KDC tests failing since this week

Andrew Bartlett abartlet at samba.org
Fri Jun 17 10:55:32 UTC 2016


On Fri, 2016-06-17 at 12:29 +0200, Andreas Schneider wrote:
> On Friday, 17 June 2016 18:04:41 CEST Andrew Bartlett wrote:
> > On Thu, 2016-06-16 at 13:51 +0200, Andreas Schneider wrote:
> > > On Thursday, 16 June 2016 10:44:39 CEST Andrew Bartlett wrote:
> > > > On Wed, 2016-06-15 at 15:15 +0200, Andreas Schneider wrote:
> > > > > Hi Andrew,
> > > > > 
> > > > > I'm working on refactoring the KDC code. Last week
> > > > > 
> > > > > 	make -j test TESTS="samba4.krb5.kdc"
> > > > > 
> > > > > worked just fine for me, this week if I run it the fl2008r2dc tests
> > > > > run into a timeout. The changes which went into master are mostly
> > > > > your code.
> > > > > 
> > > > > auth_check_password_recv: sam_ignoredomain authentication for user [SAMBA2008R2\Administrator] succeeded
> > > > > NTLMSSP Sign/Seal - Initialising with flags:
> > > > > Got NTLMSSP neg_flags=0x62088235
> > > > >   NTLMSSP_NEGOTIATE_UNICODE
> > > > >   NTLMSSP_REQUEST_TARGET
> > > > >   NTLMSSP_NEGOTIATE_SIGN
> > > > >   NTLMSSP_NEGOTIATE_SEAL
> > > > >   NTLMSSP_NEGOTIATE_NTLM
> > > > >   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> > > > >   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> > > > >   NTLMSSP_NEGOTIATE_VERSION
> > > > >   NTLMSSP_NEGOTIATE_128
> > > > >   NTLMSSP_NEGOTIATE_KEY_EXCH
> > > > > Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_INVALID_BUFFER_SIZE'
> > > > > single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_INVALID_BUFFER_SIZE]
> > > > > Timed out (60 sec) waiting for working LDAP and a RID Set to be allocated by DC7 PID 32142 at /home/asn/workspace/projects/samba/selftest/target/Samba4.pm line 222.
> > > > > Samba 32142 failed to start up at /home/asn/workspace/projects/samba/selftest/target/Samba4.pm line 165.
> > > > > failed to start up environment 'fl2008r2dc' at /home/asn/workspace/projects/samba/selftest/target/Samba.pm line 49.
> > > > > samba can't start up known environment 'fl2008r2dc' at /home/asn/workspace/projects/samba/selftest/selftest.pl line 898
> > > > > 
> > > > > 
> > > > > This is what I get. I'm not sure what is really going wrong. Help
> > > > > would be much appreciated. I will continue digging ...
> > > > 
> > > > G'Day,
> > > 
> > > Hi Andrew,
> > > 
> > > I played around a bit.
> > > 
> > > in source4/selftest/tests.py line 696
> > > 
> > > for env in ["rodc", "promoted_dc", "ad_dc", "fl2000dc", "fl2008r2dc"]:
> > > 
> > > which sets the targets for the test. If I remove the fl2000dc target,
> > > the fl2008r2dc works just fine.
> > > 
> > > If I change the line to:
> > > 
> > > for env in ["rodc", "promoted_dc", "fl2000dc", "ad_dc"]:
> > > 
> > > selftest fails to provision the ad_dc target.
> > > 
> > > So the fl2000dc taints the environment!
> > > 
> > > 
> > > I need to investigate further but the question which comes to my
> > > mind is: Why do we still support fl2000?
> > 
> > It has different behaviour on linked attributes and ACLs that we have
> > code for, so we wanted to keep tests for.  Because it doesn't have DNS
> > in an application partition it also happens to be a good test for some
> > of the fsmo commands.  I agree with your instinct however that it is
> > odd to still support it in 2016.
> 
> With all this stdout and stderr redirection we lose a lot of
> information, selftest itself prints or the binaries we execute.
> 
> It fails to provision the fl2008r2dc because the kinit uses the wrong
> REALM.
> 
> ./bin/ldbsearch -H ldap://dc7 -UAdministrator%locDCpass7 -s base -b "cn=RID Set,cn=DC7,ou=domain controllers,DC=SAMBA2008R2,DC=EXAMPLE,DC=COM" rIDAllocationPool
> Wrong username or password: kinit for Administrator@SAMBA2000.EXAMPLE.COM failed (Preauthentication failed)
> 
> I haven't figured out yet where it gets the SAMBA2000.EXAMPLE.COM
> realm from ...

Probably from a krb5 ccache written by a previous test.  Currently
there is just one for the whole selftest.  

The patches in this link are not finished yet (some tests still don't
pass), but the code to set up the ccache should fix that, by pointing
at one per environment.

http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/fast-fast-fast

git://git.catalyst.net.nz/samba.git fast-fast-fast

We did this when we noticed how much time in make test went into sha1
in the string2key function.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
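
The per-environment ccache idea from the message above, as an added example that is not part of the original mail and is not Samba's selftest code: each environment gets its own KRB5CCNAME, and a check reports a cache whose principal belongs to another realm. The directory layout, the function names and the klist sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; the layout, names and klist sample are assumptions.

# ccache location for one test environment (e.g. fl2008r2dc).
env_ccache() {
    printf 'FILE:%s/%s/krb5_ccache\n' "$1" "$2"
}

# Run a command with KRB5CCNAME scoped to a single environment.
with_env_ccache() {
    prefix=$1; envname=$2; shift 2
    mkdir -p "$prefix/$envname" || return 1
    env KRB5CCNAME="$(env_ccache "$prefix" "$envname")" "$@"
}

# Read klist output on stdin and print the default principal's realm.
# Handles the MIT ("Default principal:") and Heimdal ("Principal:") layouts.
ccache_realm() {
    sed -n -E 's/^[[:space:]]*(Default principal|Principal):[[:space:]]*[^@]*@([^[:space:]]+).*$/\2/p' | head -n 1
}

# Succeed when the cache on stdin is empty or belongs to the expected realm;
# fail when it holds a principal from another environment's realm.
check_ccache_realm() {
    found=$(ccache_realm)
    [ -z "$found" ] || [ "$found" = "$1" ]
}

# Constructed sample: Heimdal-style klist output for a cache shared by all
# environments after the fl2000dc tests have run.
SAMPLE_KLIST='Credentials cache: FILE:/tmp/selftest-demo/krb5_ccache
        Principal: Administrator@SAMBA2000.EXAMPLE.COM'

if printf '%s\n' "$SAMPLE_KLIST" | check_ccache_realm SAMBA2008R2.EXAMPLE.COM; then
    echo "ccache realm matches fl2008r2dc"
else
    echo "stale ccache: realm is $(printf '%s\n' "$SAMPLE_KLIST" | ccache_realm)"
fi
```
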





