Issues Adding a new Samba 4 DC to existing Samba 4 AD

Aubrey Ekstrom aekstrom at proclivitysystems.com
Tue Nov 22 17:25:51 MST 2011 

Hi All,

First let me report back that we are still running Samba 4 as our primary
(i.e. 'only') ldap/AD authentication in our small (30-40 person, depending
on the month) tech start up company. It has been over a year since you all
helped me when I ran into trouble extending the Samba 4 schema to support
Apple OS X extensions. We have been authenticating all our Windows and
Apple computers against the Samba 4 AD, and it has been rock solid,
including GPO for Windows and Apple's equivalent functionality through
Workgroup Manager.

That being said, I have been singing it's praises to our new IT Director,
and while he prefers Windows to open source for such things as Active
Directory, he is well versed in Linux and open source and so is willing to
keep using Samba 4. In fact he wants to put not only all our developer
Linux workstations on Samba 4, but our production Linux servers as well. As
part of that effort he asked me to set up another Samba 4 DC in our
production environment and then join it to the existing domain.

_______________________________________________________________________________________________________________________________________________

So I downloaded the latest and greatest from GIT, installed all the
packages, configured it (./configure.developer) compiled it, tested it
(make quicktest) and installed it. Then following the online instructions (
http://wiki.samba.org/index.php/Samba4_joining_a_domain), joined it to our
existing domain. All looked good. When I tried to test the replication
however I started getting errors. Then I tested the local db and got more
errors. Then it wouldn't talk to the pre-existing DC any more, so I blew it
away and reinstalled (even rebooted both servers at one point, although I
doubted that would fix anything, but just in case).

Still won't talk directly to the existing DC. I get errors like this:

[root at newdc bin]# ./samba-tool domain join not-our.domain DC -Uadmin
--realm=NOT-OUR.DOMAIN
Finding a writeable DC for domain 'not-our.domain'
ERROR(exceptions.Exception): uncaught exception - Failed to find a
writeable DC for domain 'not-our.domain'
  File
"/usr/local/samba/lib/python2.4/site-packages/samba/netcmd/__init__.py",
line 167, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.4/site-packages/samba/netcmd/domain.py", line
121, in run
    domain_critical_only=domain_critical_only)
  File "/usr/local/samba/lib/python2.4/site-packages/samba/join.py", line
913, in join_DC
    ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain)
  File "/usr/local/samba/lib/python2.4/site-packages/samba/join.py", line
65, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/local/samba/lib/python2.4/site-packages/samba/join.py", line
200, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" %
domain)

Now the new DC is a over a year newer than the existing version of Samba 4
(I have been loath to touch the old one since it is our only DC and has
been rock solid), AND we want to standardize on CENT OS now, so the new DC
is also on CENT OS 5.6, while the existing Samba 4 is on Debian 5.x. I did
have a lot more trouble getting all the packages for CENT OS 5 than I
remember having for Debian. Some of them were only available in Yum as part
of larger packages that had different names, but once they were all there
it compiled, tested and installed without error.

*Existing Samba 4:*

Debian 5.x 64bit (don't remember subversion, used a 5.6 live CD, but then
upgraded... was still 5 though)

Samba Version 4.0.0alpha14-GIT-800a76d


*New Samba 4:*

CENT OS 5.6.1 32bit

Samba Version 4.0.0alpha18-GIT-UNKNOWN

It does see the other DC. I can ping both by name from each other, and
kinit from the new DC resolves the existing DC and authenticates. Before I
ran into trouble and blew it away, it said it joined and replicated...

[root at newdc bin]# kinit admin
Password for admin at NOT-OUR.DOMAIN:
[root at newdc bin]#


Not sure what to try next. Thanks in advance!


Cheers,*

Aubrey Ekstrom | *Systems Administrator
Proclivity Systems
22 West 19th St., Ninth Floor
New York, NY 10011
p 646.380.2416
aekstrom at proclivitysystems.com
www.proclivitysystems.com

*Proclivity® | We Value Your Customers™*


This message is the property of Proclivity Systems, Inc. and is intended
only for the use of the addressee(s), and may contain material that is
confidential and privileged for the sole use of the intended recipient.  If
you are not the intended recipient, reliance or forwarding without express
permission is strictly prohibited; please contact the sender and delete all
copies.

More information about the samba-technical mailing list