Andrej Gessel
2017-Nov-09 12:24 UTC
[Samba] samba_kcc RODC failes with NT_STATUS_ACCESS_DENIED
Hello list,
I run 2 Samba 4.7.1 RODCs. One in my Default-First-Site-Name and one in an
additional site where only a Samba RODC exists.
When I start samba_kcc on the first RODC it runs without errors. If I start
samba_kcc on the RODC in the additional site it fails with:
/usr/local/samba/sbin/samba_kcc: Traceback (most recent call last):
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>
/usr/local/samba/sbin/samba_kcc: attempt_live_connections=opts.attempt_live_connections)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run
/usr/local/samba/sbin/samba_kcc: all_connected = self.intersite(ping)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite
/usr/local/samba/sbin/samba_kcc: all_connected = self.create_intersite_connections()
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections
/usr/local/samba/sbin/samba_kcc: part, True)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections
/usr/local/samba/sbin/samba_kcc: partial_ok, detect_failed)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection
/usr/local/samba/sbin/samba_kcc: lbh.commit_connections(self.samdb)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections
/usr/local/samba/sbin/samba_kcc: connect.commit_added(samdb, ro)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added
/usr/local/samba/sbin/samba_kcc: (self.dnstr, estr))
/usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could not add nTDSConnection for (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings,CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samdom,DC=com) - (Invalid LDB reply type 1)
../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc - NT_STATUS_ACCESS_DENIED
root@buildhost /home/andrej/gitrepos/samba (git)-[samba-4.7.1] # samba-tool drs showrepl -UAdministrator
Testsite\BUILDHOST
DSA Options: 0x00000025
DSA object GUID: 6a61584e-a6c8-435a-8e20-39a25d6a3232
DSA invocationId: d5ac7a08-9dcd-41ec-a39f-42fd906530e8
==== INBOUND NEIGHBORS ===
==== OUTBOUND NEIGHBORS ===
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: RODC Connection (FRS)
Enabled : TRUE
Server DNS name : test-dc.2a-net.local
Server DN name : CN=NTDS Settings,CN=TEST-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=com
TransportType: RPC
options: 0x00000041
Warning: No NC replicated for Connection!
Replication works correctly.
As far as I understand, the RODC generates its own topology and should create an
intersite connection, because the replication server is in the other site.
Is this code/binary tested somewhere?
Andrej
Rowland Penny
2017-Nov-09 13:04 UTC
[Samba] samba_kcc RODC failes with NT_STATUS_ACCESS_DENIED
On Thu, 9 Nov 2017 12:24:49 +0000 Andrej Gessel via samba <samba at lists.samba.org> wrote:
> Hello list,
>
> I run 2 Samba 4.7.1 RODCs. One in my Default-First-Site-Name and in
> additional Site where only Samba RODC exists.
>
> When I start samba_kcc on first RODC it runs without errors. If I
> start samba_kcc on RODC in additional Site it fails with:
>

What do you mean by 'When I start samba_kcc' ?? You don't start this manually.

Rowland
Andrej Gessel
2017-Nov-09 13:42 UTC
[Samba] samba_kcc RODC failes with NT_STATUS_ACCESS_DENIED
Hello Rowland,

of course it will be started by samba, I saw this output if I run "samba -i". But I can trigger this output also by starting samba_kcc manually.

Andrej

-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org]
Sent: Thursday, 9 November 2017 14:04
To: samba at lists.samba.org
Cc: Andrej Gessel <Andrej.Gessel at janztec.com>
Subject: Re: [Samba] samba_kcc RODC failes with NT_STATUS_ACCESS_DENIED

On Thu, 9 Nov 2017 12:24:49 +0000 Andrej Gessel via samba <samba at lists.samba.org> wrote:
> Hello list,
>
> I run 2 Samba 4.7.1 RODCs. One in my Default-First-Site-Name and in
> additional Site where only Samba RODC exists.
>
> When I start samba_kcc on first RODC it runs without errors. If I
> start samba_kcc on RODC in additional Site it fails with:
>

What do you mean by 'When I start samba_kcc' ?? You don't start this manually.

Rowland