KDC does not work in configuration with trusted domain

Evgeny Sinelnikov sin at altlinux.org
Thu Oct 12 00:31:20 UTC 2017


2017-10-12 3:28 GMT+04:00 Evgeny Sinelnikov <sin at altlinux.org>:
> 2017-10-11 22:21 GMT+04:00 Rowland Penny via samba-technical
> <samba-technical at lists.samba.org>:
>> On Wed, 11 Oct 2017 22:08:47 +0400
>> Evgeny Sinelnikov <sin at altlinux.org> wrote:
>>
>>> 2017-10-11 11:59 GMT+04:00 Rowland Penny via samba-technical
>>> <samba-technical at lists.samba.org>:
>>> > On Wed, 11 Oct 2017 01:33:33 +0400
>>> > Evgeny Sinelnikov <sin at altlinux.org> wrote:
>>> >
>>> >> > Have you tried dumping the entire object:
>>> >> >
>>> >> > ldbsearch -H /var/lib/samba/private/sam.ldb \
>>> >> >     -b CN=Partitions,CN=Configuration,DC=adm72,DC=local \
>>> >> >     '(&(objectClass=crossRef)(cn=omsu))'
>>> >> >
>>> >>
>>> >> I did it this time:
>>> >>
>>> >> [root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb \
>>> >>     -b CN=Partitions,CN=Configuration,DC=adm72,DC=local \
>>> >>     '(&(objectClass=crossRef)(cn=omsu))' -d0
>>> >> # record 1
>>> >> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>> >> objectClass: top
>>> >> objectClass: crossRef
>>> >> cn: OMSU
>>> >> instanceType: 4
>>> >> whenCreated: 20130214104456.0Z
>>> >> whenChanged: 20130214110622.0Z
>>> >> uSNCreated: 9696
>>> >> uSNChanged: 9696
>>> >> showInAdvancedViewOnly: TRUE
>>> >> name: OMSU
>>> >> objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
>>> >> dnsRoot: omsu.adm72.local
>>> >> nETBIOSName: OMSU
>>> >> nTMixedDomain: 0
>>> >> systemFlags: 3
>>> >> trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>> >> objectCategory: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=adm72,DC=local
>>> >> msDS-Behavior-Version: 3
>>> >> distinguishedName: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>> >>
>>> >
>>> > Well, it is obvious now why you aren't getting 'nCName' returned, it
>>> > isn't there.
>>>
>>> I don't understand why you think so...
>>>
>>> 1) Data for CN=Configuration,DC=adm72,DC=local lives in a special
>>> partition and it's there.
>>
>> Yes it seems that it is, BUT it isn't in sam.ldb and this is where you
>> should be checking for it, you can damage your database by messing with
>> the files in sam.ldb.d.
>
> It is a problem in the replicated DC database after joining the domain,
> reproduced on various large AD installations. I didn't touch any files
> in sam.ldb.d before I saw the problem in the logs.
>
>
>>> 2) This attribute is replicated from the original DC, where it exists.
>>
>>> 3) Same request to original DC works.
>>> 4) Explicit request
>>> '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)(nCName=*))'
>>> should return the Object, only if 'nCName' attribute exists.
>>>
>>> It looks like a bug in dsdb/ldb.
>>>
>>
>> No, it looks like you have a problem in the database, try running
>> 'samba-tool dbcheck'
>
> Ok, thank you. I will try it on backed-up data.
...

Ok, I found where it is lost. This attribute is removed as a one-way link in
source4/dsdb/samdb/ldb_modules/extended_dn_out.c:

/*
  this is called to post-process the results from the search
 */
static int extended_callback(struct ldb_request *req, struct ldb_reply *ares,
                int (*handle_dereference)(struct ldb_dn *dn,
                                struct dsdb_openldap_dereference_result **dereference_attrs,
                                const char *attr, const DATA_BLOB *val))
{
...
        /* Walk the returned elements (but only if we have a schema to
         * interpret the list with) */
        for (i = 0; ac->schema && i < msg->num_elements; i++) {
...
                for (j = 0; j < msg->elements[i].num_values; j++) {
                        const char *dn_str;
                        struct ldb_dn *dn;
                        struct dsdb_dn *dsdb_dn = NULL;
                        struct ldb_val *plain_dn = &msg->elements[i].values[j];
                        bool is_deleted_objects = false;

                        ldb_asprintf_errstring(ldb,
                                               "schema check for %.*s on %s as %s",
                                               (int)plain_dn->length, plain_dn->data,
                                               msg->elements[i].name,
                                               ldb_dn_get_linearized(msg->dn));
...
                        /* note that we don't fixup objectCategory as
                           it should not be possible to move
                           objectCategory elements in the schema */
                        if (attribute->one_way_link &&
                            strcasecmp(attribute->lDAPDisplayName, "objectCategory") != 0) {
                                bool remove_value;
                                ret = fix_one_way_link(ac, dn, is_deleted_objects, &remove_value,
                                                       attribute->linkID);
                                if (ret != LDB_SUCCESS) {
                                        talloc_free(dsdb_dn);
                                        return ldb_module_done(ac->req, NULL, NULL, ret);
                                }
                                if (remove_value &&
                                    !ldb_request_get_control(req, LDB_CONTROL_REVEAL_INTERNALS)) {
                                        ldb_asprintf_errstring(ldb, "fix one way link");
                                        /* we show these with REVEAL
                                           to allow dbcheck to find and
                                           cleanup these orphaned links */
                                        memmove(&msg->elements[i].values[j],
                                                &msg->elements[i].values[j+1],
                                                (msg->elements[i].num_values-(j+1))*sizeof(struct ldb_val));
                                        msg->elements[i].num_values--;
                                        j--;
                                        continue;
                                }
                        }
...

# ldbsearch -H /var/lib/samba/private/sam.ldb \
    -b CN=Partitions,CN=Configuration,DC=adm72,DC=local \
    '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))' \
    systemFlags objectGUID nCName -d0 --trace
[...]
ldb_asprintf/set_errstring: schema check for
<GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-1729258221-3996020766>;DC=omsu,DC=adm72,DC=local
on nCName as CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
ldb_trace_next_request: (show_deleted)->search
ldb_trace_next_request: (partition)->search
partition_request() -> (metadata partition)
ldb_trace_next_request: (tdb)->search
Added timed event "ltdb_callback": 0x27e6cd0
[...]

Running timer event 0x7f7a60 "ltdb_callback"

Destroying timer event 0x79c1d0 "ltdb_timeout"

Ending timer event 0x7f7a60 "ltdb_callback"

ldb_asprintf/set_errstring: dsdb_module_search_tree at
../source4/dsdb/samdb/ldb_modules/util.c:180
ldb_asprintf/set_errstring: fix one way link
ldb_trace_response: ENTRY
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
systemFlags: 3



# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
systemFlags: 3

ldb_trace_response: DONE
error: 0
msg: fix one way link

Destroying timer event 0x16d7d50 "ltdb_timeout"

Ending timer event 0x1d50e10 "ltdb_callback"

# returned 2 records
# 2 entries

______________

It is a serious bug for the KDC, as I showed above:
https://bugzilla.samba.org/show_bug.cgi?id=13078

This is not reproduced on a Windows DC, with which our Samba DC
successfully replicates in both directions. So we must not remove the
'nCName' attribute, either for all entries or for 'crossRef' objectClass
entries only, by the one-way link fixup.


-- 
Sin (Sinelnikov Evgeny)
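As an added example (not the poster's code and not Samba's), a small diagnostic that diffs a plain ldbsearch result against one run with the reveal_internals control, which the module above honours, to list exactly which one-way link values (here nCName on the crossRef) the fixup stripped from the reply. It assumes ldbsearch accepts `--controls=reveal_internals:1` for LDB_CONTROL_REVEAL_INTERNALS; the sample records PLAIN and REVEAL are constructed from the thread's output, not real captures.

```python
import subprocess

def parse_ldif(text):
    """ldbsearch output -> {dn: {attr: [values]}}; unfolds LDIF continuation
    lines, skips '#' comments, keeps base64 ('::') values with ':' prefix."""
    lines = []
    for raw in text.splitlines():          # join folded lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, cur = {}, {}
    for line in lines + [""]:              # trailing "" flushes last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in cur:
                records[cur["dn"][0]] = cur
            cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    return records

def hidden_values(plain_text, reveal_text):
    """Values only in the reveal_internals result: what the fixup removed."""
    plain, reveal = parse_ldif(plain_text), parse_ldif(reveal_text)
    hidden = {}
    for dn, attrs in reveal.items():
        for attr, vals in attrs.items():
            missing = [v for v in vals if v not in plain.get(dn, {}).get(attr, [])]
            if missing:
                hidden.setdefault(dn, {})[attr] = missing
    return hidden

def ldbsearch(url, base, expr, attrs, reveal=False):
    """Assumed: '--controls=reveal_internals:1' passes LDB_CONTROL_REVEAL_INTERNALS."""
    cmd = ["ldbsearch", "-H", url, "-b", base, expr, *attrs]
    if reveal:
        cmd.append("--controls=reveal_internals:1")
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

# Constructed sample output modelled on the thread's records (not real output);
# REVEAL carries the nCName the fixup strips, as a folded LDIF line.
PLAIN = """# record 1
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
objectGUID: 1258a934-cb2d-467d-b4a9-5105756cba94
systemFlags: 3
"""
REVEAL = PLAIN + "nCName: DC=omsu,DC=adm72,\n DC=local\n"
```

Against a live DC, call `hidden_values(ldbsearch(url, base, expr, attrs), ldbsearch(url, base, expr, attrs, reveal=True))` with the base DN and filter from the trace above; a non-empty result for a crossRef is the condition the KDC then trips over.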


