[Samba] replPropertyMetaData & KCC issues after updating to Samba 4.5.0

lingpanda101 at gmail.com
Mon Sep 26 14:54:29 UTC 2016


On 9/23/2016 8:08 PM, garming at catalyst.net.nz wrote:
> On 2016-09-24 06:53, lingpanda101 at gmail.com wrote:
>> On 9/22/2016 6:31 PM, Garming Sam wrote:
>>> On 23/09/16 00:59, lingpanda101 at gmail.com wrote:
>>>> For clarification I'll add a few things.
>>>>
>>>> I initially deleted all the NTDS site links for each site and allowed
>>>> the new KCC to create them. However it did not create them I believe
>>>> correctly. By that I mean it defined what appeared to be a bridgehead
>>>> server at each site. So I disabled the new KCC
>>>> 'kccsrv:samba_kcc=false' in my smb.conf and allowed the full mesh to
>>>> be used again. After all site links were recreated. I then switched
>>>> the 'kccsrv:samba_kcc=true' in my smb.conf and that's what prompted
>>>> the following errors above.
>>>>
>>>> To further expand on my Topology, I have 3 sites. I'll call them A, B
>>>> and C. Each site contains 2 DCs. Sites use different subnets and are
>>>> connected via fiber. Sites B and C should not be replication
>>>> partners. They should only replicate with Site
>>>> A (Default-First-Site-Name). With the new KCC after deleting all the
>>>> NTDS links, Sites B and C Domain Controller #1 becomes the bridgehead
>>>> server for that site. Domain Controller #2 at sites B and C only
>>>> replicates with Domain Controller #1 at its respective site. So if
>>>> the bridgehead server goes down, Domain Controller #2 at sites B and C
>>>> will no longer receive changes.
>>>>
>>>> The new KCC does prevent sites B and C from replicating with each
>>>> other. That is correct. This isn't a huge issue for me. I can continue
>>>> using the old KCC for now. The full mesh isn't detrimental to my
>>>> network. Don't want to take up too much of your time. Thanks
>>>>
>>>>
>>> The KCC has been my pet project for the last little bit, so I am very
>>> interested in how it functions in general. But as far as I can tell, the
>>> KCC is doing what is expected of it. What should happen, and I say
>>> should, is that if the bridgehead server dies, the bridgehead server
>>> role will transfer to the other DC. There might be a brief period of
>>> time before the KCC re-runs where the sites are disconnected, but in
>>> general, the failovers should be relatively stable. With only a small
>>> number of sites (and DCs), this might be more trouble than it's worth,
>>> like you say. In either case, I appreciate your input.
>>>
>>>
>>> Thanks,
>>>
>>> Garming
>>
>> I went ahead and enabled the new KCC. I deleted all the automatically
>> generated NTDS links and let Samba create them. I did this through the
>> Microsoft Active Directory Sites and Services tool. I didn't see the
>> option to delete with 'samba-tool drs options --help'. I did run
>> 'samba-tool drs kcc' to force the check and not wait. I see all the
>> automatically generated site links are created as you say they should.
>>
>> I shut down one of the bridgehead servers in a site (killall samba). In
>> my case it's SOLDC1 in Site B. I ran 'samba-tool drs kcc' on all DCs
>> to see if a new KCC connection would be created on SOLDC2 in site B.
>> It never was. So I restarted SOLDC2 in site B and no connection was
>> ever created. This is all with SOLDC1 in site B still down. This tells
>> me SOLDC2 becomes an island without any way to replicate.
>>
>> One strange thing is 'samba-tool drs showrepl' begs to differ.
>>
>> root at soldc2:~# samba-tool drs showrepl
>> site-b\SOLDC2
>> DSA Options: 0x00000001
>> DSA object GUID: 25055641-49e7-4b3f-a7e3-9d206375306c
>> DSA invocationId: d11890e8-6b90-4e94-aca4-6d7a940f47b5
>>
>> ==== INBOUND NEIGHBORS ====
>>
>> CN=Configuration,DC=domain,DC=local
>>         site-b\SOLDC1 via RPC
>>                 DSA object GUID: 55e069f5-4f47-415b-8fa4-a398948235aa
>>                 Last attempt @ Fri Sep 23 14:40:18 2016 EDT was successful
>>                 0 consecutive failure(s).
>>                 Last success @ Fri Sep 23 14:40:18 2016 EDT
>>
>> DC=DomainDnsZones,DC=domain,DC=local
>>         site-b\SOLDC1 via RPC
>>                 DSA object GUID: 55e069f5-4f47-415b-8fa4-a398948235aa
>>                 Last attempt @ Fri Sep 23 14:42:24 2016 EDT was successful
>>                 0 consecutive failure(s).
>>                 Last success @ Fri Sep 23 14:42:24 2016 EDT
>>
>> DC=DomainDnsZones,DC=domain,DC=local
>>         Default-First-Site-Name\PFDC2 via RPC
>>                 DSA object GUID: e6284e90-f964-4643-b6a6-5baafdd7ba36
>>                 Last attempt @ Fri Sep 23 14:42:34 2016 EDT was successful
>>                 0 consecutive failure(s).
>>                 Last success @ Fri Sep 23 14:42:34 2016 EDT
>>
>> DC=DomainDnsZones,DC=domain,DC=local
>>         site-c\DUNDC1 via RPC
>>                 DSA object GUID: a216e718-488f-4821-8d9c-a399e6789222
>>                 Last attempt @ Fri Sep 23 14:42:32 2016 EDT was successful
>>                 0 consecutive failure(s).
>>                 Last success @ Fri Sep 23 14:42:32 2016 EDT
>>
>> DC=DomainDnsZones,DC=domain,DC=local
>>         site-c\DUNDC2 via RPC
>>                 DSA object GUID: 3c08db42-9416-40df-99ad-6d0c0ec554a6
>>                 Last attempt @ Fri Sep 23 14:41:00 2016 EDT was successful
>>                 0 consecutive failure(s).
>>                 Last success @ Fri Sep 23 14:41:00 2016 EDT
>>
>> DC=DomainDnsZones,DC=domain,DC=local
>>         Default-First-Site-Name\PFDC1 via RPC
>>                 DSA object GUID: acc2392f-9567-450f-bcb3-4fb1034b8753
>>                 Last attempt @ Fri Sep 23 14:40:58 2016 EDT was successful
>>                 0 consecutive failure(s).
>>                 Last success @ Fri Sep 23 14:40:58 2016 EDT
>>
>> CN=Schema,CN=Configuration,DC=domain,DC=local
>>         site-b\SOLDC1 via RPC
>>                 DSA object GUID: 55e069f5-4f47-415b-8fa4-a398948235aa
>>                 Last attempt @ Fri Sep 23 14:40:19 2016 EDT was successful
>>                 0 consecutive failure(s).
>>                 Last success @ Fri Sep 23 14:40:19 2016 EDT
>>
>> DC=domain,DC=local
>>         site-b\SOLDC1 via RPC
>>                 DSA object GUID: 55e069f5-4f47-415b-8fa4-a398948235aa
>>                 Last attempt @ Fri Sep 23 14:40:20 2016 EDT was successful
>>                 0 consecutive failure(s).
>>                 Last success @ Fri Sep 23 14:40:20 2016 EDT
>>
>> DC=ForestDnsZones,DC=domain,DC=local
>>         site-b\SOLDC1 via RPC
>>                 DSA object GUID: 55e069f5-4f47-415b-8fa4-a398948235aa
>>                 Last attempt @ Fri Sep 23 14:40:18 2016 EDT was successful
>>                 0 consecutive failure(s).
>>                 Last success @ Fri Sep 23 14:40:18 2016 EDT
>>
>> ==== OUTBOUND NEIGHBORS ====
>>
>> CN=Configuration,DC=domain,DC=local
>>         site-c\DUNDC2 via RPC
>>                 DSA object GUID: 3c08db42-9416-40df-99ad-6d0c0ec554a6
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> CN=Configuration,DC=domain,DC=local
>>         Default-First-Site-Name\PFDC1 via RPC
>>                 DSA object GUID: acc2392f-9567-450f-bcb3-4fb1034b8753
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> CN=Configuration,DC=domain,DC=local
>>         site-b\SOLDC1 via RPC
>>                 DSA object GUID: 55e069f5-4f47-415b-8fa4-a398948235aa
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> CN=Configuration,DC=domain,DC=local
>>         Default-First-Site-Name\PFDC2 via RPC
>>                 DSA object GUID: e6284e90-f964-4643-b6a6-5baafdd7ba36
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> CN=Configuration,DC=domain,DC=local
>>         site-c\DUNDC1 via RPC
>>                 DSA object GUID: a216e718-488f-4821-8d9c-a399e6789222
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=DomainDnsZones,DC=domain,DC=local
>>         site-c\DUNDC2 via RPC
>>                 DSA object GUID: 3c08db42-9416-40df-99ad-6d0c0ec554a6
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=DomainDnsZones,DC=domain,DC=local
>>         Default-First-Site-Name\PFDC1 via RPC
>>                 DSA object GUID: acc2392f-9567-450f-bcb3-4fb1034b8753
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=DomainDnsZones,DC=domain,DC=local
>>         Default-First-Site-Name\PFDC2 via RPC
>>                 DSA object GUID: e6284e90-f964-4643-b6a6-5baafdd7ba36
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=DomainDnsZones,DC=domain,DC=local
>>         site-b\SOLDC1 via RPC
>>                 DSA object GUID: 55e069f5-4f47-415b-8fa4-a398948235aa
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=DomainDnsZones,DC=domain,DC=local
>>         site-c\DUNDC1 via RPC
>>                 DSA object GUID: a216e718-488f-4821-8d9c-a399e6789222
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> CN=Schema,CN=Configuration,DC=domain,DC=local
>>         site-c\DUNDC2 via RPC
>>                 DSA object GUID: 3c08db42-9416-40df-99ad-6d0c0ec554a6
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> CN=Schema,CN=Configuration,DC=domain,DC=local
>>         Default-First-Site-Name\PFDC1 via RPC
>>                 DSA object GUID: acc2392f-9567-450f-bcb3-4fb1034b8753
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> CN=Schema,CN=Configuration,DC=domain,DC=local
>>         site-b\SOLDC1 via RPC
>>                 DSA object GUID: 55e069f5-4f47-415b-8fa4-a398948235aa
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> CN=Schema,CN=Configuration,DC=domain,DC=local
>>         Default-First-Site-Name\PFDC2 via RPC
>>                 DSA object GUID: e6284e90-f964-4643-b6a6-5baafdd7ba36
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> CN=Schema,CN=Configuration,DC=domain,DC=local
>>         site-c\DUNDC1 via RPC
>>                 DSA object GUID: a216e718-488f-4821-8d9c-a399e6789222
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=domain,DC=local
>>         Default-First-Site-Name\PFDC1 via RPC
>>                 DSA object GUID: acc2392f-9567-450f-bcb3-4fb1034b8753
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=domain,DC=local
>>         site-c\DUNDC2 via RPC
>>                 DSA object GUID: 3c08db42-9416-40df-99ad-6d0c0ec554a6
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=domain,DC=local
>>         site-b\SOLDC1 via RPC
>>                 DSA object GUID: 55e069f5-4f47-415b-8fa4-a398948235aa
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=domain,DC=local
>>         Default-First-Site-Name\PFDC2 via RPC
>>                 DSA object GUID: e6284e90-f964-4643-b6a6-5baafdd7ba36
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=domain,DC=local
>>         site-c\DUNDC1 via RPC
>>                 DSA object GUID: a216e718-488f-4821-8d9c-a399e6789222
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=ForestDnsZones,DC=domain,DC=local
>>         site-c\DUNDC2 via RPC
>>                 DSA object GUID: 3c08db42-9416-40df-99ad-6d0c0ec554a6
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=ForestDnsZones,DC=domain,DC=local
>>         Default-First-Site-Name\PFDC1 via RPC
>>                 DSA object GUID: acc2392f-9567-450f-bcb3-4fb1034b8753
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=ForestDnsZones,DC=domain,DC=local
>>         site-b\SOLDC1 via RPC
>>                 DSA object GUID: 55e069f5-4f47-415b-8fa4-a398948235aa
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=ForestDnsZones,DC=domain,DC=local
>>         Default-First-Site-Name\PFDC2 via RPC
>>                 DSA object GUID: e6284e90-f964-4643-b6a6-5baafdd7ba36
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> DC=ForestDnsZones,DC=domain,DC=local
>>         site-c\DUNDC1 via RPC
>>                 DSA object GUID: a216e718-488f-4821-8d9c-a399e6789222
>>                 Last attempt @ NTTIME(0) was successful
>>                 0 consecutive failure(s).
>>                 Last success @ NTTIME(0)
>>
>> ==== KCC CONNECTION OBJECTS ====
>>
>> Connection --
>>         Connection name: 7b7ddab7-4377-44f4-9831-8fe7feb55115
>>         Enabled        : TRUE
>>         Server DNS name : SOLDC1.domain.local
>>         Server DN name  : CN=NTDS Settings,CN=SOLDC1,CN=Servers,CN=site-b,CN=Sites,CN=Configuration,DC=domain,DC=local
>>
>>                 TransportType: RPC
>>                 options: 0x00000001
>> Warning: No NC replicated for Connection!
>>
>> I have what appears to still be a full mesh replication. Shouldn't the
>> outbound and inbound neighbors be reflective of the KCC connection
>> objects? I would expect to find only inbound and outbound connections
>> for SOLDC1. Maybe I'm completely misinterpreting the intended
>> behavior.
>
> There are likely at least some stale entries (repsFrom). The KCC builds 
> the inbound connections for each DC. Then as a separate step it 
> translates the connections to replication links. The outbound links 
> are mostly the other DCs' problem (likely an old repsFrom pulling from 
> SOLDC1). I've taken quite a few steps to rid the DCs of as many old 
> repsFrom entries as possible from within the KCC, but based on time 
> delays and use of the old KCC, this may not be enough in its current 
> state to be equivalent to a fresh domain.
>
> I've taken another look and it's plausible that the failover for 
> inbound connections won't occur for 2 hours thanks to the default of 
> the interSiteTopologyFailover variable on the site objects. I would be 
> interested as to the result if you set the variable (which I think is in 
> minutes) to something much lower.
>
> This area is definitely not simple, and has a lot of room to improve 
> (one bug I see here is 'Last attempt @ NTTIME(0) was successful', which 
> has an unmerged fix to get the right time, I believe). But it is a vast 
> improvement on the old code, especially at scale.
>
>
> Cheers,
>
> Garming

I should point out for reference how I was trying to query the 
interSiteTopologyFailover variable.

ldbsearch -H usr/local/samba/private/sam.ldb 
'(&(objectclass=person)(name=Guest))' name intersiteTopologyFailover
# record 1
dn: CN=Guest,CN=Users,DC=domain,DC=local
name: Guest

# Referral
ref: ldap://domain.local/CN=Configuration,DC=domain,DC=local

# Referral
ref: ldap://domain.local/DC=DomainDnsZones,DC=domain,DC=local

# Referral
ref: ldap://domain.local/DC=ForestDnsZones,DC=domain,DC=local

# returned 4 records
# 1 entries
# 3 referrals


Is this correct?

-- 
-James
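An added check for the inbound/outbound-neighbors-versus-connection-objects question raised earlier in the thread (example code written for this page, not code from the thread or from Samba): it parses `samba-tool drs showrepl` output in the layout quoted above and lists inbound neighbors that no KCC connection object backs, which, as Garming describes, are the likely leftover repsFrom entries from the old full-mesh topology. The sample text is constructed and abbreviated from the quoted SOLDC2 output.

```python
# Cross-check 'samba-tool drs showrepl': the KCC translates its connection
# objects into inbound replication links (repsFrom), so an inbound neighbor
# with no matching connection object is most likely a stale entry.
import re

# Constructed sample, abbreviated from the SOLDC2 output quoted in the thread
SAMPLE = """\
site-b\\SOLDC2
==== INBOUND NEIGHBORS ====
CN=Configuration,DC=domain,DC=local
        site-b\\SOLDC1 via RPC
DC=DomainDnsZones,DC=domain,DC=local
        Default-First-Site-Name\\PFDC2 via RPC
==== OUTBOUND NEIGHBORS ====
DC=domain,DC=local
        site-c\\DUNDC1 via RPC
==== KCC CONNECTION OBJECTS ====
Connection --
        Server DNS name : SOLDC1.domain.local
"""

NEIGHBOR = re.compile(r"^\s+(\S+)\\(\S+) via (\S+)$")   # "site\DC via RPC"
SERVER = re.compile(r"^\s+Server DNS name\s*:\s*(\S+)$")

def parse_showrepl(text):
    """Return (inbound, outbound, connections); neighbors are (nc, site, dc)."""
    section = nc = None
    inbound, outbound, connections = [], [], set()
    for line in text.splitlines():
        if line.startswith("===="):
            section = line.strip("= ")
        elif section == "KCC CONNECTION OBJECTS":
            m = SERVER.match(line)
            if m:  # keep the short host name of the connection's server
                connections.add(m.group(1).split(".")[0].upper())
        elif line and not line[0].isspace():
            nc = line.strip()  # naming context heading
        else:
            m = NEIGHBOR.match(line)
            if m and section:
                (inbound if section.startswith("INBOUND") else outbound).append(
                    (nc, m.group(1), m.group(2)))
    return inbound, outbound, connections

def stale_inbound(text):
    """Inbound neighbors whose source DC has no connection object on this DSA."""
    inbound, _, connections = parse_showrepl(text)
    return sorted({(nc, site + "\\" + dc) for nc, site, dc in inbound
                   if dc.upper() not in connections})

print(stale_inbound(SAMPLE))  # flags PFDC2 for DomainDnsZones, not SOLDC1
```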