[Samba] samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED

Andrej Gessel Andrej.Gessel at janztec.com
Thu Nov 9 12:24:49 UTC 2017


Hello list,

I run 2 Samba 4.7.1 RODCs: one in my Default-First-Site-Name and one in an additional site where only a Samba RODC exists.

When I start samba_kcc on the first RODC, it runs without errors. If I start samba_kcc on the RODC in the additional site, it fails with:

/usr/local/samba/sbin/samba_kcc: Traceback (most recent call last):
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>
/usr/local/samba/sbin/samba_kcc:     attempt_live_connections=opts.attempt_live_connections)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run
/usr/local/samba/sbin/samba_kcc:     all_connected = self.intersite(ping)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite
/usr/local/samba/sbin/samba_kcc:     all_connected = self.create_intersite_connections()
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections
/usr/local/samba/sbin/samba_kcc:     part, True)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections
/usr/local/samba/sbin/samba_kcc:     partial_ok, detect_failed)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection
/usr/local/samba/sbin/samba_kcc:     lbh.commit_connections(self.samdb)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections
/usr/local/samba/sbin/samba_kcc:     connect.commit_added(samdb, ro)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added
/usr/local/samba/sbin/samba_kcc:     (self.dnstr, estr))
/usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could not add nTDSConnection for (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings,CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samdom,DC=com) - (Invalid LDB reply type 1)
../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc - NT_STATUS_ACCESS_DENIED

root at buildhost /home/andrej/gitrepos/samba (git)-[samba-4.7.1] # samba-tool drs showrepl -UAdministrator
Testsite\BUILDHOST
DSA Options: 0x00000025
DSA object GUID: 6a61584e-a6c8-435a-8e20-39a25d6a3232
DSA invocationId: d5ac7a08-9dcd-41ec-a39f-42fd906530e8

==== INBOUND NEIGHBORS ====

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: RODC Connection (FRS)
        Enabled        : TRUE
        Server DNS name : test-dc.2a-net.local
        Server DN name  : CN=NTDS Settings,CN=TEST-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=com
                TransportType: RPC
                options: 0x00000041
Warning: No NC replicated for Connection!

Replication works correctly.

As far as I understand, the RODC generates its own topology and should create an intersite connection, because the replication server is in the other site.

Is this code/binary tested somewhere?


Andrej

