[Samba] New Windows 8 RSAT and "OU=Domain Controllers" support?

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Mon May 6 04:41:12 MDT 2013


On 4.5.2013 0:22, Andrew Bartlett wrote:
> On Fri, 2013-05-03 at 19:21 +0300, Pekka L.J. Jalkanen wrote:
>> On 26.4.2013 13:05, Pekka L.J. Jalkanen wrote:
>>>
>>> So it seems that for some reason, exporting the keytab from Samba DC
>>> doesn't work. I tried to kinit first using the domain admin account, but
>>> to no avail--exportkeytab still throws the same error.
>>>
>>> Now, for the purposes of bug 9828 I could probably export it from our
>>> Windows DC using ktpass.exe, but I'd naturally like to know what's wrong
>>> here.
>>>
>>> What should I do? Am I missing something here?
>>
>> I forgot this for some time... as the samba-tool exportkeytab didn't
>> work, the easiest way to get a proper keytab for decrypting the capture
>> was apparently just copy secrets.keytab from the Samba DC and feed that
>> file to Wireshark. At least I've now managed to decrypt the stuff myself.
> 
> It would be useful to know why samba-tool exportkeytab didn't work, it
> is tested in our make test.  Perhaps run it with -d10 and see if it
> gives more clues?

Not much--only the two lines above the hexdump:

-----

gendb_search_v: DC=mydomain,DC=site NULL -> 1
ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
[0000] 00 00 00 00 62 00 00 00   00 00 00 00 20 00 20 00   ....b... .... . .
[0010] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0020] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0030] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0040] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0050] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0060] 20 00 20 00 20 00 20 00   20 00 20 00 50 00 00      . . . .  . .P..
ERROR(runtime): uncaught exception - Invalid argument
  File "/usr/local/samba4/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba4/lib/python2.6/site-packages/samba/netcmd/domain.py", line 103, in run
    net.export_keytab(keytab=keytab, principal=principal)

-----

All the output right until that point consists of just LDB searches with
"error 0" responses, so I guess that it would not help all that
much--but I can send an uncensored version to you personally, if you
want to. (Not on list, because such an output lists all the accounts in
the database with very detailed information, even though the most secret
attributes are redacted.)

>> However, as this is not a test domain, I can't just post such a
>> sensitive piece of information to Bugzilla. I am, however, ready to send
>> it in a GPG-encrypted message to Andrew (currently assigned to the bug)
>> or another trusted Samba dev working on the bug. Would that be OK?
> 
> Can you reproduce this on a test domain?  That would be better.

Two limitations here:

1) Replicating the exact setup would require installing another W2k3 R2
DC, which I'm unable to do (no licence). But I can, at least in theory,
try to do the same thing with Win 2008 R2 (there is an evaluation
version). The bug might be reproducible in such a setup, but might as
well not.

2) In practice this would still be a relatively laborious procedure
(needs me to install three non-production virtual machines, create a
domain on a Windows server, configure it to roughly match our production
environment, join it with Samba on a Linux server, install and join a
Windows client, install RSAT on the client and then do the actual
capture) and right now I've other more urgent priorities at work. So if
I'll really have to do this it most likely won't happen until about
mid-June at earliest.

> While I
> do take GPG encrypted stuff, I prefer not to unless I'm actually fixing
> database errors in databases or other things that would never be
> reproduced again.

I understand your point. Sorry that I can't help quickly, but if you don't
see a delay of one to two months as a problem, I can try this then.
If you do, then the encryption is the only way. I'm not in a terrible
hurry, even if it would be nice to get this fixed.

I think that the thing I'm going to try right now is to actually run the
MS adprep.exe tool that ships with W2k8 R2. It should add RODC support
to the schema and MS also says to run it before installing any W2k8 DCs
(RODC or not) into an existing W2k3 domain, so at least it shouldn't do
any damage. If it works around this bug, all the better.

Pekka L.J. Jalkanen
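For readers who want to see why the pull fails after exactly 0x62 bytes, here is an added example (my own code, not Samba's and not from this thread) that rebuilds the 111 bytes of the hexdump above and walks them field by field, showing that the sub-blob holds the 48-space prefix and the 'P' signature but stops before the two-byte num_packages field, which is the "Pull bytes 2" the debug output reports. The layout and field names are my reading of Samba's librpc/idl/drsblobs.idl (supplementalCredentialsBlob / supplementalCredentialsSubBlob) and are assumptions, not something the message states.

```python
import struct

# Layout as I read Samba's librpc/idl/drsblobs.idl (assumption, not quoted from the thread):
#   supplementalCredentialsBlob    = uint32 unknown1, uint32 size, uint32 unknown2,
#                                    supplementalCredentialsSubBlob sub[size], uint8 unknown3
#   supplementalCredentialsSubBlob = uint16 prefix[0x30] (UTF-16 spaces), uint16 signature ('P'),
#                                    uint16 num_packages, packages[num_packages]
PREFIX = (" " * 0x30).encode("utf-16-le")   # 96 bytes of "20 00", as in the hexdump
SIGNATURE = 0x50                            # 'P'


def build_blob(num_packages=None) -> bytes:
    """Build a blob with no packages. num_packages=None omits the field entirely,
    which reproduces the 111-byte hexdump from the message byte for byte."""
    sub = PREFIX + struct.pack("<H", SIGNATURE)
    if num_packages is not None:
        sub += struct.pack("<H", num_packages)
    return struct.pack("<III", 0, len(sub), 0) + sub + b"\x00"


def parse_supplemental_credentials(blob: bytes) -> dict:
    """Walk the blob the way an NDR pull does; raise ValueError with the same
    'Pull bytes N' wording where the pull would run out of data."""
    if len(blob) < 12:
        raise ValueError("Pull bytes 12 (fixed header)")
    unknown1, size, unknown2 = struct.unpack_from("<III", blob, 0)
    sub = blob[12:12 + size]                  # subcontext: only `size` bytes are visible
    if len(sub) != size:
        raise ValueError(f"Pull bytes {size} (subcontext longer than blob)")
    pos = 0

    def need(n: int, what: str) -> None:
        nonlocal pos
        if pos + n > size:
            raise ValueError(f"Pull bytes {n} ({what} at blob offset {12 + pos}, "
                             f"sub-blob size {size:#x})")
        pos += n

    need(96, "prefix")
    if sub[0:96] != PREFIX:
        raise ValueError("prefix is not 0x30 UTF-16 spaces")
    need(2, "signature")
    (signature,) = struct.unpack_from("<H", sub, 96)
    if signature != SIGNATURE:
        raise ValueError(f"bad signature {signature:#x}")
    need(2, "num_packages")                   # the 0x62-byte sub-blob ends right here
    (num_packages,) = struct.unpack_from("<H", sub, 98)
    return {"size": size, "num_packages": num_packages}


def diagnose(blob: bytes) -> str:
    try:
        info = parse_supplemental_credentials(blob)
    except ValueError as e:
        return f"ndr_pull_error: {e}"
    return f"ok: {info['num_packages']} package(s) in {info['size']:#x}-byte sub-blob"
```

Running `diagnose(build_blob())` reports the missing num_packages at blob offset 110, while `diagnose(build_blob(0))` shows what a sub-blob with an explicit zero package count looks like (0x64 bytes).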