003-b9c8-0f2737f982f9>;<SID=S-1-5-21-3196609985-6
 36931310-2637777318>;DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-17
 29258221-3996020766>;DC=omsu,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals

[root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals

-- 
Sin (Sinelnikov Evgeny)
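As an added example (not code from this thread or from Samba itself), here is a small Python check that applies the same bitwise-AND test as the systemFlags:1.2.840.113556.1.4.803:=2 filter above to ldbsearch output and lists crossRef entries that are flagged as NTDS domains but came back without nCName, which is exactly the difference between the sam.ldb and the CONFIGURATION partition results. The sample LDIF is the sam.ldb output quoted above; parse_ldif, plain_dn and the other function names are assumptions of this example.

```python
"""Flag crossRef records with FLAG_CR_NTDS_DOMAIN set but no nCName."""
FLAG_CR_NTDS_DOMAIN = 2  # the bit asserted by systemFlags:1.2.840.113556.1.4.803:=2

# Constructed sample: the sam.ldb output from the thread, where the OMSU
# crossRef record lacks nCName while the extended-DN partition file has it.
SAMPLE = """\
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=20f2eac9-426d-4003-b9c8-0f2737f982f9>;<SID=S-1-5-21-3196609985-6
 36931310-2637777318>;DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
"""


def parse_ldif(text):
    """Return one {attr: [values]} dict per record. Folded continuation
    lines (leading space) are joined and '#' comment lines are skipped."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        elif raw == "":
            if lines:
                records.append(lines)
            lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    out = []
    for rec in records:
        attrs = {}
        for line in rec:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        out.append(attrs)
    return out


def plain_dn(value):
    """Strip the <GUID=...>;<SID=...>; prefix of an extended DN."""
    return value.split(";")[-1]


def bit_and_match(attrs, name, mask):
    """LDAP bitwise-AND matching rule: true when every bit of mask is set."""
    return any(int(v) & mask == mask for v in attrs.get(name, []))


def find_domains_without_ncname(text):
    """DNs of crossRef records that pass the domain filter but have no nCName."""
    return [attrs["dn"][0] for attrs in parse_ldif(text)
            if bit_and_match(attrs, "systemFlags", FLAG_CR_NTDS_DOMAIN)
            and "nCName" not in attrs]
```

Feed it the output of the sam.ldb search and the partition-file search in turn; a non-empty result from the former and an empty one from the latter is the inconsistency reported in bug 13078.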