KDC not works in configuration with trusted domain

Rowland Penny rpenny at samba.org
Tue Oct 10 21:22:47 UTC 2017


On Wed, 11 Oct 2017 00:57:38 +0400
Evgeny Sinelnikov <sin at altlinux.org> wrote:

> 2017-10-11 0:49 GMT+04:00 Evgeny Sinelnikov <sin at altlinux.org>:
> > 2017-10-11 0:28 GMT+04:00 Rowland Penny via samba-technical
> > <samba-technical at lists.samba.org>:
> >> On Wed, 11 Oct 2017 00:18:33 +0400
> >> Evgeny Sinelnikov <sin at altlinux.org> wrote:
> >>
> >>>
> >>> Something interesting - found ldb request to reproduce this
> >>> problem without server:
> >>>
> >>> [root at samba-dc ~]# ldbsearch -H
> >>> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
> >>> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
> >>> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> >>> nCName systemFlags -d0
> >>
> >> I repeat, as you seem to have missed it, do not search in or alter
> >> anything in sam.ldb.d, only search in sam.ldb. If a record isn't
> >> found and you think it should exist, use '--cross-ncs' with the
> >> ldb tool.
> >>
> >
> > [root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> > CN=Partitions,CN=Configuration,DC=adm72,DC=local
> > '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
> > nCName systemFlags --cross-ncs -d0
> > # record 1
> > dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> > nCName: DC=adm72,DC=local
> > systemFlags: 3
> >
> > # record 2
> > dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> > systemFlags: 3
> >
> > # returned 2 records
> > # 2 entries
> > # 0 referrals
> >
> > No result with --cross-ncs. But it exists in
> > sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb. And it must
> > be there, as I understand.

Yes, it should be in both, but you shouldn't search in and you
definitely must not alter anything in sam.ldb.d
 
> 
> 
> If the 'nCName' attribute does not exist, this request would not return
> record 2:
> 
> [root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)(nCName=*))'
> nCName systemFlags --cross-ncs -d0

1.2.840.113556.1.4.803:=2 means only enabled accounts, so I don't think
this has anything to do with your problem.

> # record 1
> dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> nCName: DC=adm72,DC=local
> systemFlags: 3
> 
> # record 2
> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> systemFlags: 3
> 
> # returned 2 records
> # 2 entries
> # 0 referrals
> 

Have you tried dumping the entire object:

ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(cn=omsu))'

Rowland
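
One way to script the check discussed in this thread, as an added example that is not part of the original message or of Samba's code: it parses ldbsearch output and lists the records that carry no nCName value. The sample text is constructed from the output quoted above, and the function names are hypothetical.

```python
import base64

# Constructed sample: the ldbsearch output quoted in the thread.
SAMPLE = """\
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals
"""

def parse_ldif(text):
    """Parse ldbsearch LDIF output into a list of {attr_lower: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        # LDIF folding: a line starting with one space continues the previous line.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:          # the trailing "" flushes the last record
        if not line.strip():           # a blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue                   # comments and the "# returned ..." summary
        if value.startswith(":"):      # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return records

def crossrefs_missing_ncname(text):
    """Return the DNs of records that have no nCName value."""
    return [r["dn"][0] for r in parse_ldif(text) if "dn" in r and not r.get("ncname")]

if __name__ == "__main__":
    print("\n".join(crossrefs_missing_ncname(SAMPLE)))
```

The search must request the nCName attribute (as the commands above do) for a missing value in the output to mean anything.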



