KDC not works in configuration with trusted domain

Rowland Penny rpenny at samba.org
Wed Oct 11 18:21:24 UTC 2017


On Wed, 11 Oct 2017 22:08:47 +0400
Evgeny Sinelnikov <sin at altlinux.org> wrote:

> 2017-10-11 11:59 GMT+04:00 Rowland Penny via samba-technical
> <samba-technical at lists.samba.org>:
> > On Wed, 11 Oct 2017 01:33:33 +0400
> > Evgeny Sinelnikov <sin at altlinux.org> wrote:
> >
> >> > Have you tried dumping the entire object:
> >> >
> >> > ldbsearch -H /var/lib/samba/private/sam.ldb -b
> >> > CN=Partitions,CN=Configuration,DC=adm72,DC=local
> >> > '(&(objectClass=crossRef)(cn=omsu))'
> >> >
> >>
> >> I did it this time:
> >>
> >> [root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> >> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> >> '(&(objectClass=crossRef)(cn=omsu))' -d0
> >> # record 1
> >> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> >> objectClass: top
> >> objectClass: crossRef
> >> cn: OMSU
> >> instanceType: 4
> >> whenCreated: 20130214104456.0Z
> >> whenChanged: 20130214110622.0Z
> >> uSNCreated: 9696
> >> uSNChanged: 9696
> >> showInAdvancedViewOnly: TRUE
> >> name: OMSU
> >> objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
> >> dnsRoot: omsu.adm72.local
> >> nETBIOSName: OMSU
> >> nTMixedDomain: 0
> >> systemFlags: 3
> >> trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> >> objectCategory: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=adm72,DC=local
> >> msDS-Behavior-Version: 3
> >> distinguishedName: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
> >>
> >
> > Well, it is obvious now why you aren't getting 'nCName' returned, it
> > isn't there.
> 
> I don't understand why you think so...
> 
> 1) The data for CN=Configuration,DC=adm72,DC=local is in a special
> partition and it's there.

Yes it seems that it is, BUT it isn't in sam.ldb and this is where you
should be checking for it, you can damage your database by messing with
the files in sam.ldb.d.
 
> 2) This attribute is replicated from the original DC, where it exists.

> 3) The same request to the original DC works.
> 4) The explicit request
> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)(nCName=*))'
> should return the object only if the 'nCName' attribute exists.
> 
> It looks like a bug in dsdb/ldb.
> 

No, it looks like you have a problem in the database, try running
'samba-tool dbcheck'

Rowland
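
The filter from point 4, evaluated term by term against the record dumped earlier in the thread, as an added example that is not part of the original messages or of Samba's code. The helper names are hypothetical, the record is the thread's dump with mail wrapping undone and abridged, and only plain `attr: value` LDIF lines (no base64 `::` values) are assumed.

```python
import re

# Record from the ldbsearch dump quoted in the thread, mail-client wrapping
# undone and abridged to the attributes the filter touches.
SAMPLE_LDIF = """\
# record 1
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectClass: top
objectClass: crossRef
cn: OMSU
systemFlags: 3
"""

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
FILTER_TERMS = ["objectClass=crossRef", f"systemFlags:{BIT_AND}:=2", "nCName=*"]

def parse_ldif_record(text):
    """Parse one LDIF record into {lowercased attribute: [values]}."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(" ") and last:   # LDIF folded continuation line
            attrs[last][-1] += line[1:]
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        attrs.setdefault(last, []).append(value.strip())
    return attrs

def check_term(attrs, term):
    """Evaluate one filter term: presence, equality, or bitwise AND."""
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", term)
    if not m or m.group(2) not in (None, BIT_AND):
        raise ValueError(f"unsupported term: {term}")
    name, rule, want = m.group(1).lower(), m.group(2), m.group(3)
    values = attrs.get(name, [])
    if rule == BIT_AND:                     # every bit in `want` must be set
        return any(int(v) & int(want) == int(want) for v in values)
    if want == "*":                         # presence test
        return bool(values)
    return any(v.lower() == want.lower() for v in values)

def explain(attrs, terms):
    """Return {term: matched} for an AND filter given as a list of terms."""
    return {t: check_term(attrs, t) for t in terms}

if __name__ == "__main__":
    for term, ok in explain(parse_ldif_record(SAMPLE_LDIF), FILTER_TERMS).items():
        print(f"{'match' if ok else 'FAIL ':5}  ({term})")
```

Run against the output of the same `ldbsearch` on each DC, this shows which term of the AND filter rejects the record on a given copy of the database.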




