Reporting success this past year + new Issues Adding a new Samba 4 DC to existing Samba 4 AD

Aubrey Ekstrom aekstrom at proclivitysystems.com
Thu Dec 1 14:22:09 MST 2011


Sending again in case it got missed yesterday at the end of the month ;)

What I really need to know is how do I find the _msdcs #s below (from the
existing PDC) for the new DC so I can test if setting up DNS on the new box
fixes my replication issues?

> Hi Ted and everyone,
>
> Thanks again Ted for your help and suggestions.
>
> Hosts file is fine on new DC. DNS resolves both DCs fine. Same error still:
>
> newdc0:/usr/local/samba/sbin# ./samba-tool drs showrepl
> ERROR(runtime): DRS connection to newdc0.not.our.domain failed -
> (-1073741772, 'NT_STATUS_OBJECT_NAME_NOT_FOUND')
>
> I did not set up the Bind/DNS server on the new DC since that was not
> indicated in the join domain instructions, and the necessary files get
> generated from running the provisioning. It occurs to me though that for
> the kerberos stuff, that is probably needed, at least on the existing PDC
> DNS server if not on both. When I look at the DNS files for the current PDC
> though, there are 2 entries that look like GUIDs (the exact same format and
> number of characters), but are not the actual GUID of the server (the
> actual GUID of both servers I was able to locate in the Windows GUI):
>
> #1: b36cf7ca-5d1f-4720-9cc1-3034b87312c4._msdcs    IN CNAME
> #2: _ldap._tcp.a3d53761-ad10-49af-9c68-9f08ebf3fb88.domains._msdcs    IN SRV 0 100 389
>
> Does anyone know how I can find those equivalent entries (or
> generate/populate them) for the new DC? Based on the above error I am
> thinking that it may just be the kerberos and other services are not
> resolving to the new server correctly. If that is the case then it should
> be fixable by me if I can get those GUID like strings for the new server,
> whereas an ldap db corruption from replicating OS X schema, probably not
> fixable by me (if that is the problem).
>
> As always, any ideas or suggestions are most welcome and appreciated.
> Thanks!
>
> Cheers,
>
> Aubrey Ekstrom | Systems Administrator
> Proclivity Systems
> 22 West 19th St., Ninth Floor
> New York, NY 10011
> p 646.380.2416
> aekstrom at proclivitysystems.com
> www.proclivitysystems.com
>
> Proclivity® | We Value Your Customers™
>
>
> This message is the property of Proclivity Systems, Inc. and is intended
> only for the use of the addressee(s), and may contain material that is
> confidential and privileged for the sole use of the intended recipient.  If
> you are not the intended recipient, reliance or forwarding without express
> permission is strictly prohibited; please contact the sender and delete all
> copies.
>
> On Tue, Nov 29, 2011 at 2:43 PM, Ted Salmon <tass2001 at hotmail.com> wrote:
>
>> Aubrey,
>>
>> First thing to check, in /etc/hosts is newdc0.not.our.domain mapped to
>> your local IP? If not, please add it and re-run `samba-tool drs showrepl`.
>> Another thing you'll want to check is if it's propagated to DNS. On the PDC
>> run dig @localhost axfr not.our.domain and see if the new DC is listed
>> there, it's not likely to be. I had this issue with my second DC but I have
>> been unable to figure out what's preventing it from being propagated and so
>> far the easiest solution is to hardcode it into DNS.
>>
>> ------------------------------
>> From: aekstrom at proclivitysystems.com
>> Date: Tue, 29 Nov 2011 11:47:38 -0500
>> Subject: Re: Reporting success this past year + new Issues Adding a new
>> Samba 4 DC to existing Samba 4 AD
>> To: tass2001 at hotmail.com
>> CC: samba-technical at lists.samba.org
>>
>> Hi Ted & everyone,
>>
>> I built a new server using Debian 6.x (instead of CENT OS) and compiled
>> 4.0.0alpha17 (instead of Alpha 18), set up DNS and kerberos and tested
>> kerberos:
>>
>> admin at newdc0:/usr/local/samba/bin# kinit administrator
>> Password for administrator at not.our.domain:
>> admin at newdc0:/usr/local/samba/bin#
>>
>> So far so good. Then I joined it to the existing domain:
>>
>> sbin# ./samba-tool domain join not.our.domain DC -Uadministrator
>> --realm=not.our.domain
>> Finding a writeable DC for domain 'not.our.domain'
>> Found DC originalpdc0.not.our.domain
>> Password for [WORKGROUP\administrator]:
>> workgroup is not.our
>> realm is not.our.domain
>> checking samaccountname
>> Adding CN=NDC0,OU=Domain Controllers,DC=not.our,DC=domain
>> Adding CN=NDC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=not.our,DC=domain
>> Adding CN=NTDS Settings,CN=NDC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=not.our,DC=domain
>> Adding CN=NDC0,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=not.our,DC=domain
>> Adding SPNs to CN=NDC0,OU=Domain Controllers,DC=not.our,DC=domain
>> Setting account password for NDC0$
>> Enabling account
>> Calling bare provision
>> No IPv6 address will be assigned
>> Provision OK for domain DN DC=not.our,DC=domain
>> Starting replication
>> Schema-DN[CN=Schema,CN=Configuration,DC=not.our,DC=domain] objects[402/1596] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=not.our,DC=domain] objects[402/1596] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=not.our,DC=domain] objects[402/1596] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=not.our,DC=domain] objects[390/1596] linked_values[0/0]
>> Analyze and apply schema objects
>> Partition[CN=Configuration,DC=not.our,DC=domain] objects[402/1618] linked_values[0/0]
>> Partition[CN=Configuration,DC=not.our,DC=domain] objects[804/1618] linked_values[0/0]
>> Partition[CN=Configuration,DC=not.our,DC=domain] objects[1206/1618] linked_values[0/0]
>> Partition[CN=Configuration,DC=not.our,DC=domain] objects[1608/1618] linked_values[0/0]
>> Partition[CN=Configuration,DC=not.our,DC=domain] objects[1618/1618] linked_values[30/0]
>> Partition[DC=not.our,DC=domain] objects[338/338] linked_values[39/0]
>> Committing SAM database
>> Setting isSynchronized and dsServiceName
>> Setting up secrets database
>> Joined domain not.our (SID S-1-5-21-4146741504-651221647-XXXXXXXXXX) as a DC
>>
>> Again, so far so good (this also looked good up to this point with Alpha
>> 18 on CENT OS). Then I start Samba and go to test the replication:
>>
>> root at newdc0:/usr/local/samba/sbin# ./samba
>> root at newdc0:/usr/local/samba/sbin# ps -A | grep samba
>> 31646 ?        00:00:00 samba
>> 31647 ?        00:00:00 samba
>> 31648 ?        00:00:00 samba
>> 31649 ?        00:00:00 samba
>> 31650 ?        00:00:00 samba
>> 31651 ?        00:00:02 samba
>> 31652 ?        00:00:00 samba
>> 31653 ?        00:00:00 samba
>> 31654 ?        00:00:00 samba
>> 31655 ?        00:00:00 samba
>> 31656 ?        00:00:00 samba
>> 31657 ?        00:00:00 samba
>> 31658 ?        00:00:00 samba
>> root at newdc0:/usr/local/samba/sbin# ./samba-tool drs showrepl
>> ERROR(runtime): DRS connection to newdc0.not.our.domain failed -
>> (-1073741772, 'NT_STATUS_OBJECT_NAME_NOT_FOUND')
>>
>>
>> And in the Windows GUI "Sites and Services" snap in, while I see the new
>> server (and the Alpha 18 server that I can't delete), it shows it as
>> unavailable (see attached screen shot) and I can't connect to it.
>>
>> Looks like the same issue. The new DC becomes corrupted somehow. I am
>> wondering if the schema extensions I did for the Apple schema last year on
>> the existing Alpha 14 PDC are corrupting the ldap db on the new server
>> when they replicate. Is it possible that even though the new schema worked
>> and I can manage our OS X workstations using Apple's Workgroup Manager GUI
>> on the existing Samba 4 PDC, that the replication process was not written
>> with schema changes on that scale taken into consideration? I know the
>> Samba 4 dev team's priority is to make the Windows A/D users happy, but I
>> can assure you all that from my many years of experience, Windows admins
>> everywhere will be extremely happy if they can easily extend the Samba 4
>> schema to support OS X and manage any Apples on their networks with Samba
>> 4, AND be able to replicate those schema changes to both other Samba 4 DCs
>> as well as Windows DCs.
>>
>> Any other ideas, suggestions or thoughts are VERY welcome :). Thanks
>> again for your help, and in advance for any further help.
>>
>> Cheers,
>>
>> Aubrey Ekstrom | Systems Administrator
>>
>> On Mon, Nov 28, 2011 at 2:50 PM, Ted Salmon <tass2001 at hotmail.com> wrote:
>>
>> Aubrey,
>>
>> Interesting. I joined a VM to my Samba 4 AD (both running the same
>> version of Samba 4 - Alpha 17). The join went well as seen below:
>>
>> realm is domain.network.local
>> checking samaccountname
>> Adding CN=NETW2-DEV,OU=Domain Controllers,DC=domain,DC=network,DC=local
>> Adding CN=NETW2-DEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=network,DC=local
>> Adding CN=NTDS Settings,CN=NETW2-DEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=network,DC=local
>> Adding CN=NETW2-DEV,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=network,DC=local
>> Adding SPNs to CN=NETW2-DEV,OU=Domain Controllers,DC=domain,DC=network,DC=local
>> Setting account password for NETW2-DEV$
>> Enabling account
>> Calling bare provision
>> No IPv6 address will be assigned
>> Provision OK for domain DN DC=domain,DC=network,DC=local
>> Starting replication
>> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=network,DC=local] objects[402/1550] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=network,DC=local] objects[402/1550] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=network,DC=local] objects[402/1550] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=network,DC=local] objects[344/1550] linked_values[0/0]
>> Analyze and apply schema objects
>> Partition[CN=Configuration,DC=domain,DC=network,DC=local] objects[402/1613] linked_values[0/0]
>> Partition[CN=Configuration,DC=domain,DC=network,DC=local] objects[804/1613] linked_values[0/0]
>> Partition[CN=Configuration,DC=domain,DC=network,DC=local] objects[1206/1613] linked_values[0/0]
>> Partition[CN=Configuration,DC=domain,DC=network,DC=local] objects[1608/1613] linked_values[0/0]
>> Partition[CN=Configuration,DC=domain,DC=network,DC=local] objects[1613/1613] linked_values[20/0]
>> Partition[DC=domain,DC=network,DC=local] objects[287/287] linked_values[47/0]
>> Committing SAM database
>> Setting isSynchronized and dsServiceName
>> Setting up secrets database
>> Joined domain NETWORK (SID ) as a DC
>>
>> However I don't think you can demote/remove a DC from the AD once it has
>> been joined as I am unable to do so in the AD snap-in or via any of the
>> Samba-tool menus. I think your issue is the new DC and I would actually
>> recommend pulling down Alpha 17 and building that as sometimes the latest
>> GITs can be broken (at least in my experience). Btw, when you joined your
>> new DC, did you receive the same output as I did? Additionally, I recommend
>> renaming your new DC so that it can be joined to the AD like new once you
>> reinstall Samba4. If all else fails I would upgrade your Alpha 14 box
>> (upgradeprovision works nicely). I'm afraid past this I'm out of ideas :/.
>> Good luck!
>>
>>
>> ------------------------------
>> From: aekstrom at proclivitysystems.com
>> Date: Mon, 28 Nov 2011 14:07:33 -0500
>> Subject: Re: Reporting success this past year + new Issues Adding a new
>> Samba 4 DC to existing Samba 4 AD
>> To: tass2001 at hotmail.com
>> CC: samba-technical at lists.samba.org
>>
>> Hi Ted,
>>
>> I didn't blow it away yet... but getting ready to soon.
>>
>> samba-tool dbcheck does not exist in Alpha 14. Gives me a long list of
>> options when I try to run that, but dbcheck is not one of them.
>>
>> samba-tool drs showrepl on the new DC (Alpha 18) returns the following
>> error:
>>
>> ERROR(runtime): DRS connection to npdc0. failed - (-1073741801, 'Memory allocation error')
>>
>> Tried using ldbedit -e nano -H /usr/local/samba/private/sam.ldb after
>> backing it up. The entire domain vanished from the A/D Sites and Services
>> GUI snap in, even though I am sure I only removed references to the new
>> server. Restored the backed up file. Had to reboot to get the domain back,
>> but it's there again, including the new DC (which also probably has a bad
>> SID since I blew away the install that joined the domain on the 1st try).
>>
>> Anyways, based on the above error for samba-tool drs showrepl, I am
>> guessing that the new DC is the one it can't write to. Wondering if that
>> may be because of the old SID associated with that server name when it
>> joined previously, or if it just is corrupted.
>>
>> I will wait to see if there are other suggestions before I blow it away
>> again and start from scratch.
>>
>> Cheers,
>>
>> Aubrey Ekstrom | Systems Administrator
>>
>> On Mon, Nov 28, 2011 at 12:20 PM, Ted Salmon <tass2001 at hotmail.com> wrote:
>>
>> Aubrey,
>>
>> I'm not sure if Samba Alpha 14 had this option as I think it's fairly
>> new, but I would try to run 'samba-tool dbcheck' on the PDC. In addition,
>> from your new DC, can you run `samba-tool drs showrepl` if you haven't
>> blown it out of the water yet? As a last resort you can easily remove the
>> entry for the new DC from the AD by using ldbedit -e nano -H
>> /usr/var/lib/samba/private/sam.ldb (note this file may be in another
>> location) then removing the entry. You should probably cp sam.ldb elsewhere
>> prior to making any edits.
>>
>> -Ted
>>
>> ------------------------------
>> From: aekstrom at proclivitysystems.com
>> Date: Mon, 28 Nov 2011 12:04:21 -0500
>> Subject: Re: Reporting success this past year + new Issues Adding a new
>> Samba 4 DC to existing Samba 4 AD
>> To: tass2001 at hotmail.com
>> CC: samba-technical at lists.samba.org
>>
>> Hi Ted,
>>
>> I re-enabled the generic Administrator account and tried using that. Same
>> error.
>>
>> Also, as I said in my original post, the new server was able to join the
>> 1st time, and gave me errors only when I checked the replication and tried
>> to replicate again. After I blew it away and reinstalled it gave me the
>> error I put in the post right away, instead of after the fact. Since I can
>> see the new server name in the Windows GUI, I wonder if that is causing me
>> problems, but the GUI won't let me delete it.
>>
>> Does anyone know the proper syntax to delete a DC with the command line
>> tools? I see "ldbdel" in the Samba bin directory, but that server shows up
>> in the currently active production A/D, so I don't want to play around and
>> mess that up. Thanks!
>>
>> In the mean time I will try to reinstall with the build i downloaded from
>> Git today and see if I have better luck.
>>
>> Cheers,
>>
>> Aubrey Ekstrom | Systems Administrator
>>
>> On Mon, Nov 28, 2011 at 11:20 AM, Ted Salmon <tass2001 at hotmail.com> wrote:
>>
>> I've got a couple basic questions that may or may not help.
>> First, Are you sure the 'admin' user has the ability to write to the
>> 'Domain Controller' OU?
>> Have you tried using the generic "Administrator" user for this join?
>> I'm guessing you don't have issues writing regular objects to the DC,
>> correct?
>>
>> Thanks!
>>
>> > From: aekstrom at proclivitysystems.com
>> > Date: Mon, 28 Nov 2011 10:42:08 -0500
>> > Subject: Reporting success this past year + new Issues Adding a new Samba 4 DC to existing Samba 4 AD
>> > To: samba-technical at lists.samba.org
>> >
>> > Hi All,
>> >
>> > > First let me report back that we are still running Samba 4 as our primary (i.e. 'only') ldap/AD authentication in our small (30-40 person, depending on the month) tech start-up company. It has been over a year since you all helped me when I ran into trouble extending the Samba 4 schema to support Apple OS X extensions. We have been authenticating all our Windows and Apple computers against the Samba 4 AD, and it has been rock solid, including GPO for Windows and Apple's equivalent functionality through Workgroup Manager.
>> > >
>> > > That being said, I have been singing its praises to our new IT Director, and while he prefers Windows to open source for such things as Active Directory, he is well versed in Linux and open source and so is willing to keep using Samba 4. In fact he wants to put not only all our developer Linux workstations on Samba 4, but our production Linux servers as well. As part of that effort he asked me to set up another Samba 4 DC in our production environment and then join it to the existing domain.
>> > >
>> > > So I downloaded the latest and greatest from GIT, installed all the packages, configured it (./configure.developer), compiled it, tested it (make quicktest) and installed it. Then following the online instructions (http://wiki.samba.org/index.php/Samba4_joining_a_domain), joined it to our existing domain. All looked good. When I tried to test the replication however I started getting errors. Then I tested the local db and got more errors. Then it wouldn't talk to the pre-existing DC any more, so I blew it away and reinstalled (even rebooted both servers at one point, although I doubted that would fix anything, but just in case).
>> > >
>> > > Still won't talk directly to the existing DC. I get errors like this:
>> > >
>> > > [root at newdc bin]# ./samba-tool domain join not-our.domain DC -Uadmin --realm=NOT-OUR.DOMAIN
>> > > Finding a writeable DC for domain 'not-our.domain'
>> > > ERROR(exceptions.Exception): uncaught exception - Failed to find a writeable DC for domain 'not-our.domain'
>> > > File "/usr/local/samba/lib/python2.4/site-packages/samba/netcmd/__init__.py", line 167, in _run
>> > > return self.run(*args, **kwargs)
>> > > File "/usr/local/samba/lib/python2.4/site-packages/samba/netcmd/domain.py", line 121, in run
>> > > domain_critical_only=domain_critical_only)
>> > > File "/usr/local/samba/lib/python2.4/site-packages/samba/join.py", line 913, in join_DC
>> > > ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain)
>> > > File "/usr/local/samba/lib/python2.4/site-packages/samba/join.py", line 65, in __init__
>> > > ctx.server = ctx.find_dc(domain)
>> > > File "/usr/local/samba/lib/python2.4/site-packages/samba/join.py", line 200, in find_dc
>> > > raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
>> > >
>> > > Now the new DC is over a year newer than the existing version of Samba 4 (I have been loath to touch the old one since it is our only DC and has been rock solid), AND we want to standardize on CENT OS now, so the new DC is also on CENT OS 5.6, while the existing Samba 4 is on Debian 5.x. I did have a lot more trouble getting all the packages for CENT OS 5 than I remember having for Debian. Some of them were only available in Yum as part of larger packages that had different names, but once they were all there it compiled, tested and installed without error.
>> > >
>> > > Existing Samba 4:
>> > >
>> > > Debian 5.x 64bit (don't remember subversion, used a 5.6 live CD, but then upgraded... was still 5 though)
>> > >
>> > > Samba Version 4.0.0alpha14-GIT-800a76d
>> > >
>> > > New Samba 4:
>> > >
>> > > CENT OS 5.6.1 32bit
>> > >
>> > > Samba Version 4.0.0alpha18-GIT-UNKNOWN
>> > >
>> > > It does see the other DC. I can ping both by name from each other, and kinit from the new DC resolves the existing DC and authenticates. Before I ran into trouble and blew it away, it said it joined and replicated...
>> > >
>> > > [root at newdc bin]# kinit admin
>> > > Password for admin at NOT-OUR.DOMAIN:
>> > > [root at newdc bin]#
>> > >
>> > > Not sure what to try next. Thanks in advance!
>> > >
>> > > Cheers,
>> > >
>> > > Aubrey Ekstrom | Systems Administrator
>

