[Samba] AD-DC samba_gpoupdate failing

Kristján Valur Jónsson kristjan at rvx.is
Tue Feb 26 13:34:32 UTC 2019

Ok, I've analyzed this and found that the cause is a call to getpwuid(uid)
with the uid being that of the domain controller.
"wbinfo --uid-info=3000074" works and returns information, but this library
function fails.
This is then propagated upwards as a memory error, because it is being
called from getpwuid_alloc() which is a talloc variant. The API doesn't
allow us to distinguish either form of error.
Later, there is this code (in libgpo)
new_token = create_local_nt_token(mem_ctx, &object_sid, false,
  num_token_sids, token_sids);
where the failure of create_local_nt_token() is simply assumed to be a
memory failure.  This pretty much destroys any finesse in lower level error

Now, the reason getpwuid was failing was that the nsswitch.conf wasn't set
up on the DCs.  I fixed it and it works.  But I've been running these DCs
for three years without it.  There is also no indication anywhere that it
is not correctly set up.
I wonder if it is possible to enhance such diagnosis.
1) output a warning (failure of getpwuid is currently a DEBUG macro)
2) fix error handling.  Will do some tests.

On Mon, 25 Feb 2019 at 14:25, Kristján Valur Jónsson <kristjan at rvx.is> wrote:

> Well, I had a look at the python bindings and the error handling was in
> shambles.
>   I fixed libgpo/pygpo.c and I now get:
>     gpos = ads.get_gpo_list(creds.get_username())
> SystemError: Failed to get machine token for 'DC01$' (CN=DC01,OU=Domain
> Controllers,DC=rvx,DC=is)
> (the failing call is
>     status = gp_get_machine_token(self->ads_ptr, frame, dn, &token);)
> I'm a former python core dev, so I know a bit about python c code.  I've
> fixed what I could find there, and will create a pull request.  Meanwhile,
> do you know why this may be failing?  The DN does exist.
> K
> On Mon, 25 Feb 2019 at 13:10, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>> On Mon, 25 Feb 2019 12:56:59 +0000
>> Kristján Valur Jónsson via samba <samba at lists.samba.org> wrote:
>> > Hi,
>> > I just upgraded to 4.8.9 and decided to give the samba_gpoupdate
>> > feature a whirl.
>> > However, it fails.
>> > The line that's failing is "gpos =
>> > ads.get_gpo_list(creds.get_username())" returning None.
>> >
>> > This is probably a failure, since it should otherwise return an empty
>> > list (if there were no gpos to return).  But there is no output to
>> > indicate what may be failing.
>> > I have a setup of three redundant domain controllers, all of them
>> > similarly failing. Any thought on this, before I start digging around
>> > inside gpo.so in the python module dir?
>> >
>> >
>> It was renamed to 'samba_gpudate' from 4.9.0, there were other changes
>> as well, perhaps testing 4.9.x would be a good idea.
>> Rowland
> --
> Kv,
> Kristján Valur Jónsson, RVX

Kristján Valur Jónsson, RVX
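
The thread above traces the failure to a uid that winbind can resolve but getpwuid() cannot, because nsswitch.conf was never set up, with nothing warning about it. The following is an added example, not part of the original posts and not Samba code: a small pre-flight check that flags that condition. It assumes a correctly set-up DC lists the "winbind" source for the passwd and group databases; the function names and the sample nsswitch.conf text are constructed.

```python
import pwd
import re

# Constructed sample nsswitch.conf contents, not taken from the poster's servers.
BROKEN = ("passwd: files\n"
          "group: files  # winbind not configured\n"
          "hosts: files dns [NOTFOUND=return]\n")
FIXED = "passwd: files winbind\ngroup: files winbind\n"


def parse_nsswitch(text):
    """Return {database: [source, ...]} parsed from nsswitch.conf text."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        # Action items such as [NOTFOUND=return] are not lookup sources.
        databases[name.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return databases


def diagnose(nsswitch_text, uid, lookup=pwd.getpwuid):
    """Return warnings for a uid that NSS may be unable to resolve."""
    warnings = []
    sources = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "group"):
        if "winbind" not in sources.get(db, []):
            warnings.append(f"nsswitch.conf: '{db}' does not list winbind")
    try:
        lookup(uid)
    except KeyError:
        # Python reports "no such uid" as KeyError, separately from
        # MemoryError, so the two causes are not conflated here.
        warnings.append(f"getpwuid({uid}) found no entry")
    return warnings


if __name__ == "__main__":
    # 3000074 is the uid quoted in the thread; BROKEN is constructed input.
    for message in diagnose(BROKEN, 3000074):
        print("WARNING:", message)
```

On a real DC, pass the contents of /etc/nsswitch.conf and the uid that "wbinfo --uid-info" reports.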
