KDC does not work in a configuration with a trusted domain

Evgeny Sinelnikov sin at altlinux.org
Mon Oct 9 13:55:07 UTC 2017


Hello,

last week I ran into a strange problem with a KDC (samba-4.6.8) that does not work.
kinit for users works, but when I use this KDC for a TGS request I get a
strange error.

[root at samba-dc ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: basealt at ADM72.LOCAL

Valid starting       Expires              Service principal
08.10.2017 15:54:57  09.10.2017 01:54:57  krbtgt/ADM72.LOCAL at ADM72.LOCAL
        renew until 15.10.2017 15:54:43

[root at samba-dc ~]# smbclient -k -L //samba-dc.adm72.local
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/samba-dc.adm72.local
failed (next[(null)]): NT_STATUS_NO_LOGON_SERVERS
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_NO_LOGON_SERVERS


log.samba during this strange error:

[2017/10/03 17:52:06.314034,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ basealt at ADM72.LOCAL from ipv4:10.142.170.14:52384
for cifs/alt-srv-dc-02 at ADM72.LOCAL [canonicalize]
[2017/10/03 17:52:06.316473,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: target  does not have secrets at this KDC, need to proxy
[2017/10/03 17:52:06.316570,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.142.170.14:52384
[2017/10/03 17:52:06.316651,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: proxying requested when not RODC'
[2017/10/03 17:52:06.316719,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: proxying requested when not RODC]

_____________________

Step by step I localized the problem: dsdb_trust_routing_table_load() failed:

[2017/10/07 16:43:28.773650,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: start flags=0010
[2017/10/07 16:43:28.773676,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: set HDB_F_KVNO_SPECIFIED for kvno: 3
[2017/10/07 16:43:28.773689,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: try to hdb_open for 0 config record
[2017/10/07 16:43:28.773706,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: hdb_fetch_kvno flags=0091 (kvno 3)
[2017/10/07 16:43:28.773720,  4] ../source4/kdc/db-glue.c:2321(samba_kdc_fetch)
  samba_kdc_fetch with kvno: 3 (flags=0091)
[2017/10/07 16:43:28.773764,  4]
../source4/kdc/db-glue.c:2091(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm for krbtgt/ADM72.LOCAL at ADM72.LOCAL with 2 components
[2017/10/07 16:43:28.773780,  4] ../source4/kdc/db-glue.c:2331(samba_kdc_fetch)
  samba_kdc_fetch set default ret as 36150275
[2017/10/07 16:43:28.773790,  4] ../source4/kdc/db-glue.c:2350(samba_kdc_fetch)
  samba_kdc_fetch for tgt
[2017/10/07 16:43:28.773805,  4]
../source4/kdc/db-glue.c:1702(samba_kdc_fetch_krbtgt)
  samba_kdc_fetch_krbtgt with kvno: 3
[2017/10/07 16:43:28.773820,  4]
../source4/kdc/db-glue.c:1721(samba_kdc_fetch_krbtgt)
  samba_kdc_fetch_krbtgt with default_realm_dn: DC=adm72,DC=local and
realm_from_princ ADM72.LOCAL
[2017/10/07 16:43:28.773832,  3]
../source4/kdc/db-glue.c:1732(samba_kdc_fetch_krbtgt)
  samba_kdc_fetch_krbtgt: is_my_domain_or_realm!
[2017/10/07 16:43:28.773845,  3]
../source4/kdc/db-glue.c:1751(samba_kdc_fetch_krbtgt)
  samba_kdc_fetch_krbtgt: krbtgt_number = 0
[2017/10/07 16:43:28.773855,  4]
../source4/kdc/db-glue.c:1754(samba_kdc_fetch_krbtgt)
  samba_kdc_fetch_krbtgt: dsdb_search_one LDB_SCOPE_BASE on
CN=krbtgt,CN=Users,DC=adm72,DC=local: "(objectClass=user)"
[2017/10/07 16:43:28.774289,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: hdb_close ret=0
[2017/10/07 16:43:28.774315,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: hdb_fetch_kvno() done
[2017/10/07 16:43:28.774419,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ basealt at ADM72.LOCAL from ipv4:10.142.170.24:59038
for cifs/samba-dc.adm72.local at ADM72.LOCAL [canonicalize]
[2017/10/07 16:43:28.774441,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: tgs_build_reply: _kdc_db_fetch() with HDB_F_GET_SERVER
[2017/10/07 16:43:28.774480,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: start flags=2028
[2017/10/07 16:43:28.774497,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: not kvno specified
[2017/10/07 16:43:28.774514,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: try to hdb_open for 0 config record
[2017/10/07 16:43:28.774530,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: hdb_fetch_kvno flags=2029 (kvno 0)
[2017/10/07 16:43:28.774544,  4] ../source4/kdc/db-glue.c:2321(samba_kdc_fetch)
  samba_kdc_fetch with kvno: 0 (flags=2029)
[2017/10/07 16:43:28.774558,  4]
../source4/kdc/db-glue.c:2091(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm for cifs/samba-dc.adm72.local at ADM72.LOCAL
with 2 components
[2017/10/07 16:43:28.774571,  4]
../source4/kdc/db-glue.c:2101(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm with SDB_F_GET_SERVER
[2017/10/07 16:43:28.774581,  4]
../source4/kdc/db-glue.c:2103(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm with SDB_F_FOR_TGS_REQ (check_realm = true)
[2017/10/07 16:43:28.774594,  4]
../source4/kdc/db-glue.c:2119(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm() for realm ADM72.LOCAL
[2017/10/07 16:43:28.774605,  4]
../source4/kdc/db-glue.c:2134(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm() copy the realm.
[2017/10/07 16:43:28.774618,  4]
../source4/kdc/db-glue.c:2185(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm for SDB_F_GET_SERVER
[2017/10/07 16:43:28.774628,  4]
../source4/kdc/db-glue.c:2208(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm for SDB_F_GET_SERVER with 2 components
[2017/10/07 16:43:28.774642,  4]
../source4/kdc/db-glue.c:2216(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm got service_realm samba-dc.adm72.local
[2017/10/07 16:43:28.774652,  4]
../source4/kdc/db-glue.c:2231(samba_kdc_lookup_realm)
  samba_kdc_lookup_realm try dsdb_trust_routing_table_load()
[2017/10/07 16:43:28.776134,  4] ../source4/kdc/db-glue.c:2326(samba_kdc_fetch)
  samba_kdc_fetch: samba_kdc_lookup_realm() failed
[2017/10/07 16:43:28.776229,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: hdb_close ret=36150287
[2017/10/07 16:43:28.776260,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: _kdc_db_fetch: hdb_fetch_kvno() = 36150287
[2017/10/07 16:43:28.776278,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: target cifs/samba-dc.adm72.local at ADM72.LOCAL does not have
secrets at this KDC, need to proxy
[2017/10/07 16:43:28.776300,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.142.170.24:59038
[2017/10/07 16:43:28.776329,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: proxying requested when not RODC'
[2017/10/07 16:43:28.776345,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: proxying requested when not RODC]

_____________________

Next part of this story: why did it fail?
Step by step again, I found that the problem is in
dsdb_trust_xref_forest_info() and looked at it in gdb:

[2017/10/09 12:15:15.859384,  5]
../auth/gensec/gensec_start.c:681(gensec_start_mech)
  Starting GENSEC mechanism gssapi_krb5
[2017/10/09 12:15:15.860051,  3]
../auth/credentials/credentials_krb5.c:406(cli_credentials_get_named_ccache)
  Ticket in credentials cache for SAMBA-DC$@ADM72.LOCAL will shortly
expire (272 secs), will refresh
[2017/10/09 12:15:15.860122,  5]
../auth/credentials/credentials_krb5.c:417(cli_credentials_get_named_ccache)
  Ticket in credentials cache for SAMBA-DC$@ADM72.LOCAL will expire in 272 secs
[2017/10/09 12:15:18.864288,  5]
../source4/auth/kerberos/krb5_init_context.c:146(smb_krb5_request_timeout)
  Timed out smb_krb5 packet
[2017/10/09 12:15:21.867498,  5]
../source4/auth/kerberos/krb5_init_context.c:146(smb_krb5_request_timeout)
  Timed out smb_krb5 packet
[2017/10/09 12:15:24.868825,  5]
../source4/auth/kerberos/krb5_init_context.c:146(smb_krb5_request_timeout)
  Timed out smb_krb5 packet
[2017/10/09 12:15:24.869059,  4]
../auth/credentials/credentials_krb5.c:585(cli_credentials_get_client_gss_creds)
  Failed to get kerberos credentials: kinit for SAMBA-DC$@ADM72.LOCAL
failed (Cannot contact any KDC for requested realm)

[2017/10/09 12:15:24.869130,  3]
../source4/auth/gensec/gensec_gssapi.c:333(gensec_gssapi_client_creds)
  Cannot reach a KDC we require to contact (null) : kinit for
SAMBA-DC$@ADM72.LOCAL failed (Cannot contact any KDC for requested
realm)

[...]
[2017/10/09 12:17:59.736199,  3]
../source4/dsdb/common/util_trusts.c:936(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info for 0x563e561e8918
[...]

[2017/10/09 12:19:02.333151,  3]
../source4/dsdb/common/util_trusts.c:952(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info with partitions dn
CN=Partitions,CN=Configuration,DC=adm72,DC=local
[2017/10/09 12:19:07.331948,  3]
../source4/dsdb/common/util_trusts.c:961(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info try dsdb_search()
[2017/10/09 12:19:19.898405,  3]
../source4/dsdb/common/util_trusts.c:976(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info sort the domains as trees
[2017/10/09 12:19:19.898499,  3]
../source4/dsdb/common/util_trusts.c:983(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info find uPNSuffixes
[2017/10/09 12:19:19.898516,  3]
../source4/dsdb/common/util_trusts.c:988(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info find msDS-SPNSuffixes
[2017/10/09 12:19:19.898528,  3]
../source4/dsdb/common/util_trusts.c:993(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info try ldb_msg_normalize()
[2017/10/09 12:19:19.898580,  3]
../source4/dsdb/common/util_trusts.c:999(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info find __tln__
[2017/10/09 12:19:19.898624,  3]
../source4/dsdb/common/util_trusts.c:1002(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info sort the domains as trees with tln element
[2017/10/09 12:19:19.898642,  3]
../source4/dsdb/common/util_trusts.c:1010(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info cross2 cycle with 2 counts
[2017/10/09 12:19:19.898662,  3]
../source4/dsdb/common/util_trusts.c:1024(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info cross2 0-th cycle
[2017/10/09 12:19:20.146552,  4]
../source4/dsdb/common/util_trusts.c:1042(dsdb_trust_xref_forest_info)
  dsdb_trust_xref_forest_info cross2 ncName not found
[2017/10/09 12:19:20.146760,  3]
../source4/dsdb/common/util_trusts.c:2873(dsdb_trust_routing_table_load)
  dsdb_trust_routing_table_load dsdb_trust_xref_forest_info() failed:
NT_STATUS_INTERNAL_DB_CORRUPTION

(gdb) backtrace
#0  ldb_dn_validate (dn=dn at entry=0x563e5603b4f0) at ../common/ldb_dn.c:744
#1  0x00007f2fc35fc300 in ldb_dn_add_child (dn=0x563e539d5e00,
child=0x563e5603b4f0) at ../common/ldb_dn.c:1500
#2  0x00007f2fc35fc625 in ldb_dn_add_child_fmt
(dn=dn at entry=0x563e539d5e00, child_fmt=child_fmt at entry=0x7f2fc3c6997a
"CN=Partitions") at ../common/ldb_dn.c:1600
#3  0x00007f2fc3c58fc8 in samdb_partitions_dn
(sam_ctx=sam_ctx at entry=0x563e539a9a00,
mem_ctx=mem_ctx at entry=0x563e552d5e50) at
../source4/dsdb/common/util.c:1160
#4  0x00007f2fc3c624e6 in dsdb_trust_xref_forest_info
(mem_ctx=mem_ctx at entry=0x563e561e8900,
sam_ctx=sam_ctx at entry=0x563e539a9a00,
_info=_info at entry=0x563e561e8918) at
../source4/dsdb/common/util_trusts.c:946
#5  0x00007f2fc3c65c8e in dsdb_trust_routing_table_load
(sam_ctx=0x563e539a9a00, mem_ctx=mem_ctx at entry=0x563e539d5b80,
_table=_table at entry=0x7ffd395d4ff8) at
../source4/dsdb/common/util_trusts.c:2871
#6  0x00007f2fbab6bf0c in samba_kdc_lookup_realm
(kdc_db_ctx=0x563e553eaf90, kdc_db_ctx=0x563e553eaf90,
mem_ctx=0x563e55a706a0, entry_ex=0x7ffd395d5060, flags=8201,
principal=0x563e54c10ab0, context=0x563e56737020)
    at ../source4/kdc/db-glue.c:2232
#7  samba_kdc_fetch (context=context at entry=0x563e56737020,
kdc_db_ctx=0x563e553eaf90, principal=principal at entry=0x563e54c10ab0,
flags=flags at entry=8201, kvno=kvno at entry=0,
entry_ex=entry_ex at entry=0x7ffd395d5060)
    at ../source4/kdc/db-glue.c:2323
#8  0x00007f2fbb192a86 in hdb_samba4_fetch_kvno
(context=0x563e56737020, db=<optimized out>, principal=0x563e54c10ab0,
flags=8201, kvno=0, entry_ex=0x563e54f1cd90) at
../source4/kdc/hdb-samba4.c:98
#9  0x00007f2fbb3aa149 in _kdc_db_fetch
(context=context at entry=0x563e56737020,
config=config at entry=0x563e54c1d970, principal=0x563e54c10ab0,
flags=<optimized out>, flags at entry=8200, kvno_ptr=kvno_ptr at entry=0x0,
db=db at entry=0x0,
    h=0x7ffd395d52b8) at ../source4/heimdal/kdc/misc.c:103
#10 0x00007f2fbb3a2ae1 in tgs_build_reply
(context=context at entry=0x563e56737020,
config=config at entry=0x563e54c1d970, req=req at entry=0x7ffd395d5860,
b=b at entry=0x7ffd395d5870, krbtgt=0x563e540a24e0,
    krbtgt_etype=krbtgt_etype at entry=KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
replykey=0x563e5599a620, rk_is_subkey=1, ticket=0x563e552d5610,
reply=0x7ffd395d59d0, from=0x563e54f1da90 "ipv4:10.142.170.24:46638",
e_text=0x7ffd395d5738,
    auth_data=0x7ffd395d5720, from_addr=0x7ffd395d59e0) at
../source4/heimdal/kdc/krb5tgs.c:1632
#11 0x00007f2fbb3a5d59 in _kdc_tgs_rep
(context=context at entry=0x563e56737020,
config=config at entry=0x563e54c1d970, req=req at entry=0x7ffd395d5860,
data=data at entry=0x7ffd395d59d0, from=from at entry=0x563e54f1da90
"ipv4:10.142.170.24:46638",
    from_addr=from_addr at entry=0x7ffd395d59e0, datagram_reply=0) at
../source4/heimdal/kdc/krb5tgs.c:2386
#12 0x00007f2fbb3aa5a1 in kdc_tgs_req (context=0x563e56737020,
config=0x563e54c1d970, req_buffer=<optimized out>,
reply=0x7ffd395d59d0, from=0x563e54f1da90 "ipv4:10.142.170.24:46638",
addr=0x7ffd395d59e0, datagram_reply=0,
    claim=0x7ffd395d594c) at ../source4/heimdal/kdc/process.c:97
#13 0x00007f2fbb3aa828 in krb5_kdc_process_krb5_request
(context=0x563e56737020, config=config at entry=0x563e54c1d970,
buf=<optimized out>, len=<optimized out>,
reply=reply at entry=0x7ffd395d59d0,
    from=0x563e54f1da90 "ipv4:10.142.170.24:46638",
addr=0x7ffd395d59e0, datagram_reply=0) at
../source4/heimdal/kdc/process.c:242
#14 0x00007f2fbb5ca84e in kdc_process (kdc=0x563e54f10280,
mem_ctx=0x563e53cc1920, input=0x563e53cc1928, reply=0x563e53cc1938,
peer_addr=0x563e53f816f0, my_addr=<optimized out>, datagram_reply=0)
at ../source4/kdc/kdc-heimdal.c:84
#15 0x00007f2fbb5c5318 in kdc_tcp_call_loop (subreq=<optimized out>)
at ../source4/kdc/kdc-server.c:290
#16 0x00007f2fbbdf4cac in tstream_read_pdu_blob_done
(subreq=<optimized out>) at ../libcli/util/tstream.c:117
#17 0x00007f2fc66f9cab in tstream_readv_done (subreq=<optimized out>)
at ../lib/tsocket/tsocket.c:604
#18 0x00007f2fc66fc150 in tstream_bsd_readv_handler
(private_data=<optimized out>) at ../lib/tsocket/tsocket_bsd.c:1877
#19 0x00007f2fc8fbfff3 in epoll_event_loop (tvalp=0x7ffd395d5bc0,
epoll_ev=0x563e5397f440) at ../tevent_epoll.c:728
#20 epoll_event_loop_once (ev=<optimized out>, location=<optimized
out>) at ../tevent_epoll.c:930
#21 0x00007f2fc8fbe407 in std_event_loop_once (ev=0x563e5397f1c0,
location=0x7f2fbdd55378 "../source4/smbd/process_standard.c:364") at
../tevent_standard.c:114
#22 0x00007f2fc8fba1bd in _tevent_loop_once
(ev=ev at entry=0x563e5397f1c0, location=location at entry=0x7f2fbdd55378
"../source4/smbd/process_standard.c:364") at ../tevent.c:721
#23 0x00007f2fc8fba3eb in tevent_common_loop_wait (ev=0x563e5397f1c0,
location=0x7f2fbdd55378 "../source4/smbd/process_standard.c:364") at
../tevent.c:844
#24 0x00007f2fc8fbe3a7 in std_event_loop_wait (ev=0x563e5397f1c0,
location=0x7f2fbdd55378 "../source4/smbd/process_standard.c:364") at
../tevent_standard.c:145
#25 0x00007f2fbdd54bd2 in standard_new_task (ev=0x563e5397f1c0,
lp_ctx=0x563e53976020, service_name=0x7f2fbb5cd3b2 "kdc",
new_task=0x7f2fca7bc950 <task_server_callback>,
private_data=0x563e53c7b870)
    at ../source4/smbd/process_standard.c:364
#26 0x00007f2fca7bca7a in task_server_startup
(event_ctx=event_ctx at entry=0x563e5397f1c0,
lp_ctx=lp_ctx at entry=0x563e53976020,
service_name=service_name at entry=0x7f2fbb5cd3b2 "kdc",
    model_ops=model_ops at entry=0x7f2fbdf55be0 <standard_ops>,
task_init=0x7f2fbb5c9f80 <kdc_task_init>) at
../source4/smbd/service_task.c:114
#27 0x00007f2fca7bb6d2 in server_service_init
(model_ops=0x7f2fbdf55be0 <standard_ops>, lp_ctx=0x563e53976020,
event_context=0x563e5397f1c0, name=0x563e53978d10 "kdc") at
../source4/smbd/service.c:63
#28 server_service_startup (event_ctx=0x563e5397f1c0,
lp_ctx=0x563e53976020, model=<optimized out>,
server_services=<optimized out>) at ../source4/smbd/service.c:95
#29 0x0000563e53754233 in binary_smbd_main (argc=<optimized out>,
argv=<optimized out>, binary_name=0x563e53754d28 "samba") at
../source4/smbd/server.c:489
#30 0x00007f2fc8c327f0 in __libc_start_main (main=0x563e53753000
<main>, argc=1, argv=0x7ffd395d61d8, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7ffd395d61c8) at ../csu/libc-start.c:289
#31 0x0000563e53753039 in _start () at ../sysdeps/x86_64/start.S:108


So... no KDC request for any TGS works if we have a secondary
trusted domain and dsdb_trust_xref_forest_info() failed. And it fails
every time the nCName attribute does not exist in the LDAP request for it:

# Windows DC
[user at samba-dc ~]$ ldbsearch -k yes -H ldap://dc-resp142 -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef))' dnsRoot nETBIOSName nCName rootTrust
trustParent -d0 | grep -B1 -A2 'OMSU'
# record 6
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=omsu,DC=adm72,DC=local
dnsRoot: omsu.adm72.local
nETBIOSName: OMSU
trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local

# Samba DC
[user at samba-dc ~]$ ldbsearch -k yes -H ldap://samba-dc -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef))' dnsRoot nETBIOSName nCName rootTrust
trustParent -d0 | grep -B1 -A2 'OMSU'
# record 7
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
dnsRoot: omsu.adm72.local
nETBIOSName: OMSU
trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local

# Local Data on Samba DC
[root at samba-dc ~]# ldbsearch -k yes -H
/var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
-b CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust
trustParent -d0 | grep -B1 -A2 'OMSU'
# record 7
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-17
 29258221-3996020766>;DC=omsu,DC=adm72,DC=local
dnsRoot: omsu.adm72.local
nETBIOSName: OMSU
trustParent: <GUID=251e4849-921f-4d28-ad6a-da8aa4348925>;CN=ADM72,CN=Partition
 s,CN=Configuration,DC=adm72,DC=local

_____________________

The current workaround that I found (and it works) looks like this:
diff --git a/source4/dsdb/common/util_trusts.c
b/source4/dsdb/common/util_trusts.c
index aea3720..be2b3d1 100644
--- a/source4/dsdb/common/util_trusts.c
+++ b/source4/dsdb/common/util_trusts.c
@@ -1052,8 +1052,9 @@ NTSTATUS dsdb_trust_xref_forest_info(TALLOC_CTX *mem_ctx,
                nc_dn = samdb_result_dn(sam_ctx, m, m, "nCName", NULL);
                if (nc_dn == NULL) {
                        DEBUG(4, ("dsdb_trust_xref_forest_info cross2
nCName as result dn not found\n"));
-                       TALLOC_FREE(frame);
-                       return NT_STATUS_INTERNAL_DB_CORRUPTION;
+                       //TALLOC_FREE(frame);
+                       //return NT_STATUS_INTERNAL_DB_CORRUPTION;
+                       continue;
                }

                status = dsdb_get_extended_dn_sid(nc_dn, &sid, "SID");
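Review bot: the `continue` in this hunk downgrades a condition the code treats as database corruption into a silent skip that is only visible at DEBUG level 4, and the two commented-out lines (`//TALLOC_FREE(frame);` and `//return NT_STATUS_INTERNAL_DB_CORRUPTION;`) should be deleted rather than left behind as dead code. If the skip is kept, log it at a level operators see by default and include the dn of the crossRef being skipped, because a skipped entry means that trusted domain is missing from the forest info and from the routing table built on it, while the rest of the forest keeps working, which is easy to misdiagnose later. Since the local sam.ldb dump shows nCName present as an extended DN while the LDAP result lacks it, the durable fix is in why samdb_result_dn() sees no nCName here, not in tolerating its absence.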

I want to fix it completely, but I don't understand yet why LDAP does not
return the nCName attribute that exists in the Configuration partition.


PS: This is not the first or second time on a large AD installation that I
got this problem.

-- 
Sin (Sinelnikov Evgeny)
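As an added example, not part of the original post or of the Samba code, here is a small POSIX shell check that parses ldbsearch LDIF output and reports crossRef records that lack an nCName attribute, the exact condition that makes dsdb_trust_xref_forest_info() return NT_STATUS_INTERNAL_DB_CORRUPTION in the log above. The LDIF sample is constructed, and its GUID/SID values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): detect crossRef objects under
# CN=Partitions that come back without an nCName attribute, the condition
# that makes dsdb_trust_xref_forest_info() fail and the KDC refuse every TGS.

# Constructed sample mimicking ldbsearch LDIF output. Record 1 (OMSU) has no
# nCName, like the LDAP result in the post; record 2 has a wrapped one.
SAMPLE_LDIF='# record 1
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
dnsRoot: omsu.adm72.local
nETBIOSName: OMSU
trustParent: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local

# record 2
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=00000000-0000-0000-0000-000000000000>;<SID=S-1-5-21-0-0
 -0>;DC=adm72,DC=local
dnsRoot: adm72.local
nETBIOSName: ADM72

# returned 2 records
'

# crossrefs_missing_ncname: read LDIF on stdin and print the dn of every
# record that has no nCName attribute. LDIF continuation lines (leading
# space) and ldbsearch comment lines (# record N) are skipped; the attribute
# name is matched case-insensitively since ldb itself is case-insensitive.
crossrefs_missing_ncname() {
    awk '
        function flush() {
            if (dn != "" && !has_nc) print dn
            dn = ""; has_nc = 0
        }
        /^ /  { next }                      # continuation of a wrapped value
        /^#/  { next }                      # ldbsearch comment line
        /^$/  { flush(); next }             # blank line ends a record
        /^dn: / { dn = substr($0, 5) }
        /^[nN][cC][nN]ame: / { has_nc = 1 }
        END   { flush() }
    '
}

# count_missing: number of records in the constructed sample without nCName.
count_missing() {
    printf '%s' "$SAMPLE_LDIF" | crossrefs_missing_ncname | wc -l | tr -d ' '
}

# Live use against a DC (needs a Kerberos ticket), for example:
#   ldbsearch -k yes -H ldap://samba-dc \
#     -b CN=Partitions,CN=Configuration,DC=adm72,DC=local \
#     '(objectClass=crossRef)' nCName | crossrefs_missing_ncname
```

Run the live form against both the LDAP endpoint and the local sam.ldb partition file, as the post does; a dn that appears only for the LDAP endpoint is the mismatch the workaround is papering over.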


