samba4 from BDC to PDC

Daniele Dario d.dario76 at gmail.com
Fri Dec 30 00:39:51 MST 2011


On Fri, 2011-12-30 at 08:46 +1100, Amitay Isaacs wrote:
> On Fri, Dec 30, 2011 at 12:09 AM, Daniele Dario <d.dario76 at gmail.com> wrote:
> > Hi Amitay,
> >
> > On Thu, 2011-12-29 at 23:22 +1100, Amitay Isaacs wrote:
> >> Hi Daniele,
> >>
> >> On Thu, Dec 29, 2011 at 10:18 PM, Daniele Dario <d.dario76 at gmail.com> wrote:
> >>
> >> > I finished preparing the VM and joined samba4 to the domain.
> >> > As in the past, after the domain join no dns.keytab will be present in
> >> > the private directory.
> >> >
> >> > As said by Gemes Geza, I exported the keytab using
> >> > [root at kdc01:/usr/local/samba/private]# samba-tool domain exportkeytab
> >> > dns.keytab
> >> > [root at kdc01:/usr/local/samba/private]# samba-tool user add dns-kdc02
> >> > --random-password
> >> > [root at kdc01:/usr/local/samba/private]# samba-tool spn add
> >> > DNS/kdc02.saitelitalia.local dns-kdc02
> >> >
> >> > At this point, if I start named
> >> > [root at kdc01:~]# named -u bind -d 10 -g -c /etc/bind/named.conf
> >> > it fails
> >> > ...
> >> > 29-Dec-2011 11:54:43.328 generating session key for dynamic DNS
> >> > 29-Dec-2011 11:54:43.328 sizing zone task pool based on 5 zones
> >> > 29-Dec-2011 11:54:43.329 decrement_reference: delete from rbt:
> >> > 0xb6d2d548 .
> >> > 29-Dec-2011 11:54:43.330 Loading 'AD DNS Zone' using driver dlopen
> >> > 29-Dec-2011 11:54:43.330 Loading SDLZ driver.
> >> > 29-Dec-2011 11:54:43.515 samba_dlz: Unable to get basedn
> >> > for /usr/local/samba/private/dns/sam.ldb - NULL Base DN invalid for a
> >> > base search
> >> > 29-Dec-2011 11:54:43.515 dlz_dlopen of 'AD DNS Zone' failed
> >> > 29-Dec-2011 11:54:43.515 SDLZ driver failed to load.
> >> > 29-Dec-2011 11:54:43.515 DLZ driver failed to load.
> >> > 29-Dec-2011 11:54:43.516 load_configuration: failure
> >> > 29-Dec-2011 11:54:43.516 loading configuration: failure
> >> > 29-Dec-2011 11:54:43.516 exiting (due to fatal error)
> >> > ...
> >> >
> >> > What am I missing?
> >> > If bind does not start I won't be able to see the AD DNS from windows (I
> >> > use XP to double-check what I'm doing) so I can't check if I can add the
> >> > reversed zone.
> >>
> >> It appears that dlz_bind9 is unable to access the DNS partitions. Maybe there
> >> is something wrong with the copy of samdb in private/dns directory.
> >> private/dns/sam.ldb should be a copy of private/sam.ldb. Can you confirm that?
> >> Does private/dns/sam.ldb.d have all files similar to private/sam.ldb.d?
> >>
> >> Amitay.
> >
> > No, it was not. I copied private/sam.ldb and private/sam.ldb.d/* into
> > private/dns/ and changed permissions and now bind started, thank you.
> >
> > If I try to nslookup on this DNS it fails and same happens with
> > [root at kdc02:~]# samba-tool dns query kdc02
> > saitelitalia.local .saitelitalia.local ALL -U administrator
> > Password for [SAITELITALIA\administrator]:
> > ERROR(runtime): uncaught exception - (9717,
> > 'WERR_DNS_ERROR_DS_UNAVAILABLE')
> >  File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 167, in _run
> >    return self.run(*args, **kwargs)
> >  File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line
> > 789, in run
> >    None)
> >
> > Looking in private/sam.ldb.d/ or private/dns/sam.ldb.d/ it seems that
> > the DC=DOMAINDNSZONES,DC=SAITELITALIA,DC=LOCAL.ldb and the
> > DC=FORESTDNSZONES,DC=SAITELITALIA,DC=LOCAL.ldb aren't present on the
> > second DC (the one where dns query fails).
> >
> > How do I replicate them?
> >
> > Daniele.
> >
> 
> That means when you joined the domain, samba-tool did not provision for DNS.
> What command did you use to join the domain?
> 
> If you join as a domain controller, it's supposed to provision for DNS
> (create the
> DNS partitions DomainDnsZones and ForestDnsZones) and create a partial
> copy of sam.
> 
> Unfortunately you cannot just copy the files (It's not an exact copy,
> but a partial one).
> That will create a separate copy of sam, which will not be the same as
> seen by samba
> and bind. Since bind requires modify access to only DomainDnsZones and
> ForestDnsZones
> partitions, those partitions are actually linked to the files in main
> sam.ldb.d. Similarly the
> main sam.ldb file is also linked. Configuration and Schema are copies.
> Domain partition
> is newly created and has only minimal amount of information about the domain.
> 
> I would prefer to fix the samba-tool domain join command, rather than
> having you copy
> the database manually.
> 
> Amitay.

Hi Amitay,
the command used to join the domain was:
[root at kdc02:~/samba4/samba-master]# samba-tool domain join SAITELITALIA
DC -U administrator --realm=saitelitalia.local

Looking in the domain help I can't see any option related to the DNS
provisioning:
[root at kdc02:~]# samba-tool domain join -h
Usage: samba-tool domain join <dnsdomain> [DC|RODC|MEMBER|SUBDOMAIN]
[options]

Joins domain as either member or backup domain controller


Options:
  -h, --help            show this help message and exit
  --server=SERVER       DC to join
  --site=SITE           site to join
  --targetdir=TARGETDIR
                        where to store provision
  --parent-domain=PARENT_DOMAIN
                        parent domain to create subdomain under
  --domain-critical-only
                        only replicate critical domain objects
  --machinepass=PASSWORD
                        choose machine password (otherwise random)

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Credentials Options:
    --simple-bind-dn=DN
                        DN to use for a simple bind
    --password=PASSWORD
                        Password
    -U USERNAME, --username=USERNAME
                        Username
    -W WORKGROUP, --workgroup=WORKGROUP
                        Workgroup
    -N, --no-pass       Don't ask for a password
    -k KERBEROS, --kerberos=KERBEROS
                        Use Kerberos
    --ipaddress=IPADDRESS
                        IP address of server

  Version Options:
    --version           Display version number

Are they hidden in --option=OPTION?

Daniele.
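One way to check a DC's private directory for exactly the layout Amitay describes above (the DomainDnsZones/ForestDnsZones partition files present in sam.ldb.d, and private/dns/sam.ldb plus its partitions linked to the main files rather than copied), as an added example that is not part of this thread. The partition file-name pattern is taken from the names quoted above, the private directory path is a parameter, and the check assumes the "linked" files are hard links on the same filesystem:

```shell
#!/bin/sh
# Diagnose the situation from this thread: a DC joined without DNS provisioning
# (no DC=DOMAINDNSZONES / DC=FORESTDNSZONES partition files), or a private/dns
# tree that was copied by hand instead of being linked to the main sam.ldb.d.
# Prints one line per finding and returns 0 only when everything looks right.

same_file() {
    # True when both paths exist and refer to the same inode (hard link).
    [ -e "$1" ] && [ -e "$2" ] && [ "$1" -ef "$2" ]
}

check_dns_partitions() {
    private="$1"      # e.g. /usr/local/samba/private (assumed, not read from smb.conf)
    rc=0
    for part in DOMAINDNSZONES FORESTDNSZONES; do
        # File names follow the DC=<PARTITION>,DC=<domain>,...ldb pattern quoted above.
        main=$(ls "$private"/sam.ldb.d/DC="$part",*.ldb 2>/dev/null | head -n 1)
        if [ -z "$main" ]; then
            echo "MISSING: no DC=$part partition in $private/sam.ldb.d (join did not provision DNS)"
            rc=1
            continue
        fi
        dnscopy="$private/dns/sam.ldb.d/$(basename "$main")"
        if ! same_file "$main" "$dnscopy"; then
            echo "NOT LINKED: $dnscopy is not a hard link to $main"
            rc=1
        fi
    done
    # The main sam.ldb under private/dns must be a link too, not a separate copy.
    if ! same_file "$private/sam.ldb" "$private/dns/sam.ldb"; then
        echo "NOT LINKED: $private/dns/sam.ldb is not a hard link to $private/sam.ldb"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: DNS partitions present and linked under $private"
    return "$rc"
}
```

Run it as `check_dns_partitions /usr/local/samba/private` on each DC; a non-zero exit on the second DC matches the symptoms reported in this thread (bind failing to load the DLZ driver, then WERR_DNS_ERROR_DS_UNAVAILABLE from samba-tool dns query).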
