thr3ads.net - samba - [Samba] Samba4 KDC - no such entry found in hdb [Oct 2012]

If this information is useful, please help other people find it:
Share via:

Dmitry Khromov

2012-Oct-01 06:43 UTC

[Samba] Samba4 KDC - no such entry found in hdb

Hello.
Samba 4.1.0pre1-GIT-aad669b, joined as a DC to an existing domain. At least 6
accounts behave like this:
Kerberos: AS-REQ techgroup at KLIN.KIFATO-MK.COM from ipv4:192.168.1.31:33822
for krbtgt/KLIN.KIFATO-MK.COM at KLIN.KIFATO-MK.COM
ldb: ldb_trace_request: SEARCH
 dn: <rootDSE>
 scope: sub
 expr: (&(objectClass=user)(userPrincipalName=techgroup at
KLIN.KIFATO-MK.COM))
 control: 1.2.840.113556.1.4.1340  crit:1  data:yes

ldb: ldb_trace_request: (resolve_oids)->search
ldb: ldb_trace_next_request: (rootdse)->search
ldb: ldb_trace_next_request: (schema_load)->search
ldb: ldb_trace_next_request: (lazy_commit)->search
ldb: ldb_trace_next_request: (dirsync)->search
ldb: ldb_trace_next_request: (paged_results)->search
ldb: ldb_trace_next_request: (ranged_results)->search
ldb: ldb_trace_next_request: (anr)->search
ldb: ldb_trace_next_request: (server_sort)->search
ldb: ldb_trace_next_request: (asq)->search
ldb: ldb_trace_next_request: (extended_dn_in)->search
ldb: ldb_trace_next_request: (descriptor)->search
ldb: ldb_trace_next_request: (acl)->search
ldb: ldb_trace_next_request: (aclread)->search
ldb: ldb_trace_next_request: (operational)->search
ldb: ldb_trace_next_request: (rdn_name)->search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
ldb: ldb_trace_next_request: (show_deleted)->search
ldb: ldb_trace_next_request: (partition)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: ldb_trace_next_request: (aclread)->search
ldb: ldb_trace_next_request: (operational)->search
ldb: ldb_trace_next_request: (rdn_name)->search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
ldb: ldb_trace_next_request: (show_deleted)->search
ldb: ldb_trace_next_request: (partition)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (schema_data)->search
ldb: ldb_trace_next_request: (tdb)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: ldb_trace_response: ENTRY
dn: CN=??????????? ?????????,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com



ldb: ldb_trace_response: DONE
error: 0

ldb: ldb_trace_request: SEARCH
 dn: CN=Partitions,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
 scope: one
 expr:
(&(objectClass=crossRef)(dnsRoot=klin.kifato-mk.com)(systemFlags:1.2.840.113556.1.4.803:=2))
 attr: ncName
 attr: dnsRoot
 control: <NONE>

ldb: ldb_trace_request: (resolve_oids)->search
ldb: ldb_trace_next_request: (rootdse)->search
ldb: ldb_trace_next_request: (schema_load)->search
ldb: ldb_trace_next_request: (lazy_commit)->search
ldb: ldb_trace_next_request: (dirsync)->search
ldb: ldb_trace_next_request: (paged_results)->search
ldb: ldb_trace_next_request: (ranged_results)->search
ldb: ldb_trace_next_request: (anr)->search
ldb: ldb_trace_next_request: (server_sort)->search
ldb: ldb_trace_next_request: (asq)->search
ldb: ldb_trace_next_request: (extended_dn_in)->search
ldb: ldb_trace_next_request: (descriptor)->search
ldb: ldb_trace_next_request: (acl)->search
ldb: ldb_trace_next_request: (aclread)->search
ldb: ldb_trace_next_request: (operational)->search
ldb: ldb_trace_next_request: (rdn_name)->search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
ldb: ldb_trace_next_request: (show_deleted)->search
ldb: ldb_trace_next_request: (partition)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: ldb_trace_next_request: (aclread)->search
ldb: ldb_trace_next_request: (operational)->search
ldb: ldb_trace_next_request: (rdn_name)->search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
ldb: ldb_trace_next_request: (show_deleted)->search
ldb: ldb_trace_next_request: (partition)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: ldb_trace_next_request: (show_deleted)->search
ldb: ldb_trace_next_request: (partition)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (schema_data)->search
ldb: ldb_trace_next_request: (tdb)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: ldb_trace_response: ENTRY
dn: CN=MK_KLIN,CN=Partitions,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
nCName: DC=klin,DC=kifato-mk,DC=com
dnsRoot: klin.kifato-mk.com



ldb: ldb_trace_response: DONE
error: 0

ldb: ldb_trace_request: SEARCH
 dn: DC=klin,DC=kifato-mk,DC=com
 scope: base
 expr: (|(objectClass=*)(distinguishedName=*))
 control: <NONE>

ldb: ldb_trace_request: (resolve_oids)->search
ldb: ldb_trace_next_request: (rootdse)->search
ldb: ldb_trace_next_request: (schema_load)->search
ldb: ldb_trace_next_request: (lazy_commit)->search
ldb: ldb_trace_next_request: (dirsync)->search
ldb: ldb_trace_next_request: (paged_results)->search
ldb: ldb_trace_next_request: (ranged_results)->search
ldb: ldb_trace_next_request: (anr)->search
ldb: ldb_trace_next_request: (server_sort)->search
ldb: ldb_trace_next_request: (asq)->search
ldb: ldb_trace_next_request: (extended_dn_in)->search
ldb: ldb_trace_next_request: (descriptor)->search
ldb: ldb_trace_next_request: (acl)->search
ldb: ldb_trace_next_request: (aclread)->search
ldb: ldb_trace_next_request: (operational)->search
ldb: ldb_trace_next_request: (rdn_name)->search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
ldb: ldb_trace_next_request: (show_deleted)->search
ldb: ldb_trace_next_request: (partition)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: ldb_trace_next_request: (aclread)->search
ldb: ldb_trace_next_request: (operational)->search
ldb: ldb_trace_next_request: (rdn_name)->search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
ldb: ldb_trace_next_request: (show_deleted)->search
ldb: ldb_trace_next_request: (partition)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: ldb_trace_response: ENTRY
dn: DC=klin,DC=kifato-mk,DC=com



ldb: ldb_trace_response: DONE
error: 0

gendb_search_v: DC=klin,DC=kifato-mk,DC=com NULL -> 1
ldb: ldb_trace_request: SEARCH
 dn: CN=??????????? ?????????,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com
 scope: base
 expr: (objectClass=*)
 attr: objectClass
 attr: sAMAccountName
 attr: userPrincipalName
 attr: servicePrincipalName
 attr: msDS-KeyVersionNumber
 attr: msDS-SecondaryKrbTgtNumber
 attr: msDS-SupportedEncryptionTypes
 attr: supplementalCredentials
 attr: msDS-AllowedToDelegateTo
 attr: dBCSPwd
 attr: unicodePwd
 attr: userAccountControl
 attr: objectSid
 attr: pwdLastSet
 attr: accountExpires
 attr: logonHours
 attr: userWorkstations
 attr: displayName
 attr: scriptPath
 attr: profilePath
 attr: homeDirectory
 attr: homeDrive
 attr: lastLogon
 attr: lastLogoff
 attr: accountExpires
 attr: badPwdCount
 attr: logonCount
 attr: primaryGroupID
 attr: memberOf
 control: 1.3.6.1.4.1.7165.4.3.17  crit:0  data:no
 control: 1.2.840.113556.1.4.529  crit:1  data:yes

ldb: ldb_trace_request: (resolve_oids)->search
ldb: ldb_trace_next_request: (rootdse)->search
ldb: ldb_trace_next_request: (schema_load)->search
ldb: ldb_trace_next_request: (lazy_commit)->search
ldb: ldb_trace_next_request: (dirsync)->search
ldb: ldb_trace_next_request: (paged_results)->search
ldb: ldb_trace_next_request: (ranged_results)->search
ldb: ldb_trace_next_request: (anr)->search
ldb: ldb_trace_next_request: (server_sort)->search
ldb: ldb_trace_next_request: (asq)->search
ldb: ldb_trace_next_request: (extended_dn_in)->search
ldb: ldb_trace_next_request: (descriptor)->search
ldb: ldb_trace_next_request: (acl)->search
ldb: ldb_trace_next_request: (aclread)->search
ldb: ldb_trace_next_request: (operational)->search
ldb: ldb_trace_next_request: (rdn_name)->search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
ldb: ldb_trace_next_request: (show_deleted)->search
ldb: ldb_trace_next_request: (partition)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: ldb_trace_next_request: (aclread)->search
ldb: ldb_trace_next_request: (operational)->search
ldb: ldb_trace_next_request: (rdn_name)->search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
ldb: ldb_trace_next_request: (show_deleted)->search
ldb: ldb_trace_next_request: (partition)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: ldb_trace_response: ENTRY
dn:
<GUID=314022f9-1f59-418a-a1d2-7ada0f2f6e60>;<SID=S-1-5-21-98486140-92642785-846719952-1283>;CN=???????????
?????????,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
displayName::
0KLQtdGF0L3QuNGH0LXRgdC60LDRjyDQv9C+0LTQtNC10YDQttC60LAuserAccountControl: 512
# dBCSPwd::: REDACTED SECRET ATTRIBUTElogonHours:: ////////////////////////////
# unicodePwd::: REDACTED SECRET ATTRIBUTEpwdLastSet: 129069970834375000
primaryGroupID: 513
# supplementalCredentials::: REDACTED SECRET ATTRIBUTEobjectSid:
S-1-5-21-98486140-92642785-846719952-1283
accountExpires: 0
sAMAccountName: techgroup
userPrincipalName: techgroup at klin.kifato-mk.com
memberOf:
<GUID=7ee0eccc-f4cf-4df5-bb6f-39be7d8d695f>;<SID=S-1-5-21-98486140-9
 2642785-846719952-63836>;CN=vlan332,OU=VLANs,OU=Organizational,DC=klin,DC=kif
 ato-mk,DC=com
memberOf:: PEdVSUQ9ZjdkZmUwYjItNzQwNC00Yzc4LWI5ZjAtMDdjOGU2NmY4M2ZiPjs8U0lEPVM
 tMS01LTIxLTk4NDg2MTQwLTkyNjQyNzg1LTg0NjcxOTk1Mi02MzgzMj47Q0490JvQvtC60LDQu9GM
 0L3Ri9C1INCw0LTQvNC40L3QuNGB0YLRgNCw0YLQvtGA0YssT1U9SVQsT1U9RGVwYXJ0bWVudHMsR
 EM9a2xpbixEQz1raWZhdG8tbWssREM9Y29t
memberOf:
<GUID=ffd72e00-9c15-4b46-bcce-f232c7a772b4>;<SID=S-1-5-21-98486140-9
 2642785-846719952-63819>;CN=Plant
B,OU=Locations,OU=Organizational,DC=klin,DC
 =kifato-mk,DC=com
msDS-KeyVersionNumber: 3



ldb: ldb_trace_response: DONE
error: 0

ldb: ldb_trace_request: SEARCH
 dn: DC=klin,DC=kifato-mk,DC=com
 scope: base
 expr: (|(objectClass=*)(distinguishedName=*))
 attr: maxPwdAge
 control: <NONE>

ldb: ldb_trace_request: (resolve_oids)->search
ldb: ldb_trace_next_request: (rootdse)->search
ldb: ldb_trace_next_request: (schema_load)->search
ldb: ldb_trace_next_request: (lazy_commit)->search
ldb: ldb_trace_next_request: (dirsync)->search
ldb: ldb_trace_next_request: (paged_results)->search
ldb: ldb_trace_next_request: (ranged_results)->search
ldb: ldb_trace_next_request: (anr)->search
ldb: ldb_trace_next_request: (server_sort)->search
ldb: ldb_trace_next_request: (asq)->search
ldb: ldb_trace_next_request: (extended_dn_in)->search
ldb: ldb_trace_next_request: (descriptor)->search
ldb: ldb_trace_next_request: (acl)->search
ldb: ldb_trace_next_request: (aclread)->search
ldb: ldb_trace_next_request: (operational)->search
ldb: ldb_trace_next_request: (rdn_name)->search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
ldb: ldb_trace_next_request: (show_deleted)->search
ldb: ldb_trace_next_request: (partition)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: ldb_trace_next_request: (aclread)->search
ldb: ldb_trace_next_request: (operational)->search
ldb: ldb_trace_next_request: (rdn_name)->search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
ldb: ldb_trace_next_request: (show_deleted)->search
ldb: ldb_trace_next_request: (partition)->search
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: ldb_trace_response: ENTRY
dn: DC=klin,DC=kifato-mk,DC=com
maxPwdAge: -9223372036854775808



ldb: ldb_trace_response: DONE
error: 0

gendb_search_v: DC=klin,DC=kifato-mk,DC=com NULL -> 1
ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
[0000] 00 00 00 00 62 00 00 00   00 00 00 00 20 00 20 00   ....b... .... . .
[0010] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0020] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0030] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0040] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0050] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0060] 20 00 20 00 20 00 20 00   20 00 20 00 50 00 00      . . . .  . .P..
Kerberos: UNKNOWN -- techgroup at KLIN.KIFATO-MK.COM: no such entry found in hdb

What's wrong with them?
-- 
Best regards,
Dmitry Khromov

Dmitry Khromov

2012-Oct-01 07:48 UTC

head link

[Samba] Samba4 KDC - no such entry found in hdb

On Mon, 1 Oct 2012 10:43:59 +0400
Dmitry Khromov <icechrome at gmail.com> wrote:
> Samba 4.1.0pre1-GIT-aad669b, joined as a DC to an existing domain. At least
6 accounts behave like this:
> Kerberos: AS-REQ techgroup at KLIN.KIFATO-MK.COM from
ipv4:192.168.1.31:33822 for krbtgt/KLIN.KIFATO-MK.COM at KLIN.KIFATO-MK.COM
...> Kerberos: UNKNOWN -- techgroup at KLIN.KIFATO-MK.COM: no such entry found
in hdb
This disappears once you reset the password on Windows DC, however not on Samba
DC:
$ bin/samba-tool user setpassword dummyuser --newpassword=password
--URL=ldap://sambadc -U someadminuser%someadminpassword # We hadn't reset
password on Windows DC yet
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
ERROR: Failed to set password for user 'dummyuser': (1, 'LDAP error
1 LDAP_OPERATION
S_ERROR -  <00002020: setup_supplemental_field: failed to pull old
supplementalCr
edentialsBlob: NT_STATUS_BUFFER_TOO_SMALL> <>')
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/user.py",
lin
e 547, in run
    username=username)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line
459,
 in setpassword
    self.modify_ldif(setpw)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py",
line 2
35, in modify_ldif
    self.modify(msg, controls)

Resetting password on Windows DC enables samba-tool to reset password for this
account on Samba DC, too.
Somewhat broken DB on Windows? Any suggestions on how to fix such accounts in
order to be able to reset passwords when Windows DC will be demoted?

--
Regards,
Dmitry Khromov

Maybe Matching Threads

Search for more possibly parallel threads

samba - Oct 2012 - Samba4 KDC - no such entry found in hdb

[Samba] Samba4 KDC - no such entry found in hdb

[Samba] Samba4 KDC - no such entry found in hdb

Maybe Matching Threads