[Samba] samba_kcc RODC failes with NT_STATUS_ACCESS_DENIED
Andrej Gessel
Andrej.Gessel at janztec.com
Fri Nov 10 16:36:41 UTC 2017
Hello list,
I tried to fix my issue and found some more debug information:
1) I see the error in this situation:
Default-First-Site-Name:
- TEST-DC (RWDC)
Testsite2:
- empty
Testsite:
- BUILDHOST (RODC)
If I move TEST-DC to Testsite2, it fixes the error, maybe because of 2).
2) The python/samba/kcc/__init__.py:create_connections function always tries to connect to Default-First-Site-Name, although Default-First-Site-Name is now empty and TEST-DC is in Testsite2.
Get_bridgehead found just the TEST-DC from Testsite2.
@@ -1710,12 +1710,14 @@ class KCC(object):
# Utilize the IP transport only for now
transport = self.ip_transport
DEBUG("edge_list %s" % edge_list)
for e in edge_list:
+ print "--------e.vertices[0].site: %s" % e.vertices[0].site.site_dnstr
+ print "--------e.vertices[1].site: %s" % e.vertices[1].site.site_dnstr
# XXX more accurate comparison?
if e.directed and e.vertices[0].site is self.my_site:
continue
if e.vertices[0].site is self.my_site:
rsite = e.vertices[1].site
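Review bot: the two added `print` lines at the top of the `for e in edge_list:` loop bypass the `DEBUG(...)` helper used on the line directly above the loop, so they write to stdout on every run, and the statement form `print "..."` only parses under Python 2. If this output is meant to stay, route it through `DEBUG(...)` like the `edge_list` line. Both lines also dereference `.site.site_dnstr` before the existing `e.vertices[0].site is self.my_site` checks, so a vertex without a site would now raise here where the identity comparison alone would not.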
These changes always show me the edges between Default-First-Site-Name and Testsite; what I expect to see here is one connection to Default-First-Site-Name and one connection to Testsite2.
3) Should it not be as shown below? If ldsa/lbh is ro, it will fail as shown in the previous e-mail.
diff --git a/python/samba/kcc/__init__.py b/python/samba/kcc/__init__.py
index 6f973ea..46689da 100644
--- a/python/samba/kcc/__init__.py
+++ b/python/samba/kcc/__init__.py
@@ -1498,13 +1498,13 @@ class KCC(object):
dsdb.NTDSSITELINK_OPT_DISABLE_COMPRESSION) != 0):
cn.options |= \
dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
cn.set_modified(True)
# Display any modified connection
- if self.readonly:
+ if self.readonly or ldsa.is_ro():
if cn.to_be_modified:
logger.info("TO BE MODIFIED:\n%s" % cn)
ldsa.commit_connections(self.samdb, ro=True)
else:
ldsa.commit_connections(self.samdb)
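Review bot: in the "Display any modified connection" block, `self.readonly or ldsa.is_ro()` folds two different conditions into one, so on a read-only DSA the "TO BE MODIFIED" message is logged exactly as in a dry run and nothing tells the operator that the change was skipped because of the DSA's role. Add a comment saying why a read-only `ldsa` must take the `ro=True` path, and consider a distinct log message for that case. Since the write goes through `self.samdb`, it is also worth confirming that `ldsa.is_ro()` is the right test here, rather than whether the local database itself is writable.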
@@ -1582,13 +1582,13 @@ class KCC(object):
dsdb.SYSTEM_FLAG_CONFIG_ALLOW_MOVE)
cn = lbh.new_connection(opt, system_flags, transport,
rbh.dsa_dnstr, link_sched)
# Display any added connection
- if self.readonly:
+ if self.readonly or lbh.is_ro():
if cn.to_be_added:
logger.info("TO BE ADDED:\n%s" % cn)
lbh.commit_connections(self.samdb, ro=True)
else:
lbh.commit_connections(self.samdb)
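Review bot: the `lbh.is_ro()` test in the "Display any added connection" block repeats the condition added in the hunk at line 1498, so every caller of `commit_connections` now has to remember it. Both sites end up passing `ro=True`, so consider letting `commit_connections` check `is_ro()` on the DSA it is called on, or adding one helper that returns the effective ro flag, so the two call sites cannot drift apart.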
Please correct me if I'm wrong so I'm not looking in the wrong direction to solve this issue.
Andrej
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Andrej Gessel via samba
Sent: Thursday, 9 November 2017 14:43
To: Rowland Penny <rpenny at samba.org>; samba at lists.samba.org
Subject: Re: [Samba] samba_kcc RODC failes with NT_STATUS_ACCESS_DENIED
Hello Rowland,
Of course it will be started by samba; I saw this output when I ran "samba -i".
But I can also trigger this output by starting samba_kcc manually.
Andrej
-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org]
Sent: Thursday, 9 November 2017 14:04
To: samba at lists.samba.org
Cc: Andrej Gessel <Andrej.Gessel at janztec.com>
Subject: Re: [Samba] samba_kcc RODC failes with NT_STATUS_ACCESS_DENIED
On Thu, 9 Nov 2017 12:24:49 +0000
Andrej Gessel via samba <samba at lists.samba.org> wrote:
> Hello list,
>
> I run 2 Samba 4.7.1 RODCs. One in my Default-First-Site-Name and one in an
> additional site where only a Samba RODC exists.
>
> When I start samba_kcc on the first RODC it runs without errors. If I
> start samba_kcc on the RODC in the additional site it fails with:
>
What do you mean by 'When I start samba_kcc' ??
You don't start this manually.
Rowland