How to get DRS working in Samba4

Weiss, Benjamin Benjamin.Weiss at osbi.ok.gov
Fri Dec 4 12:36:15 MST 2009


I’ve been trying to get replication working on Samba4 for a couple of
weeks, with no success.  I’ve tried the latest rsync’s, and the Alpha9. 
I’m running on 64-bit Ubuntu 9.10 server, fully patched.

 

I’ve tried to replicate the procedure as set forth by Tridge here:
http://lists.samba.org/archive/samba-technical/2009-September/066753.html

 

My test network is 172.16.1.0, gateway 172.16.1.1, netmask
255.255.255.0.  In that post he has two virtual interfaces, which I
couldn’t work right, so I am using two physical interfaces.  Eth0 is
172.16.1.5, eth1 is 172.16.1.6.

 

I prefer to do everything from the command line, including making
changes to configuration files, when possible.  This lets me post what
I’ve done to either documentation or to help forums such as this. ;)  So
below I have all of the steps I’ve taken to attempt to make this work.

 

The first instance seems to come up just fine the first time, but when I
then try the vampire the first time from the second instance, I get:

libnet_BecomeDC() failed - NT code 0xc00020ee
Vampire of domain failed: NT code 0xc00020ee
return code = -1

 

Then I stop the first instance to see what’s going on.  If I start it
again, I start getting errors about:

dreplsrv_notify_schedule(5) scheduled for: Thu Dec  3 14:27:45 2009 CST
dns child failed to find name '2e4b0881-0548-4a23-a7de-fab3e24088ca._msdcs.local.osbi.ok.gov' of type A
dreplsrv_op_pull_source(WERR_BADFILE/NT_STATUS_NO_SUCH_DEVICE) failures[1]
Mapped to DCERPC endpoint 135

 

If I then try to do the vampire again from the second instance, I get:

Vampire of domain failed: Connection to SAMR pipe of PDC for
local.osbi.ok.gov failed: Connection to DC failed: NT_STATUS_IO_TIMEOUT
return code = -1

 

I’m not sure what you guys need me to post, or the appropriate way to
grab debugging logs, nor the appropriate way to post them here.  So,
below is my set of commands.  If other files would help, I’d be happy to
post them.  Hopefully somebody can help me!

 

sudo sh -c "echo 'HISTSIZE=10000' >> /etc/profile"
sudo apt-get update
sudo apt-get -y upgrade
sudo apt-get -y install ufw
sudo ufw allow ssh/tcp
sudo ufw enable
sudo ufw status numbered
sudo apt-get -y install attr autoconf gcc \
                python python-dev bind9 dnsutils \
                libattr1-dev libblkid-dev libgnutls-dev \
                libreadline5-dev dhcp3-server
sudo mv /etc/fstab /etc/fstab.000
sudo sh -c "sed -e 's/errors=remount-ro/user_xattr,errors=remount-ro/' \
                < /etc/fstab.000 > /etc/fstab"
sudo reboot

wget http://samba.org/samba/ftp/samba4/samba-4.0.0alpha9.tar.gz
tar -zxvf samba-4.0.0alpha9.tar.gz
cd samba-4.0.0alpha9/source4/
./autogen.sh
./configure.developer --prefix=$HOME/prefix.s4
make > $HOME/samba4-make.log 2>&1
make install
sudo ./setup/provision --realm=local.osbi.ok.gov \
                --domain=OSBI --host-name=sm-dc-fsc01 \
                --host-ip=172.16.1.5 --adminpass=HelloSamba \
                --server-role="domain controller"
sudo ufw allow 53
sudo ufw allow 88
sudo ufw allow 445/tcp
sudo ufw allow 1024/tcp
sudo ufw allow 1025/tcp
sudo ufw allow 1026/tcp
sudo ufw allow 3268/tcp
sudo ufw allow 389
sudo ufw allow 135/tcp
sudo ufw allow 137/udp
sudo ufw allow 138/udp
sudo ufw allow 139/tcp
sudo ufw allow 464
sudo ufw status numbered
sudo cp $HOME/prefix.s4/private/local.osbi.ok.gov.zone /etc/bind
sudo mv /etc/bind/named.conf.options /etc/bind/named.conf.options.000

sudo sh -c "sed -e '/listen-on-v6/ aforwarders { 192.168.1.5; };' \
                -e '/listen-on-v6/ aallow-recursion { 172.16.0.0/16; };' \
                -e '/listen-on-v6/ atkey-gssapi-credential \"DNS/local.osbi.ok.gov\";' \
                -e '/listen-on-v6/ atkey-domain \"LOCAL.OSBI.OK.GOV\";' \
                < /etc/bind/named.conf.options.000 > /etc/bind/named.conf.options"

sudo sh -c "echo 'export KRB5_KTNAME=\"/etc/krb5.keytab\"' >> /etc/default/bind9"
sudo cp $HOME/prefix.s4/private/dns.keytab /etc/krb5.keytab
sudo chgrp bind /etc/krb5.keytab
sudo chmod g+r /etc/krb5.keytab
sudo cp $HOME/prefix.s4/private/krb5.conf /etc/krb5.conf
sudo cp /etc/bind/named.conf.local /etc/bind.named.conf.local.000
sudo sh -c "echo 'zone \"local.osbi.ok.gov.\" IN {' >> /etc/bind/named.conf.local"
sudo sh -c "echo ' type master;' >> /etc/bind/named.conf.local"
sudo sh -c "echo ' file \"/etc/bind/local.osbi.ok.gov.zone\";' >> /etc/bind/named.conf.local"
sudo sh -c "echo ' update-policy {' >> /etc/bind/named.conf.local"
sudo sh -c "echo ' grant LOCAL.OSBI.OK.GOV ms-self * A AAAA;' >> /etc/bind/named.conf.local"
sudo sh -c "echo ' };' >> /etc/bind/named.conf.local"
sudo sh -c "echo '};' >> /etc/bind/named.conf.local"
sudo sh -c "echo '' >> /etc/bind/named.conf.local"
sudo mv /etc/apparmor.d/usr.sbin.named /etc/apparmor.d/usr.sbin.named.000
sudo sh -c "sed -e '/\/etc\/bind\/krb5.keytab kr,/ a /var/tmp/ rw,' \
                < /etc/apparmor.d/usr.sbin.named.000 >> /etc/apparmor.d/usr.sbin.named"
sudo aa-complain /etc/apparmor.d/usr.sbin.named
sudo service bind9 start
host -t SRV _ldap._tcp.local.osbi.ok.gov localhost
sudo mv $HOME/prefix.s4/etc/smb.conf $HOME/prefix.s4/etc/smb.conf.000
sudo sh -c "sed -e '/netlogon/ iinterfaces = 172.16.1.5' \
                -e '/netlogon/ ibind interfaces only = yes' \
                -e '/netlogon/ idreplsrv:periodic_interval = 10' \
                -e '/netlogon/ idreplsrv:periodic_startup_interval = 5' \
                < $HOME/prefix.s4/etc/smb.conf.000 > $HOME/prefix.s4/etc/smb.conf"
sudo sbin/samba -i -M single -d4 -s etc/smb.conf
sudo ufw disable
sudo sbin/samba -i -M single -d4 -s etc/smb.conf

mkdir $HOME/prefix.s4.2
cd $HOME/prefix.s4.2
mkdir -p private etc var var/lib var/run var/locks var/ncalrpc

sudo sh -c "sed -e 's/172.16.1.5/172.16.1.6/' \
                -e '/netlogon/ incalrpc dir = $HOME/prefix.s4.2/var/ncalrpc' \
                -e '/netlogon/ iprivate dir = $HOME/prefix.s4.2/private' \
                -e '/netlogon/ iswat directory = $HOME/prefix.s4.2/share/swat' \
                -e '/netlogon/ ilock dir = $HOME/prefix.s4.2/var/locks' \
                -e '/netlogon/ ipid directory = $HOME/prefix.s4.2/var/run' \
                -e '/netlogon/ iwinbindd socket directory = $HOME/prefix.s4.2/var/run/winbindd' \
                -e '/netlogon/ iwinbindd privileged socket directory = $HOME/prefix.s4.2/var/lib/winbindd_privileged' \
                -e '/netlogon/ intp signd socket directory = $HOME/prefix.s4.2/var/run/ntp_signd' \
                < $HOME/prefix.s4/etc/smb.conf > $HOME/prefix.s4.2/etc/smb.conf"
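The "dns child failed to find name '<guid>._msdcs...' of type A" error in the post is the DRS server looking up the GUID-based CNAME that every DC must have under _msdcs in the forest zone; if the joining DC's records never reached the zone (static copy in /etc/bind, dynamic update not working), the first DC cannot locate its replication partner. The following is an added example, not code from the post or from Samba, that audits a BIND zone file for the records one DC needs before replication can work: the host A record, the <DSA GUID>._msdcs CNAME and the _ldap/_kerberos SRV records. It assumes a constructed sample zone, a hypothetical second DC named sm-dc-fsc02 and a constructed GUID for the first DC; the second GUID is the one quoted in the error message.

```python
# Constructed sample zone (not the poster's): DC1 as provisioned plus a hypothetical DC2 that only has an A record.
ORIGIN = "local.osbi.ok.gov."
DC1_GUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed DSA GUID for DC1
DC2_GUID = "2e4b0881-0548-4a23-a7de-fab3e24088ca"  # GUID named in the error above
SAMPLE_ZONE = f"""\
@              IN SOA   sm-dc-fsc01 hostmaster 1 900 600 86400 3600
@              IN NS    sm-dc-fsc01
sm-dc-fsc01    IN A     172.16.1.5
sm-dc-fsc02    IN A     172.16.1.6
{DC1_GUID}._msdcs IN CNAME sm-dc-fsc01
_ldap._tcp     IN SRV   0 100 389 sm-dc-fsc01
_kerberos._tcp IN SRV   0 100 88  sm-dc-fsc01
"""

def parse_zone(text, origin):
    """Minimal zone parser (comments, relative names, optional class; origin passed in, no $ORIGIN/TTL). Returns (owner, type, rdata) tuples."""
    records, owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if not raw[0].isspace():          # a non-indented line names a new owner
            owner = fields.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
        if fields[0] == "IN":
            fields.pop(0)                 # optional class
        rtype, rdata = fields[0], [f.lower() for f in fields[1:]]
        if rtype in ("CNAME", "NS", "SRV") and not rdata[-1].endswith("."):
            rdata[-1] += "." + origin     # qualify a relative target name
        records.append((owner.lower(), rtype, rdata))
    return records

def audit_dc(records, origin, hostname, dsa_guid):
    """Return the replication-relevant records the zone lacks for one DC."""
    fqdn = f"{hostname}.{origin}".lower()
    wanted = [(fqdn, "A", None), (f"{dsa_guid}._msdcs.{origin}", "CNAME", fqdn)]
    wanted += [(f"{svc}.{origin}", "SRV", fqdn) for svc in ("_ldap._tcp", "_kerberos._tcp")]
    missing = []
    for owner, rtype, target in wanted:
        if not any(o == owner.lower() and t == rtype and (target is None or r[-1] == target)
                   for o, t, r in records):
            missing.append(f"{rtype} {owner}" + (f" -> {target}" if target else ""))
    return missing

RECORDS = parse_zone(SAMPLE_ZONE, ORIGIN)
```

Running audit_dc against the zone file copied into /etc/bind, with the GUID from the error and the joining DC's hostname, shows exactly which records the join never registered.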

 
