Andrej Gessel
2017-Nov-09  13:42 UTC
[Samba] samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED
Hello Rowland,
Of course it will be started by samba; I saw this output when I ran "samba -i". But I can also trigger this output by starting samba_kcc manually.
Andrej
-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org]
Sent: Thursday, 9 November 2017 14:04
To: samba at lists.samba.org
Cc: Andrej Gessel <Andrej.Gessel at janztec.com>
Subject: Re: [Samba] samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED
On Thu, 9 Nov 2017 12:24:49 +0000
Andrej Gessel via samba <samba at lists.samba.org> wrote:
> Hello list,
>
> I run 2 Samba 4.7.1 RODCs. One in my Default-First-Site-Name and in
> additional Site where only Samba RODC exists.
>
> When I start samba_kcc on first RODC it runs without errors. If I
> start samba_kcc on RODC in additional Site it fails with:
>
What do you mean by 'When I start samba_kcc' ??
You don't start this manually.
Rowland
Andrej Gessel
2017-Nov-10  16:36 UTC
[Samba] samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED
Hello list,
I tried to fix my issue and found some more debug information:
1) I see error in this situation:
Default-First-Site-Name:
	- TEST-DC (RWDC)
Testsite2:
	- empty
Testsite:
	- BUILDHOST (RODC)
If I move TEST-DC to Testsite2, it fixes the error, maybe because of 2).
2) The create_connections function in python/samba/kcc/__init__.py always tries to
connect to Default-First-Site-Name, although Default-First-Site-Name is now
empty and TEST-DC is in Testsite2.
get_bridgehead found just the TEST-DC from Testsite2.
@@ -1710,12 +1710,14 @@ class KCC(object):
 
         # Utilize the IP transport only for now
         transport = self.ip_transport
 
         DEBUG("edge_list %s" % edge_list)
         for e in edge_list:
+            print "--------e.vertices[0].site: %s" %
e.vertices[0].site.site_dnstr
+            print "--------e.vertices[1].site: %s" %
e.vertices[1].site.site_dnstr
             # XXX more accurate comparison?
             if e.directed and e.vertices[0].site is self.my_site:
                 continue
 
             if e.vertices[0].site is self.my_site:
                 rsite = e.vertices[1].site
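Review bot: the two added `print` lines at the top of the `for e in edge_list:` loop are wrapped mid-expression, and the continuation lines `e.vertices[0].site.site_dnstr` and `e.vertices[1].site.site_dnstr` carry no leading `+`, so the hunk as pasted will not apply cleanly; if this instrumentation is meant to stay in the tree, use the module's own `DEBUG("...")` helper already used two lines above (`DEBUG("edge_list %s" % edge_list)`), which honours the KCC's verbosity setting instead of writing unconditionally to stdout.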
These changes always show me the edges between Default-First-Site-Name and
Testsite; what I think I should see here is one connection to Default-First-Site-Name
and one connection to Testsite2.
3) Should it not be as shown below? If ldsa/lbh is RO, it fails as shown
in the previous e-mail:
diff --git a/python/samba/kcc/__init__.py b/python/samba/kcc/__init__.py
index 6f973ea..46689da 100644
--- a/python/samba/kcc/__init__.py
+++ b/python/samba/kcc/__init__.py
@@ -1498,13 +1498,13 @@ class KCC(object):
                              dsdb.NTDSSITELINK_OPT_DISABLE_COMPRESSION) != 0):
                             cn.options |= \
                                 dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
                             cn.set_modified(True)
 
                     # Display any modified connection
-                    if self.readonly:
+                    if self.readonly or ldsa.is_ro():
                         if cn.to_be_modified:
                             logger.info("TO BE MODIFIED:\n%s" % cn)
 
                         ldsa.commit_connections(self.samdb, ro=True)
                     else:
                         ldsa.commit_connections(self.samdb)
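Review bot: the widened condition `if self.readonly or ldsa.is_ro():` lands in a branch that still logs `TO BE MODIFIED:` for every changed connection, which on an RODC is misleading because `ldsa.commit_connections(self.samdb, ro=True)` will never write it; consider logging that case at debug level or wording it as "not modified (read-only DSA)". A short comment above the `if` stating that a read-only DSA cannot commit these connections (the NT_STATUS_ACCESS_DENIED from the subject) would record why both the tool flag and the DSA state are consulted.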
@@ -1582,13 +1582,13 @@ class KCC(object):
                             dsdb.SYSTEM_FLAG_CONFIG_ALLOW_MOVE)
 
             cn = lbh.new_connection(opt, system_flags, transport,
                                     rbh.dsa_dnstr, link_sched)
 
             # Display any added connection
-            if self.readonly:
+            if self.readonly or lbh.is_ro():
                 if cn.to_be_added:
                     logger.info("TO BE ADDED:\n%s" % cn)
 
                     lbh.commit_connections(self.samdb, ro=True)
             else:
                 lbh.commit_connections(self.samdb)
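Review bot: the predicate `self.readonly or <dsa>.is_ro()` now appears twice (with `ldsa` at 1498 and `lbh` at 1582); factoring it into one small helper, or at least a comment at each site pointing at the other, keeps the two gates from drifting apart. Note also that `lbh.new_connection(opt, system_flags, transport, rbh.dsa_dnstr, link_sched)` still runs before the check, so the in-memory connection object is always built and only the commit is skipped; that is fine as long as `commit_connections(self.samdb, ro=True)` never touches the database, and is worth stating in the commit message alongside the Signed-off-by.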
Please correct me if I'm wrong so I'm not looking in the wrong direction
to solve this issue.
Andrej
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Andrej
Gessel via samba
Sent: Thursday, 9 November 2017 14:43
To: Rowland Penny <rpenny at samba.org>; samba at lists.samba.org
Subject: Re: [Samba] samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED
Hello Rowland,
Of course it will be started by samba; I saw this output when I ran "samba
-i".
But I can also trigger this output by starting samba_kcc manually.
Andrej
-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org]
Sent: Thursday, 9 November 2017 14:04
To: samba at lists.samba.org
Cc: Andrej Gessel <Andrej.Gessel at janztec.com>
Subject: Re: [Samba] samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED
On Thu, 9 Nov 2017 12:24:49 +0000
Andrej Gessel via samba <samba at lists.samba.org> wrote:
> Hello list,
> 
> I run 2 Samba 4.7.1 RODCs. One in my Default-First-Site-Name and in 
> additional Site where only Samba RODC exists.
> 
> When I start samba_kcc on first RODC it runs without errors. If I
> start samba_kcc on RODC in additional Site it fails with:
> 
What do you mean by 'When I start samba_kcc' ??
You don't start this manually.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Douglas Bagnall
2017-Nov-11  00:15 UTC
[Samba] samba_kcc RODC fails with NT_STATUS_ACCESS_DENIED
hi Andrej,
Yes, this is the correct fix:
> diff --git a/python/samba/kcc/__init__.py b/python/samba/kcc/__init__.py > index 6f973ea..46689da 100644 > --- a/python/samba/kcc/__init__.py > +++ b/python/samba/kcc/__init__.py > @@ -1498,13 +1498,13 @@ class KCC(object): > dsdb.NTDSSITELINK_OPT_DISABLE_COMPRESSION) != 0): > cn.options |= \ > dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION > cn.set_modified(True) > > # Display any modified connection > - if self.readonly: > + if self.readonly or ldsa.is_ro(): > if cn.to_be_modified: > logger.info("TO BE MODIFIED:\n%s" % cn) > > ldsa.commit_connections(self.samdb, ro=True) > else: > ldsa.commit_connections(self.samdb) > @@ -1582,13 +1582,13 @@ class KCC(object): > dsdb.SYSTEM_FLAG_CONFIG_ALLOW_MOVE) > > cn = lbh.new_connection(opt, system_flags, transport, > rbh.dsa_dnstr, link_sched) > > # Display any added connection > - if self.readonly: > + if self.readonly or lbh.is_ro(): > if cn.to_be_added: > logger.info("TO BE ADDED:\n%s" % cn) > > lbh.commit_connections(self.samdb, ro=True) > else: > lbh.commit_connections(self.samdb) >
Can you format it as a patch with a Signed-off-by and send it to samba-technical?
The KCC can't really do much on an RODC (because it is read-only), but it shouldn't crash here because of the few useful things it can do, like tidy up the non-replicated repsFrom objects. Samba has no automatic way of managing the replication links for RODCs, and we are not really sure how Windows does it.
cheers,
Douglas
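The commit gate Andrej patched, and Douglas's point that the KCC should not crash on an RODC, can be seen in a constructed Python model (an added example, not Samba's code and not from either poster). The `DSA`, `FakeSamDB`, `Connection` and `create_connection` names, the `AccessDenied` exception and the `DC=example,DC=test` DNs are assumptions; the only thing taken from the thread is the shape of the check, `self.readonly` alone versus `self.readonly or lbh.is_ro()`.

```python
"""Constructed model of the commit decision in the KCC's create_connections
path (hypothetical, NOT Samba's code).  It shows why gating the write on the
tool's own --readonly flag alone makes an RODC run into
NT_STATUS_ACCESS_DENIED, and why also consulting the local DSA's is_ro()
turns the write into a report while leaving a writable DC unchanged."""
import logging

logger = logging.getLogger("kcc-model")


class AccessDenied(Exception):
    """Stands in for the directory error an RODC gets when it tries to
    write an object it only holds a read-only replica of."""


class FakeSamDB:
    """Minimal stand-in for the directory: refuses writes when the hosting
    DSA is read-only, records the ones that succeed."""

    def __init__(self, hosted_by_rodc):
        self.hosted_by_rodc = hosted_by_rodc
        self.written = []

    def add(self, dn):
        if self.hosted_by_rodc:
            raise AccessDenied("NT_STATUS_ACCESS_DENIED: %s" % dn)
        self.written.append(dn)


class Connection:
    """An nTDSConnection object that has been planned but not yet stored."""

    def __init__(self, dn):
        self.dn = dn
        self.to_be_added = True


class DSA:
    """Model of the local bridgehead DSA (the `lbh` in the patch)."""

    def __init__(self, dnstr, ro):
        self.dsa_dnstr = dnstr
        self._ro = ro
        self.connections = []

    def is_ro(self):
        return self._ro

    def new_connection(self, dn):
        cn = Connection(dn)
        self.connections.append(cn)
        return cn

    def commit_connections(self, samdb, ro=False):
        """ro=True only reports what would be added; otherwise it writes."""
        for cn in self.connections:
            if not cn.to_be_added:
                continue
            if ro:
                logger.info("TO BE ADDED:\n%s", cn.dn)
            else:
                samdb.add(cn.dn)
                cn.to_be_added = False


def create_connection(kcc_readonly, lbh, samdb, patched):
    """Mirror of the decision around `# Display any added connection`.

    kcc_readonly: the tool's own --readonly flag (self.readonly).
    patched:      False = gate on self.readonly only (original code),
                  True  = also gate on lbh.is_ro() (the fix in the thread).
    Returns "committed", "reported" or "access_denied".
    """
    cn = lbh.new_connection("CN=fromRWDC,CN=NTDS Settings,%s" % lbh.dsa_dnstr)
    gate = kcc_readonly or (patched and lbh.is_ro())
    try:
        if gate:
            lbh.commit_connections(samdb, ro=True)
            return "reported"
        lbh.commit_connections(samdb)
        return "committed"
    except AccessDenied:
        return "access_denied"


def scenario_rodc(patched):
    """RODC in Testsite (constructed DN), run through either version of the check."""
    rodc = DSA("CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,"
               "CN=Configuration,DC=example,DC=test", ro=True)
    db = FakeSamDB(hosted_by_rodc=True)
    return create_connection(False, rodc, db, patched)


def scenario_rwdc(patched):
    """Writable DC (constructed DN): the extra is_ro() test must not change anything."""
    rwdc = DSA("CN=TEST-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,"
               "CN=Configuration,DC=example,DC=test", ro=False)
    db = FakeSamDB(hosted_by_rodc=False)
    return create_connection(False, rwdc, db, patched)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("RODC, original gate:", scenario_rodc(patched=False))
    print("RODC, patched gate: ", scenario_rodc(patched=True))
    print("RWDC, patched gate: ", scenario_rwdc(patched=True))
```

The model keeps the two outcomes apart: with the original gate the RODC attempts the write and gets the access-denied error, with the patched gate it only logs what it would have added, and a writable DC still commits in both versions, which is the property a reviewer would want to confirm before the patch goes to samba-technical.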