[Samba] Samba Migration and AD integration
Andrew Bartlett
abartlet at samba.org
Tue Feb 6 08:21:54 UTC 2018
On Tue, 2018-02-06 at 03:05 +0000, Praveen Ghimire via samba wrote:
> Hi,
>
> We migrated from Samba 3 to 4 (4.6.7-Ubuntu) and added and promoted a
> Server 2008R2 as a Domain Controller. We've come across the following
> issues and request some suggestions to resolve them
>
>
> - The migration didn't generate DNS entries for the new
> realm. We had to manually create a new zone file (/var/cache/bind)
> for the new realm. Only then we were able to promote the Server2008
> R2 as the DC. Is this an expected outcome post migration?
I think you have not understood how AD DNS works. It won't create a
zone file, it will create entries in the replicated DB that you can see
over LDAP. By default the internal DNS server is used, but a DLZ
plugin for bind9 can also be used.
Run samba_dnsupgrade --backend=BIND9_DLZ and follow the instructions if
you wish to use bind, rather than create a zone file.
> - Similarly, the dhcpd.conf file exhibited the same outcome
> as above.
Samba doesn't control dhcpd, but instructions for that are on the wiki.
> - When we added a new machine to the domain, it didn't
> update the DNS record in the Samba box. The machine joins to the
> domain but there is no DNS record for it.
If Samba's DNS isn't used then dynamic updates won't work.
> - We added the DNS role in the Server2008 R2 DC, what we
> found that any record created in Bind9 gets replicated to the Windows
> server but no vice-versa.
While I wouldn't exactly expect this if you were not using Samba for
DNS on the Samba server, I think that is at the heart of your trouble.
> The AD user bit seems to sync ok between the servers.
>
> The samba-tool dbcheck --cross-ncs gives the following
>
>
> samba-tool dbcheck --cross-ncs
> Checking 3835 objects
> ERROR(<type 'exceptions.ValueError'>): uncaught exception - unable to
> parse dn string
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py",
> line 157, in run
> controls=controls, attrs=attrs)
> File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line
> 198, in check_database
> error_count += self.check_object(object.dn, attrs=attrs)
> File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line
> 1839, in check_object
> expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
>
>
> smb.conf
>
> [global]
> netbios name = TEST
> realm = TESTDC
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = TESTDC
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
The fact that your realm has no dots in it and is the same as the
workgroup isn't a good start. This may be a redaction, but I smell
trouble here.
> [netlogon]
> path = /var/lib/samba/sysvol/testdc/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
I hope the above helps,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
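The configuration problems the reply above points at (a realm with no dots, a realm identical to the workgroup, and an explicit `server services` list that leaves out the internal `dns` service, so that dynamic updates from members have nowhere to go unless BIND9_DLZ is set up) can be checked offline before a migration. The following is an added example, not code from the thread or from the Samba project; it embeds the `[global]` section quoted above as constructed sample input (with the wrapped `server services` value rejoined on one line) and assumes the minimal `key = value` smb.conf syntax shown there, with no `include` or `%`-macro handling.

```python
"""Offline linter for the [global] section of an AD DC smb.conf.

Added example (not from the mailing-list thread): flags a dotless realm,
a realm equal to the workgroup, and an explicit 'server services' list
that drops the internal 'dns' service.
"""

import re

# Constructed sample, copied from the configuration quoted in the thread
# (the wrapped 'server services' value rejoined on one line).
SAMPLE_SMB_CONF = """\
[global]
netbios name = TEST
realm = TESTDC
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = TESTDC
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/testdc/scripts
read only = No
"""

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def parse_smb_conf(text):
    """Parse smb.conf-style text into {section: {key: value}}.

    Keys are lower-cased; whitespace around '=' is ignored; lines starting
    with '#' or ';' are comments. Deliberately minimal: no 'include'
    handling and no %-macro expansion (assumption for this example).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name").lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def lint_dc_config(text):
    """Return a list of human-readable findings for an AD DC smb.conf."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    realm = g.get("realm", "")
    workgroup = g.get("workgroup", "")
    # An AD realm is a DNS domain name; a dotless one cannot hold the
    # _msdcs/_ldap SRV records a DC promotion looks for.
    if realm and "." not in realm:
        findings.append("realm %r has no dots; an AD realm is a DNS domain name" % realm)
    if realm and workgroup and realm.lower() == workgroup.lower():
        findings.append("realm and workgroup are identical (%r)" % realm)

    # Samba's internal DNS server runs only when 'dns' is in the
    # 'server services' list; an explicit list that omits it disables it.
    if "server services" in g:
        services = [s.strip().lower() for s in g["server services"].split(",")]
        if "dns" not in services:
            findings.append(
                "'server services' is set explicitly and omits 'dns': the "
                "internal DNS server is disabled, so dynamic DNS updates from "
                "domain members need the BIND9_DLZ backend instead"
            )
    return findings


if __name__ == "__main__":
    for finding in lint_dc_config(SAMPLE_SMB_CONF):
        print("WARNING:", finding)
```

Run against the quoted configuration it reports all three findings; against a `[global]` with `realm = AD.EXAMPLE.COM` and `workgroup = AD` and no explicit `server services` it reports none.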