2 Samba4-DCs with OpenLDAP 2.4.8 in Multi-Master-Replication

Oliver Liebel oliver at itc.li
Sat Apr 5 13:50:28 GMT 2008


Used Versions:
OpenLDAP 2.4.8
Samba4 from git  (Fri Apr 4 16:03:54 2008 +0200)
Rev-Info
7fccd85
1207317834
7fccd85cc673c139bc1d57915e0fccd22316998c


Setup First DC1 (hostname samba4) with OL as Backend.
Backend-Provisioning with:
#> bin/smbpython setup/provision-backend --realm=LDAP.LOCAL.SITE 
--domain=LDAP --ldap-manager-pass=linux --ldap-backend-type=openldap 
--simple-bind-dn="cn=Manager,dc=ldap,dc=local,dc=site"

- slapd.conf creation only works correctly if an smb.conf with the wanted 
settings exists, otherwise the hostname [cn=samba4] is used as Base-DN; 
tested it several times

started slapd on DC1 listening on port 9000,
then started provision with:
#> bin/smbpython setup/provision  --realm=LDAP.LOCAL.SITE --domain=LDAP 
--ldap-backend-type=openldap 
--ldap-backend='ldap://samba4.ldap.local.site:9000/' 
--simple-bind-dn='cn=Manager,dc=ldap,dc=local,dc=site' 
--server-role='domain controller' --adminpass=linux

 - final provisioning only seems to work if the previously used smb.conf 
is removed, otherwise the provision failed with:

/...
Setting up sam.ldb data
Setting up sam.ldb users and groups
Setting up self join
Setting up sam.ldb index
Traceback (most recent call last):
  File "setup/provision", line 151, in <module>
    ldap_backend_type=opts.ldap_backend_type)
  File "bin/../scripting/python/samba/provision.py", line 1003, in provision
    "{" + policyguid + "}")
  File "/usr/lib/python2.5/posixpath.py", line 62, in join
    elif path == '' or path.endswith('/'):
AttributeError: 'NoneType' object has no attribute 'endswith'
/
summary: backend-provision and final provision ok (except the mentioned 
things above),
dns configured and working.
started slapd and smbd on DC1 in debug-mode, everything ok.

after that, same procedure on DC2 (samba4dc2),
using the domain-sid from DC1 for provision,
with second slapd listening on DC2 on port 9000, everything ok.
after that, stopped smbd and slapd on DC2, then tried to join DC1, where 
the following error occurs:

/#> net join LDAP BDC -U administrator -d 4
....
failed to get principal from default ccache: No such file or directory: 
open(/tmp/krb5cc_0): No such file or directory
GENSEC backend 'sasl-DIGEST-MD5' registered
....
We still need to perform a DsAddEntry() so that we can create the 
CN=NTDS Settings container.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INTERNAL ERROR: Signal 11 in pid 5695 (4.0.0alpha4-GIT-UNKNOWN)
Please read the file BUGS.txt in the distribution
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
PANIC: internal error
BACKTRACE: 23 stack frames:
 #0 net(call_backtrace+0x2b) [0x84a7e23]
 #1 net(smb_panic+0x266) [0x84a815d]
 #2 net [0x84a82f8]
 #3 net(fault_setup+0) [0x84a832d]
 #4 [0xffffe420]
 #5 /usr/local/samba/lib/samba/ldb/update_keytab.so(config_path+0x1d) [0xb77ed2b0]
 #6 /usr/local/samba/lib/samba/ldb/update_keytab.so(smb_krb5_init_context+0x141) [0xb758e13c]
 #7 /usr/local/samba/lib/samba/ldb/update_keytab.so(cli_credentials_get_krb5_context+0x67) [0xb7568263]
 #8 /usr/local/samba/lib/samba/ldb/update_keytab.so(cli_credentials_set_keytab_name+0x42) [0xb756922b]
 #9 /usr/local/samba/lib/samba/ldb/update_keytab.so(cli_credentials_set_secrets+0x6e9) [0xb7567641]
 #10 /usr/local/samba/lib/samba/ldb/update_keytab.so [0xb756538d]
 #11 /usr/local/samba/lib/samba/ldb/update_keytab.so [0xb756554d]
 #12 net(ldb_request+0x1ec) [0x84dd38c]
 #13 net [0x84dcf4f]
 #14 net(ldb_delete+0x87) [0x84de252]
 #15 net [0x80bb141]
 #16 net(libnet_Join+0x6e) [0x80bb5d3]
 #17 net(net_join+0x212) [0x80b3836]
 #18 net(net_run_function+0xc5) [0x80b2a19]
 #19 net [0x80b2eba]
 #20 net(main+0x22) [0x80b2f59]
 #21 /lib/libc.so.6(__libc_start_main+0xe0) [0xb7d65fe0]
 #22 net [0x80b28f1]
Aborted/

despite the above-listed errors, the entry:
/dn: cn=SAMBA4DC2,ou=Domain Controllers,dc=ldap,dc=local,dc=site/
in the tree of DC1 seems to be correctly created; the only attribute that 
seems to be missing is the boolean field /isCriticalSystemObject/.

after that, I added the cn=NTDS entry for samba4dc2 to the DC1 tree, no 
errors.

then I synced the databases; both slurpd-style (copying bdb files and 
transaction logs) and an initial content load from DC1 to DC2 with syncrepl 
work for all contexts (config, schema, users).
Replication is working perfectly in both directions.

when I try to join the domain with a w2k3 server, I get these 
smbd debug messages from DC2 (DC2 started after DC1) during the join 
operation, which finally failed.
/Kerberos: TGS-REQ administrator at LDAP.LOCAL.SITE from 192.168.198.203 
for cifs/SAMBA4DC2 at LDAP.LOCAL.SITE [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2008-04-05T15:05:19 starttime: 
2008-04-05T15:05:19 endtime: 2037-09-13T04:48:05 renew till: unset
switch message SMBsesssetupX (task_id 6140)
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSS Update(krb5)(1) Update failed:  Miscellaneous failure (see text): 
Decrypt integrity check failed
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
SPNEGO login failed: NT_STATUS_LOGON_FAILURE/

after copying the secrets.keytab from DC1 to DC2, everything works.
The entry for the w2k3 machine is created correctly and replicated on both 
machines.

calling dsa.msc on the win-server for administering the domain, I can't 
see the tree subentry 'Domain Controllers' any more
(a change from previous versions? the entries for both DCs are definitely 
still in the tree).
when I try to connect to DC2 with dsa.msc (failing with "rpc server not 
available"),
I get this smbd error:

/Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSS Update(krb5)(1) Update failed:  Miscellaneous failure (see text): 
Failed to find SAMBA4DC2$@LDAP.LOCAL.SITE(kvno 1) in keytab 
FILE:/usr/local/samba/var/lib/samba/private/secrets.keytab 
(arcfour-hmac-md5)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
SPNEGO login failed: NT_STATUS_LOGON_FAILURE
/
which means in consequence that the domain won't be reachable any more
if DC1 is down. (Tested it; the domain is still working with DC2 kicked off.)

so: can we find a way to get the keytabs on both DCs synchronized?
Apart from that, all other stuff is working well and stable
(even the re-synchronization of DC2 after re-enabling the DC again).

Greetings and a nice Weekend,
Oliver
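As an added illustration of the keytab mismatch described in the post above (this is not part of the original mail and not Samba's own tooling): a small Python check that parses Heimdal-style `ktutil list` output taken from both DCs and reports every (principal, enctype, kvno) entry that exists on one side only, the same lookup the "Failed to find ... (kvno 1) in keytab" message reflects. The listing format and the sample entries are assumptions constructed for the example.

```python
import re
from typing import List, Set, Tuple

# A keytab entry as (principal, encryption type, key version number).
Entry = Tuple[str, str, int]

# Constructed sample listings in the style of Heimdal's `ktutil -k FILE list`
# (assumed format; not real dumps from the DCs in the report).
DC1_LISTING = """\
FILE:/usr/local/samba/var/lib/samba/private/secrets.keytab:

Vno  Type                     Principal
  1  arcfour-hmac-md5         SAMBA4$@LDAP.LOCAL.SITE
  1  arcfour-hmac-md5         SAMBA4DC2$@LDAP.LOCAL.SITE
  1  arcfour-hmac-md5         cifs/samba4dc2.ldap.local.site@LDAP.LOCAL.SITE
"""
DC2_LISTING = """\
FILE:/usr/local/samba/var/lib/samba/private/secrets.keytab:

Vno  Type                     Principal
  2  arcfour-hmac-md5         SAMBA4DC2$@LDAP.LOCAL.SITE
  1  arcfour-hmac-md5         cifs/samba4dc2.ldap.local.site@LDAP.LOCAL.SITE
"""

# One entry line: kvno, enctype, principal. Header and blank lines never match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")

def parse_listing(text: str) -> Set[Entry]:
    """Parse a ktutil-style listing into a set of (principal, enctype, kvno)."""
    entries: Set[Entry] = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group(3), m.group(2), int(m.group(1))))
    return entries

def has_key(entries: Set[Entry], principal: str, kvno: int, enctype: str) -> bool:
    """Exact-match lookup, as the GSSAPI acceptor needs: principal, kvno and enctype."""
    return (principal, enctype, kvno) in entries

def keytab_diff(a: Set[Entry], b: Set[Entry]) -> Tuple[Set[Entry], Set[Entry]]:
    """Entries present on only one side; two empty sets mean the keytabs agree."""
    return a - b, b - a

def report(dc1_listing: str, dc2_listing: str) -> List[str]:
    """One line per entry that would fail lookup on the other DC."""
    only1, only2 = keytab_diff(parse_listing(dc1_listing), parse_listing(dc2_listing))
    lines = [f"only on DC1: {p} kvno {k} ({e})" for p, e, k in sorted(only1)]
    lines += [f"only on DC2: {p} kvno {k} ({e})" for p, e, k in sorted(only2)]
    return lines

if __name__ == "__main__":
    for line in report(DC1_LISTING, DC2_LISTING):
        print(line)
```

An empty report after both DCs have been provisioned and replicated is the condition under which a ticket issued by one DC can be accepted by the other.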