samba_upgradedns issues on secondary DC

Amitay Isaacs amitay at gmail.com
Tue Apr 17 21:21:35 MDT 2012


Hi Daniele,

On Tue, Apr 17, 2012 at 11:39 PM, Daniele Dario <d.dario76 at gmail.com> wrote:
> Hallo Amitay,
> I'm trying to follow the execution of the samba_upgradedns script to
> understand why it doesn't work for me:
>
> at line 404, in the "Mark that we are hosting DNS partitions" block, the
> script looks for NCs which are masters or have partial replicas of
> partitions, right?
>
> Trying to reproduce the call with ldbsearch I see
>
> [root@kdc02:/usr/local/samba/private]# ldbsearch -H sam.ldb -b "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local" "(objectclass=nTDSDSa)" "hasPartialReplicaNCs" "msDS-hasMasterNCs"
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> # record 1
> dn: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> msDS-hasMasterNCs: CN=Configuration,DC=saitelitalia,DC=local
> msDS-hasMasterNCs: CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
> msDS-hasMasterNCs: DC=DomainDnsZones,DC=saitelitalia,DC=local
> msDS-hasMasterNCs: DC=ForestDnsZones,DC=saitelitalia,DC=local
> msDS-hasMasterNCs: DC=saitelitalia,DC=local
>
> # record 2
> dn: CN=NTDS Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> msDS-hasMasterNCs: CN=Configuration,DC=saitelitalia,DC=local
> msDS-hasMasterNCs: CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
> msDS-hasMasterNCs: DC=saitelitalia,DC=local
> hasPartialReplicaNCs: DC=DomainDnsZones,DC=saitelitalia,DC=local
> hasPartialReplicaNCs: DC=ForestDnsZones,DC=saitelitalia,DC=local
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>
> now samba-tool drs showrepl says that there are no failures and
> replication seems to be OK.
>
> ldbsearch tells me that for the DNS zones I have only a partial replica
> on the secondary DC.
> I've also seen that the replica is partial because samba-tool dns query
> on the secondary DC now doesn't fail but shows me an incomplete content:
>
> [root@kdc02:/usr/local/samba/private]# samba-tool dns query kdc02 _msdcs.saitelitalia.local @ ALL -U administrator
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:kdc02[,sign]
> Password for [SAITELITALIA\administrator]:
>  Name=, Records=0, Children=0
>  Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=0, Children=0
>  Name=dc, Records=0, Children=2
>  Name=domains, Records=0, Children=1
>  Name=edc6129d-b286-47f3-ae02-c7f17d211370, Records=0, Children=0
>  Name=gc, Records=0, Children=2
>  Name=kdc01, Records=0, Children=0
>  Name=pdc, Records=0, Children=1
>
> Is it normal to have only partial replicas on secondary DCs? Is this
> condition something due to an error in the replication or in the DBs?
> Would it become a full replica at some point?

Well they should start out as partial replicas but after successful
replication should be marked in msDs-hasMasterNCs. But the replication
code in samba does not do that. I haven't yet figured out at what
point an NC is moved from hasPartialReplicaNCs to msDs-hasMasterNCs.
So samba_upgradedns, for now, hacks that attribute. But the assumption
here is that you have replication working between primary and
secondary DCs. This won't fix any replication issues.

I haven't had sufficient spare time to delve into replication
documentation and code to figure out at what point this should happen.

> Back to the script: once found the list of ncs with full and partial
> replicas (and adding a little debug info to the script I've seen that
> they are not empty as said by ldbsearch) the script will try to update
> attributes on the db and for me it fails there when running
> ldb.MessageElement(master_nclist, ldb.FLAG_MOD_REPLACE,
> "msDS-hasMasterNCs")
> but I'm not able to find sources of that function. Obviously the error
> is not in the function but I will understand what goes wrong so can you
> point me to what I should search for?

I have an idea of why you are seeing ldb Operations Error. I will put
together a patch which you can test.

Amitay.
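
The check discussed in this thread, as an added example that is not part of the original message or of Samba's code: a read-only parser for `ldbsearch` output that reports, per DC, which DNS partitions are still listed only under hasPartialReplicaNCs. The sample LDIF, the `DC1`/`DC2` host names, the `example.test` domain and both function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the ldbsearch output quoted in the thread
# (host and domain names are placeholders, not the poster's values).
SAMPLE = """\
GENSEC backend 'krb5' registered
# record 1
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=example,DC=test
msDS-hasMasterNCs: CN=Configuration,DC=example,DC=test
msDS-hasMasterNCs: DC=DomainDnsZones,DC=example,DC=test
msDS-hasMasterNCs: DC=ForestDnsZones,DC=example,DC=test
msDS-hasMasterNCs: DC=example,DC=test

# record 2
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
msDS-hasMasterNCs: CN=Configuration,DC=example,DC=test
msDS-hasMasterNCs: DC=example,DC=test
hasPartialReplicaNCs: DC=DomainDnsZones,DC=example,DC=test
hasPartialReplicaNCs: DC=ForestDnsZones,DC=example,DC=test

# returned 2 records
"""

def parse_ntds(text):
    """Return {server_cn: {lowercased_attr: [values]}} from ldbsearch LDIF."""
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    servers, current = {}, None
    for line in text.splitlines():
        # Skips comments ("# ...") and GENSEC noise, which are not "attr: value".
        m = re.match(r"([A-Za-z][\w-]*):\s*(.*)$", line)
        if not m:
            continue
        attr, value = m.group(1).lower(), m.group(2)
        if attr == "dn":
            dn = re.match(r"CN=NTDS Settings,CN=([^,]+),", value, re.I)
            current = dn.group(1) if dn else None
            if current:
                servers[current] = {}
        elif current:
            servers[current].setdefault(attr, []).append(value)
    return servers

def dns_ncs_still_partial(servers):
    """Map each DC to the DNS NCs it holds only as partial replicas."""
    result = {}
    for name, attrs in servers.items():
        master = {v.lower() for v in attrs.get("msds-hasmasterncs", [])}
        partial = [v for v in attrs.get("haspartialreplicancs", [])
                   if re.match(r"DC=(Domain|Forest)DnsZones,", v, re.I)
                   and v.lower() not in master]
        if partial:
            result[name] = partial
    return result
```

Attribute names are compared case-insensitively, so `msDs-hasMasterNCs` and `msDS-hasMasterNCs` are treated as the same attribute.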

