ad-dc-2 python3 problem

Noel Power nopower at suse.com
Fri Oct 26 16:52:28 UTC 2018 

I have a problem with samba4.ldap.login_basics and some others that fail 
in the ad_dc_2 job in my attempt to run ad_dc_2 CI job under pure python3

please see

branch: 
https://gitlab.com/samba-team/devel/samba/commits/npower-py3build_ad_dc2
CI: https://gitlab.com/samba-team/devel/samba/pipelines/34355915

I'm betting it is the same underlying cause all the failing tests in 
this job, it is seems also to prevent some environments from starting 
(so looks like it will affect other CI jobs too). Interesting error 
messages are

python3: Traceback (most recent call last):
python3:   File 
"/data/samba-back2/source4/scripting/bin/samba_spnupdate", line 254, in 
<module>
python3:     local_update(add_list)
python3:   File 
"/data/samba-back2/source4/scripting/bin/samba_spnupdate", line 200, in 
local_update
python3:     res = samdb.modify(msg)
python3: _ldb.LdbError: (20, "attribute 'servicePrincipalName': value 
#26 on 'CN=OFFLINEBACKUPDC,OU=Domain 
Controllers,DC=backupdom,DC=samba,DC=example,DC=com' already exists")

which happens periodically (seems samba/smbd runs this on a timer)

Also the test seems to fail specifically with

gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating 
NEG_TOKEN_INIT for ldap/offlinebackupdc failed (next[(null)]): 
NT_STATUS_LOGON_FAILURE
Failed to bind - LDAP client internal error: NT_STATUS_LOGON_FAILURE
Failed to connect to 'ldap://offlinebackupdc' with backend 'ldap': LDAP 
client internal error: NT_STATUS_LOGON_FAILURE
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating 
NEG_TOKEN_INIT for ldap/offlinebackupdc failed (next[(null)]): 
NT_STATUS_INVALID_PARAMETER
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://offlinebackupdc' with backend 'ldap': LDAP 
client internal error: NT_STATUS_INVALID_PARAMETER
ime: 2018-10-26 09:45:53.673424Z
error: 
samba4.ldap.login_basics.python(offlinebackupdc).__main__.BasicUserAuthTests.test_login_basics_krb5(offlinebackupdc) 
[
Exception: Exception: Traceback (most recent call last):
   File "/data/samba-back2/source4/dsdb/tests/python/login_basics.py", 
line 56, in setUp
     super(BasicUserAuthTests, self).setUp()
   File 
"/data/samba-back2/source4/dsdb/tests/python/password_lockout_base.py", 
line 352, in setUp
     self.lockout1krb5_ldb = self._readd_user(self.lockout1krb5_creds)
   File 
"/data/samba-back2/source4/dsdb/tests/python/password_lockout_base.py", 
line 258, in _readd_user
     ldb = SamDB(url=self.host_url, credentials=creds, lp=self.lp)
   File "/data/samba-back2/bin/python/samba/samdb.py", line 65, in __init__
     options=options)
   File "/data/samba-back2/bin/python/samba/__init__.py", line 115, in 
__init__
     self.connect(url, flags, options)
   File "/data/samba-back2/bin/python/samba/samdb.py", line 80, in connect
     options=options)
_ldb.LdbError: (1, 'LDAP client internal error: 
NT_STATUS_INVALID_PARAMETER')


and some poking around with some increased debug and it looks like the 
underlying error is

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 343
Received smb_krb5 packet of length 212
kinit for lockout1krb5 at BACKUPDOM.SAMBA.EXAMPLE.COM succeeded
Server ldap/offlinebackupdc at BACKUPDOM.SAMBA.EXAMPLE.COM is not 
registered with our KDC:  Miscellaneous failure (see text): Server 
(ldap/offlinebackupdc at BACKUPDOM.SAMBA.EXAMPLE.COM) unknown
gensec_update_send: gssapi_krb5[0x559615e44ba0]: subreq: 0x559615f44110
gensec_update_send: spnego[0x559615f42610]: subreq: 0x559615f42b30
gensec_update_done: gssapi_krb5[0x559615e44ba0]: 
NT_STATUS_INVALID_PARAMETER 
tevent_req[0x559615f44110/../source4/auth/gensec/gensec_gssapi.c:1054]: 
state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct 
gensec_gssapi_update_state (0x559615f442c0)] timer[(nil)] 
finish[../source4/auth/gensec/gensec_gssapi.c:1067]
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating 
NEG_TOKEN_INIT for ldap/offlinebackupdc failed (next[ntlmssp]): 
NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp

I'm feeling this must be to do with the spnupdate problem above. 
Something funky I think is happening as part of the environment 
setup/provisioning stage. I don't know enough about the ad/dc and the 
associated test environments in general :-), any ideas, hints where to 
look or even a solution would be really really awesome.


To reproduce (note: fails outside of CI too)

clone the branch mentioned above

# configure
PYTHON='python3' ./configure.developer

# make & test
PYTHON='python3' make test FAIL_IMMEDIATELY=1 
TESTS='samba4.ldap.login_basics --include-env=offlinebackupdc '

Thanks

Noel

More information about the samba-technical mailing list