KDC does not work in a configuration with a trusted domain

Evgeny Sinelnikov sin at altlinux.org
Tue Oct 10 21:33:33 UTC 2017


2017-10-11 1:22 GMT+04:00 Rowland Penny via samba-technical
<samba-technical at lists.samba.org>:
> On Wed, 11 Oct 2017 00:57:38 +0400
> Evgeny Sinelnikov <sin at altlinux.org> wrote:
>
>> 2017-10-11 0:49 GMT+04:00 Evgeny Sinelnikov <sin at altlinux.org>:
>> > 2017-10-11 0:28 GMT+04:00 Rowland Penny via samba-technical
>> > <samba-technical at lists.samba.org>:
>> >> On Wed, 11 Oct 2017 00:18:33 +0400
>> >> Evgeny Sinelnikov <sin at altlinux.org> wrote:
>> >>
>> >>>
>> >>> Something interesting: I found an ldb request that reproduces this
>> >>> problem without a server:
>> >>>
>> >>> [root at samba-dc ~]# ldbsearch -H
>> >>> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
>> >>> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> >>> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
>> >>> nCName systemFlags -d0
>> >>
>> >> I repeat, as you seem to have missed it, do not search in or alter
>> >> anything in sam.ldb.d, only search in sam.ldb. If a record isn't
>> >> found and you think it should exist, use '--cross-ncs' with the
>> >> ldb tool.
>> >>
>> >
>> > [root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> > CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> > '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
>> > nCName systemFlags --cross-ncs -d0
>> > # record 1
>> > dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> > nCName: DC=adm72,DC=local
>> > systemFlags: 3
>> >
>> > # record 2
>> > dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> > systemFlags: 3
>> >
>> > # returned 2 records
>> > # 2 entries
>> > # 0 referrals
>> >
>> > No result with --cross-ncs, but it exists in
>> > sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb. And as I
>> > understand it, it must be there.
>
> Yes, it should be in both, but you shouldn't search in and you
> definitely must not alter anything in sam.ldb.d
>
>>
>>
>> If the 'nCName' attribute does not exist, this request would not return
>> record 2:
>>
>> [root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)(nCName=*))'
>> nCName systemFlags --cross-ncs -d0
>
> 1.2.840.113556.1.4.803:=2 means only enabled accounts, so I don't think
> this has anything to do with your problem.

This is from the original request:

        ret = dsdb_search(sam_ctx, partitions_dn, &cross_res2,
                          partitions_dn, LDB_SCOPE_ONELEVEL,
                          cross_attrs2,
                          DSDB_SEARCH_SHOW_EXTENDED_DN,
                          "(&(objectClass=crossRef)"
                           "(systemFlags:%s:=%u))",
                          LDB_OID_COMPARATOR_AND,
                          SYSTEM_FLAG_CR_NTDS_DOMAIN);

[sin at tor samba.git]$ git grep "define LDB_OID_COMPARATOR_AND" | cat
lib/ldb/include/ldb.h:#define LDB_OID_COMPARATOR_AND  "1.2.840.113556.1.4.803"

[sin at tor samba.git]$ git grep "define SYSTEM_FLAG_CR_NTDS_DOMAIN" | cat
libds/common/flags.h:#define SYSTEM_FLAG_CR_NTDS_DOMAIN         0x00000002

>> # record 1
>> dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> nCName: DC=adm72,DC=local
>> systemFlags: 3
>>
>> # record 2
>> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> systemFlags: 3
>>
>> # returned 2 records
>> # 2 entries
>> # 0 referrals
>>
>
> Have you tried dumping the entire object:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef)(cn=omsu))'
>

I did it this time:

[root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(cn=omsu))' -d0
# record 1
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectClass: top
objectClass: crossRef
cn: OMSU
instanceType: 4
whenCreated: 20130214104456.0Z
whenChanged: 20130214110622.0Z
uSNCreated: 9696
uSNChanged: 9696
showInAdvancedViewOnly: TRUE
name: OMSU
objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
dnsRoot: omsu.adm72.local
nETBIOSName: OMSU
nTMixedDomain: 0
systemFlags: 3
trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectCategory: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=adm72,DC=local
msDS-Behavior-Version: 3
distinguishedName: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local

# returned 1 records
# 1 entries
# 0 referrals


[root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local -d0 -a
>adm72.ldif
[root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local -d0 -a
>omsu.ldif
[root at samba-dc ~]# diff -u adm72.ldif omsu.ldif
--- adm72.ldif 2017-10-11 02:02:06.821930205 +0500
+++ omsu.ldif   2017-10-11 02:02:38.394928323 +0500
@@ -1,25 +1,24 @@
 # record 1
-dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
+dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
 objectClass: top
 objectClass: crossRef
-cn: ADM72
+cn: OMSU
 instanceType: 4
-whenCreated: 20081225063010.0Z
-whenChanged: 20141015073249.0Z
-nCName: DC=adm72,DC=local
-uSNCreated: 9920
-objectVersion: 2
-uSNChanged: 9920
+whenCreated: 20130214104456.0Z
+whenChanged: 20130214110622.0Z
+uSNCreated: 9696
+uSNChanged: 9696
 showInAdvancedViewOnly: TRUE
-name: ADM72
-objectGUID: 251e4849-921f-4d28-ad6a-da8aa4348925
-dnsRoot: adm72.local
-nETBIOSName: ADM72
+name: OMSU
+objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
+dnsRoot: omsu.adm72.local
+nETBIOSName: OMSU
 nTMixedDomain: 0
 systemFlags: 3
+trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
 objectCategory: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=adm72,DC=local
 msDS-Behavior-Version: 3
-distinguishedName: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
+distinguishedName: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local

 # returned 1 records
 # 1 entries
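Review bot: the attributes that vanish in this hunk, not the renamed ones, are the point: the OMSU crossRef has no nCName and no objectVersion, while the ADM72 record carries `nCName: DC=adm72,DC=local` and `objectVersion: 2`; everything else differs only by name, GUID, timestamps or the added trustParent. Since the dsdb_search quoted earlier asks for nCName through cross_attrs2, the missing nCName on the trusted domain's crossRef is the thing to investigate, and it is worth checking the same object on the other DCs (and in the Windows-side configuration partition, if one exists) before concluding whether the attribute was never written or was lost in replication.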



-- 
Sin (Sinelnikov Evgeny)
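The filter under discussion, `(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))`, uses the LDAP bitwise-AND matching rule (the OID Samba names LDB_OID_COMPARATOR_AND) against SYSTEM_FLAG_CR_NTDS_DOMAIN, and the thread's question is what happens when a matching crossRef has no nCName. The following is an added example, not code from the thread or from Samba: a small standalone LDIF reader that evaluates that filter, optionally with the `(nCName=*)` presence clause, over a constructed copy of the two records dumped above (trimmed to the relevant attributes), and a check that lists NTDS-domain crossRefs lacking nCName. It assumes standard LDAP semantics for the presence filter, so a record without nCName is excluded when `(nCName=*)` is added.

```python
"""Evaluate the crossRef/systemFlags filter from the thread over LDIF text.

Added example; the sample LDIF is constructed from the records shown in the
thread and is not a real dump. Only attributes relevant to the filter are kept.
"""

# Constants as defined in the Samba tree (quoted in the thread):
LDB_OID_COMPARATOR_AND = "1.2.840.113556.1.4.803"   # lib/ldb/include/ldb.h
SYSTEM_FLAG_CR_NTDS_DOMAIN = 0x00000002             # libds/common/flags.h

# Constructed sample: the ADM72 record has nCName, the OMSU record does not.
SAMPLE_LDIF = """\
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectClass: top
objectClass: crossRef
cn: ADM72
nCName: DC=adm72,DC=local
dnsRoot: adm72.local
nETBIOSName: ADM72
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectClass: top
objectClass: crossRef
cn: OMSU
dnsRoot: omsu.adm72.local
nETBIOSName: OMSU
systemFlags: 3
trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record.

    Records are separated by blank lines; '#' comment lines are skipped.
    Multi-valued attributes (objectClass) collect all their values.
    """
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def bit_and_matches(record, attr, mask):
    """LDAP_MATCHING_RULE_BIT_AND: true if every bit of mask is set in a value."""
    return any((int(v) & mask) == mask for v in record.get(attr, []))


def is_ntds_domain_crossref(record, require_ncname=False):
    """Apply (&(objectClass=crossRef)(systemFlags:AND:=2)[(nCName=*)])."""
    if "crossRef" not in record.get("objectClass", []):
        return False
    if not bit_and_matches(record, "systemFlags", SYSTEM_FLAG_CR_NTDS_DOMAIN):
        return False
    # Presence filter: the attribute must exist with at least one value.
    if require_ncname and not record.get("nCName"):
        return False
    return True


def matching_cns(text, require_ncname=False):
    """cn values of the records the filter would return, in LDIF order."""
    return [r["cn"][0] for r in parse_ldif(text)
            if is_ntds_domain_crossref(r, require_ncname)]


def crossrefs_missing_ncname(text):
    """Sanity check: NTDS-domain crossRefs whose nCName attribute is absent."""
    return [r["cn"][0] for r in parse_ldif(text)
            if is_ntds_domain_crossref(r) and not r.get("nCName")]


if __name__ == "__main__":
    print("filter without nCName=*:", matching_cns(SAMPLE_LDIF))
    print("filter with nCName=*:   ", matching_cns(SAMPLE_LDIF, True))
    print("crossRefs lacking nCName:", crossrefs_missing_ncname(SAMPLE_LDIF))
```

Run against a real dump, feed it the output of `ldbsearch -H /var/lib/samba/private/sam.ldb -b CN=Partitions,CN=Configuration,<domain DN> --cross-ncs '(objectClass=crossRef)'`; any name reported by `crossrefs_missing_ncname` is a crossRef that the KDC's search will select but that provides no naming context to resolve.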


