ldapsearch on RODC
Published: June 9, 2020 - 2:24 PM
Hello,
I just created a RODC connected to an AD1, both running version 4.11.6, and I would like to be able to connect my applications via LDAP to the RODC.
Is this possible?
Thank you in advance for sharing your experiences, as it's not working in my tests at the moment. I'm getting this kind of response on my ldapsearch command:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 40, v1db1
and this kind of log:
[2020/06/09 12:18:46.845786, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2020/06/09 12:18:46.850433, 3] ../../source4/auth/ntlm/auth.c:240(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user [(null)]\[adm-test@domain.local]@[(null)]
auth_check_password_send: user is: [DOMAIN]\[adm-test]@[(null)]
[2020/06/09 12:18:46.852915, 1] ../../source4/dsdb/samdb/ldb_modules/rootdse.c:518(rootdse_add_dynamic)
rootdse_add_dynamic: Failed to convert GUID into full DN in rootDSE for dsServiceName:
[2020/06/09 12:18:46.853228, 1] ../../source4/dsdb/common/util.c:1397(samdb_ntds_settings_dn)
Searching for dsServiceName in rootDSE failed: Failed to find full DN for dsServiceName:
[2020/06/09 12:18:46.853401, 1] ../../source4/dsdb/common/util.c:1418(samdb_ntds_settings_dn)
Failed to find our own NTDS Settings DN in the ldb!
[2020/06/09 12:18:46.853660, 3] ../../source4/dsdb/repl/drepl_secret.c:145(drepl_repl_secret)
../../source4/dsdb/repl/drepl_secret.c:145: started secret replication for CN=adm-test,OU=SYSTEM,OU=USERS,OU=YS,DC=domain,DC=local
[2020/06/09 12:18:46.854850, 5] ../../source4/auth/ntlm/auth.c:69(auth_get_challenge)
auth_get_challenge: returning previous challenge by module random (normal)
[2020/06/09 12:18:46.855007, 5] ../../source4/auth/ntlm/auth.c:69(auth_get_challenge)
auth_get_challenge: returning previous challenge by module random (normal)
[2020/06/09 12:18:46.855255, 5] ../../source3/winbindd/winbindd_irpc.c:210(wb_irpc_SamLogon)
wb_irpc_SamLogon called
[2020/06/09 12:18:46.866485, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of idmap.ldb
[2020/06/09 12:18:46.949594, 3] ../../source4/dsdb/repl/drepl_secret.c:53(drepl_repl_secret_callback)
../../source4/dsdb/repl/drepl_secret.c:53: repl secret failed for user CN=adm-test,OU=SYSTEM,OU=USERS,OU=YS,DC=domain,DC=local - WERR_DS_DRA_BAD_DN: extended_ret[0x0
[2020/06/09 12:18:50.424578, 0] ../../source3/winbindd/winbindd_irpc.c:55(wb_irpc_forward_callback)
RPC callback failed for winbind_SamLogon - NT_STATUS_CONNECTION_DISCONNECTED
[2020/06/09 12:18:50.426286, 2] ../../source4/auth/ntlm/auth.c:472(auth_check_password_recv)
auth_check_password_recv: winbind authentication for user [DOMAIN\adm-test] FAILED with error NT_STATUS_CONNECTION_DISCONNECTED, authoritative=1
[2020/06/09 12:18:50.426364, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [LDAP,simple bind/TLS] user [(null)]\[adm-test@domain.local] at [Tue, 09 Jun 2020 12:18:50.426344 UTC] with [Plaintext] status [NT_STATUS_CONNECTION_DISCONNECTED] workstation [(null)] remote host [ipv4:127.0.0.1:57600] mapped to [DOMAIN]\[adm-test]. local host [ipv4:127.0.1.1:389]
{"timestamp": "2020-06-09T12:18:50.426440+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 8, "status": "NT_STATUS_CONNECTION_DISCONNECTED", "localAddress": "ipv4:127.0.1.1:389", "remoteAddress": "ipv4:127.0.0.1:57600", "serviceDescription": "LDAP", "authDescription": "simple bind/TLS", "clientDomain": null, "clientAccount": "adm-test@domain.local", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "adm-test", "mappedDomain": "DOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "Plaintext", "duration": 3576941}}
[2020/06/09 12:18:50.428280, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done:get
LDAP to work.
Any help would be appreciated.
I just created a RODC connected to an AD1, both running version 4.11.6, and I would like to be able to connect my applications via LDAP to the RODC.
Is this possible?
Thank you in advance for sharing your experiences, as it's not working in my tests at the moment. I'm getting this kind of response on my ldapsearch command:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 40, v1db1
and this kind of log:
[2020/06/09 12:18:46.845786, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2020/06/09 12:18:46.850433, 3] ../../source4/auth/ntlm/auth.c:240(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user [(null)]\[adm-test@domain.local]@[(null)]
auth_check_password_send: user is: [DOMAIN]\[adm-test]@[(null)]
[2020/06/09 12:18:46.852915, 1] ../../source4/dsdb/samdb/ldb_modules/rootdse.c:518(rootdse_add_dynamic)
rootdse_add_dynamic: Failed to convert GUID into full DN in rootDSE for dsServiceName:
[2020/06/09 12:18:46.853228, 1] ../../source4/dsdb/common/util.c:1397(samdb_ntds_settings_dn)
Searching for dsServiceName in rootDSE failed: Failed to find full DN for dsServiceName:
[2020/06/09 12:18:46.853401, 1] ../../source4/dsdb/common/util.c:1418(samdb_ntds_settings_dn)
Failed to find our own NTDS Settings DN in the ldb!
[2020/06/09 12:18:46.853660, 3] ../../source4/dsdb/repl/drepl_secret.c:145(drepl_repl_secret)
../../source4/dsdb/repl/drepl_secret.c:145: started secret replication for CN=adm-test,OU=SYSTEM,OU=USERS,OU=YS,DC=domain,DC=local
[2020/06/09 12:18:46.854850, 5] ../../source4/auth/ntlm/auth.c:69(auth_get_challenge)
auth_get_challenge: returning previous challenge by module random (normal)
[2020/06/09 12:18:46.855007, 5] ../../source4/auth/ntlm/auth.c:69(auth_get_challenge)
auth_get_challenge: returning previous challenge by module random (normal)
[2020/06/09 12:18:46.855255, 5] ../../source3/winbindd/winbindd_irpc.c:210(wb_irpc_SamLogon)
wb_irpc_SamLogon called
[2020/06/09 12:18:46.866485, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of idmap.ldb
[2020/06/09 12:18:46.949594, 3] ../../source4/dsdb/repl/drepl_secret.c:53(drepl_repl_secret_callback)
../../source4/dsdb/repl/drepl_secret.c:53: repl secret failed for user CN=adm-test,OU=SYSTEM,OU=USERS,OU=YS,DC=domain,DC=local - WERR_DS_DRA_BAD_DN: extended_ret[0x0
[2020/06/09 12:18:50.424578, 0] ../../source3/winbindd/winbindd_irpc.c:55(wb_irpc_forward_callback)
RPC callback failed for winbind_SamLogon - NT_STATUS_CONNECTION_DISCONNECTED
[2020/06/09 12:18:50.426286, 2] ../../source4/auth/ntlm/auth.c:472(auth_check_password_recv)
auth_check_password_recv: winbind authentication for user [DOMAIN\adm-test] FAILED with error NT_STATUS_CONNECTION_DISCONNECTED, authoritative=1
[2020/06/09 12:18:50.426364, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [LDAP,simple bind/TLS] user [(null)]\[adm-test@domain.local] at [Tue, 09 Jun 2020 12:18:50.426344 UTC] with [Plaintext] status [NT_STATUS_CONNECTION_DISCONNECTED] workstation [(null)] remote host [ipv4:127.0.0.1:57600] mapped to [DOMAIN]\[adm-test]. local host [ipv4:127.0.1.1:389]
{"timestamp": "2020-06-09T12:18:50.426440+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 8, "status": "NT_STATUS_CONNECTION_DISCONNECTED", "localAddress": "ipv4:127.0.1.1:389", "remoteAddress": "ipv4:127.0.0.1:57600", "serviceDescription": "LDAP", "authDescription": "simple bind/TLS", "clientDomain": null, "clientAccount": "adm-test@domain.local", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "adm-test", "mappedDomain": "DOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "Plaintext", "duration": 3576941}}
[2020/06/09 12:18:50.428280, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done:get
LDAP to work.
Any help would be appreciated.