samba4 from BDC to PDC

Amitay Isaacs amitay at gmail.com
Thu Dec 29 14:46:13 MST 2011


On Fri, Dec 30, 2011 at 12:09 AM, Daniele Dario <d.dario76 at gmail.com> wrote:
> Hi Amitay,
>
> On Thu, 2011-12-29 at 23:22 +1100, Amitay Isaacs wrote:
>> Hi Daniele,
>>
>> On Thu, Dec 29, 2011 at 10:18 PM, Daniele Dario <d.dario76 at gmail.com> wrote:
>>
>> > I finished preparing the VM and joined samba4 to the domain.
>> > As in the past, after the domain join no dns.keytab is present in
>> > the private directory.
>> >
>> > As said by Gemes Geza, I exported the keytab using
>> > [root at kdc01:/usr/local/samba/private]# samba-tool domain exportkeytab dns.keytab
>> > [root at kdc01:/usr/local/samba/private]# samba-tool user add dns-kdc02 --random-password
>> > [root at kdc01:/usr/local/samba/private]# samba-tool spn add DNS/kdc02.saitelitalia.local dns-kdc02
>> >
>> > At this point, if I start named
>> > [root at kdc01:~]# named -u bind -d 10 -g -c /etc/bind/named.conf
>> > it fails
>> > ...
>> > 29-Dec-2011 11:54:43.328 generating session key for dynamic DNS
>> > 29-Dec-2011 11:54:43.328 sizing zone task pool based on 5 zones
>> > 29-Dec-2011 11:54:43.329 decrement_reference: delete from rbt:
>> > 0xb6d2d548 .
>> > 29-Dec-2011 11:54:43.330 Loading 'AD DNS Zone' using driver dlopen
>> > 29-Dec-2011 11:54:43.330 Loading SDLZ driver.
>> > 29-Dec-2011 11:54:43.515 samba_dlz: Unable to get basedn
>> > for /usr/local/samba/private/dns/sam.ldb - NULL Base DN invalid for a
>> > base search
>> > 29-Dec-2011 11:54:43.515 dlz_dlopen of 'AD DNS Zone' failed
>> > 29-Dec-2011 11:54:43.515 SDLZ driver failed to load.
>> > 29-Dec-2011 11:54:43.515 DLZ driver failed to load.
>> > 29-Dec-2011 11:54:43.516 load_configuration: failure
>> > 29-Dec-2011 11:54:43.516 loading configuration: failure
>> > 29-Dec-2011 11:54:43.516 exiting (due to fatal error)
>> > ...
>> >
>> > What am I missing?
>> > If bind does not start I won't be able to see the AD DNS from windows (I
>> > use XP to double-check what I'm doing) so I can't check if I can add the
>> > reverse zone.
>>
>> It appears that dlz_bind9 is unable to access the DNS partitions. Maybe there
>> is something wrong with the copy of samdb in the private/dns directory.
>> private/dns/sam.ldb should be a copy of private/sam.ldb. Can you confirm that?
>> Does private/dns/sam.ldb.d have all the files that private/sam.ldb.d has?
>>
>> Amitay.
>
> No, it was not. I copied private/sam.ldb and private/sam.ldb.d/* into
> private/dns/ and changed permissions and now bind started, thank you.
>
> If I try an nslookup against this DNS it fails, and the same happens with
> [root at kdc02:~]# samba-tool dns query kdc02 saitelitalia.local .saitelitalia.local ALL -U administrator
> Password for [SAITELITALIA\administrator]:
> ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 789, in run
>     None)
>
> Looking in private/sam.ldb.d/ or private/dns/sam.ldb.d/ it seems that
> the DC=DOMAINDNSZONES,DC=SAITELITALIA,DC=LOCAL.ldb and the
> DC=FORESTDNSZONES,DC=SAITELITALIA,DC=LOCAL.ldb aren't present on the
> second DC (the one where dns query fails).
>
> How do I replicate them?
>
> Daniele.
>

That means that when you joined the domain, samba-tool did not provision for DNS.
What command did you use to join the domain?

If you join as a domain controller, it's supposed to provision for DNS (create the
DNS partitions DomainDnsZones and ForestDnsZones) and create a partial copy of sam.

Unfortunately you cannot just copy the files (it's not an exact copy, but a partial
one). That will create a separate copy of sam, which will not be the same as the one
seen by samba and bind. Since bind requires modify access only to the DomainDnsZones
and ForestDnsZones partitions, those partitions are actually linked to the files in
the main sam.ldb.d. Similarly, the main sam.ldb file is also linked. Configuration and
Schema are copies. The Domain partition is newly created and has only a minimal
amount of information about the domain.

I would prefer to fix the samba-tool domain join command, rather than having you
copy the database manually.

Amitay.
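The layout described in the reply above (sam.ldb and the two DNS partitions hard-linked between private/ and private/dns/, Configuration and Schema copied, the domain partition created fresh) can be checked mechanically, which is the quickest way to tell a properly provisioned DNS copy from a hand-made `cp` of the database. The script below is an added example, not Samba's own code and not something posted in the thread. It assumes the partition file names follow the pattern quoted in the thread (`DC=DOMAINDNSZONES,<DN>.ldb` under `sam.ldb.d`) and that "linked" means a hard link to the same inode, which is what the shell's `-ef` test checks. `make_fixture` builds constructed directory trees with placeholder contents (no real ldb data) so the checker can be exercised without a Samba install.

```shell
#!/bin/bash
# Added example, not Samba code. It checks the private/dns layout the reply
# above describes:
#   hard-linked to private/ : sam.ldb, DC=DOMAINDNSZONES,<DN>.ldb, DC=FORESTDNSZONES,<DN>.ldb
#   plain copies            : CN=CONFIGURATION,<DN>.ldb, CN=SCHEMA,CN=CONFIGURATION,<DN>.ldb
#   created fresh (minimal) : <DN>.ldb (the domain partition)
# Assumptions: file names follow the sam.ldb.d pattern quoted in the thread,
# and "linked" means the same inode (what `-ef` tests). Compare against your
# own private/sam.ldb.d listing before trusting the result.

# check_dns_copy PRIVATE_DIR DOMAIN_DN
#   e.g. check_dns_copy /usr/local/samba/private DC=SAITELITALIA,DC=LOCAL
# Prints every problem found and returns 0 only when the layout is consistent.
check_dns_copy() {
    local priv=$1 dn=$2 rc=0 f
    local main="$priv/sam.ldb.d" dns="$priv/dns/sam.ldb.d"

    if [ ! -d "$dns" ]; then
        echo "MISSING  $dns (the join did not provision DNS)"
        return 1
    fi

    # 1. sam.ldb and the two DNS partitions must be the same file in both
    #    trees; a cp'd copy is a second database that samba never updates.
    if [ ! -e "$priv/sam.ldb" ] || [ ! -e "$priv/dns/sam.ldb" ]; then
        echo "MISSING  sam.ldb in $priv or $priv/dns"; rc=1
    elif ! [ "$priv/sam.ldb" -ef "$priv/dns/sam.ldb" ]; then
        echo "COPY     $priv/dns/sam.ldb is not linked to $priv/sam.ldb"; rc=1
    fi
    for f in "DC=DOMAINDNSZONES,$dn.ldb" "DC=FORESTDNSZONES,$dn.ldb"; do
        if [ ! -e "$main/$f" ]; then
            echo "MISSING  $main/$f (DNS partition never created; rejoin as a DC)"; rc=1
        elif [ ! -e "$dns/$f" ]; then
            echo "MISSING  $dns/$f"; rc=1
        elif ! [ "$main/$f" -ef "$dns/$f" ]; then
            echo "COPY     $dns/$f is a separate file; bind and samba would diverge"; rc=1
        fi
    done

    # 2. Configuration, Schema and the (minimal) domain partition only need
    #    to be present in the dns tree; they are copies, not links.
    for f in "CN=CONFIGURATION,$dn.ldb" "CN=SCHEMA,CN=CONFIGURATION,$dn.ldb" "$dn.ldb"; do
        if [ ! -e "$dns/$f" ]; then
            echo "MISSING  $dns/$f"; rc=1
        fi
    done
    return "$rc"
}

# make_fixture DIR DOMAIN_DN MODE -- constructed test trees, no real ldb data.
#   linked : what a DC join that provisioned DNS is described as producing
#   copied : the manual cp of sam.ldb and sam.ldb.d/* from the thread
#   nodns  : a join that never created the DNS partitions
make_fixture() {
    local dir=$1 dn=$2 mode=$3 f
    local main="$dir/sam.ldb.d" dns="$dir/dns/sam.ldb.d"
    mkdir -p "$main" "$dns"
    echo "sam" >"$dir/sam.ldb"
    for f in "CN=CONFIGURATION,$dn.ldb" "CN=SCHEMA,CN=CONFIGURATION,$dn.ldb" "$dn.ldb"; do
        echo "$f" >"$main/$f"
        cp "$main/$f" "$dns/$f"
    done
    if [ "$mode" = nodns ]; then
        return 0
    fi
    for f in "DC=DOMAINDNSZONES,$dn.ldb" "DC=FORESTDNSZONES,$dn.ldb"; do
        echo "$f" >"$main/$f"
    done
    if [ "$mode" = linked ]; then
        ln "$dir/sam.ldb" "$dir/dns/sam.ldb"
        for f in "DC=DOMAINDNSZONES,$dn.ldb" "DC=FORESTDNSZONES,$dn.ldb"; do
            ln "$main/$f" "$dns/$f"
        done
    else
        cp "$dir/sam.ldb" "$dir/dns/sam.ldb"
        for f in "DC=DOMAINDNSZONES,$dn.ldb" "DC=FORESTDNSZONES,$dn.ldb"; do
            cp "$main/$f" "$dns/$f"
        done
    fi
}

# Usage: ./check_dns_copy.sh /usr/local/samba/private DC=SAITELITALIA,DC=LOCAL
if [ -n "$1" ] && [ -n "$2" ]; then
    check_dns_copy "$1" "$2"
fi
```

Run it against the private directory of the DC whose bind fails to start; a `COPY` line means the database under private/dns is the detached copy the reply warns about, and a `MISSING` line for a DomainDnsZones or ForestDnsZones file in the main sam.ldb.d means the join itself never created the DNS partitions, which no amount of copying will fix.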