KDC does not work in a configuration with a trusted domain

Evgeny Sinelnikov sin at altlinux.org
Mon Oct 9 23:28:25 UTC 2017


2017-10-09 21:53 GMT+04:00 Rowland Penny via samba-technical
<samba-technical at lists.samba.org>:
> On Mon, 9 Oct 2017 17:55:07 +0400
> Evgeny Sinelnikov via samba-technical <samba-technical at lists.samba.org>
> wrote:
>
>>
>> # Local Data on Samba DC
>> [root at samba-dc ~]# ldbsearch -k yes -H
>> /var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
>> -b CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust
>> trustParent -d0 | grep -B1 -A2 'OMSU'
>> # record 7
>> dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>> nCName: <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-1729258221-3996020766>;DC=omsu,DC=adm72,DC=local
>> dnsRoot: omsu.adm72.local
>> nETBIOSName: OMSU
>> trustParent: <GUID=251e4849-921f-4d28-ad6a-da8aa4348925>;CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
>>
>
> I cannot really help with this, except to point out two things:
>
> One: the above search is wrong, you should never search, or even
> worse change something, in sam.ldb.d. This search on a DC should work:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> CN=Partitions,CN=Configuration,DC=adm72,DC=local
> '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust
> trustParent -d0 | grep -B1 -A2 'OMSU'
>
> It does for me:
> ldbsearch -H /usr/local/samba/private/sam.ldb -b CN=Partitions,CN=Configuration,DC=samdom,DC=example,dc=com '(&(objectClass=crossRef))' dnsRoot nETBIOSName ncName rootTrust trustParent -d0 | grep -B1 -A2 'SAMDOM'

This is not the right internal LDAP request. Please try
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
instead.


> # record 5
> dn: CN=SAMDOM,CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com
> nCName: DC=samdom,DC=example,DC=com
> dnsRoot: samdom.example.com
> nETBIOSName: SAMDOM
>
> Which brings me to
>
> Two: if 'nCName' isn't being returned, is it actually there? Have
> you tried dumping the entire object?

I found a reproducible scenario for this problem:
https://bugzilla.samba.org/show_bug.cgi?id=13078

        ret = dsdb_search(sam_ctx, partitions_dn, &cross_res2,
                          partitions_dn, LDB_SCOPE_ONELEVEL,
                          cross_attrs2,
                          DSDB_SEARCH_SHOW_EXTENDED_DN,
                          "(&(objectClass=crossRef)"
                           "(systemFlags:%s:=%u))",
                          LDB_OID_COMPARATOR_AND,
                          SYSTEM_FLAG_CR_NTDS_DOMAIN);


# Samba DC
[user at samba-dc ~]$ ldbsearch -k yes -H ldap://samba-dc -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals


# Windows DC
[user at samba-dc ~]$ ldbsearch -k yes -H ldap://dc-resp142 -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=omsu,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals


# Internal request
[root at samba-dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb.d/ -b
CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags -d0
CN=CONFIGURATION,DC=ADM72,DC=LOCAL.ldb
DC=ADM72,DC=LOCAL.ldb
DC=FORESTDNSZONES,DC=ADM72,DC=LOCAL.ldb
CN=SCHEMA,CN=CONFIGURATION,DC=ADM72,DC=LOCAL.ldb
DC=DOMAINDNSZONES,DC=ADM72,DC=LOCAL.ldb           metadata.tdb
[root at samba-dc ~]# ldbsearch -H
/var/lib/samba/private/sam.ldb.d/CN\=CONFIGURATION\,DC\=ADM72\,DC\=LOCAL.ldb
-b CN=Partitions,CN=Configuration,DC=adm72,DC=local
'(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
nCName systemFlags -d0
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=20f2eac9-426d-4003-b9c8-0f2737f982f9>;<SID=S-1-5-21-3196609985-6
 36931310-2637777318>;DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: <GUID=2db28977-e989-4528-bb73-af31dfaad9a7>;<SID=S-1-5-21-925305307-17
 29258221-3996020766>;DC=omsu,DC=adm72,DC=local
systemFlags: 3

# returned 2 records
# 2 entries
# 0 referrals


-- 
Sin (Sinelnikov Evgeny)
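As an added example (not code from this thread, from Samba or from the bug report), here is a small checker for the condition the thread demonstrates: it parses ldbsearch LDIF output, unfolds continuation lines like those in the partition-database result above, and reports crossRef objects that carry the SYSTEM_FLAG_CR_NTDS_DOMAIN bit (the `systemFlags:1.2.840.113556.1.4.803:=2` test from the KDC's dsdb_search() filter) but no nCName. The sample input is constructed from the Samba DC output quoted above.

```python
# Added example (not from the thread, Samba, or the bug report): flag domain
# crossRef objects returned without nCName, as the thread shows for CN=OMSU.
import re

# Bit the KDC's filter tests: (systemFlags:1.2.840.113556.1.4.803:=2)
SYSTEM_FLAG_CR_NTDS_DOMAIN = 0x2


def parse_ldif(text):
    """Parse ldbsearch output into a list of {attr: [values]} dicts.

    Unfolds LDIF continuation lines (leading single space, as in the
    extended-DN nCName output) and skips '# record N' style comments.
    """
    unfolded = re.sub(r"\n ", "", text)
    records = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        if entry:
            records.append(entry)
    return records


def domain_crossrefs_missing_ncname(text):
    """Return DNs of crossRef records with CR_NTDS_DOMAIN set but no nCName."""
    missing = []
    for rec in parse_ldif(text):
        flags = int(rec.get("systemFlags", ["0"])[0])
        if flags & SYSTEM_FLAG_CR_NTDS_DOMAIN and "nCName" not in rec:
            missing.append(rec.get("dn", ["<no dn>"])[0])
    return missing


# Constructed sample: the Samba DC result quoted in the thread (no nCName for OMSU).
SAMBA_DC_OUTPUT = """\
# record 1
dn: CN=ADM72,CN=Partitions,CN=Configuration,DC=adm72,DC=local
nCName: DC=adm72,DC=local
systemFlags: 3

# record 2
dn: CN=OMSU,CN=Partitions,CN=Configuration,DC=adm72,DC=local
systemFlags: 3
"""
```

Feeding it the Windows DC or partition-database output from the thread yields an empty list, since both carry nCName for OMSU.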
