KDC does not work in configuration with trusted domain

Evgeny Sinelnikov sin at altlinux.org
Wed Oct 11 23:28:13 UTC 2017


2017-10-11 22:21 GMT+04:00 Rowland Penny via samba-technical
<samba-technical at lists.samba.org>:
> On Wed, 11 Oct 2017 22:08:47 +0400
> Evgeny Sinelnikov <sin at altlinux.org> wrote:
>
>> 2017-10-11 11:59 GMT+04:00 Rowland Penny via samba-technical
>> <samba-technical at lists.samba.org>:
>> > On Wed, 11 Oct 2017 01:33:33 +0400
>> > Evgeny Sinelnikov <sin at altlinux.org> wrote:
>> >
>> >> > Have you tried dumping the entire object:
>> >> >
>> >> > ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> >> > CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> >> > '(&(objectClass=crossRef)(cn=omsu))'
>> >> >
>> >>
>> >> I do it this time:
>> >>
>> >> [root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> >> CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> >> '(&(objectClass=crossRef)(cn=omsu))' -d0
>> >> # record 1
>> >> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> >> objectClass: top
>> >> objectClass: crossRef
>> >> cn: OMSU
>> >> instanceType: 4
>> >> whenCreated: 20130214104456.0Z
>> >> whenChanged: 20130214110622.0Z
>> >> uSNCreated: 9696
>> >> uSNChanged: 9696
>> >> showInAdvancedViewOnly: TRUE
>> >> name: OMSU
>> >> objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
>> >> dnsRoot: omsu.adm72.local
>> >> nETBIOSName: OMSU
>> >> nTMixedDomain: 0
>> >> systemFlags: 3
>> >> trustParent:
>> >> CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> >> objectCategory:
>> >> CN=Cross-Ref,CN=Schema,CN=Configuration,DC=adm72,DC=local
>> >> msDS-Behavior-Version: 3
>> >> distinguishedName: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> >>
>> >
>> > Well, it is obvious now why you aren't getting 'nCName' returned, it
>> > isn't there.
>>
>> I don't understand why you think so...
>>
>> 1) Data for CN=Configuration,DC=adm72,DC=local is in a special
>> partition and it's there.
>
> Yes it seems that it is, BUT it isn't in sam.ldb and this is where you
> should be checking for it, you can damage your database by messing with
> the files in sam.ldb.d.

It is a problem on the replicated DC database after joining the domain,
reproduced on various large AD installations. I didn't touch any files
in sam.ldb.d before I saw the problem in the logs.


>> 2) This attribute is replicated from the original DC, where it exists.
>
>> 3) Same request to original DC works.
>> 4) Explicit request
>> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)(nCName=*))'
>> should return the Object, only if 'nCName' attribute exists.
>>
>> It looks like a bug in dsdb/ldb.
>>
>
> No, it looks like you have a problem in the database, try running
> 'samba-tool dbcheck'

Ok, thank you. I'll try it on backed-up data.

This time I found something interesting with a trace:

[root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags objectGUID -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=adm72,DC=local
objectGUID: 251e4849-921f-4d28-ad6a-da8aa4348925
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals


[root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags objectGUID -d0 --trace
[...]
partition_request() -> (metadata partition)
ldb_trace_next_request: (tdb)->search
Added timed event "ltdb_callback": 0x7f7a60

Added timed event "ltdb_timeout": 0x79c1d0

Destroying timer event 0x1560f80 "ltdb_timeout"

Ending timer event 0x1922a60 "ltdb_callback"

Running timer event 0x7f7a60 "ltdb_callback"

Destroying timer event 0x79c1d0 "ltdb_timeout"

Ending timer event 0x7f7a60 "ltdb_callback"

ldb_asprintf/set_errstring: dsdb_module_search_tree at
../source4/dsdb/samdb/ldb_modules/util.c:180
ldb_trace_response: ENTRY
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
systemFlags: 3



# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
systemFlags: 3

ldb_trace_response: DONE
error: 0
msg: dsdb_module_search_tree at ../source4/dsdb/samdb/ldb_modules/util.c:180

Destroying timer event 0x16d7d50 "ltdb_timeout"

Ending timer event 0x1d50e10 "ltdb_callback"

# returned 2 records
# 2 entries
# 0 referrals


______________________

What does this strange output mean: "msg: dsdb_module_search_tree at
../source4/dsdb/samdb/ldb_modules/util.c:180"?

That looks like an old problem:

commit 0b4d3db42d472788c30054d41acc1ad0dc8aefee
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 14 11:50:56 2016 +0100

    s4:dsdb/ldb_modules: make it possible to find a reason for
LDB_ERR_NO_SUCH_OBJECT in util.c

    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

diff --git a/source4/dsdb/samdb/ldb_modules/util.c
b/source4/dsdb/samdb/ldb_modules/util.c
index 1455760..5f995de 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -177,8 +177,7 @@ int dsdb_module_search_tree(struct ldb_module *module,
        if (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
                if (res->count == 0) {
                        talloc_free(tmp_ctx);
-                       ldb_reset_err_string(ldb_module_get_ctx(module));
-                       return LDB_ERR_NO_SUCH_OBJECT;
+                       return ldb_error(ldb_module_get_ctx(module),
LDB_ERR_NO_SUCH_OBJECT, __func__);
                }
                if (res->count != 1) {
                        talloc_free(tmp_ctx);
@@ -279,7 +278,7 @@ int dsdb_module_dn_by_guid(struct ldb_module
*module, TALLOC_CTX *mem_ctx,
        }
        if (res->count == 0) {
                talloc_free(tmp_ctx);
-               return LDB_ERR_NO_SUCH_OBJECT;
+               return ldb_error(ldb_module_get_ctx(module),
LDB_ERR_NO_SUCH_OBJECT, __func__);
        }
        if (res->count != 1) {
                ldb_asprintf_errstring(ldb_module_get_ctx(module),
"More than one object found matching objectGUID %s\n",
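Review bot: for consistency with the adjacent `res->count != 1` branch, which names the objectGUID in its `ldb_asprintf_errstring()` message, the `res->count == 0` branch in `dsdb_module_dn_by_guid` should also include the GUID being looked up rather than only `__func__`; an object-not-found message that omits the object identifier is of little use when diagnosing replication gaps such as the missing crossRef attributes discussed in this thread.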

-- 
Sin (Sinelnikov Evgeny)
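A small consistency check, added here and not part of the thread or of Samba, that parses ldbsearch output of the kind shown above and reports domain crossRef entries (systemFlags with FLAG_CR_NTDS_DOMAIN set, the `:1.2.840.113556.1.4.803:=2` match used in the mail) that lack the attributes a DC needs such as nCName. The embedded LDIF is a constructed sample modelled on the thread's output; feed real `ldbsearch ... -d0` output to `check_crossrefs()` on a DC under investigation.

```python
from typing import Dict, List, Tuple

# Constructed sample modelled on the ldbsearch output in the thread (not a real dump):
# record 2 deliberately lacks nCName, as the OMSU crossRef did on the replicated DC.
SAMPLE_LDIF = """\
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectClass: top
objectClass: crossRef
nCName: DC=adm72,DC=local
dnsRoot: adm72.local
nETBIOSName: ADM72
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectClass: top
objectClass: crossRef
dnsRoot: omsu.adm72.local
nETBIOSName: OMSU
systemFlags: 3

# returned 2 records
"""

FLAG_CR_NTDS_NC = 0x1      # crossRef describes a naming context
FLAG_CR_NTDS_DOMAIN = 0x2  # naming context is a domain (the bit tested in the mail)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldbsearch/LDIF output into a list of {attribute: [values]} dicts.
    Handles multi-valued attributes, '#' comment lines and RFC 2849 continuation
    lines (a leading space continues the previous value). Base64 ('::') values
    are kept as-is, not decoded."""
    records: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    last = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            cur[last][-1] += raw[1:]
            continue
        if raw.startswith("#"):
            continue
        if not raw.strip():           # blank line ends a record
            if cur:
                records.append(cur)
            cur, last = {}, None
            continue
        attr, _, value = raw.partition(":")
        cur.setdefault(attr, []).append(value.strip())
        last = attr
    if cur:
        records.append(cur)
    return records


def check_crossrefs(text: str) -> List[Tuple[str, List[str]]]:
    """Return (dn, missing_attributes) for every domain crossRef lacking
    nCName, dnsRoot or nETBIOSName; an empty list means the partition looks sane."""
    required = ("nCName", "dnsRoot", "nETBIOSName")
    problems = []
    for rec in parse_ldif(text):
        if "crossRef" not in rec.get("objectClass", []):
            continue
        flags = int(rec.get("systemFlags", ["0"])[0])
        if not flags & FLAG_CR_NTDS_DOMAIN:
            continue
        missing = [a for a in required if a not in rec]
        if missing:
            problems.append((rec["dn"][0], missing))
    return problems
```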
