missing /usr/local/samba/private/dns

Daniele Dario d.dario76 at gmail.com
Wed Apr 4 04:24:59 MDT 2012


Hi Michael

On Tue, 2012-04-03 at 13:42 +0200, Michael Wood wrote:
> On 3 April 2012 01:58, Amitay Isaacs <amitay at gmail.com> wrote:
> > On Mon, Apr 2, 2012 at 7:45 PM, Daniele Dario <d.dario76 at gmail.com> wrote:
> >> Hi Amitay,
> >>
> >> On Mon, 2012-04-02 at 12:51 +1000, Amitay Isaacs wrote:
> >>> On Sat, Mar 31, 2012 at 12:03 AM, Daniele Dario <d.dario76 at gmail.com> wrote:
> >>> > On Tue, 2012-03-27 at 09:27 +1100, Amitay Isaacs wrote:
> >>> >> On Mon, Mar 26, 2012 at 10:44 PM, Daniele Dario <d.dario76 at gmail.com> wrote:
> >>> >> > Hi Amitay,
> >>> >> >
> >>> >> > On Tue, 2012-03-13 at 20:03 +1100, Amitay Isaacs wrote:
> >>> >> >> Hi Daniele,
> >>> >> >>
> >>> >> >> On Tue, Mar 13, 2012 at 6:40 PM, Daniele Dario <d.dario76 at gmail.com> wrote:
> >>> >> >> > Hi Amitay,
> >>> >> >> >
> >>> >> >> > On Tue, 2012-03-13 at 12:13 +1100, Amitay Isaacs wrote:
> >>> >> >> >> Hi Greg,
> >>> >> >> >>
> >>> >> >> >> On Sat, Mar 10, 2012 at 2:45 PM, Greg Dickie <greg at justaguy.ca> wrote:
> >>> >> >> >> >
> >>> >> >> >> > Sounds great. Totally ready to be the guinea pig, just let me know what
> >>> >> >> >> > you need. One small question though. Is the ultimate goal to use a
> >>> >> >> >> > builtin DNS server? I thought this bind9 implementation was pretty cool.
> >>> >> >> >> > Is it missing anything that's required?
> >>> >> >> >> >
> >>> >> >> >> > Thanks for the quick response guys,
> >>> >> >> >> > Greg
> >>> >> >> >>
> >>> >> >> >> I have updated samba_upgradedns script now to handle upgrading dns
> >>> >> >> >> provision even after domain join. The new code is in my dns-wip
> >>> >> >> >> branch.
> >>> >> >> >>
> >>> >> >> >>   git://git.samba.org/amitay/samba.git
> >>> >> >> >>
> >>> >> >> >> You can run samba_upgradedns multiple times without any side effects.
> >>> >> >> >> Let me know if that works for you.
> >>> >> >> >>
> >>> >> >> >> The ultimate goal is to use built-in dns server, so that samba does
> >>> >> >> >> not have to depend on external programs (BIND) for running. For time
> >>> >> >> >> being, BIND9 option is supported till built-in dns server becomes
> >>> >> >> >> fully operational.
> >>> >> >> >>
> >>> >> >> >> Amitay.
> >>> >> >> >
> >>> >> >> > do you mean that it is possible to use upgradedns to provision the dns
> >>> >> >> > partitions on a samba4 DC already joined to a domain?
> >>> >> >>
> >>> >> >> Yes, that's correct. You can run samba_upgradedns on any provision and
> >>> >> >> it should upgrade it to use AD based backend.
> >>> >> >>
> >>> >> >> >
> >>> >> >> > If I understood correctly, I will use it on my secondary DC (primary is
> >>> >> >> > also samba4) to also have a secondary DNS. Does it also start replication
> >>> >> >> > of the dns partitions between the DCs?
> >>> >> >>
> >>> >> >> DNS partitions do get replicated, but you might have to restart the
> >>> >> >> secondary DC to get them correctly replicating. There is an issue
> >>> >> >> regarding msDs-hasMasterNCs attribute, which has yet to be resolved. I
> >>> >> >> haven't tried to set up a DNS server on a secondary DC using
> >>> >> >> replicated DNS as yet.
> >>> >> >>
> >>> >> >> > If yes, which is the best way to proceed?
> >>> >> >> > My idea is to upgrade secondary DC to latest git source, pull your
> >>> >> >> > branch to obtain upgradedns than run it from the secondary DC.
> >>> >> >>
> >>> >> >> You can use my dns-wip branch. First make sure that the partitions are
> >>> >> >> getting replicated. Once you confirm that, run samba_upgradedns on the
> >>> >> >> secondary DC to set up an AD database for BIND in the dns/ directory.
> >>> >> >> Finally run BIND with DLZ on secondary DC. Obviously this hasn't been
> >>> >> >> tested, so your feedback is most welcome. :)
> >>> >> >>
> >>> >> >> Amitay.
> >>> >> >
> >>> > ...
> >>> >> You shouldn't have to install anything manually. All the binaries and
> >>> >> shared libraries are re-linked for install with correct rpath. So do
> >>> >> not copy any binaries/libraries from the bin/ in source directory to
> >>> >> install locations. Use make install to install all the files. If
> >>> >> something is not being installed correctly then it might be a problem
> >>> >> that needs to be fixed.
> >>> >>
> >>> >> Amitay.
> >>> >
> >>> > OK,
> >>> > I found that the problems in loading modules from the upgradedns script
> >>> > were due to the fact that PYTHONPATH does not
> >>> > contain /usr/local/samba/lib/python2.7/site-packages. After adding the path
> >>> > of the modules, all seems to start.
> >>> >
> >>> > Anyway, with Version 4.0.0alpha19-GIT-e36622f this is what I get
> >>> >
> >>> > [root at kdc02:/usr/local/samba/private/dns]# samba_upgradedns
> >>> > lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> >>> > params.c:pm_process() - Processing configuration file
> >>> > "/usr/local/samba/etc/smb.conf"
> >>> > Reading domain information
> >>> > lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> >>> > params.c:pm_process() - Processing configuration file
> >>> > "/usr/local/samba/etc/smb.conf"
> >>> > Looking up IPv4 addresses
> >>> > Looking up IPv6 addresses
> >>> > DNS accounts already exist
> >>> > No zone file /usr/local/samba/private/dns/saitelitalia.local.zone
> >>> > DNS records will be automatically created
> >>> > Creating DNS partitions
> >>> > DN: DC=DomainDnsZones,DC=saitelitalia,DC=local is a NC
> >>> > Traceback (most recent call last):
> >>> >   File "/usr/local/samba/sbin/samba_upgradedns", line 355, in <module>
> >>> >     dnsadmins_sid)
> >>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/sambadns.py", line 876, in create_dns_partitions
> >>> >     names.configdn, names.serverdn)
> >>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/sambadns.py", line 206, in setup_dns_partitions
> >>> >     "SECDESC"      : b64encode(descriptor)
> >>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/common.py", line 52, in setup_add_ldif
> >>> >     ldb.add_ldif(data, controls)
> >>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line 224, in add_ldif
> >>> >     self.add(msg, controls)
> >>> > _ldb.LdbError: (68, 'ldb_wait: Entry already exists (68)')
> >>> >
> >>> > Daniele
> >>> >
> >>>
> >>> It looks like the check for existing DNS partitions did not succeed,
> >>> and samba_upgradedns script tries to create those partitions even
> >>> though they exist. The logic here is to check if the Configuration
> >>> schema has information about the DNS partitions. If it does not, then
> >>> assume that the partitions do not exist. This is clearly not working
> >>> in your case. Can you elaborate on how the AD database was created?
> >>> Was it from fresh provision, or joining domain? And was there any
> >>> replication involved?
> >>>
> >>> Amitay.
> >>
> >> The first time I tried samba4 I joined it to an SBS2003 domain. In December
> >> 2011 it crashed and with samba4 I was not able to keep the dns partitions
> >> working, so I provisioned a new samba4 installation from scratch.
> >>
> >> Now I have kdc01, an Ubuntu 11.04 x86 VM on XenServer 5.6fp1, which is
> >> the primary DC where I provisioned the domain, and kdc02, an Ubuntu 11.04
> >> x86 on a physical server which is joined to the domain provisioned on
> >> kdc01.
> >>
> >> Both of them run samba4 Version 4.0.0alpha19-GIT-e36622f and, as per your
> >> advice, I started replication of the Dns partitions using samba-tool drs
> >> replicate for DC=DomainDnsZones,DC=saitelitalia,DC=local and
> >> DC=ForestDnsZones,DC=saitelitalia,DC=local in both directions.
> >>
> >> What I'm seeing about the replication is:
> >> [root at kdc02:~]# samba-tool drs showrepl
> >> ldb_wrap open of secrets.ldb
> >> GENSEC backend 'gssapi_spnego' registered
> >> GENSEC backend 'gssapi_krb5' registered
> >> GENSEC backend 'gssapi_krb5_sasl' registered
> >> GENSEC backend 'schannel' registered
> >> GENSEC backend 'spnego' registered
> >> GENSEC backend 'ntlmssp' registered
> >> GENSEC backend 'krb5' registered
> >> GENSEC backend 'fake_gssapi_krb5' registered
> >> Using binding ncacn_ip_tcp:kdc02.saitelitalia.local[,seal]
> >> Default-First-Site-Name\KDC02
> >> DSA Options: 0x00000001
> >> DSA object GUID: 6c922e83-aaac-408c-a168-3b664527fe04
> >> DSA invocationId: 12ae5f8c-1ebb-4c38-942f-0bc85a132f46
> >>
> >> ==== INBOUND NEIGHBORS ====
> >>
> >> DC=ForestDnsZones,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC01 via RPC
> >>                DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> >>                Last attempt @ Mon Apr  2 11:42:40 2012 CEST was successful
> >>                0 consecutive failure(s).
> >>                Last success @ Mon Apr  2 11:42:40 2012 CEST
> >>
> >> DC=DomainDnsZones,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC01 via RPC
> >>                DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> >>                Last attempt @ Mon Apr  2 11:42:41 2012 CEST was successful
> >>                0 consecutive failure(s).
> >>                Last success @ Mon Apr  2 11:42:41 2012 CEST
> >>
> >> DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC01 via RPC
> >>                DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> >>                Last attempt @ Mon Apr  2 11:42:41 2012 CEST was successful
> >>                0 consecutive failure(s).
> >>                Last success @ Mon Apr  2 11:42:41 2012 CEST
> >>
> >> CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC01 via RPC
> >>                DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> >>                Last attempt @ Mon Apr  2 11:42:42 2012 CEST was successful
> >>                0 consecutive failure(s).
> >>                Last success @ Mon Apr  2 11:42:42 2012 CEST
> >>
> >> CN=Configuration,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC01 via RPC
> >>                DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> >>                Last attempt @ Mon Apr  2 11:42:42 2012 CEST was successful
> >>                0 consecutive failure(s).
> >>                Last success @ Mon Apr  2 11:42:42 2012 CEST
> >>
> >> ==== OUTBOUND NEIGHBORS ====
> >>
> >> DC=ForestDnsZones,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC01 via RPC
> >>                DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> >>                Last attempt @ Wed Mar 28 16:37:47 2012 CEST was successful
> >>                0 consecutive failure(s).
> >>                Last success @ Wed Mar 28 16:37:47 2012 CEST
> >>
> >> DC=DomainDnsZones,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC01 via RPC
> >>                DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> >>                Last attempt @ Wed Mar 28 16:37:47 2012 CEST was successful
> >>                0 consecutive failure(s).
> >>                Last success @ Wed Mar 28 16:37:47 2012 CEST
> >>
> >> DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC01 via RPC
> >>                DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> >>                Last attempt @ Mon Apr  2 11:43:18 2012 CEST failed, result 29 (WERR_WRITE_FAULT)
> >>                1180 consecutive failure(s).
> >>                Last success @ Wed Mar 28 16:37:48 2012 CEST
> >>
> >> CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC01 via RPC
> >>                DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> >>                Last attempt @ Wed Mar 28 16:37:48 2012 CEST was successful
> >>                0 consecutive failure(s).
> >>                Last success @ Wed Mar 28 16:37:48 2012 CEST
> >>
> >> CN=Configuration,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC01 via RPC
> >>                DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> >>                Last attempt @ Wed Mar 28 16:37:48 2012 CEST was successful
> >>                0 consecutive failure(s).
> >>                Last success @ Wed Mar 28 16:37:48 2012 CEST
> >>
> >> ==== KCC CONNECTION OBJECTS ====
> >>
> >> Connection --
> >>        Connection name: ccd53e6d-0f6e-4551-9103-064a48501322
> >>        Enabled        : TRUE
> >>        Server DNS name : KDC02.saitelitalia.local
> >>        Server DN name  : CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> >>                TransportType: RPC
> >>                options: 0x00000001
> >> Warning: No NC replicated for Connection!
> >>
> >> [root at kdc02:~]# samba-tool drs showrepl kdc01
> >> ldb_wrap open of secrets.ldb
> >> GENSEC backend 'gssapi_spnego' registered
> >> GENSEC backend 'gssapi_krb5' registered
> >> GENSEC backend 'gssapi_krb5_sasl' registered
> >> GENSEC backend 'schannel' registered
> >> GENSEC backend 'spnego' registered
> >> GENSEC backend 'ntlmssp' registered
> >> GENSEC backend 'krb5' registered
> >> GENSEC backend 'fake_gssapi_krb5' registered
> >> Using binding ncacn_ip_tcp:kdc01[,seal]
> >> Default-First-Site-Name\KDC01
> >> DSA Options: 0x00000001
> >> DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> >> DSA invocationId: 788bb21f-edc8-467d-89cf-f66b67840ce1
> >>
> >> ==== INBOUND NEIGHBORS ====
> >>
> >> DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC02 via RPC
> >>                DSA object GUID: 6c922e83-aaac-408c-a168-3b664527fe04
> >>                Last attempt @ Wed Mar 28 14:45:17 2012 CEST failed, result 1225 (WERR_CONNECTION_REFUSED)
> >>                2 consecutive failure(s).
> >>                Last success @ Wed Mar 28 14:35:17 2012 CEST
> >>
> >> CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC02 via RPC
> >>                DSA object GUID: 6c922e83-aaac-408c-a168-3b664527fe04
> >>                Last attempt @ Wed Mar 28 14:45:17 2012 CEST failed, result 1225 (WERR_CONNECTION_REFUSED)
> >>                2 consecutive failure(s).
> >>                Last success @ Wed Mar 28 14:35:18 2012 CEST
> >>
> >> CN=Configuration,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC02 via RPC
> >>                DSA object GUID: 6c922e83-aaac-408c-a168-3b664527fe04
> >>                Last attempt @ Wed Mar 28 14:45:17 2012 CEST failed, result 1225 (WERR_CONNECTION_REFUSED)
> >>                2 consecutive failure(s).
> >>                Last success @ Wed Mar 28 14:35:19 2012 CEST
> >>
> >> ==== OUTBOUND NEIGHBORS ====
> >>
> >> DC=ForestDnsZones,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC02 via RPC
> >>                DSA object GUID: 6c922e83-aaac-408c-a168-3b664527fe04
> >>                Last attempt @ NTTIME(0) was successful
> >>                0 consecutive failure(s).
> >>                Last success @ NTTIME(0)
> >>
> >> DC=DomainDnsZones,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC02 via RPC
> >>                DSA object GUID: 6c922e83-aaac-408c-a168-3b664527fe04
> >>                Last attempt @ NTTIME(0) was successful
> >>                0 consecutive failure(s).
> >>                Last success @ NTTIME(0)
> >>
> >> DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC02 via RPC
> >>                DSA object GUID: 6c922e83-aaac-408c-a168-3b664527fe04
> >>                Last attempt @ NTTIME(0) was successful
> >>                0 consecutive failure(s).
> >>                Last success @ NTTIME(0)
> >>
> >> CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC02 via RPC
> >>                DSA object GUID: 6c922e83-aaac-408c-a168-3b664527fe04
> >>                Last attempt @ NTTIME(0) was successful
> >>                0 consecutive failure(s).
> >>                Last success @ NTTIME(0)
> >>
> >> CN=Configuration,DC=saitelitalia,DC=local
> >>        Default-First-Site-Name\KDC02 via RPC
> >>                DSA object GUID: 6c922e83-aaac-408c-a168-3b664527fe04
> >>                Last attempt @ NTTIME(0) was successful
> >>                0 consecutive failure(s).
> >>                Last success @ NTTIME(0)
> >>
> >> ==== KCC CONNECTION OBJECTS ====
> >>
> >> Connection --
> >>        Connection name: fef8d418-7309-4c61-9f21-0a9149c99ac2
> >>        Enabled        : TRUE
> >>        Server DNS name : kdc01.saitelitalia.local
> >>        Server DN name  : CN=NTDS Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> >>                TransportType: RPC
> >>                options: 0x00000001
> >> Warning: No NC replicated for Connection!
> >>
> >> Which tells me that something is wrong with replication, doesn't it?
> >>
> >> Daniele.
> >
> > May be someone else on the list can comment about the replication issue.
> >
> > Can you check if two DCs have the same partition information?
> > Specifically DNS partition details.
> >
> > ldbsearch -H ../path/to/sam.ldb -b
> > "CN=Partitions,CN=Configuration,DC=saitelitalia,DC=local"
> >
> > Amitay.
> 
> Maybe "samba-tool ldapcmp" will be useful for this?
> 

How should I use samba-tool ldapcmp?

Is

  samba-tool ldapcmp ldap://kdc01 ldap://kdc02 dnsdomain

the right way to compare the DomainDns partition?

Thanks,
Daniele
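Added example for this thread (editor's code, not part of the messages above
and not Samba's or samba_upgradedns's own code): the comparison Amitay asks
for, the partition information under CN=Partitions,CN=Configuration on each
DC, done offline on the LDIF that ldbsearch prints. On a real DC the input
would come from something like

  ldbsearch -H /usr/local/samba/private/sam.ldb \
      -b "CN=Partitions,CN=Configuration,DC=saitelitalia,DC=local" \
      "(objectClass=crossRef)" nCName dnsRoot systemFlags

run on kdc01 and on kdc02. The script parses that LDIF (folded lines,
'attr:: base64' values, '#' comment lines), answers the question the upgrade
script has to answer before it creates the DNS partitions (is there a crossRef
whose nCName is DC=DomainDnsZones,... and one for DC=ForestDnsZones,...?), and
diffs the crossRef sets of the two DCs. The two dumps embedded in it are
constructed for the demonstration and model one state that produces the
traceback quoted above: the DomainDnsZones NC has replicated to kdc02 but its
crossRef has not, so a check that consults only the Configuration partition
says "no partitions" and the following add hits LDB error 68. The crossRef
CNs, the systemFlags values and the restriction to the two DNS crossRefs are
illustrative assumptions, not facts about Daniele's domain. Python is used
because Samba's provisioning tools are Python.

```python
"""Compare CN=Partitions (crossRef) dumps of two Samba AD DCs.  Added example
for this thread, not code from samba_upgradedns or Samba; input is ldbsearch LDIF."""
import base64

DOMAIN_DN = "DC=saitelitalia,DC=local"
CONFIG_DN = "CN=Configuration," + DOMAIN_DN
DNS_NCS = ("DC=DomainDnsZones," + DOMAIN_DN, "DC=ForestDnsZones," + DOMAIN_DN)

def parse_ldif(text):
    """Return records as {attribute (lower-cased): [values]}; unfolds
    continuation lines, decodes 'attr:: base64' values, skips '#' comments."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 line folding
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded:
        if not line.strip():                 # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:   # comment or junk
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        records.append(current)
    return records

def registered_ncs(ldif_text):
    """Map nCName -> crossRef record (keyed on nCName, not on the CN)."""
    out = {}
    for rec in parse_ldif(ldif_text):
        classes = [c.lower() for c in rec.get("objectclass", [])]
        if "crossref" in classes and "ncname" in rec:
            out[rec["ncname"][0]] = rec
    return out

def dns_partitions_registered(ldif_text):
    """Pre-flight check: does each DNS NC have a crossRef in CN=Partitions?"""
    have = registered_ncs(ldif_text)
    return {nc: nc in have for nc in DNS_NCS}

def compare_partitions(ldif_a, ldif_b, name_a="kdc01", name_b="kdc02"):
    """List NCs registered on only one DC, or with differing systemFlags."""
    a, b = registered_ncs(ldif_a), registered_ncs(ldif_b)
    findings = []
    for nc in sorted(set(a) | set(b)):
        if nc not in a:
            findings.append("%s: no crossRef for %s" % (name_a, nc))
        elif nc not in b:
            findings.append("%s: no crossRef for %s" % (name_b, nc))
        elif a[nc].get("systemflags") != b[nc].get("systemflags"):
            findings.append("systemFlags differ for %s" % nc)
    return findings

# Constructed dumps, only the two DNS crossRefs shown; the crossRef CNs and
# systemFlags values are illustrative.  kdc01 has both DNS NCs registered;
# one dnsRoot is base64-encoded, as ldbsearch prints some values.
KDC01_LDIF = """\
# record 1
dn: CN=DomainDnsZones,CN=Partitions,%(cfg)s
objectClass: crossRef
nCName: DC=DomainDnsZones,%(dom)s
dnsRoot:: RG9tYWluRG5zWm9uZXMuc2FpdGVsaXRhbGlhLmxvY2Fs
systemFlags: 5

dn: CN=ForestDnsZones,CN=Partitions,%(cfg)s
objectClass: crossRef
nCName: DC=ForestDnsZones,%(dom)s
systemFlags: 5
""" % {"cfg": CONFIG_DN, "dom": DOMAIN_DN}

# kdc02 has no DomainDnsZones crossRef: a check that looks only here says
# "not registered", and a blind add of the already replicated NC head then
# fails with LDB error 68.  The DN is folded over two lines.
KDC02_LDIF = """\
dn: CN=ForestDnsZones,CN=Partitions,CN=Configuration,DC=saitelitalia,
 DC=local
objectClass: crossRef
nCName: DC=ForestDnsZones,DC=saitelitalia,DC=local
systemFlags: 5
"""

if __name__ == "__main__":
    for name, dump in (("kdc01", KDC01_LDIF), ("kdc02", KDC02_LDIF)):
        print(name, dns_partitions_registered(dump))
    print("\n".join(compare_partitions(KDC01_LDIF, KDC02_LDIF)))
```

To use it on real DCs, save the ldbsearch output from each DC to a file and
pass the two texts to compare_partitions(); the keys are nCName values, so the
crossRef CNs (which may differ in form from the samples) do not matter.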



More information about the samba-technical mailing list