Bug 12012 - security descriptor issue blocking AD DC replication
Summary: security descriptor issue blocking AD DC replication
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.4.4
Hardware: All Linux
Importance: P5 major
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-06 09:47 UTC by Denis Cardon
Modified: 2017-04-20 00:08 UTC

See Also:


Attachments
diagnostic patch (1.11 KB, patch)
2016-07-11 04:36 UTC, Andrew Bartlett
no flags

Description Denis Cardon 2016-07-06 09:47:36 UTC
When replicating between DCs, I've hit, a few times on different domains, a blocking replication issue related to an incorrect security descriptor (still there in 4.4.4).

When replicating an object, one may get the error below, "ldb: descriptor_modify: Could not find SD for". Note: the DN mentioned here is actually the PARENT of the entry being replicated at that moment.

Most of the time, you can get around it by moving the entry, deleting the parent object and recreating it, and putting the entry back into the OU, or in the case of a GPO, exporting and recreating it. An extreme way of resolving it is to re-import all the But it is not very convenient and not satisfactory.

The problem seems to be related to SD inheritance calculation (disabling inheritance on the entry bypasses the issue). I am not sure if the bug that creates that issue is still in master, but it was at least in 4.3.0. And I have no clue what triggers this issue either (sorry for the lousy bug report).

The only place I can see the "descriptor_modify: Could not find SD for" is in ./source4/dsdb/samdb/ldb_modules/descriptor.c line 779.

I'll be glad to give any more information, and a sample of the SD hierarchy, if someone is interested in diving into this one.

[2016/04/18 16:06:16.998291,  6] ../libcli/security/create_descriptor.c:256(process_user_acl)
  ../libcli/security/create_descriptor.c:256: acl revision 4
[2016/04/18 16:06:16.998358,  6] ../libcli/security/create_descriptor.c:256(process_user_acl)
  ../libcli/security/create_descriptor.c:256: acl revision 4
[2016/04/18 16:06:16.998844,  1] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: descriptor_modify: Could not find SD for CN={945CAECE-A8E6-4A95-B573-F3C98259425D},CN=Policies,CN=System,DC=domaine,DC=fr
  
[2016/04/18 16:06:16.999808,  0] ../source4/dsdb/repl/replicated_objects.c:818(dsdb_replicated_objects_commit)
  ../source4/dsdb/repl/replicated_objects.c:818 Failed to prepare commit of transaction: operations error at ../source4/dsdb/samdb/ldb_modules/descriptor.c:1147
[2016/04/18 16:06:17.001556,  0] ../source4/dsdb/repl/drepl_out_helpers.c:773(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
Comment 1 Andrew Bartlett 2016-07-06 22:36:03 UTC
Checking on master would be a big help, due to the things we have recently fixed in replication, particularly in strictly enforcing object paternity.
Comment 2 Andrew Bartlett 2016-07-11 04:36:19 UTC
Created attachment 12267
diagnostic patch

Running with this patch may give better information.
Comment 3 Andrew Bartlett 2016-08-01 19:43:56 UTC
Any news on what the underlying error is, using my patch?
Comment 4 Garming Sam 2017-04-20 00:08:19 UTC
This bug looks entirely due to the missing parent issues we sorted out a while back. Without the parent, it just wouldn't be able to recursively calculate the security descriptor.