Well, I had a look at the python bindings and the error handling was in
shambles.
I fixed libgpo/pygpo.c and I now get:

    gpos = ads.get_gpo_list(creds.get_username())
    SystemError: Failed to get machine token for 'DC01$' (CN=DC01,OU=Domain Controllers,DC=rvx,DC=is)

(the failing call is status = gp_get_machine_token(self->ads_ptr, frame, dn, &token);)

I'm a former python core dev, so I know a bit about python c code. I've
fixed what I could find there, and will create a pull request. Meanwhile,
do you know why this may be failing? The DN does exist.

K

On Mon, 25 Feb 2019 at 13:10, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 25 Feb 2019 12:56:59 +0000
> Kristján Valur Jónsson via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> > I just upgraded to 4.8.9 and decided to give the samba_gpoupdate
> > feature a whirl.
> > However, it fails.
> > The line that's failing is "gpos = ads.get_gpo_list(creds.get_username())" returning None.
> >
> > This is probably a failure, since it should otherwise return an empty
> > list (if there were no gpos to return). But there is no output to
> > indicate what may be failing.
> > I have setup of three redundant domain controllers, all of them
> > similarly failing. Any thought on this, before I start digging around
> > inside gpo.so in the python module dir?
> >
> >
>
> It was renamed to 'samba_gpudate' from 4.9.0, there were other changes
> as well, perhaps testing 4.9.x would be a good idea.
>
> Rowland
>
--
Kv,
Kristján Valur Jónsson, RVX

Ok, I've analyzed this and found that the cause is a call to getpwuid(uid) with the uid being that of the domain controller. "wbinfo --uid-info=3000074" works and returns information, but this library function fails.
This is then propagated upwards as a memory error, because it is being called from getpwuid_alloc() which is a talloc variant. The API doesn't allow us to distinguish either form of error.
Later, there is this code (in libgpo)

    new_token = create_local_nt_token(mem_ctx, &object_sid, false,
                                      num_token_sids, token_sids);
    ADS_ERROR_HAVE_NO_MEMORY(new_token);

where the failure of create_local_nt_token() is simply assumed to be a memory failure. This pretty much destroys any finesse in lower level error handling...

Now, the reason getpwuid was failing was that the nsswitch.conf wasn't set up on the DCs. I fixed it and it works. But I've been running these DCs for three years without it. There is also no indication anywhere that it is not correctly set up.
I wonder if it is possible to enhance such diagnosis.
1) output a warning (failure of getpwuid is currently a DEBUG macro)
2) fix error handling.
Will do some tests.

On Mon, 25 Feb 2019 at 14:25, Kristján Valur Jónsson <kristjan at rvx.is> wrote:

> Well, I had a look at the python bindings and the error handling was in
> shambles.
> I fixed libgpo/pygpo.c and I now get:
> gpos = ads.get_gpo_list(creds.get_username())
> SystemError: Failed to get machine token for 'DC01$' (CN=DC01,OU=Domain Controllers,DC=rvx,DC=is)
>
> (the failing call is status = gp_get_machine_token(self->ads_ptr, frame, dn, &token);
>
> I'm a former python core dev, so I know a bit about python c code. I've
> fixed what I could find there, and will create a pull request. Meanwhile,
> do you know why this may be failing? The DN does exist.
> K

--
Kv,
Kristján Valur Jónsson, RVX

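The error-masking problem described in the message above, as an added example that is not Samba's code: a passwd lookup wrapper that reports "no such user" separately from "out of memory", so a missing NSS mapping is not surfaced as a memory failure. The names pw_status, pw_backend, pw_name_dup and fake_getpwuid_r are hypothetical, and the fake backend is constructed test data.

```c
#include <errno.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical status codes: keep "no such user" apart from "out of memory". */
enum pw_status { PW_OK, PW_NOT_FOUND, PW_NO_MEMORY, PW_ERROR };

/* Same signature as getpwuid_r(3), so a test backend can be swapped in. */
typedef int (*pw_backend)(uid_t, struct passwd *, char *, size_t, struct passwd **);

/* Copy the account name for uid into *name (caller frees it). */
enum pw_status pw_name_dup(pw_backend lookup, uid_t uid, char **name)
{
    size_t len = 64;
    char *buf = NULL;
    struct passwd pw, *res = NULL;
    int rc;

    *name = NULL;
    for (;;) {
        char *tmp = realloc(buf, len);
        if (tmp == NULL) { free(buf); return PW_NO_MEMORY; }
        buf = tmp;
        rc = lookup(uid, &pw, buf, len, &res);
        if (rc != ERANGE) break;          /* ERANGE: buffer too small, grow it */
        len *= 2;
    }
    enum pw_status st = PW_OK;
    if (res == NULL) {
        /* No entry: reported as 0 or as one of these error codes. */
        st = (rc == 0 || rc == ENOENT || rc == ESRCH) ? PW_NOT_FOUND : PW_ERROR;
    } else {
        size_t n = strlen(res->pw_name) + 1;
        if ((*name = malloc(n)) == NULL) st = PW_NO_MEMORY;
        else memcpy(*name, res->pw_name, n);
    }
    free(buf);
    return st;
}

/* Constructed backend: knows only uid 1000 and needs a 100-byte buffer. */
int fake_getpwuid_r(uid_t uid, struct passwd *pw, char *buf, size_t len,
                    struct passwd **res)
{
    *res = NULL;
    if (uid != 1000) return 0;            /* not found, e.g. uid has no NSS source */
    if (len < 100) return ERANGE;
    strcpy(buf, "constructed-user");
    memset(pw, 0, sizeof(*pw));
    pw->pw_name = buf; pw->pw_uid = uid;
    *res = pw;
    return 0;
}
```

On a real system, pass getpwuid_r as the backend; a caller can then log PW_NOT_FOUND as a configuration problem instead of mapping every NULL result to a no-memory status.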

On Tue, 26 Feb 2019 13:34:32 +0000
Kristján Valur Jónsson <kristjan at rvx.is> wrote:

> Ok, I've analyzed this and found that the cause is a call to
> getpwuid(uid) with the uid being that of the domain controller.
> "wbinfo --uid-info=3000074" works and returns information, but this
> library function fails.
> This is then propagated upwards as a memory error, because it is being
> called from getpwuid_alloc() which is a talloc variant. The API
> doesn't allow us to distinguish either form of error.
> Later, there is this code (in libgpo)
> new_token = create_local_nt_token(mem_ctx, &object_sid, false,
> num_token_sids, token_sids);
> ADS_ERROR_HAVE_NO_MEMORY(new_token);
> where the failure of create_local_nt_token() is simply assumed to be a
> memory failure. This pretty much destroys any finesse in lower level
> error handling...
>
> Now, the reason getpwuid was failing was that the nsswitch.conf
> wasn't set up on the DCs. I fixed it and it works. But I've been
> running these DCs for three years without it. There is also no
> indication anywhere that it is not correctly set up.
> I wonder if it is possible to enhance such diagnosis.
> 1) output a warning (failure of getpwuid is currently a DEBUG macro)
> 2) fix error handling. Will do some tests.
>

Kristjan, it is my understanding that it is actually recommended to not set up the libnss-winbind links on a DC, yet you now seem to be saying it is required.

I think this would be better discussed on the samba-technical mailing list.

Rowland