Bug 53592 - WERR_DS_DRA_BAD_DN - after setting connector/ad/mapping/user/password/kinit
Status: NEW
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.4
Other Linux
P5 normal
Assigned To: Samba maintainers
Samba maintainers
Depends on:
Blocks:
Reported: 2021-07-18 17:26 CEST by stefan.bauer
Modified: 2021-07-23 12:50 CEST (History)

Description stefan.bauer 2021-07-18 17:26:32 CEST
Hi,

We have a UCS Domain Master (latest 4.4) that recently took over a Server 2012 R2.

A UCS member server with Kopano (latest 4.4) is a member server. Sync is working.

As user passwords do not seem to be synced from the Master to the domain member (Kopano), I used:

ucr set connector/ad/ldap/binddn=sync-benutzer-im-ad
ucr set connector/ad/ldap/bindpw=/etc/univention/connector/password
touch /etc/univention/connector/password
chmod 600 /etc/univention/connector/password
echo -n "vergebenes kennwort fuer sync-benutzer" > /etc/univention/connector/password
ucr set connector/ad/mapping/user/password/kinit=false

This works fine, in general, with a Windows DC.

But UCS complains:

18.07.2021 16:24:24.025 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
18.07.2021 16:24:24.026 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1374, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/password.py", line 503, in password_sync
    nt_hash, krb5Key = get_password_from_ad(connector, univention.connector.ad.compatible_modstring(object['dn']), reconnect=True)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/password.py", line 283, in get_password_from_ad
    (level, ctr) = connector.drs.DsGetNCChanges(connector.drsuapi_handle, 8, req8)
WERRORError: (8439, 'WERR_DS_DRA_BAD_DN')

What am I doing wrong?
Comment 1 stefan.bauer 2021-07-23 07:57:45 CEST
Can someone please clarify whether the password sync process only works with a Microsoft Domain Controller, or also with a UCS DC that _took over_ a Microsoft DC?

The latter is our setup and we fail to sync passwords.
Comment 2 Felix Botner univentionstaff 2021-07-23 11:38:46 CEST
Yes, seems so, I also get

23.07.2021 11:14:25.140 LDAP        (PROCESS): sync from ucs: [          user] [       add] cn=join-backup,cn=users,DC=five,DC=local
23.07.2021 11:14:25.151 LDAP        (WARNING): sync failed, saved as rejected
	/var/lib/univention-connector/ad/1627030267.897414
23.07.2021 11:14:25.151 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/connector/__init__.py", line 817, in __sync_file_from_ucs
    if not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, object_old):
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 2327, in sync_from_ucs
    post_con_modify_function(self, property_type, object)
  File "/usr/lib/python3/dist-packages/univention/connector/ad/password.py", line 381, in password_sync_ucs
    nt_hash, krb5Key = get_password_from_ad(connector, object['dn'])
  File "/usr/lib/python3/dist-packages/univention/connector/ad/password.py", line 281, in get_password_from_ad
    (level, ctr) = connector.drs.DsGetNCChanges(connector.drsuapi_handle, 8, req8)
samba.WERRORError: (8439, 'WERR_DS_DRA_BAD_DN')

on my UCS master Samba DC with the AD connector.

log.samba:
[2021/07/23 07:40:56.027382,  3, pid=7901, effective(0, 0), real(0, 0), class=drs_repl] ../../source4/rpc_server/drsuapi/getncchanges.c:1205(getncchanges_repl_secret)
  ../../source4/rpc_server/drsuapi/getncchanges.c:1205: DRSUAPI_EXOP_REPL_SECRET extended op on CN=dns-master,CN=Users,DC=four,DC=five

...

[2021/07/23 07:40:56.033669, 10, pid=7901, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: OU=Domain Controllers,DC=four,DC=five
   scope: base
   expr: (|(objectClass=*)(distinguishedName=*))
   attr: serverReference
   control: 1.2.840.113556.1.4.529  crit:1  data:yes
  
[2021/07/23 07:40:56.038027, 10, pid=7901, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: ldb_asprintf/set_errstring: Cannot find attribute serverReference of OU=Domain Controllers,DC=four,DC=five to calculate reference dn
[2021/07/23 07:40:56.038061,  2, pid=7901, effective(0, 0), real(0, 0), class=drs_repl] ../../source4/rpc_server/drsuapi/getncchanges.c:1372(getncchanges_repl_secret)
  ../../source4/rpc_server/drsuapi/getncchanges.c:1372: Failed single secret replication for (null) by RODC S-1-5-21-2862311440-2092257086-639877991-500
[2021/07/23 07:40:56.038083,  1, pid=7901, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       drsuapi_DsGetNCChanges: struct drsuapi_DsGetNCChanges
          out: struct drsuapi_DsGetNCChanges
              level_out                : *
                  level_out                : 0x00000006 (6)
              ctr                      : *
                  ctr                      : union drsuapi_DsGetNCChangesCtr(case 6)
                  ctr6: struct drsuapi_DsGetNCChangesCtr6
                      source_dsa_guid          : e47cbc65-0fe9-486f-b919-95b978149feb
                      source_dsa_invocation_id : 553e5c02-bdae-46bf-aa9e-a82fad4c6b42
                      naming_context           : NULL
                      old_highwatermark: struct drsuapi_DsReplicaHighWaterMark
                          tmp_highest_usn          : 0x0000000000000000 (0)
                          reserved_usn             : 0x0000000000000000 (0)
                          highest_usn              : 0x0000000000000000 (0)
                      new_highwatermark: struct drsuapi_DsReplicaHighWaterMark
                          tmp_highest_usn          : 0x0000000000000000 (0)
                          reserved_usn             : 0x0000000000000000 (0)
                          highest_usn              : 0x0000000000000000 (0)
                      uptodateness_vector      : NULL
                      mapping_ctr: struct drsuapi_DsReplicaOIDMapping_Ctr
                          num_mappings             : 0x00000000 (0)
                          mappings                 : NULL
                      extended_ret             : DRSUAPI_EXOP_ERR_NONE (0x0)
                      object_count             : 0x00000000 (0)
                      __ndr_size               : 0x000000c7 (199)
                      first_object             : NULL
                      more_data                : 0x00000000 (0)
                      nc_object_count          : 0x00000000 (0)
                      nc_linked_attributes_count: 0x00000000 (0)
                      linked_attributes_count  : 0x00000000 (0)
                      linked_attributes        : *
                          linked_attributes: ARRAY(0)
                      drs_error                : WERR_OK
              result                   : WERR_DS_DRA_BAD_DN

This

  Cannot find attribute serverReference of OU=Domain Controllers,DC=four,DC=five to calculate reference dn
  Failed single secret replication for (null) by RODC S-1-5-21-2862311440-2092257086-639877991-500

is suspicious.
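As an added example (not code from this bug report or from Univention's connector), a small Python triage helper that correlates the client-side WERRORError in the connector log with the server-side getncchanges_repl_secret trace in log.samba. The sample log text is constructed from the lines quoted in this comment, trimmed to what the parser needs; the record layout and the result field names are my own assumptions, not connector or Samba API.

```python
import re

# Constructed sample input: the connector traceback tail and the Samba debug
# lines quoted in this bug (trimmed). Not captured from a live system.
CONNECTOR_LOG = """\
23.07.2021 11:14:25.151 LDAP        (WARNING): sync failed, saved as rejected
    /var/lib/univention-connector/ad/1627030267.897414
  File "/usr/lib/python3/dist-packages/univention/connector/ad/password.py", line 281, in get_password_from_ad
    (level, ctr) = connector.drs.DsGetNCChanges(connector.drsuapi_handle, 8, req8)
samba.WERRORError: (8439, 'WERR_DS_DRA_BAD_DN')
"""

SAMBA_LOG = """\
[2021/07/23 07:40:56.027382,  3, pid=7901, effective(0, 0), real(0, 0), class=drs_repl] ../../source4/rpc_server/drsuapi/getncchanges.c:1205(getncchanges_repl_secret)
  ../../source4/rpc_server/drsuapi/getncchanges.c:1205: DRSUAPI_EXOP_REPL_SECRET extended op on CN=dns-master,CN=Users,DC=four,DC=five
[2021/07/23 07:40:56.038027, 10, pid=7901, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: ldb_asprintf/set_errstring: Cannot find attribute serverReference of OU=Domain Controllers,DC=four,DC=five to calculate reference dn
[2021/07/23 07:40:56.038061,  2, pid=7901, effective(0, 0), real(0, 0), class=drs_repl] ../../source4/rpc_server/drsuapi/getncchanges.c:1372(getncchanges_repl_secret)
  ../../source4/rpc_server/drsuapi/getncchanges.c:1372: Failed single secret replication for (null) by RODC S-1-5-21-2862311440-2092257086-639877991-500
"""

# Samba debug header: [timestamp, level, pid=N, effective(..), real(..), class=X] file:line(function)
SAMBA_HEADER = re.compile(
    r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+), pid=(?P<pid>\d+),.*?class=(?P<cls>\w+)\] "
    r"(?P<loc>\S+)\((?P<func>\w+)\)\s*$"
)
WERROR = re.compile(r"WERRORError: \((?P<code>\d+), '(?P<name>\w+)'\)")
REJECT_FILE = re.compile(r"saved as rejected\s*\n\s*(?P<path>\S+)")
EXOP_TARGET = re.compile(r"DRSUAPI_EXOP_REPL_SECRET extended op on (?P<dn>.+)$")
MISSING_ATTR = re.compile(r"Cannot find attribute (?P<attr>\w+) of (?P<dn>.+?) to calculate reference dn")
FAILED_BY = re.compile(r"Failed single secret replication for (?P<target>.+?) by RODC (?P<sid>S-[\d-]+)")


def parse_samba_log(text):
    """Group a Samba debug log into records: one header line plus its indented message lines."""
    records = []
    for line in text.splitlines():
        m = SAMBA_HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["message"] = []
            records.append(rec)
        elif records and line.strip():
            records[-1]["message"].append(line.strip())
    for rec in records:
        rec["message"] = "\n".join(rec["message"])
    return records


def connector_failure(text):
    """Pull the WERROR code/name and the rejected-object file out of a connector log excerpt."""
    m = WERROR.search(text)
    r = REJECT_FILE.search(text)
    return {
        "code": int(m.group("code")) if m else None,
        "name": m.group("name") if m else None,
        "rejected_file": r.group("path") if r else None,
    }


def triage(connector_text, samba_text):
    """Correlate the client-side WERR with the server-side getncchanges_repl_secret records."""
    result = connector_failure(connector_text)
    result.update({"target_dn": None, "missing_attr": None, "missing_on": None, "caller_sid": None})
    for rec in parse_samba_log(samba_text):
        if rec["func"] == "getncchanges_repl_secret":
            t = EXOP_TARGET.search(rec["message"])
            if t:
                result["target_dn"] = t.group("dn")      # object whose secret was requested
            f = FAILED_BY.search(rec["message"])
            if f:
                result["caller_sid"] = f.group("sid")    # SID the DC treated as the RODC caller
        if rec["cls"] == "ldb":
            a = MISSING_ATTR.search(rec["message"])
            if a:
                result["missing_attr"] = a.group("attr")
                result["missing_on"] = a.group("dn")
    if result["name"] == "WERR_DS_DRA_BAD_DN" and result["missing_attr"]:
        result["verdict"] = "server-side: REPL_SECRET request from %s failed because %s has no %s" % (
            result["caller_sid"], result["missing_on"], result["missing_attr"])
    elif result["name"]:
        result["verdict"] = "%s without a matching getncchanges_repl_secret trace in log.samba" % result["name"]
    else:
        result["verdict"] = "no WERROR in connector log"
    return result


if __name__ == "__main__":
    for k, v in triage(CONNECTOR_LOG, SAMBA_LOG).items():
        print("%-14s %s" % (k, v))
```

The connector only reports the numeric WERR it got back over DRSUAPI; the explanation lives in log.samba at debug level 10, so the helper keys on the `getncchanges_repl_secret` records and the `ldb` error that precedes the failure and prints them side by side with the rejected-object file for that sync run.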
Comment 3 stefan.bauer 2021-07-23 12:50:51 CEST
Too bad. This was working with the previous Windows domain controller; after the takeover, it does not anymore.

It would be helpful to at least have a note in the AD takeover documentation mentioning this limitation for now.

Thank you.