status of DRS efforts in Samba4 (and a developer tutorial)

tridge at samba.org
Fri Sep 18 12:01:33 MDT 2009


Hi Chris,

 > I'm having some problems testing this out - I can vampire successfully
 > from the second server, and ldbsearches are successful against each
 > sam.ldb, but the two daemons fail to replicate (see
 > attached for logs).  I'm doing this on Ubuntu 9.04.

Nice to see that some people are trying this!

 > I was just curious to know how many others have tried this, whether
 > you were successful getting the replication working, and whether
 > anyone has experienced the errors like in the attached logs and can
 > provide advice on debugging or troubleshooting?

The logs show me that there are two problems:

1) you need to edit your DNS zone file to add the 2nd computer. The
   clue is this line in the log:

 > dns child failed to find name '67ed30f3-4375-4fbb-b38c-4e51eabab098._msdcs.four.zoran.cgb' of type A
You will have something like this in a file called four.zoran.cgb.zone:

  xxx                                           IN A      10.0.0.1
  gc._msdcs                                     IN CNAME  xxx
  4c9599b3-f661-4015-afc0-076e087d873d._msdcs   IN CNAME  xxx

where 'xxx' is the name of the first DC, and that GUID will be
different. You need to add two lines like this:

  yyy                                           IN A      192.168.242.NNN
  67ed30f3-4375-4fbb-b38c-4e51eabab098._msdcs   IN CNAME  yyy

where 'yyy' is the 2nd DC, and NNN is the final part of its IP.

Then you need to either restart bind, or run "rndc reload" and "rndc
flush".

Eventually we will automate that part, but for now you need to do it
manually. Sorry about that!

2) the 2nd problem is a bug that I introduced in the last couple of
days. I'm hoping to fix it today, but if I haven't fixed it by the
time you try this again then you need to remove the chunks of code in
rpc_server/drsuapi/*.c that look like this:

	/* refuse the DRS call unless the session token is at domain-controller level */
	if (security_session_user_level(dce_call->conn->auth_state.session_info) <
	    SECURITY_DOMAIN_CONTROLLER) {
		DEBUG(0,("DsReplicaSync refused for security token\n"));
		return WERR_DS_DRA_ACCESS_DENIED;
	}

I added this to lock down the DRS services (i.e. to not allow any
anonymous user to do DRS synchronisation), and it works fine when you
are vampiring from windows, but from s4<->s4 it currently fails as we
are not populating the user security token with the
SID_NT_ENTERPRISE_DCS SID correctly. Andrew and I are looking into why
at the moment.

Otherwise wait for a few hours for Andrew and me to work out why we're
not getting the token right.

Cheers, Tridge
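A small check for the zone-file step above, added here as an example; it is not part of Tridge's mail or of Samba. Given a zone fragment in the layout quoted in the mail, it reports every <GUID>._msdcs CNAME whose target has no A record (the gap behind the "dns child failed to find name" error) and, assuming every A record in the fragment belongs to a DC, every DC that no <GUID>._msdcs CNAME points at. Host names and addresses in the sample are placeholders.

```python
"""Check a BIND zone fragment for the <GUID>._msdcs CNAMEs Samba4 DRS needs."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the mail's layout: the GUIDs are the ones quoted in
# the mail, host names and address are placeholders.  'yyy' has no A record,
# which is the gap behind the "dns child failed to find name" error.
SAMPLE_ZONE = """\
xxx        IN A    10.0.0.1
gc._msdcs        IN CNAME    xxx
4c9599b3-f661-4015-afc0-076e087d873d._msdcs    IN CNAME    xxx
67ed30f3-4375-4fbb-b38c-4e51eabab098._msdcs    IN CNAME    yyy
"""
GUID_MSDCS = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\._msdcs$", re.I)


def parse_zone(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (A records: owner -> address, CNAMEs: owner -> target)."""
    a_records: Dict[str, str] = {}
    cnames: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()    # drop comments, tokenise
        if "IN" not in fields:                   # blank, $TTL, SOA continuation
            continue
        cls = fields.index("IN")
        if cls == 0 or len(fields) <= cls + 2:   # no owner, or no type/rdata
            continue
        owner, rtype, rdata = fields[0], fields[cls + 1].upper(), fields[cls + 2]
        if rtype == "A":
            a_records[owner] = rdata
        elif rtype == "CNAME":
            cnames[owner] = rdata
    return a_records, cnames


def check_msdcs(text: str) -> List[str]:
    """List DRS-relevant gaps: dangling GUID CNAMEs, DCs without a GUID CNAME."""
    a_records, cnames = parse_zone(text)
    problems: List[str] = []
    targeted = set()
    for owner, target in cnames.items():
        if not GUID_MSDCS.match(owner):          # gc._msdcs etc. are not DSA GUIDs
            continue
        targeted.add(target)
        if target not in a_records:
            problems.append(f"{owner} -> {target}: no A record for {target}")
    for host in a_records:                       # assumes every A record is a DC
        if host not in targeted:
            problems.append(f"{host}: no <GUID>._msdcs CNAME points at it")
    return sorted(problems)
```

Names are compared as written, so a CNAME target given as a fully qualified name will not match a relative A record owner; keep both in the same form as in the mail.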

