[Samba] Domain join failure - error during DRS repl ADD: No objectClass found in replPropertyMetaData
Rowland Penny
rowlandpenny241155 at gmail.com
Mon Nov 23 14:32:37 UTC 2015
On 23/11/15 14:15, Matthew Delfino wrote:
>
> On 2015.11.23, at 3:58 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>
>> On 23/11/15 00:09, Matthew Delfino wrote:
>>>
>>> On 2015.11.22, at 4:43 PM, Matthew Delfino
>>> <mdelfino.list.samba at KNOCKinc.com> wrote:
>>>
>>>>
>>>> On 2015.11.22, at 2:27 PM, Rowland Penny
>>>> <rowlandpenny241155 at gmail.com> wrote:
>>>>
>>>>> On 22/11/15 19:49, Matthew Delfino wrote:
>>>>>> I have 3 domain controllers, running Samba 4.1.6 on Ubuntu
>>>>>> 14.04.3 LTS in a VMware virtual machine (part of the package
>>>>>> install available from the "apt-get install samba" command). My
>>>>>> approach was to do a non-FSMO first, the other non-FSMO second,
>>>>>> then the FSMO last.
>>>>>>
>>>>>> I started by shutting down all of these three VMs and doing a
>>>>>> snapshot.
>>>>>>
>>>>>> Next, I needed to backup the files and purge the system of all
>>>>>> traces of Samba:
>>>>>>
>>>>>> sudo -s
>>>>>> service samba stop
>>>>>> service samba-ad-dc stop
>>>>>> service nmbd stop
>>>>>>
>>>>>> cp -Rp /etc/samba/*
>>>>>> /root/backup_queue/2015.11.22-SAMBA/root/etc/samba/.
>>>>>> cp -Rp /var/lib/samba/*
>>>>>> /root/backup_queue/2015.11.22-SAMBA/root/var/lib/samba/.
>>>>>>
>>>>>> apt-get purge ^samba.*
>>>>>>
>>>>>> Then, I download all the important packages for compiling from
>>>>>> source on Ubuntu:
>>>>>>
>>>>>> apt-get install acl attr autoconf bison build-essential debhelper
>>>>>> dnsutils docbook-xml docbook-xsl flex gdb krb5-user libacl1-dev
>>>>>> libaio-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev
>>>>>> libgnutls28-dev libjson-perl libldap2-dev libncurses5-dev
>>>>>> libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev perl
>>>>>> perl-modules pkg-config python-all-dev python-dev
>>>>>> python-dnspython python-crypto xsltproc zlib1g-dev
>>>>>>
>>>>>> And don’t forget to exit because you don’t want to be root for
>>>>>> the next commands:
>>>>>>
>>>>>> exit
>>>>>>
>>>>>> Prepare for, download and unpack the source:
>>>>>>
>>>>>> mkdir source
>>>>>> cd source
>>>>>> wget https://download.samba.org/pub/samba/stable/samba-4.3.1.tar.gz
>>>>>> tar -zxf samba-4.3.1.tar.gz
>>>>>>
>>>>>> Configure and compile (compiles always took, like 15 minutes on
>>>>>> my system):
>>>>>>
>>>>>> cd samba-4.3.1/
>>>>>> ./configure --enable-fhs --prefix=/usr --sysconfdir=/etc
>>>>>> --localstatedir=/var --enable-debug
>>>>>> make
>>>>>>
>>>>>> Install it:
>>>>>>
>>>>>> sudo -s
>>>>>> make install
>>>>>>
>>>>>> Recover from those backups:
>>>>>>
>>>>>> cp -Rp /root/backup_queue/2015.11.22-SAMBA/root/etc/samba/*
>>>>>> /etc/samba/.
>>>>>> cp -Rp /root/backup_queue/2015.11.22-SAMBA/root/var/lib/samba/*
>>>>>> /var/lib/samba/.
>>>>>>
>>>>>> Download the upstart conf and init script from samba wiki (as per
>>>>>> https://wiki.samba.org/index.php/Samba4/InitScript):
>>>>>>
>>>>>> wget -O /etc/init/samba-ad-dc.conf
>>>>>> 'http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=blob_plain;f=debian/samba-ad-dc.upstart;hb=HEAD'
>>>>>> wget
>>>>>> "http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=blob_plain;f=debian/samba.samba-ad-dc.init;h=3132d2e367675f822342a5b7bc2e50c046aa3b8f;hb=HEAD"
>>>>>> -O /etc/init.d/samba-ad-dc
>>>>>> chmod 755 /etc/init.d/samba-ad-dc
>>>>>> update-rc.d samba-ad-dc defaults
>>>>>>
>>>>>> Restart:
>>>>>>
>>>>>> shutdown -r now
>>>>>>
>>>>>> Log back in at restart. Make sure it’s running:
>>>>>>
>>>>>> service samba-ad-dc status
>>>>>>
>>>>>> In my case, it was running each time (samba-ad-dc start/running,
>>>>>> process X). Now it’s time to fix stuff:
>>>>>>
>>>>>> sudo samba-tool dbcheck --fix
>>>>>>
>>>>>> It found hundreds of issues and fixed them all. Lastly, I went on
>>>>>> to check all my work:
>>>>>>
>>>>>> sudo samba-tool drs showrepl
>>>>>>
>>>>>> Says inbound and outbound updates are successful, so looked good….
>>>>>>
>>>>>> samba-tool ldapcmp ldap://dc00 ldap://dc01 -Uadministrator
>>>>>>
>>>>>> Everything checked out EXCEPT "whenChanged," which was off on
>>>>>> scores of records. So, to make myself feel better, I did this:
>>>>>>
>>>>>> samba-tool ldapcmp --filter="whenChanged" ldap://dc01 ldap://dc00
>>>>>> -Uadministrator
>>>>>>
>>>>>> I have tested the authentication systems on a few services that
>>>>>> were bound to these DCs and they all work - so far so good on
>>>>>> that front.
>>>>>>
>>>>>> I repeated the above steps for the second non-FSMO DC, then the
>>>>>> FSMO DC. Every one of them is now on Samba 4.3.1.
>>>>>>
>>>>>> But the final test I did, after all the upgrades, was this:
>>>>>>
>>>>>> sudo samba-tool fsmo show
>>>>>>
>>>>>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No
>>>>>> such element'
>>>>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>>>>>> line 175, in _run
>>>>>> return self.run(*args, **kwargs)
>>>>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py",
>>>>>> line 395, in run
>>>>>> domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
>>>>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py",
>>>>>> line 42, in get_fsmo_roleowner
>>>>>> master_owner = res[0]["fSMORoleOwner"][0]
>>>>>>
>>>>>> Which concerns me. What could I do here to get me out of this
>>>>>> pickle? Do I have to (re)seize FSMO responsibilities? I did run
>>>>>> this on the DC that was the FSMO before all these shenanigans:
>>>>>>
>>>>>> samba-tool fsmo seize --role=all
>>>>>
>>>>> Did you just enter 'samba-tool fsmo seize --role=all' ?
>>>>> If so, you need to add an adminuser & password i.e.
>>>>> -UAdministrator and then enter the password when prompted.
>>>>>
>>>>> Rowland
>>>>
>>>> Indeed I did. Hoping you were onto something and this was going to
>>>> be an easy fix, here’s what I did...
>>>>
>>>> samba-tool fsmo seize --role=all -Uadministrator
>>>>
>>>> This DC already has the 'rid' FSMO role
>>>> This DC already has the 'pdc' FSMO role
>>>> This DC already has the 'naming' FSMO role
>>>> This DC already has the 'infrastructure' FSMO role
>>>> This DC already has the 'schema' FSMO role
>>>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
>>>> element'
>>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>>>> line 175, in _run
>>>> return self.run(*args, **kwargs)
>>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
>>>> 345, in run
>>>> versionopts, force)
>>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
>>>> 301, in seize_dns_role
>>>> master_owner = get_fsmo_roleowner(samdb, m.dn)
>>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
>>>> 42, in get_fsmo_roleowner
>>>> master_owner = res[0]["fSMORoleOwner"][0]
>>>>
>>
>> You do need the adminuser and password for the dns fsmo roles, but
>> after revisiting the python code, I don't think this is your problem.
>> When you try to show or transfer or seize a role, they all run this:
>>
>> res = samdb.search(roledn,
>> scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
>> assert len(res) == 1
>> master_owner = res[0]["fSMORoleOwner"][0]
>> return master_owner
>>
>> This is where it seems to be choking for you, but only on the DNS
>> fsmo roles, can you try running these commands on your DC (as root) ,
>> changing them to match your setup:
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>> "CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com" -s
>> base '(fSMORoleOwner=*)' fSMORoleOwner
>>
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>> "CN=Infrastructure,DC=ForestDnsZones,DC=samdom,DC=example,DC=com" -s
>> base '(fSMORoleOwner=*)' fSMORoleOwner
>>
>> You should get something like this back for each command:
>>
>> # record 1
>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>> fSMORoleOwner: CN=NTDS
>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
>> N=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>>
>> Rowland
>
> Thanks for sticking with me on this one, Rowland. Here are the
> commands, followed by their output, on the DC that should be the FSMO,
> run as root:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> "CN=Infrastructure,DC=DomainDnsZones,DC=mycompany,DC=lan" -s base
> '(fSMORoleOwner=*)' fSMORoleOwner
>
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=mycompany,DC=lan
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> "CN=Infrastructure,DC=ForestDnsZones,DC=mycompany,DC=lan" -s base
> '(fSMORoleOwner=*)' fSMORoleOwner
>
> # record 1
> dn: CN=Infrastructure,DC=ForestDnsZones,DC=mycompany,DC=lan
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> Matthew
>
>
OK, try again, but this time remove the <fSMORoleOwner> from the end of
the command; this will dump the entire AD object. I am sure you will
find that there is no 'fSMORoleOwner' attribute. This is your actual
problem: why do you not have this FSMO role?

You have, however, found a bug in the code: it should print an error
message if no role owner is found.

Rowland
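The exchange above boils down to two things an administrator would want to automate when auditing a domain after an upgrade: reading back the `ldbsearch` output for the DNS partition role holders, and reporting a missing `fSMORoleOwner` as a finding instead of the bare `KeyError` that the quoted `get_fsmo_roleowner()` code raises on `res[0]["fSMORoleOwner"][0]`. The following is an added example, not Samba's own code and not something either poster ran; it parses the LDIF-style text that `ldbsearch` prints (comment lines, blank-line record separators, leading-space continuation lines, `::` base64 values) and checks each expected role-holder DN. The sample output is constructed to mirror Matthew's result for DomainDnsZones (no owner) next to a healthy ForestDnsZones record; the DNs under `mycompany.lan` and the DC name `DC1` are assumed.

```python
"""Audit FSMO role owners from ldbsearch output (added example, not Samba code).

Usage on a DC, after collecting the records, for instance with
  ldbsearch -H /var/lib/samba/private/sam.ldb -b "<roledn>" -s base > roles.ldif
for each role DN and concatenating the files:
  python fsmo_audit.py roles.ldif
"""
import base64
import sys

# Constructed sample: the DomainDnsZones holder lacks fSMORoleOwner, the
# ForestDnsZones holder has one (DN wrapped onto an LDIF continuation line).
SAMPLE_OUTPUT = """\
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=mycompany,DC=lan

# returned 1 records
# 1 entries
# 0 referrals
# record 1
dn: CN=Infrastructure,DC=ForestDnsZones,DC=mycompany,DC=lan
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=mycompany,DC=lan

# returned 1 records
# 1 entries
# 0 referrals
"""

# Role-holder objects for the two DNS application partitions (assumed domain).
DNS_ROLE_DNS = [
    "CN=Infrastructure,DC=DomainDnsZones,DC=mycompany,DC=lan",
    "CN=Infrastructure,DC=ForestDnsZones,DC=mycompany,DC=lan",
]


def parse_ldif_records(text):
    """Parse ldbsearch/LDIF text into a list of {attribute: [values]} dicts.

    '#' lines are comments, a blank line terminates a record, a line that
    starts with one space continues the previous value, and 'attr:: xxx'
    carries a base64-encoded value.
    """
    records, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue  # not an attribute line; ignore rather than crash
        attr, value = attr.strip(), value.strip()
        if value.startswith(":"):  # base64 form: attr:: <data>
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        records.append(current)
    return records


def get_fsmo_roleowner(records, roledn):
    """Return the fSMORoleOwner DN for roledn, or None when the attribute is
    absent (the situation the quoted samba-tool code turns into a KeyError)."""
    matches = [r for r in records if r.get("dn", [""])[0].lower() == roledn.lower()]
    if len(matches) != 1:
        raise ValueError("expected exactly one record for %s, got %d"
                         % (roledn, len(matches)))
    owner = matches[0].get("fSMORoleOwner")
    return owner[0] if owner else None


def audit_fsmo_roles(text, roledns):
    """Map each role DN to its owner DN, or to None if no owner is recorded."""
    records = parse_ldif_records(text)
    return {dn: get_fsmo_roleowner(records, dn) for dn in roledns}


def missing_roles(audit):
    """Role DNs that have no owner; a non-empty list is the finding to act on."""
    return sorted(dn for dn, owner in audit.items() if owner is None)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    result = audit_fsmo_roles(text, DNS_ROLE_DNS)
    for dn, owner in result.items():
        print("%s -> %s" % (dn, owner or "NO fSMORoleOwner (role has no owner)"))
    sys.exit(1 if missing_roles(result) else 0)
```

Run without arguments it audits the constructed sample and exits non-zero because the DomainDnsZones holder has no owner; feed it the real `ldbsearch` dumps (with or without the trailing attribute list, since a full object dump parses the same way) to get the same report for a live domain.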