Reporting success this past year + new Issues Adding a new Samba 4 DC to existing Samba 4 AD

Aubrey Ekstrom aekstrom at proclivitysystems.com
Wed Nov 30 10:50:46 MST 2011


Hi Ted and everyone,

Thanks again Ted for your help and suggestions.

Hosts file is fine on new DC. DNS resolves both DCs fine. Same error still:

newdc0:/usr/local/samba/sbin# ./samba-tool drs showrepl
ERROR(runtime): DRS connection to newdc0.not.our.domain failed -
(-1073741772, 'NT_STATUS_OBJECT_NAME_NOT_FOUND')

I did not set up the Bind/DNS server on the new DC since that was not
indicated in the join domain instructions, and the necessary files get
generated from running the provisioning. It occurs to me though that for
the kerberos stuff, that is probably needed, at least on the existing PDC
DNS server if not on both. When I look at the DNS files for the current PDC
though, there are 2 entries that look like GUIDs (the exact same format and
number of characters), but are not the actual GUID of the server (the
actual GUID of both servers I was able to locate in the Windows GUI):

#1: b36cf7ca-5d1f-4720-9cc1-3034b87312c4._msdcs    IN CNAME
#2: _ldap._tcp.a3d53761-ad10-49af-9c68-9f08ebf3fb88.domains._msdcs    IN SRV 0 100 389

Does anyone know how I can find those equivalent entries (or
generate/populate them) for the new DC? Based on the above error I am
thinking that it may just be the kerberos and other services are not
resolving to the new server correctly. If that is the case then it should
be fixable by me if I can get those GUID like strings for the new server,
whereas an ldap db corruption from replicating OS X schema, probably not
fixable by me (if that is the problem).

As always, any ideas or suggestions are most welcome and appreciated. Thanks!

Cheers,

Aubrey Ekstrom | Systems Administrator
Proclivity Systems
22 West 19th St., Ninth Floor
New York, NY 10011
p 646.380.2416
aekstrom at proclivitysystems.com
www.proclivitysystems.com

Proclivity® | We Value Your Customers™


This message is the property of Proclivity Systems, Inc. and is intended
only for the use of the addressee(s), and may contain material that is
confidential and privileged for the sole use of the intended recipient.  If
you are not the intended recipient, reliance or forwarding without express
permission is strictly prohibited; please contact the sender and delete all
copies.
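The two GUID-keyed entries quoted above play different roles, and that decides what the new DC needs. The first, `<guid>._msdcs.<domain> CNAME <dc fqdn>`, is keyed by the objectGUID of the DC's own `CN=NTDS Settings` object, so every DC has its own and replication partners resolve it to reach each other. The second, `_ldap._tcp.<guid>.domains._msdcs.<domain>`, is keyed by the objectGUID of the domain itself, so that GUID is identical for every DC and only the SRV target differs. Both values can be read from sam.ldb with the ldb tools shipped with Samba, e.g. `ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b 'CN=NTDS Settings,CN=NDC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=not.our,DC=domain' objectGUID` (that DN is the one the join output printed) and the same query with `-b 'DC=not.our,DC=domain'` for the domain GUID. What follows is an added example, not code from this thread or from Samba: given those two GUIDs and the DC's name it builds the full set of records a writable DC registers, diffs them against a `dig @localhost axfr` dump of the kind Ted suggested checking, and renders the missing ones as BIND zone lines. The hostnames, the IP address and the new DC's GUID are constructed stand-ins; the AXFR text is a constructed sample that reuses the two GUIDs from the message above.

```python
"""Records a writable AD DC registers in DNS, diffed against a `dig axfr` dump.

Added example for this thread, not Samba's own code.  Hostnames, the IP and
NEWDC_DSA_GUID are constructed; DOMAIN_GUID and the PDC's CNAME GUID are the two
values quoted from the PDC's zone in the message above.
"""
from typing import List, Set, Tuple

Record = Tuple[str, str, str]   # (owner, type, rdata); names lower-case without trailing dot

DOMAIN = "not.our.domain"
NEWDC_HOST = "newdc0.not.our.domain"
NEWDC_IP = "192.0.2.11"                                  # constructed (TEST-NET-1)
DOMAIN_GUID = "a3d53761-ad10-49af-9c68-9f08ebf3fb88"     # objectGUID of DC=not.our,DC=domain
NEWDC_DSA_GUID = "0b5e4b2c-7d0f-4c0a-9b59-1a2b3c4d5e6f"  # constructed: new DC's NTDS Settings objectGUID


def _name(n: str) -> str:
    return n.lower().rstrip(".")


def expected_dc_records(domain: str, dc_host: str, dc_ip: str, dsa_guid: str,
                        domain_guid: str, site: str = "Default-First-Site-Name") -> List[Record]:
    """Every record a writable DC registers; _ldap._tcp.pdc._msdcs is PDC-emulator-only and omitted."""
    domain, dc, site = _name(domain), _name(dc_host), site.lower()

    def srv(owner: str, port: int) -> Record:
        return (f"{owner}.{domain}", "SRV", f"0 100 {port} {dc}")
    return [
        (dc, "A", dc_ip),
        # #1 in the post: per-DC, keyed by the NTDS Settings objectGUID (DSA GUID)
        (f"{dsa_guid.lower()}._msdcs.{domain}", "CNAME", dc),
        # #2 in the post: keyed by the domain objectGUID, so the GUID is identical on every DC
        srv(f"_ldap._tcp.{domain_guid.lower()}.domains._msdcs", 389),
        srv("_ldap._tcp", 389), srv("_ldap._tcp.dc._msdcs", 389),
        srv(f"_ldap._tcp.{site}._sites", 389), srv(f"_ldap._tcp.{site}._sites.dc._msdcs", 389),
        srv("_kerberos._tcp", 88), srv("_kerberos._udp", 88), srv("_kerberos._tcp.dc._msdcs", 88),
        srv(f"_kerberos._tcp.{site}._sites", 88), srv(f"_kerberos._tcp.{site}._sites.dc._msdcs", 88),
        srv("_kpasswd._tcp", 464), srv("_kpasswd._udp", 464),
        srv("_gc._tcp", 3268), srv("_ldap._tcp.gc._msdcs", 3268),
    ]


def parse_axfr(zone_text: str) -> Set[Record]:
    """Parse `dig axfr` lines of the form: owner [TTL] [IN] TYPE RDATA...; comments are skipped."""
    found: Set[Record] = set()
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 3:
            continue
        i = 1
        if fields[i].isdigit():
            i += 1
        if i < len(fields) and fields[i].upper() == "IN":
            i += 1
        if i + 1 >= len(fields):
            continue
        rtype, rdata = fields[i].upper(), fields[i + 1:]
        if rtype in ("CNAME", "SRV", "NS"):   # last rdata field is a name: normalise it too
            rdata[-1] = _name(rdata[-1])
        found.add((_name(fields[0]), rtype, " ".join(rdata)))
    return found


def missing_dc_records(zone_text: str, **dc) -> List[Record]:
    """Expected records for the DC described by **dc that the zone dump does not contain."""
    present = parse_axfr(zone_text)
    return [r for r in expected_dc_records(**dc) if r not in present]


def to_bind(records: List[Record], domain: str) -> List[str]:
    """Render records as lines for a BIND zone file whose $ORIGIN is `domain`."""
    origin, out = _name(domain), []
    for owner, rtype, rdata in records:
        rel = "@" if owner == origin else owner[:-len(origin) - 1] if owner.endswith("." + origin) else owner + "."
        if rtype in ("CNAME", "SRV"):
            rdata += "."                        # absolute target, otherwise BIND appends $ORIGIN
        out.append(f"{rel}\tIN {rtype}\t{rdata}")
    return out


# Constructed AXFR of the PDC's zone: the new DC so far has only its A record and one SRV.
SAMPLE_AXFR = f"""\
; <<>> DiG 9.7.3 <<>> @localhost axfr {DOMAIN}
{DOMAIN}.  900  IN  SOA  originalpdc0.{DOMAIN}. hostmaster.{DOMAIN}. 2011113001 900 600 86400 3600
originalpdc0.{DOMAIN}.  900  IN  A  192.0.2.10
{NEWDC_HOST}.  900  IN  A  {NEWDC_IP}
b36cf7ca-5d1f-4720-9cc1-3034b87312c4._msdcs.{DOMAIN}.  900  IN  CNAME  originalpdc0.{DOMAIN}.
_ldap._tcp.{DOMAIN_GUID}.domains._msdcs.{DOMAIN}.  900  IN  SRV  0 100 389 originalpdc0.{DOMAIN}.
_ldap._tcp.{DOMAIN}.  900  IN  SRV  0 100 389 originalpdc0.{DOMAIN}.
_ldap._tcp.{DOMAIN}.  900  IN  SRV  0 100 389 {NEWDC_HOST}.
"""

NEWDC = dict(domain=DOMAIN, dc_host=NEWDC_HOST, dc_ip=NEWDC_IP,
             dsa_guid=NEWDC_DSA_GUID, domain_guid=DOMAIN_GUID)
```

Against the sample, `to_bind(missing_dc_records(SAMPLE_AXFR, **NEWDC), DOMAIN)` yields fourteen lines, starting with the new DC's `_msdcs` CNAME and the domain-GUID SRV; on a real PDC run `dig @localhost axfr not.our.domain`, pass the output as `zone_text` with the real GUIDs, and an empty result means every record is in place. The SRV records are generated with the same priority/weight/port (`0 100 <port>`) as the two quoted from the PDC's zone.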
On Tue, Nov 29, 2011 at 2:43 PM, Ted Salmon <tass2001 at hotmail.com> wrote:

>  Aubrey,
>
> First thing to check, in /etc/hosts is newdc0.not.our.domain mapped to
> your local IP? If not, please add it and re-run `samba-tool drs showrepl`.
> Another thing you'll want to check is if it's propagated to DNS. On the PDC
> run dig @localhost axfr not.our.domain and see if the new DC is listed
> there, it's not likely to be. I had this issue with my second DC but I have
> been unable to figure out what's preventing it from being propagated and so
> far the easiest solution is to hardcode it into DNS.
>
> ------------------------------
> From: aekstrom at proclivitysystems.com
> Date: Tue, 29 Nov 2011 11:47:38 -0500
> Subject: Re: Reporting success this past year + new Issues Adding a new
> Samba 4 DC to existing Samba 4 AD
> To: tass2001 at hotmail.com
> CC: samba-technical at lists.samba.org
>
> Hi Ted & everyone,
>
> I built a new server using Debian 6.x (instead of CENT OS) and compiled
> 4.0.0alpha17 (instead of Alpha 18), set up DNS and kerberos and tested
> kerberos:
>
> admin at newdc0:/usr/local/samba/bin# kinit administrator
> Password for administrator at not.our.domain:
> admin at newdc0:/usr/local/samba/bin#
>
> So far so good. Then I joined it to the existing domain:
>
> sbin# ./samba-tool domain join not.our.domain DC -Uadministrator
> --realm=not.our.domain
> Finding a writeable DC for domain 'not.our.domain'
> Found DC originalpdc0.not.our.domain
> Password for [WORKGROUP\administrator]:
> workgroup is not.our
> realm is not.our.domain
> checking samaccountname
> Adding CN=NDC0,OU=Domain Controllers,DC=not.our,DC=domain
> Adding
> CN=NDC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=not.our,DC=domain
> Adding CN=NTDS
> Settings,CN=NDC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=not.our,DC=domain
> Adding CN=NDC0,CN=Topology,CN=Domain System
> Volume,CN=DFSR-GlobalSettings,CN=System,DC=not.our,DC=domain
> Adding SPNs to CN=NDC0,OU=Domain Controllers,DC=not.our,DC=domain
> Setting account password for NDC0$
> Enabling account
> Calling bare provision
> No IPv6 address will be assigned
> Provision OK for domain DN DC=not.our,DC=domain
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=not.our,DC=domain]
> objects[402/1596] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=not.our,DC=domain]
> objects[402/1596] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=not.our,DC=domain]
> objects[402/1596] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=not.our,DC=domain]
> objects[390/1596] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=not.our,DC=domain] objects[402/1618]
> linked_values[0/0]
> Partition[CN=Configuration,DC=not.our,DC=domain] objects[804/1618]
> linked_values[0/0]
> Partition[CN=Configuration,DC=not.our,DC=domain] objects[1206/1618]
> linked_values[0/0]
> Partition[CN=Configuration,DC=not.our,DC=domain] objects[1608/1618]
> linked_values[0/0]
> Partition[CN=Configuration,DC=not.our,DC=domain] objects[1618/1618]
> linked_values[30/0]
> Partition[DC=not.our,DC=domain] objects[338/338] linked_values[39/0]
> Committing SAM database
> Setting isSynchronized and dsServiceName
> Setting up secrets database
> Joined domain not.our (SID S-1-5-21-4146741504-651221647-XXXXXXXXXX) as a
> DC
>
> Again, so far so good (this also looked good up to this point with Alpha
> 18 on CENT OS). Then I start Samba and go to test the replication:
>
> root at newdc0:/usr/local/samba/sbin# ./samba
> root at newdc0:/usr/local/samba/sbin# ps -A | grep samba
> 31646 ?        00:00:00 samba
> 31647 ?        00:00:00 samba
> 31648 ?        00:00:00 samba
> 31649 ?        00:00:00 samba
> 31650 ?        00:00:00 samba
> 31651 ?        00:00:02 samba
> 31652 ?        00:00:00 samba
> 31653 ?        00:00:00 samba
> 31654 ?        00:00:00 samba
> 31655 ?        00:00:00 samba
> 31656 ?        00:00:00 samba
> 31657 ?        00:00:00 samba
> 31658 ?        00:00:00 samba
> root at newdc0:/usr/local/samba/sbin# ./samba-tool drs showrepl
> ERROR(runtime): DRS connection to newdc0.not.our.domain failed -
> (-1073741772, 'NT_STATUS_OBJECT_NAME_NOT_FOUND')
>
>
> And in the Windows GUI "Sites and Services" snap in, while I see the new
> server (and the Alpha 18 server that I can't delete), it shows it as
> unavailable (see attached screen shot) and I can't connect to it.
>
> Looks like the same issue. The new DC becomes corrupted somehow. I am
> wondering if the schema extensions I did for the Apple schema last year on
> the existing Alpha 14 PDC are corrupting the ldap db on the new server
> when they replicate. Is it possible that even though the new schema worked
> and I can manage our OS X workstations using Apple's Workgroup Manager GUI
> on the existing Samba 4 PDC, that the replication process was not written
> with schema changes on that scale taken into consideration? I know the
> Samba 4 dev team's priority is to make the Windows A/D users happy, but I
> can assure you all that from my many years of experience, Windows admins
> everywhere will be extremely happy if they can easily extend the Samba 4
> schema to support OS X and manage any Apples on their networks with Samba
> 4, AND be able to replicate those schema changes to both other Samba 4 DCs
> as well as Windows DCs.
>
> Any other ideas, suggestions or thoughts are VERY welcome :). Thanks again
> for your help, and in advance for any further help.
>
> Cheers,
>
> Aubrey Ekstrom
>
> On Mon, Nov 28, 2011 at 2:50 PM, Ted Salmon <tass2001 at hotmail.com> wrote:
>
>  Aubrey,
>
> Interesting. I joined a VM to my Samba 4 AD (both running the same version
> of Samba 4 - Alpha 17). The join went well as seen below:
>
> realm is domain.network.local
> checking samaccountname
>  Adding CN=NETW2-DEV,OU=Domain Controllers,DC=domain,DC=network,DC=local
> Adding
> CN=NETW2-DEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=network,DC=local
> Adding CN=NTDS
> Settings,CN=NETW2-DEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=network,DC=local
> Adding CN=NETW2-DEV,CN=Topology,CN=Domain System
> Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=network,DC=local
> Adding SPNs to CN=NETW2-DEV,OU=Domain
> Controllers,DC=domain,DC=network,DC=local
> Setting account password for NETW2-DEV$
> Enabling account
> Calling bare provision
> No IPv6 address will be assigned
> Provision OK for domain DN DC=domain,DC=network,DC=local
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=network,DC=local]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=network,DC=local]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=network,DC=local]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=network,DC=local]
> objects[344/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=domain,DC=network,DC=local]
> objects[402/1613] linked_values[0/0]
> Partition[CN=Configuration,DC=domain,DC=network,DC=local]
> objects[804/1613] linked_values[0/0]
> Partition[CN=Configuration,DC=domain,DC=network,DC=local]
> objects[1206/1613] linked_values[0/0]
> Partition[CN=Configuration,DC=domain,DC=network,DC=local]
> objects[1608/1613] linked_values[0/0]
> Partition[CN=Configuration,DC=domain,DC=network,DC=local]
> objects[1613/1613] linked_values[20/0]
> Partition[DC=domain,DC=network,DC=local] objects[287/287]
> linked_values[47/0]
> Committing SAM database
> Setting isSynchronized and dsServiceName
> Setting up secrets database
> Joined domain NETWORK (SID ) as a DC
>
> However, I don't think you can demote/remove a DC from the AD once it has
> been joined as I am unable to do so in the AD snap-in or via any of the
> samba-tool menus. I think your issue is the new DC and I would actually
> recommend pulling down Alpha 17 and building that as sometimes the latest
> GITs can be broken (at least in my experience). Btw, when you joined your
> new DC, did you receive the same output as I did? Additionally, I recommend
> renaming your new DC so that it can be joined to the AD like new once you
> reinstall Samba4. If all else fails I would upgrade your Alpha 14 box
> (upgradeprovision works nicely). I'm afraid past this I'm out of ideas :/.
> Good luck!
>
>
> ------------------------------
> From: aekstrom at proclivitysystems.com
> Date: Mon, 28 Nov 2011 14:07:33 -0500
> Subject: Re: Reporting success this past year + new Issues Adding a new
> Samba 4 DC to existing Samba 4 AD
> To: tass2001 at hotmail.com
> CC: samba-technical at lists.samba.org
>
> Hi Ted,
>
> I didn't blow it away yet... but getting ready to soon.
>
> samba-tool dbcheck does not exist in Alpha 14. Gives me a long list of
> options when I try to run that, but dbcheck is not one of them.
>
> samba-tool drs showrepl on the new DC (Alpha 18) returns the following
> error:
>
> ERROR(runtime): DRS connection to npdc0. failed - (-1073741801, 'Memory
> allocation error')
>
> Tried using ldbedit -e nano -H /usr/local/samba/private/sam.ldb after
> backing it up. The entire domain vanished from the A/D Sites and Services
> GUI snap in, even though I am sure I only removed references to the new
> server. Restored the backed up file. Had to reboot to get the domain back,
> but it's there again, including the new DC (which also probably has a bad
> SID since I blew away the install that joined the domain on the 1st try).
>
> Anyways, based on the above error for samba-tool drs showrepl, I am
> guessing that the new DC is the one it can't write to. Wondering if that
> may be because of the old SID associated with that server name when it
> joined previously, or if it just is corrupted.
>
> I will wait to see if there are other suggestions before I blow it away
> again and start from scratch.
>
> Cheers,
>
> Aubrey Ekstrom
>
> On Mon, Nov 28, 2011 at 12:20 PM, Ted Salmon <tass2001 at hotmail.com> wrote:
>
>  Aubrey,
>
> I'm not sure if Samba Alpha 14 had this option as I think it's fairly new,
> but I would try to run 'samba-tool dbcheck' on the PDC. In addition, from
> your new DC, can you run `samba-tool drs showrepl` if you haven't blown it
> out of the water yet? As a last resort you can easily remove the entry for
> the new DC from the AD by using ldbedit -e nano -H
> /usr/var/lib/samba/private/sam.ldb (note this file may be in another
> location) then removing the entry. You should probably cp sam.ldb elsewhere
> prior to making any edits.
>
> -Ted
>
> ------------------------------
> From: aekstrom at proclivitysystems.com
> Date: Mon, 28 Nov 2011 12:04:21 -0500
> Subject: Re: Reporting success this past year + new Issues Adding a new
> Samba 4 DC to existing Samba 4 AD
> To: tass2001 at hotmail.com
> CC: samba-technical at lists.samba.org
>
> Hi Ted,
>
> I re-enabled the generic Administrator account and tried using that. Same
> error.
>
> Also, as I said in my original post, the new server was able to join the
> 1st time, and gave me errors only when I checked the replication and tried
> to replicate again. After I blew it away and reinstalled it gave me the
> error I put in the post right away, instead of after the fact. Since I can
> see the new server name in the Windows GUI, I wonder if that is causing me
> problems, but the GUI won't let me delete it.
>
> Does anyone know the proper syntax to delete a DC with the command line
> tools? I see "ldbdel" in the Samba bin directory, but that server shows up
> in the currently active production A/D, so I don't want to play around and
> mess that up. Thanks!
>
> In the meantime I will try to reinstall with the build I downloaded from
> Git today and see if I have better luck.
>
> Cheers,
>
> Aubrey Ekstrom
>
> On Mon, Nov 28, 2011 at 11:20 AM, Ted Salmon <tass2001 at hotmail.com> wrote:
>
> I've got a couple of basic questions that may or may not help.
> First, are you sure the 'admin' user has the ability to write to the
> 'Domain Controller' OU?
> Have you tried using the generic "Administrator" user for this join?
> I'm guessing you don't have issues writing regular objects to the DC,
> correct?
>
> Thanks!
>
> > From: aekstrom at proclivitysystems.com
> > Date: Mon, 28 Nov 2011 10:42:08 -0500
> > Subject: Reporting success this past year + new Issues Adding a new Samba 4 DC to existing Samba 4 AD
> > To: samba-technical at lists.samba.org
> >
> > > Hi All,
> > >
> > > First let me report back that we are still running Samba 4 as our primary
> > > (i.e. 'only') ldap/AD authentication in our small (30-40 person, depending
> > > on the month) tech start up company. It has been over a year since you all
> > > helped me when I ran into trouble extending the Samba 4 schema to support
> > > Apple OS X extensions. We have been authenticating all our Windows and
> > > Apple computers against the Samba 4 AD, and it has been rock solid,
> > > including GPO for Windows and Apple's equivalent functionality through
> > > Workgroup Manager.
> > >
> > > That being said, I have been singing its praises to our new IT Director,
> > > and while he prefers Windows to open source for such things as Active
> > > Directory, he is well versed in Linux and open source and so is willing to
> > > keep using Samba 4. In fact he wants to put not only all our developer
> > > Linux workstations on Samba 4, but our production Linux servers as well. As
> > > part of that effort he asked me to set up another Samba 4 DC in our
> > > production environment and then join it to the existing domain.
> > >
> > > So I downloaded the latest and greatest from GIT, installed all the
> > > packages, configured it (./configure.developer), compiled it, tested it
> > > (make quicktest) and installed it. Then, following the online instructions
> > > (http://wiki.samba.org/index.php/Samba4_joining_a_domain), joined it to
> > > our existing domain. All looked good. When I tried to test the replication
> > > however I started getting errors. Then I tested the local db and got more
> > > errors. Then it wouldn't talk to the pre-existing DC any more, so I blew it
> > > away and reinstalled (even rebooted both servers at one point, although I
> > > doubted that would fix anything, but just in case).
> > >
> > > Still won't talk directly to the existing DC. I get errors like this:
> > >
> > > [root at newdc bin]# ./samba-tool domain join not-our.domain DC -Uadmin --realm=NOT-OUR.DOMAIN
> > > Finding a writeable DC for domain 'not-our.domain'
> > > ERROR(exceptions.Exception): uncaught exception - Failed to find a writeable DC for domain 'not-our.domain'
> > >   File "/usr/local/samba/lib/python2.4/site-packages/samba/netcmd/__init__.py", line 167, in _run
> > >     return self.run(*args, **kwargs)
> > >   File "/usr/local/samba/lib/python2.4/site-packages/samba/netcmd/domain.py", line 121, in run
> > >     domain_critical_only=domain_critical_only)
> > >   File "/usr/local/samba/lib/python2.4/site-packages/samba/join.py", line 913, in join_DC
> > >     ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain)
> > >   File "/usr/local/samba/lib/python2.4/site-packages/samba/join.py", line 65, in __init__
> > >     ctx.server = ctx.find_dc(domain)
> > >   File "/usr/local/samba/lib/python2.4/site-packages/samba/join.py", line 200, in find_dc
> > >     raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
> > >
> > > Now the new DC is over a year newer than the existing version of Samba 4
> > > (I have been loath to touch the old one since it is our only DC and has
> > > been rock solid), AND we want to standardize on CENT OS now, so the new DC
> > > is also on CENT OS 5.6, while the existing Samba 4 is on Debian 5.x. I did
> > > have a lot more trouble getting all the packages for CENT OS 5 than I
> > > remember having for Debian. Some of them were only available in Yum as part
> > > of larger packages that had different names, but once they were all there
> > > it compiled, tested and installed without error.
> > >
> > > Existing Samba 4:
> > >
> > > Debian 5.x 64bit (don't remember subversion, used a 5.6 live CD, but then
> > > upgraded... was still 5 though)
> > >
> > > Samba Version 4.0.0alpha14-GIT-800a76d
> > >
> > > New Samba 4:
> > >
> > > CENT OS 5.6.1 32bit
> > >
> > > Samba Version 4.0.0alpha18-GIT-UNKNOWN
> > >
> > > It does see the other DC. I can ping both by name from each other, and
> > > kinit from the new DC resolves the existing DC and authenticates. Before I
> > > ran into trouble and blew it away, it said it joined and replicated...
> > >
> > > [root at newdc bin]# kinit admin
> > > Password for admin at NOT-OUR.DOMAIN:
> > > [root at newdc bin]#
> > >
> > > Not sure what to try next. Thanks in advance!
> > >
> > > Cheers,
> > >
> > > Aubrey Ekstrom
>
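The Nov 28 exchange above asks for the proper way to remove a half-joined DC, and Ted's suggestion is to edit sam.ldb by hand. The join output quoted in the Nov 29 message is the exact inventory of what such a cleanup has to undo: the `Adding ...` lines name the four objects the join created (the computer account, the server object in the site, its `NTDS Settings` child and the DFSR topology entry), and `Adding SPNs to ...` only modifies the computer account, which goes away with it. Two things matter when deleting them: LDAP refuses to delete a non-leaf object, so `NTDS Settings` must go before its parent server object, and the log as pasted is wrapped by the mail client, so the DNs have to be re-joined first. The following is an added example, not a Samba tool: it parses that wrapped log, checks that every DN belongs to the joined account named in the `Setting account password for X$` line (so a log from some other join cannot produce deletes for the wrong server), orders the DNs deepest first and prints one `ldbdel -H <sam.ldb> <dn>` line per object. `JOIN_LOG` is constructed from the quoted output, the sam.ldb path is the one the new DC in the thread used, and the commands are printed for review rather than run; the assumption is that they would be tried against a backup copy of sam.ldb with samba stopped, as Ted advised. What this does not cover is the DC's DNS records and the metadata other DCs hold about it; later Samba releases added `samba-tool domain demote --remove-other-dead-server=<name>` for that, but it postdates the alpha builds in this thread.

```python
"""Recover the objects a `samba-tool domain join ... DC` created, deepest first.

Added example for this thread, not a Samba tool.  JOIN_LOG is the join output
quoted in the thread, as the mail client wrapped it.  The ldbdel lines are an
assumption about how the manual removal Ted suggested could be done object by
object; they are printed for review, not executed.  SAM_LDB is the path the new
DC in the thread used.
"""
import re
from typing import List

SAM_LDB = "/usr/local/samba/private/sam.ldb"

# A log line starts with one of samba-tool's join-time verbs; anything else is a
# continuation of the previous line that the mail client wrapped.
VERB_RE = re.compile(r"^(Finding|Found|Password|workgroup|realm|checking|Adding|Setting|"
                     r"Enabling|Calling|No IPv6|Provision|Starting|Schema-DN|Partition|"
                     r"Analyze|Committing|Joined)\b")
ADD_RE = re.compile(r"^Adding (CN=.+)$")          # "Adding SPNs to ..." does not match: it modifies
ACCOUNT_RE = re.compile(r"^Setting account password for (\S+)\$$")
RDN_SPLIT = re.compile(r"(?<!\\),")                # a comma escaped as \, stays inside its RDN


def unwrap_log(text: str) -> List[str]:
    """Strip '> ' quoting and re-join wrapped lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        if lines and not VERB_RE.match(line):
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def created_objects(log_text: str) -> List[str]:
    """DNs the join added, ordered so every object is deleted before its parent.

    Refuses unless each DN names the joined DC's account, so a log pasted from a
    different join cannot yield deletes for another server."""
    lines = unwrap_log(log_text)
    account = next((m.group(1) for m in map(ACCOUNT_RE.match, lines) if m), None)
    if account is None:
        raise ValueError("no 'Setting account password for X$' line in the log")
    dns = [m.group(1) for m in map(ADD_RE.match, lines) if m]
    stray = [dn for dn in dns if f"cn={account.lower()}," not in dn.lower()]
    if stray:
        raise ValueError(f"objects not belonging to {account}: {stray}")
    return sorted(dns, key=lambda dn: len(RDN_SPLIT.split(dn)), reverse=True)


def ldbdel_commands(log_text: str, sam_ldb: str = SAM_LDB) -> List[str]:
    """One `ldbdel -H <url> <dn>` per object, child before parent."""
    return [f"ldbdel -H {sam_ldb} '{dn}'" for dn in created_objects(log_text)]


# Constructed from the join output quoted in the thread (alpha17, Nov 29).
JOIN_LOG = """\
> checking samaccountname
> Adding CN=NDC0,OU=Domain Controllers,DC=not.our,DC=domain
> Adding
> CN=NDC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=not.our,DC=domain
> Adding CN=NTDS
> Settings,CN=NDC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=not.our,DC=domain
> Adding CN=NDC0,CN=Topology,CN=Domain System
> Volume,CN=DFSR-GlobalSettings,CN=System,DC=not.our,DC=domain
> Adding SPNs to CN=NDC0,OU=Domain Controllers,DC=not.our,DC=domain
> Setting account password for NDC0$
> Enabling account
> Joined domain not.our (SID S-1-5-21-4146741504-651221647-XXXXXXXXXX) as a
> DC
"""

if __name__ == "__main__":
    for cmd in ldbdel_commands(JOIN_LOG):
        print(cmd)
```

Run stand-alone it prints four `ldbdel` lines in the order NTDS Settings, server object, DFSR topology entry, computer account. The ordering key is simply the RDN count, which is enough here because the only parent/child pair among the created objects is the server object and its NTDS Settings child.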