samba_upgradedns issues on secondary DC

Daniele Dario d.dario76 at gmail.com
Fri Apr 20 02:02:39 MDT 2012


Hi Amitay,

On Fri, 2012-04-20 at 09:54 +1000, Amitay Isaacs wrote:
> On Wed, Apr 18, 2012 at 1:21 PM, Amitay Isaacs <amitay at gmail.com> wrote:
> > Hi Daniele,
> >
> > On Tue, Apr 17, 2012 at 11:39 PM, Daniele Dario <d.dario76 at gmail.com> wrote:
> >> Hello Amitay,
> >> I'm trying to follow the execution of the samba_upgradedns script to
> >> understand why it doesn't work for me:
> >>
> >> at line 404, in the "Mark that we are hosting DNS partitions" block, the
> >> script looks for NCs which are masters or have partial replicas of
> >> partitions, right?
> >>
> >> Trying to reproduce the call with ldbsearch I see
> >>
> >> [root at kdc02:/usr/local/samba/private]# ldbsearch -H sam.ldb -b
> >> "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local" "(objectclass=nTDSDSa)" "hasPartialReplicaNCs" "msDS-hasMasterNCs"
> >> GENSEC backend 'gssapi_spnego' registered
> >> GENSEC backend 'gssapi_krb5' registered
> >> GENSEC backend 'gssapi_krb5_sasl' registered
> >> GENSEC backend 'schannel' registered
> >> GENSEC backend 'spnego' registered
> >> GENSEC backend 'ntlmssp' registered
> >> GENSEC backend 'krb5' registered
> >> GENSEC backend 'fake_gssapi_krb5' registered
> >> # record 1
> >> dn: CN=NTDS
> >> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> >> msDS-hasMasterNCs: CN=Configuration,DC=saitelitalia,DC=local
> >> msDS-hasMasterNCs: CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
> >> msDS-hasMasterNCs: DC=DomainDnsZones,DC=saitelitalia,DC=local
> >> msDS-hasMasterNCs: DC=ForestDnsZones,DC=saitelitalia,DC=local
> >> msDS-hasMasterNCs: DC=saitelitalia,DC=local
> >>
> >> # record 2
> >> dn: CN=NTDS
> >> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> >> msDS-hasMasterNCs: CN=Configuration,DC=saitelitalia,DC=local
> >> msDS-hasMasterNCs: CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
> >> msDS-hasMasterNCs: DC=saitelitalia,DC=local
> >> hasPartialReplicaNCs: DC=DomainDnsZones,DC=saitelitalia,DC=local
> >> hasPartialReplicaNCs: DC=ForestDnsZones,DC=saitelitalia,DC=local
> >>
> >> # returned 2 records
> >> # 2 entries
> >> # 0 referrals
> >>
> >> now samba-tool drs showrepl says that there are no failures and
> >> replication seems to be OK.
> >>
> >> ldbsearch tells me that for the DNS zones I have only a partial replica
> >> on the secondary DC.
> >> I've also seen that the replica is partial because samba-tool dns query
> >> on the secondary DC now doesn't fail but shows me an incomplete content:
> >>
> >> [root at kdc02:/usr/local/samba/private]# samba-tool dns query kdc02
> >> _msdcs.saitelitalia.local @ ALL -U administrator
> >> GENSEC backend 'gssapi_spnego' registered
> >> GENSEC backend 'gssapi_krb5' registered
> >> GENSEC backend 'gssapi_krb5_sasl' registered
> >> GENSEC backend 'schannel' registered
> >> GENSEC backend 'spnego' registered
> >> GENSEC backend 'ntlmssp' registered
> >> GENSEC backend 'krb5' registered
> >> GENSEC backend 'fake_gssapi_krb5' registered
> >> Using binding ncacn_ip_tcp:kdc02[,sign]
> >> Password for [SAITELITALIA\administrator]:
> >>  Name=, Records=0, Children=0
> >>  Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=0, Children=0
> >>  Name=dc, Records=0, Children=2
> >>  Name=domains, Records=0, Children=1
> >>  Name=edc6129d-b286-47f3-ae02-c7f17d211370, Records=0, Children=0
> >>  Name=gc, Records=0, Children=2
> >>  Name=kdc01, Records=0, Children=0
> >>  Name=pdc, Records=0, Children=1
> >>
> >> Is it normal to have only partial replicas on secondary DCs? Is this
> >> condition something due to an error in the replication or in the DBs?
> >> Would it become a full replica at some point?
> >
> > Well they should start out as partial replicas but after successful
> > replication should be marked in msDs-hasMasterNCs. But the replication
> > code in samba does not do that. I haven't yet figured out at what
> > point an NC is moved from hasPartialReplicaNCs to msDs-hasMasterNCs.
> > So samba_upgradedns, for now, hacks that attribute. But the assumption
> > here is that you have replication working between primary and
> > secondary DCs. This won't fix any replication issues.
> >
> > I haven't had sufficient spare time to delve into replication
> > documentation and code to figure out at what point this should happen.
> >
> >> Back to the script: once it has found the list of NCs with full and partial
> >> replicas (and by adding a little debug info to the script I've seen that
> >> they are not empty, as ldbsearch says) the script tries to update the
> >> attributes in the DB, and for me it fails there when running
> >> ldb.MessageElement(master_nclist, ldb.FLAG_MOD_REPLACE,
> >> "msDS-hasMasterNCs")
> >> but I'm not able to find the sources of that function. Obviously the error
> >> is not in the function, but I want to understand what goes wrong, so can you
> >> point me to what I should search for?
> >
> > I have an idea of why you are seeing ldb Operations Error. I will put
> > together a patch which you can test.
> >
> > Amitay.
> 
> Hi Daniele,
> 
> Please try this patch and let me know if that fixes the ldb operations
> error in samba_upgradedns.
> 
> Amitay.

I've found a typo in the patch:

--- source4/scripting/bin/samba_upgradedns	2012-04-20 09:53:35.285776885
+0200
+++ source4/scripting/bin/samba_upgradedns	2012-04-20 09:53:09.034259436
+0200
@@ -415,7 +415,7 @@

"hasPartialReplicaNCs")
                 else:
                     m["hasPartialReplicaNCs"] = ldb.MessageElement(ncs,
-
ldb.FLAG_MOD_DELETE<
+
ldb.FLAG_MOD_DELETE,

"hasPartialReplicaNCs")
             ldbs.sam.modify(m)
     except Exception:
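Review bot: The `,` for `<` fix in the `m["hasPartialReplicaNCs"]` branch is correct, and it is worth noting why the original line did not fail as a syntax error: `ldb.FLAG_MOD_DELETE< "hasPartialReplicaNCs"` is a legal (if meaningless) Python 2 comparison of an int with a string, so `ldb.MessageElement(ncs, ...)` was being called with two arguments and no attribute name. Two follow-ups on the surrounding context lines: the `except Exception:` that closes the hunk swallows whatever `ldbs.sam.modify(m)` raises, which is exactly why debug prints were needed to find the failing call; logging the exception and the DN being modified there would save the next person the same hunt. Also, the `+++` timestamp (09:53:09) is older than the `---` timestamp (09:53:35), so double-check that old and new were not swapped when the diff was regenerated, even though the `-`/`+` lines themselves read the right way round.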

Correcting the '<' to a ',', it worked!!!

Now I'll try to start bind and let you know.

Just a question:
I've seen that the permissions for the private/dns folder are correct
(770:root.bind) but dns.keytab is 600:root.root.
Shouldn't it be 640:root.bind?

Great job Amitay.
Thanks again,
Daniele.
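The step the thread is debugging (samba_upgradedns around line 404, "Mark that we are hosting DNS partitions") reads each DC's NTDS Settings object, finds DNS partitions that appear only in hasPartialReplicaNCs, and rewrites msDS-hasMasterNCs / hasPartialReplicaNCs with ldb.MessageElement and ldbs.sam.modify. The following is an added pre-flight check, not code from the thread or from Samba: it parses the LDIF that the ldbsearch command quoted above prints and reports, per DC, the modification the script would apply, so an administrator can see which DCs still hold only partial replicas before the attribute is "hacked" (and, as Amitay notes, confirm with samba-tool drs showrepl that replication actually works first). The sample LDIF below reproduces the two records from the thread with proper LDIF folding (a continuation line starts with one space); the modify operations are expressed as plain tuples so the check runs without the samba ldb module, and the mapping to ldb.FLAG_MOD_REPLACE / ldb.FLAG_MOD_DELETE is an assumption stated in the comments.

```python
"""Pre-flight check for the DNS-partition step of samba_upgradedns (added example).

Usage: ldbsearch -H sam.ldb -b "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com" \
           "(objectclass=nTDSDSa)" hasPartialReplicaNCs msDS-hasMasterNCs | python3 check_dns_ncs.py
"""
import base64
import re
import sys
from typing import Dict, List, Tuple

# Naming contexts that samba_upgradedns cares about for DNS hosting.
DNS_NC_PREFIXES = ("DC=DomainDnsZones,", "DC=ForestDnsZones,")
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# Constructed sample: the two NTDS Settings records from the thread, folded as real LDIF.
SAMPLE_LDIF = """\
GENSEC backend 'gssapi_spnego' registered
# record 1
dn: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=saitelitalia,DC=local
msDS-hasMasterNCs: CN=Configuration,DC=saitelitalia,DC=local
msDS-hasMasterNCs: CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
msDS-hasMasterNCs: DC=DomainDnsZones,DC=saitelitalia,DC=local
msDS-hasMasterNCs: DC=ForestDnsZones,DC=saitelitalia,DC=local
msDS-hasMasterNCs: DC=saitelitalia,DC=local

# record 2
dn: CN=NTDS Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=saitelitalia,DC=local
msDS-hasMasterNCs: CN=Configuration,DC=saitelitalia,DC=local
msDS-hasMasterNCs: CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
msDS-hasMasterNCs: DC=saitelitalia,DC=local
hasPartialReplicaNCs: DC=DomainDnsZones,DC=saitelitalia,DC=local
hasPartialReplicaNCs: DC=ForestDnsZones,DC=saitelitalia,DC=local

# returned 2 records
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldbsearch/LDIF output into a list of {attribute: [values]} records.

    Unfolds continuation lines, decodes '::' base64 values, skips '#' comments
    and the 'GENSEC backend ...' chatter ldbsearch prints before the records.
    """
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    unfolded = re.sub(r"\n ", "", text)  # newline + single space = folded line
    for line in unfolded.splitlines():
        if not line.strip():
            if current:  # blank line ends a record
                records.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep or not ATTR_RE.match(attr):
            continue  # comment or non-LDIF noise
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value.strip())
    if current:
        records.append(current)
    return records


Op = Tuple[str, str, List[str]]  # (operation, attribute, values)


def plan_dns_nc_fixups(records: List[Dict[str, List[str]]]) -> Dict[str, List[Op]]:
    """Return, per NTDS Settings DN, the modify operations the script would apply.

    Assumption: samba_upgradedns replaces msDS-hasMasterNCs with the union of
    current masters and the partial DNS NCs (ldb.FLAG_MOD_REPLACE), then deletes
    those NCs from hasPartialReplicaNCs (ldb.FLAG_MOD_DELETE).
    """
    plan: Dict[str, List[Op]] = {}
    for rec in records:
        dn = rec.get("dn", [""])[0]
        master = rec.get("msDS-hasMasterNCs", [])
        partial_dns = [nc for nc in rec.get("hasPartialReplicaNCs", [])
                       if nc.startswith(DNS_NC_PREFIXES)]
        if not partial_dns:
            continue  # DC already masters the DNS partitions, nothing to do
        new_master = master + [nc for nc in partial_dns if nc not in master]
        plan[dn] = [("replace", "msDS-hasMasterNCs", new_master),
                    ("delete", "hasPartialReplicaNCs", partial_dns)]
    return plan


def main() -> None:
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    plan = plan_dns_nc_fixups(parse_ldif(text))
    if not plan:
        print("all DCs already hold full replicas of the DNS partitions")
    for dn, ops in plan.items():
        print(dn)
        for op, attr, values in ops:
            print(f"  {op:8s} {attr}: {', '.join(values)}")


if __name__ == "__main__":
    main()
```

Run against the live ldbsearch output, an empty plan means the hasPartialReplicaNCs hack in samba_upgradedns has nothing left to do; a non-empty plan lists exactly the DCs (KDC02 in the thread's data) whose DNS partitions are still partial, which is the state to confirm replication on before letting the script rewrite the attributes.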
