Bug 44115 - RODC doesn't replicate via DRS after server-password-change
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.2
Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Duplicates: 33151
Reported: 2017-03-28 16:28 CEST by Arvid Requate
Modified: 2020-07-03 20:51 CEST

What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.069
Flags: requate: Patch_Available+


Attachments
RODC_server_password_change.patch (793 bytes, patch)
2017-03-28 17:49 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2017-03-28 16:28:56 CEST
UCS 4.2 product tests show that a Samba 4.6.1 RODC doesn't replicate Samba/AD data beyond what has been pulled during the initial join.
See also Bug 44114 Comment 5


The showrepl output doesn't show any inbound traffic (don't know if it should), even though the other Samba/AD DCs in that domain list outgoing connections to the RODC.


root@slave104rodc:~# samba-tool drs showrepl -UAdministrator%univention
Default-First-Site-Name\SLAVE104RODC
DSA Options: 0x00000025
DSA object GUID: 95168814-9a9b-4ec9-9d1f-f011ff55898d
DSA invocationId: 7743f88a-af67-4d97-bc03-aaa302f91d80

==== INBOUND NEIGHBORS ====

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 8c641d58-8fb2-4988-9ad1-6038d46f24f3
        Enabled        : TRUE
        Server DNS name : slave102.ar41pt1.qa
        Server DN name  : CN=NTDS Settings,CN=SLAVE102,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar41pt1,DC=qa
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
        Connection name: c6de97a6-81b7-4223-8a1e-a9f56fff13ba
        Enabled        : TRUE
        Server DNS name : backup101.ar41pt1.qa
        Server DN name  : CN=NTDS Settings,CN=BACKUP101,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar41pt1,DC=qa
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
        Connection name: RODC Connection (FRS)
        Enabled        : TRUE
        Server DNS name : master100.ar41pt1.qa
        Server DN name  : CN=NTDS Settings,CN=MASTER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar41pt1,DC=qa
                TransportType: RPC
                options: 0x00000041
Comment 1 Arvid Requate univentionstaff 2017-03-28 17:49:46 CEST
Created attachment 8672
RODC_server_password_change.patch

It's a problem of server password change on the RODC. The attached patch fixes this.


Debugging details: I noticed that the RODC already had kvno 3 in /etc/krb5.keytab but the other DCs still had msds-keyversionnumber 2. Since its machine.secret worked against OpenLDAP I assume that the server-password-change didn't work properly. This is what the log showed:
=====================================================================
Starting server password change (Tue Mar 28 01:01:51 CEST 2017)
Proceeding with regular server password change scheduled for today
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 prechange
Object modified: cn=slave104rodc,cn=dc,cn=computers,dc=ar41pt1,dc=qa
Restarting univention-directory-listener (via systemctl): univention-directory-listener.service.
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server postchange
File: /etc/listfilter.secret
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.sharedfolderlocal
Multifile: /etc/postfix/ldap.virtualwithcanonical
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.virtualdomains
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap postchange
File: /etc/libnss-ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd postchange
Restarting nscd (via systemctl): nscd.service.
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange
Modified 1 records successfully
ERROR: Failed to set password for user 'slave104rodc$': (1, 'Invalid LDB reply type 1')
done (Tue Mar 28 01:02:09 CEST 2017)
=====================================================================


Replication started to work again after


root@slave104rodc:~# samba-tool user setpassword -UAdministrator%univention \
  -H ldap://master100.ar41pt1.qa "$(hostname)\$" \
  --newpassword=qSqlP2CYto35Uqcw3mYJ
Changed password OK

root@slave104rodc:~# /etc/init.d/samba restart
[ ok ] Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
[ ok ] Stopping smbd (via systemctl): smbd.service.
[ ok ] Stopping nmbd (via systemctl): nmbd.service.
[ ok ] Starting nmbd (via systemctl): nmbd.service.
[ ok ] Starting smbd (via systemctl): smbd.service.
[ ok ] Starting samba-ad-dc (via systemctl): samba-ad-dc.service


The drs showrepl output doesn't look any different though.
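An added consistency check, not part of this report or of UCS: it extracts the kvno of each principal from the RODC's keytab listing and compares it with the msDS-KeyVersionNumber a writable DC holds for the machine account, which is exactly the mismatch (keytab at 3, directory still at 2) that the debugging above turned up. The MIT `klist -k` listing format, the sample listing and the ldbsearch invocation in the comment are assumptions/constructed.

```python
import re
from typing import Dict

# Constructed sample of `klist -k` output (MIT keytab listing format is an
# assumption); the kvno 3 entries mirror the mismatch described in the report.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/slave104rodc.ar41pt1.qa@AR41PT1.QA
   3 host/slave104rodc.ar41pt1.qa@AR41PT1.QA
   3 SLAVE104RODC$@AR41PT1.QA
"""

# One keytab entry: leading kvno, then the principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def keytab_kvnos(listing: str) -> Dict[str, int]:
    """Highest kvno per principal in a `klist -k` listing.

    Header, separator and blank lines do not match ENTRY_RE and are skipped;
    older keys for the same principal are superseded by the highest kvno.
    """
    kvnos: Dict[str, int] = {}
    for line in listing.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            kvno, principal = int(match.group(1)), match.group(2)
            kvnos[principal] = max(kvno, kvnos.get(principal, 0))
    return kvnos


def kvno_mismatches(listing: str, directory_kvno: int) -> Dict[str, int]:
    """Principals whose keytab kvno differs from the machine account's
    msDS-KeyVersionNumber as read from a writable DC.

    directory_kvno is passed in so the check runs offline; in practice read
    it from the account object on a writable DC (hypothetical invocation):
      ldbsearch -H ldap://master100.ar41pt1.qa -UAdministrator \
        '(sAMAccountName=SLAVE104RODC$)' msDS-KeyVersionNumber
    A non-empty result is the symptom seen in this report and means the
    server password change did not land in the directory.
    """
    return {principal: kvno
            for principal, kvno in keytab_kvnos(listing).items()
            if kvno != directory_kvno}
```

Run it with the value the other DCs report (2 in this report) and an empty dict means keytab and directory agree.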
Comment 2 Arvid Requate univentionstaff 2017-04-20 18:03:21 CEST
*** Bug 33151 has been marked as a duplicate of this bug. ***
Comment 3 Ingo Steuwer univentionstaff 2020-07-03 20:51:42 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.