samba4 multimaster DC setup - show stoppers

Thorsten Trautwein-Veit thorsten.trautwein-veit at schulergroup.com
Fri Nov 14 11:10:48 GMT 2008


Dear all,
I am trying to set up samba4 as a multimaster DC. I am working with git,
v4-0-test db2acaf46fdc38078b6b28b68909e289f6c9e0ec (pulled today).
I followed the instructions on :
http://wiki.samba.org/index.php/Samba4/LDAP_Backend/OpenLDAP
http://www.archivum.info/samba-technical@lists.samba.org/2008-09/msg00283.html
and http://wiki.samba.org/index.php/Samba4/LDAP_Backend/Fedora_DS

Two problems I encountered:
on both machines
./setup/provision --realm=wzbgprn1.schuler.de --domain=wzbgp
--server-role='domain controller' --ldap-backend=ldapi
--ldap-backend-type=openldap --password=bluemoon --username=samba-admin

gave the following error:
--------------------------------------------------------------------
# ./setup/provision --realm=wzbgprn1.schuler.de --domain=wzbgp
--server-role='domain controller' --ldap-backend=ldapi
--ldap-backend-type=openldap --password=bluemoon --username=samba-admin
Setting up secrets.ldb
Setting up the registry
Setting up templates db
Setting up idmap db
schema_fsmo_init: no schema dn present: (skip schema loading)
naming_fsmo_init: no partitions dn present: (skip loading of naming
contexts details)
pdc_fsmo_init: no domain dn present: (skip loading of domain details)
schema_fsmo_init: no schema dn present: (skip schema loading)
naming_fsmo_init: no partitions dn present: (skip loading of naming
contexts details)
pdc_fsmo_init: no domain dn present: (skip loading of domain details)
Setting up sam.ldb attributes
Setting up sam.ldb rootDSE
Erasing data from partitions
schema_fsmo_init: no schema head present: (skip schema loading)
naming_fsmo_init: no partitions dn present: (skip loading of naming
contexts details)
pdc_fsmo_init: no domain object present: (skip loading of domain details)
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=wzbgprn1,DC=schuler,DC=de (permitted to fail)
Modifying DomainDN: DC=wzbgprn1,DC=schuler,DC=de
Traceback (most recent call last):
  File "./setup/provision", line 158, in ?
    ldap_backend_type=opts.ldap_backend_type)
  File "bin/python/samba/provision.py", line 1025, in provision
    ldap_backend_type=ldap_backend_type)
  File "bin/python/samba/provision.py", line 781, in setup_samdb
    setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
  File "bin/python/samba/provision.py", line 175, in setup_modify_ldif
    ldb.modify_ldif(data)
  File "bin/python/samba/__init__.py", line 196, in modify_ldif
    self.modify(msg)
_ldb.LdbError: (21, 'LDAP error 21 LDAP_INVALID_ATTRIBUTE_SYNTAX - 
<wellKnownObjects: value #0 invalid per syntax> <>')
zsh: exit 1     ./setup/provision --realm=wzbgprn1.schuler.de --domain=wzbgp
--------------------------------------------------------------------
The backend provision worked and seems to be OK.
I had a look into that _ldb.LdbError but did not find a point to bring
it to success. I think it has something to do with
provision_basedn_modify.ldif but I cannot find any solution. Any help
would be nice.

The second thing is weird ...
On one machine the initial start of samba hangs. Here is a stack trace
from gdb:
--------------------------------------------------------------------
(tgdb) info stack
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7c8a0fd in select () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7b9be50 in gcry_random_bytes () from /usr/lib/libgcrypt.so.11
#3  0xb7b766f9 in gcry_random_add_bytes () from /usr/lib/libgcrypt.so.11
#4  0xb7b76af2 in gcry_random_add_bytes () from /usr/lib/libgcrypt.so.11
#5  0xb7b7730e in gcry_create_nonce () from /usr/lib/libgcrypt.so.11
#6  0xb7ba263c in gcry_mpi_randomize () from /usr/lib/libgcrypt.so.11
#7  0xb7b7469c in gcry_prime_release_factors () from
/usr/lib/libgcrypt.so.11
#8  0xb7b75716 in gcry_prime_release_factors () from
/usr/lib/libgcrypt.so.11
#9  0xb7b91bd9 in gcry_random_bytes () from /usr/lib/libgcrypt.so.11
#10 0xb7b6fcf6 in gcry_pk_genkey () from /usr/lib/libgcrypt.so.11
#11 0xb7d56403 in _gnutls_rsa_generate_params (resarr=0x8bf37b0,
resarr_len=0xbfee9bc8, bits=1024) at gnutls_rsa_export.c:77
#12 0xb7d70543 in gnutls_x509_privkey_generate (key=0x8bf37b0,
algo=GNUTLS_PK_RSA, bits=0, flags=0) at privkey.c:1368
#13 0x08692f0c in tls_cert_generate (mem_ctx=0x8bd8d28,
keyfile=0x8bd8c08 "/usr/local/samba-4/private/tls/key.pem",
certfile=0x8bd8c68 "/usr/local/samba-4/private/tls/cert.pem",
cafile=0x8bd8cc8 "/usr/local/samba-4/private/tls/ca.pem") at
lib/tls/tlscert.c:74
#14 0x08691ec9 in tls_initialise (mem_ctx=0x8bd7bc8, lp_ctx=0x8b823e8)
at lib/tls/tls.c:379
#15 0x08458acb in ldapsrv_task_init (task=0x8bcccc8) at
ldap_server/ldap_server.c:536
#16 0x085b3362 in task_server_callback (event_ctx=0x8b930e0,
lp_ctx=0x8b823e8, server_id={id = 1, id2 = 4, node = 0},
private=0x8bd82c8) at smbd/service_task.c:80
#17 0x08989dda in single_new_task (ev=0x8b930e0, lp_ctx=0x8b823e8,
service_name=0x8a58537 "ldap", new_task=0x85b323c
<task_server_callback>, private=0x8bd82c
8) at smbd/process_single.c:93
#18 0x085b33f1 in task_server_startup (event_ctx=0x8b930e0,
lp_ctx=0x8b823e8, service_name=0x8a58537 "ldap", model_ops=0x8b90460,
task_init=0x84589e3 <ldapsrv_task_init>) at smbd/service_task.c:100
#19 0x085b1485 in server_service_init (name=0x8b83c68 "ldap",
event_context=0x8b930e0, lp_ctx=0x8b823e8, model_ops=0x8b90460) at
smbd/service.c:63
#20 0x085b15f4 in server_service_startup (event_ctx=0x8b930e0,
lp_ctx=0x8b823e8, model=0x8b838f0 "single", server_services=0x8b83ce8)
at smbd/service.c:95
#21 0x080dd8b4 in binary_smbd_main (binary_name=0x89b4fc7 "smbd",
argc=6, argv=0xbfeeb1d4) at smbd/server.c:352
#22 0x080dd996 in main (argc=0, argv=0x40000) at smbd/server.c:372
--------------------------------------------------------------------
The first machine, where samba starts OK, is a domU in Xen with Linux
version 2.6.21-xen (root at sctgc2) (gcc version 4.1.1 (Gentoo 4.1.1)) #6
SMP Sat Jun 21 17:24:52 DFT 2008.

The second machine, where the problem occurs, is: Linux version
2.6.24-etchnhalf.1-686 (Debian 2.6.24-6~etchnhalf.6) (dannf at debian.org)
(gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Mon
Oct 13 07:27:05 UTC 2008.

All libraries are identical.

I believe it is a problem gathering entropy in libgnutls13. I installed:
--------------------------------------------------------------------
root at wzbgprn1 /usr/src/samba-master/source4
 # dpkg -l | grep tls
ii  gnutls-bin             1.4.4-3+etch1                            the
GNU TLS library - commandline utilities
ii  libcurl3-gnutls        7.15.5-1etch1                           
Multi-protocol file transfer library
ii  libgnutls-dev          1.4.4-3+etch1                            the
GNU TLS library - development files
ii  libgnutls11            1.0.16-13.2sarge2                        GNU
TLS library - runtime library
ii  libgnutls13            1.4.4-3+etch1                            the
GNU TLS library - runtime library
--------------------------------------------------------------------
on both machines.

Is there a way to get around this issue? Or may I create the certs by
hand?

I am trying to test samba4 in our corporate network. What worked so far
without any problems:
- samba4 as DC http://wiki.samba.org/index.php/Samba4/HOWTO
- joining a second samba4 DC with net join bdc

Thanks a lot for having a look at these topics.

-- 
Freundliche Grüße / Best regards

Thorsten Trautwein-Veit
Dipl.-Ing. (FH)

Schuler Cartec GmbH & Co. KG
EDV
Bahnhofstraße 41
73033 Göppingen
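Pre-creating the TLS material by hand, as the post asks about, is one way to keep samba from calling tls_cert_generate() at start-up on an entropy-starved host, and checking the kernel's entropy estimate first confirms whether that is the real cause. This added script is not from the original post or from Samba; it assumes Samba 4 skips key generation when key.pem, cert.pem and ca.pem already exist in private/tls (the paths seen in the backtrace) and uses openssl in place of the in-process gnutls generation.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): check the kernel
# entropy pool, then pre-create the TLS files Samba 4 would otherwise
# generate on first start, so tls_cert_generate() is never reached.
# Assumption: Samba leaves existing key.pem/cert.pem/ca.pem alone.
set -e

# Kernel entropy estimate; prints 0 when /proc is not available.
entropy_avail() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0
}

# Create ca.pem, key.pem and cert.pem for host $2 in directory $1.
# openssl stands in for the gnutls key generation seen in the backtrace;
# 2048-bit keys are used instead of the 1024 bits Samba requested there.
gen_samba_tls() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # Private CA. Samba only needs ca.pem; the CA key stays with the admin.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" \
        -subj "/CN=Samba4 lab CA" 2>/dev/null
    # Server key and request for the DC's FQDN.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/req.pem" \
        -subj "/CN=$host" 2>/dev/null
    # Sign with the CA; a SAN lets LDAPS clients match the host name.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -days 825 -in "$dir/req.pem" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/cert.pem" 2>/dev/null
    rm -f "$dir/req.pem" "$dir/san.cnf"
    # Private keys must not be world-readable.
    chmod 600 "$dir/key.pem" "$dir/ca-key.pem"
    # Fail loudly if the chain does not verify.
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null
}

if [ "${1:-}" = "run" ]; then
    # Usage: sh gen_tls.sh run [tlsdir] [fqdn]
    echo "entropy_avail: $(entropy_avail)"
    gen_samba_tls "${2:-/usr/local/samba-4/private/tls}" "${3:-$(hostname -f)}"
fi
```

Run it as root before the first samba start; an entropy_avail value near zero on the hanging machine supports the libgcrypt explanation.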