Running 2 SAMBA4 DC Replication WERR_BADFILE error

David Gonzalez info at dghvoip.com
Thu Sep 16 07:40:45 MDT 2010


Hey Daniel,

I've managed to make this work. I just did as Tridge showed in his video and
in your how-to (which I'd like to contribute to if you allow); I just did the
following in my bind named.conf:

zone "samba.dghvoip.com." IN {
        type master;
        file "/usr/local/samba/private/dns/samba.dghvoip.com.zone";
#       include "/usr/local/samba/private/named.conf.update";
/*
        update-policy {
        grant SAMBA.DGHVOIP.COM ms-self * A AAAA;
        grant administrator@SAMBA.DGHVOIP.COM wildcard * A AAAA SRV CNAME TXT;
        grant GATEWAY$@SAMBA.DGHVOIP.COM wildcard * A AAAA SRV CNAME;
        grant VPNSERVER$@SAMBA.DGHVOIP.COM wildcard * A AAAA SRV CNAME;
        grant *.SAMBA.DGHVOIP.COM wildcard * A AAAA SRV CNAME;
        };
*/
        allow-update { any; };
        check-names ignore;
        allow-transfer { key TRANSFER; };## .-new
};

zone "254.168.192.in-addr.arpa" {
        type master;
#       type slave;
        file "dynamic/254.168.192.in-addr.arpa.zone";
#       allow-update { key "dhcpupdate"; };
#       masters { 192.168.254.100; };
        notify yes;
/*      update-policy {
        grant *.DGHVOIP.COM wildcard *.254.168.192.in-addr.arpa. PTR;
        grant *.SAMBA.DGHVOIP.COM wildcard *.254.168.192.in-addr.arpa. PTR;
        };
*/
        allow-update { any; };
        allow-transfer { key TRANSFER; };
};

This allows updates from anyone. As you can see, I don't use the include that
samba recommends, because it won't work that way: it doesn't add records to
the zone file, reporting a "denied" error.

Then, in my domain zone file, add the new objectGUIDs:

0a791213-cbd0-4986-b5fa-a1ac0c0cb43f CNAME gateway.samba.dghvoip.com.
930d67f8-a195-4ab9-a19d-b21282a1f29c CNAME vpnserver.samba.dghvoip.com.

Restart samba and named; also remember:

1. rndc freeze zone
2. edit the zone adding the record and incrementing the serial
3. rndc unfreeze zone
4. Optional: restart named
5. samba_dnsupdate --verbose
6. dig AXFR zone

You should see something like this:

$ORIGIN _tcp.Default-First-Site-Name._sites.dc._msdcs.samba.dghvoip.com.
_kerberos               SRV     0 100 88 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 88 gateway.samba.dghvoip.com.
_ldap                   SRV     0 100 389 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 389 gateway.samba.dghvoip.com.
$ORIGIN _tcp.dc._msdcs.samba.dghvoip.com.
_kerberos               SRV     0 100 88 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 88 gateway.samba.dghvoip.com.
_ldap                   SRV     0 100 389 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 389 gateway.samba.dghvoip.com.
$ORIGIN _msdcs.samba.dghvoip.com.
_ldap._tcp.e408cc52-b98b-4d00-9a38-3e38653d2a2f.domains SRV 0 100 389 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 389 gateway.samba.dghvoip.com.
gc                      A       192.168.254.160
$ORIGIN gc._msdcs.samba.dghvoip.com.
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 3268 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 3268 gateway.samba.dghvoip.com.
_ldap._tcp              SRV     0 100 3268 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 3268 gateway.samba.dghvoip.com.
$ORIGIN _msdcs.samba.dghvoip.com.
$TTL 900        ; 15 minutes
_ldap._tcp.pdc          SRV     0 100 389 gateway.samba.dghvoip.com.
$ORIGIN _tcp.Default-First-Site-Name._sites.samba.dghvoip.com.
$TTL 600        ; 10 minutes
_gc                     SRV     0 100 3268 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 3268 gateway.samba.dghvoip.com.
_kerberos               SRV     0 100 88 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 88 gateway.samba.dghvoip.com.
_ldap                   SRV     0 100 389 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 389 gateway.samba.dghvoip.com.
$ORIGIN _tcp.samba.dghvoip.com.
_gc                     SRV     0 100 3268 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 3268 gateway.samba.dghvoip.com.
_kerberos               SRV     0 100 88 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 88 gateway.samba.dghvoip.com.
_kpasswd                SRV     0 100 464 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 464 gateway.samba.dghvoip.com.
_ldap                   SRV     0 100 389 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 389 gateway.samba.dghvoip.com.
$ORIGIN _udp.samba.dghvoip.com.
_kerberos               SRV     0 100 88 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 88 gateway.samba.dghvoip.com.
_kpasswd                SRV     0 100 464 VMW2K8.samba.dghvoip.com.
                        SRV     0 100 464 gateway.samba.dghvoip.com.

As you can see, records have been automagically added, but the issue is that
I've only managed to do this with a Windows 2008 R2 server machine, which
keeps reporting WERR_DRA_ACCESS_DENIED. But this is the way you can make
replication work.

Hope this helps you.

---
... Chi va piano va sano e va lontano.
David Gonzalez H.
DGHVoIP - OPEN SOURCE TELEPHONY SOLUTIONS
Phone Bogotá: +(57-1)289-1168
Phone Medellin: +(57-4)247-0985
Mobile: +(57)315-838-8326
MSN: david at planetaradio.net
Skype: davidgonzalezh
WEB: http://www.dghvoip.com/
Linux User #294661


On Thu, Sep 16, 2010 at 2:42 AM, Daniel Müller <mueller at tropenklinik.de> wrote:

> Can somebody have a look!?
> Or an idea? How can bind resolve the second CNAME ._mscds?
> I can take every other CNAME for my second samba4 but the:
> a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs
>
>
> NODE1 is: 02284f45-de16-4125-a795-3b614f540ef7
> NODE2 is: a441f8f9-629d-43c4-bce6-a5dfba1e4ad9
>
> So Replication from NODE2 to NODE1 works fine:
> UpdateRefs OK for
> a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc
> DC=tuebingen,DC=tst,DC=loc
> dreplsrv_op_pull_source(WERR_OK)  ← No replication error all is ok
> !!!!!!!!!!!!!!!!
>
> Replication the other way, there is an error:
> dns child failed to find name
> 'a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc' of type A
> dreplsrv_notify: Failed to send DsReplicaSync to
> a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc for
> DC=tuebingen,DC=tst,DC=loc - NT_STATUS_OBJECT_NAME_NOT_FOUND : WERR_BADFILE
> ← Error!!??
> started DsReplicaSync for
> CN=Schema,CN=Configuration,DC=tuebingen,DC=tst,DC=loc to
> a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc
>
> Asking my bind on NODE1:
> [root@node1 etc]# host -t A
> 02284f45-de16-4125-a795-3b614f540ef7._msdcs.tuebingen.tst.loc
> 02284f45-de16-4125-a795-3b614f540ef7._msdcs.tuebingen.tst.loc is an alias
> for node1.tuebingen.tst.loc.
> node1.tuebingen.tst.loc has address 192.168.134.27
> And  for a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc:
> host -t A a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc
> Host a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc not
> found: 3(NXDOMAIN)
>
> No alias record is shown for a441f8f9-629d-43c4-bce6-a5dfba1e4ad9 and
> node2!?
>
> But in my zone-file:
>
>                        IN NS   node1
>                        IN NS   node2
>            IN A    192.168.134.27
>            IN A    192.168.134.28
> node1        IN A    192.168.134.27
> node2        IN A    192.168.134.28
>
> gc._msdcs               IN A    192.168.134.27
>
> 02284f45-de16-4125-a795-3b614f540ef7._msdcs     IN CNAME        node1
> a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._mscds     IN CNAME        node2
>
> What about this???
> Any answers out there ???
>
>
> ON NODE1: The master Samba ADS-Server
>
> queued DsReplicaSync for DC=tuebingen,DC=tst,DC=loc to
> a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc (urgent=true)
> uSN=0:1196872
> queued DsReplicaSync for
> CN=Schema,CN=Configuration,DC=tuebingen,DC=tst,DC=loc to
> a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc (urgent=true)
> uSN=0:3388
> queued DsReplicaSync for CN=Configuration,DC=tuebingen,DC=tst,DC=loc to
> a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc (urgent=true)
> uSN=0:3571
> started DsReplicaSync for DC=tuebingen,DC=tst,DC=loc to
> a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc
> dreplsrv_notify_schedule(5) scheduled for: Wed Sep 15 09:38:11 2010 CEST
> Mapped to DCERPC endpoint 135
> added interface ip=192.168.134.27 nmask=255.255.255.0
> added interface ip=192.168.134.27 nmask=255.255.255.0
> dns child failed to find name
> 'a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc' of type A
> dreplsrv_notify: Failed to send DsReplicaSync to
> a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc for
> DC=tuebingen,DC=tst,DC=loc - NT_STATUS_OBJECT_NAME_NOT_FOUND : WERR_BADFILE
> started DsReplicaSync for
> CN=Schema,CN=Configuration,DC=tuebingen,DC=tst,DC=loc to
> a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc
>
> ON NODE2: The second Samba ADS-Server
>
> Child /usr/local/samba/sbin/samba_spnupdate exited with status 0 - Success
> Completed SPN update check OK
> /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was
> unsuccessful
> /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was
> unsuccessful
> /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was
> unsuccessful
> /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was
> unsuccessful
> /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was
> unsuccessful
> Child /usr/local/samba/sbin/samba_dnsupdate exited with status 0 - Success
> Completed DNS update check OK
> Registered NODE2<00> with 192.168.134.28 on interface 192.168.134.255
> Registered NODE2<03> with 192.168.134.28 on interface 192.168.134.255
> Registered NODE2<20> with 192.168.134.28 on interface 192.168.134.255
> Registered TUEBINGEN<1c> with 192.168.134.28 on interface 192.168.134.255
> Registered TUEBINGEN<00> with 192.168.134.28 on interface 192.168.134.255
> dreplsrv_periodic_run(): schedule pull replication
> dreplsrv_periodic_run(): run pending_ops memory=94
> dreplsrv_refresh_partition(DC=tuebingen,DC=tst,DC=loc)
> dreplsrv_out_connection_attach(02284f45-de16-4125-a795-3b614f540ef7._msdcs.tuebingen.tst.loc): attach
> dreplsrv_refresh_partition(CN=Configuration,DC=tuebingen,DC=tst,DC=loc)
> dreplsrv_out_connection_attach(02284f45-de16-4125-a795-3b614f540ef7._msdcs.tuebingen.tst.loc): attach
>
> dreplsrv_refresh_partition(CN=Schema,CN=Configuration,DC=tuebingen,DC=tst,DC=loc)
> dreplsrv_out_connection_attach(02284f45-de16-4125-a795-3b614f540ef7._msdcs.tuebingen.tst.loc): attach
> dreplsrv_periodic_schedule(10) scheduled for: Wed Sep 15 09:25:47 2010 CEST
> Mapped to DCERPC endpoint 135
> added interface ip=192.168.134.28 nmask=255.255.255.0
> added interface ip=192.168.134.28 nmask=255.255.255.0
> queued DsReplicaSync for DC=tuebingen,DC=tst,DC=loc to
> 02284f45-de16-4125-a795-3b614f540ef7._msdcs.tuebingen.tst.loc (urgent=true)
> uSN=0:627139
> queued DsReplicaSync for CN=Configuration,DC=tuebingen,DC=tst,DC=loc to
> 02284f45-de16-4125-a795-3b614f540ef7._msdcs.tuebingen.tst.loc (urgent=false)
> uSN=0:3524
> queued DsReplicaSync for
> CN=Schema,CN=Configuration,DC=tuebingen,DC=tst,DC=loc to
> 02284f45-de16-4125-a795-3b614f540ef7._msdcs.tuebingen.tst.loc (urgent=false)
> uSN=0:1566
> dreplsrv_notify_schedule(5) scheduled for: Wed Sep 15 09:25:42 2010 CEST
> Mapped to DCERPC endpoint 1024
> added interface ip=192.168.134.28 nmask=255.255.255.0
> added interface ip=192.168.134.28 nmask=255.255.255.0
> Starting GENSEC mechanism gssapi_krb5
> Received smb_krb5 packet of length 276
> Received smb_krb5 packet of length 1239
> Received smb_krb5 packet of length 1360
> Received smb_krb5 packet of length 1272
> gensec_gssapi: credentials were delegated
> GSSAPI Connection will be cryptographicly sealed
> ldb: start ldb transaction (nesting: 0)
> ldb: replmd_extended_replicated_objects
> linked_attributes_count=0
> DRS replication uptodate modify message:
> dn: DC=tuebingen,DC=tst,DC=loc
> changetype: modify
> replace: replUpToDateVector
> replUpToDateVector::
> AgAAAAAAAAABAAAAAAAAAP+Z3WTpaTZMv6XoFUv/7x9IQxIAAAAAAIAuF
>  jGnVMsB
> -
> replace: repsFrom
> repsFrom::
> AQAAAAAAAAASAQAAAAAAAPEFoQIDAAAA8QWhAgMAAAAAAAAA0AAAAEIAAABwAAAAERE
>
>  RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER
>
>  ERERERERERERERERERERERERERERERERAAAAAEhDEgAAAAAAAAAAAAAAAABIQxIAAAAAAEVPKAIW3
>
>  iVBp5U7YU9UDvf/md1k6Wk2TL+l6BVL/+8fAAAAAAAAAAAAAAAAAAAAAD4AAAAwMjI4NGY0NS1kZT
>  E2LTQxMjUtYTc5NS0zYjYxNGY1NDBlZjcuX21zZGNzLnR1ZWJpbmdlbi50c3QubG9jAA==
> -
>
>
> ldb: commit ldb transaction (nesting: 0)
> Replicated 0 objects (0 linked attributes) for DC=tuebingen,DC=tst,DC=loc
> UpdateRefs OK for
> a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs.tuebingen.tst.loc
> DC=tuebingen,DC=tst,DC=loc
> dreplsrv_op_pull_source(WERR_OK)  ← No replication error all is ok
> !!!!!!!!!!!!!!!!
>
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
>
> From: David Gonzalez [mailto:info at dghvoip.com]
> Sent: Tuesday, 14 September 2010 23:31
> To: mueller at tropenklinik.de
> Subject: Re: Running 2 SAMBA4 DC Replication WERR_BADFILE error
>
> Well that same thing happens to me, looks like it's looking for some file,
> but which file.
>
> I get that error when I dcpromo'd a Windows 2008 R2 to make it another DC
> for my domain.
>
> I saw with my debugging that it happens when samba cannot update the DNS
> zone file; it's looking for some record in the zone that should've been
> created when the DC joined the domain.
>
> Check DNS and tell us what happens.
>
> Good luck.
>
> ---
> ... Chi va piano va sano e va lontano.
> David Gonzalez H.
> DGHVoIP - OPEN SOURCE TELEPHONY SOLUTIONS
> Phone Bogotá: +(57-1)289-1168
> Phone Medellin: +(57-4)247-0985
> Mobile: +(57)315-838-8326
> MSN: david at planetaradio.net
> Skype: davidgonzalezh
> WEB: http://www.dghvoip.com/
> Linux User #294661
> On Tue, Sep 14, 2010 at 7:38 AM, Daniel Müller <mueller at tropenklinik.de>
> wrote:
> Any Idea!?
>
> -----------------------------------------------
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
> -----Original Message-----
> From: Daniel Müller [mailto:mueller at tropenklinik.de]
> Sent: Friday, 13 August 2010 14:14
> To: 'samba at lists.samba.org'
> Subject: Running 2 SAMBA4 DC Replication WERR_BADFILE error
>
> Hello to all,
>
> I succeeded in joining a samba4 DC to an existing samba4 domain. Things
> work well, but there is one error message coming from the master:
> Dns child failed….
> Dreplsrv_notify: Failed to send DSReplicaSync to…."the joined samba4 DC"….
> NT_STATUS_OBJECT_NAME_NOT_FOUND:  WERR_BADFILE .
> Where the joined DC succeeds with: dreplsrv_op_pull_source(WERR_OK).
>
> How can I get rid of the error: NT_STATUS_OBJECT_NAME_NOT_FOUND:
> WERR_BADFILE
>
> Greetings Daniel
>
> -----------------------------------------------
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
>
>
>
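An added check, written for this page and not part of the thread or of Samba, covering the two DNS issues discussed in it. First, the named.conf posted above opens both zones with allow-update { any; } and leaves the GSS-TSIG update-policy commented out, so any host that can reach the name server can rewrite the zone. Second, the zone file quoted from Daniel's mail carries node2's objectGUID CNAME under the label _mscds, while the replication target Samba looks up (see the "dns child failed to find name" line) is <objectGUID>._msdcs.<domain>, which matches the NXDOMAIN from his host query. The script parses a constructed named.conf fragment and a constructed zone fragment (hypothetical samba.example.test domain; the two GUIDs are the ones quoted in the thread, reused here as sample values) and reports, per zone, whether dynamic updates are open, restricted or not allowed, and, per DC GUID, whether its _msdcs CNAME is present, missing or misspelled.

```python
import re

# Constructed named.conf fragment (hypothetical samba.example.test domain).
# The first zone mirrors the thread's layout: the update-policy is commented
# out with /* */ and the zone falls back to allow-update { any; }.
SAMPLE_NAMED_CONF = """
zone "samba.example.test." IN {
        type master;
        file "/usr/local/samba/private/dns/samba.example.test.zone";
#       include "/usr/local/samba/private/named.conf.update";
/*
        update-policy {
        grant SAMBA.EXAMPLE.TEST ms-self * A AAAA;
        };
*/
        allow-update { any; };
        allow-transfer { key TRANSFER; };
};

zone "0.0.10.in-addr.arpa" {
        type master;
        file "dynamic/0.0.10.in-addr.arpa.zone";
        update-policy {
        grant *.SAMBA.EXAMPLE.TEST wildcard *.0.0.10.in-addr.arpa. PTR;
        };
};

zone "static.example.test" {
        type master;
        file "static.example.test.zone";
};
"""

# Constructed zone fragment: node2's objectGUID CNAME sits under the
# misspelled label "_mscds", as in the zone file quoted in the thread.
SAMPLE_ZONE = """
$ORIGIN samba.example.test.
$TTL 900
node1                                            IN A      10.0.0.27
node2                                            IN A      10.0.0.28
gc._msdcs                                        IN A      10.0.0.27
02284f45-de16-4125-a795-3b614f540ef7._msdcs      IN CNAME  node1
a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._mscds      IN CNAME  node2   ; typo
"""

# A zone block runs from 'zone "name"' to the first "};" at column 0.
ZONE_BLOCK_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
GUID_RE = re.compile(r'^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$', re.I)


def strip_comments(text):
    """Drop /* */, # and // comments so a commented-out policy is not counted."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(#|//).*', '', text)


def audit_dynamic_updates(named_conf):
    """Classify each zone as 'open' (allow-update { any; }), 'restricted'
    (update-policy or key-based allow-update) or 'none' (no dynamic updates)."""
    verdicts = {}
    for name, body in ZONE_BLOCK_RE.findall(strip_comments(named_conf)):
        if re.search(r'allow-update\s*\{\s*any\s*;\s*\}', body):
            verdicts[name] = 'open'
        elif 'update-policy' in body or re.search(r'allow-update\s*\{\s*key\b', body):
            verdicts[name] = 'restricted'
        else:
            verdicts[name] = 'none'
    return verdicts


def check_msdcs_cnames(zone_text, dc_guids):
    """For each DC objectGUID, report 'ok', 'missing' or 'misspelled:<label>'
    depending on whether '<guid>._msdcs' has a CNAME in the zone text."""
    cnames = {}
    for raw in zone_text.splitlines():
        line = raw.split(';', 1)[0].strip()          # drop zone-file comments
        if not line or line.startswith('$'):
            continue                                 # skip $ORIGIN / $TTL
        fields = line.split()
        if 'CNAME' in fields:
            cnames[fields[0].lower()] = fields[-1]   # owner name -> target
    report = {}
    for guid in dc_guids:
        if not GUID_RE.match(guid):
            raise ValueError(f'not an objectGUID: {guid}')
        if guid.lower() + '._msdcs' in cnames:
            report[guid] = 'ok'
            continue
        # Same GUID under a different label is almost certainly a typo.
        near = [o for o in cnames if o.startswith(guid.lower() + '.')]
        report[guid] = ('misspelled:' + near[0].split('.', 1)[1]) if near else 'missing'
    return report


if __name__ == '__main__':
    for zone, verdict in audit_dynamic_updates(SAMPLE_NAMED_CONF).items():
        print(f'{zone:28} dynamic updates: {verdict}')
    dcs = ['02284f45-de16-4125-a795-3b614f540ef7',
           'a441f8f9-629d-43c4-bce6-a5dfba1e4ad9']
    for guid, state in check_msdcs_cnames(SAMPLE_ZONE, dcs).items():
        print(f'{guid}._msdcs  {state}')
```

To run it against a real setup, read named.conf and the Samba zone file instead of the embedded samples and pass the GUIDs that appear as replication target names in the dreplsrv log lines above; a zone reported as 'open' is the one to move back to the update-policy grants (the GSS-TSIG path samba_dnsupdate uses), and a 'misspelled' or 'missing' entry is exactly what produces the NXDOMAIN and the WERR_BADFILE on the notifying DC.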


More information about the samba-technical mailing list