Replication fails with openchange attributes

Andrew Bartlett abartlet at samba.org
Sun Apr 29 15:45:15 MDT 2012


On Sat, 2012-04-28 at 22:35 -0700, Matthieu Patou wrote:
> On 04/24/2012 06:06 AM, Karsten Bandlow wrote:
> > On 23.04.2012 00:07, Matthieu Patou wrote:
> >> On 04/10/2012 12:39 AM, K. Bandlow wrote:
> >>> Hello,
> >>> I want to add a secondary DC to my domain. But replication does not 
> >>> work since I added openchange attributes.
> >>>
> >>> My machine was Debian sid. Samba alpha 18-4.
> >>>
> >>> Here is my command, at the end the last lines with -d5 switch
> >>>
> >>>
> >>>
> >>> root@pdc:/usr/share/samba/setup# samba-tool domain join cxx-br.local DC -Uadministrator --realm=cxx-br.local
> >>> Finding a writeable DC for domain 'cxx-br.local'
> >>> Found DC pdc2.cxx-br.local
> >>> Password for [BRHH\administrator]:
> >>> workgroup is BRHH
> >>> realm is cxx-br.local
> >>> checking sAMAccountName
> >>> Adding CN=PDC,OU=Domain Controllers,DC=cxx-br,DC=local
> >>> Adding CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cxx-br,DC=local
> >>> Adding CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cxx-br,DC=local
> >>> Adding SPNs to CN=PDC,OU=Domain Controllers,DC=cxx-br,DC=local
> >>> Setting account password for PDC$
> >>> Enabling account
> >>> Calling bare provision
> >>> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> >>> No IPv6 address will be assigned
> >>> partition_metadata: Migrating partition metadata
> >>> Provision OK for domain DN DC=cxx-br,DC=local
> >>> Starting replication
> >>> Schema-DN[CN=Schema,CN=Configuration,DC=cxx-br,DC=local] objects[402/2619] linked_values[0/0]
> >>> Schema-DN[CN=Schema,CN=Configuration,DC=cxx-br,DC=local] objects[804/2619] linked_values[0/0]
> >>> Schema-DN[CN=Schema,CN=Configuration,DC=cxx-br,DC=local] objects[1206/2619] linked_values[0/0]
> >>> Schema-DN[CN=Schema,CN=Configuration,DC=cxx-br,DC=local] objects[1608/2619] linked_values[0/0]
> >>> Schema-DN[CN=Schema,CN=Configuration,DC=cxx-br,DC=local] objects[2010/2619] linked_values[0/0]
> >>> Schema-DN[CN=Schema,CN=Configuration,DC=cxx-br,DC=local] objects[2412/2619] linked_values[0/0]
> >>> Join failed - cleaning up
> >>> checking sAMAccountName
> >>> Deleted CN=PDC,OU=Domain Controllers,DC=cxx-br,DC=local
> >>> Deleted CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cxx-br,DC=local
> >>> Deleted CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cxx-br,DC=local
> >>> ERROR(runtime): uncaught exception - (31, 'WERR_GENERAL_FAILURE')
> >>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 162, in _run
> >>>     return self.run(*args, **kwargs)
> >>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 180, in run
> >>>     machinepass=machinepass)
> >>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 967, in join_DC
> >>>     ctx.do_join()
> >>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 874, in do_join
> >>>     ctx.join_replicate()
> >>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 674, in join_replicate
> >>>     replica_flags=ctx.replica_flags)
> >>>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 250, in replicate
> >>>     (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
> >>> root@pdc:/usr/share/samba/setup#
> >>>
> >>> Here the last lines with -d5
> >>>
> >>>
> >>>                                         meta_data: struct drsuapi_DsReplicaMetaData
> >>>                                             version                  : 0x00000001 (1)
> >>>                                             originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
> >>>                                             originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
> >>>                                             originating_usn          : 0x00000000000015da (5594)
> >>>                                         meta_data: struct drsuapi_DsReplicaMetaData
> >>>                                             version                  : 0x00000001 (1)
> >>>                                             originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
> >>>                                             originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
> >>>                                             originating_usn          : 0x00000000000015da (5594)
> >>>                                         meta_data: struct drsuapi_DsReplicaMetaData
> >>>                                             version                  : 0x00000001 (1)
> >>>                                             originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
> >>>                                             originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
> >>>                                             originating_usn          : 0x00000000000015da (5594)
> >>>                                         meta_data: struct drsuapi_DsReplicaMetaData
> >>>                                             version                  : 0x00000001 (1)
> >>>                                             originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
> >>>                                             originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
> >>>                                             originating_usn          : 0x00000000000015da (5594)
> >>>                                         meta_data: struct drsuapi_DsReplicaMetaData
> >>>                                             version                  : 0x00000001 (1)
> >>>                                             originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
> >>>                                             originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
> >>>                                             originating_usn          : 0x00000000000015da (5594)
> >>>                                         meta_data: struct drsuapi_DsReplicaMetaData
> >>>                                             version                  : 0x00000001 (1)
> >>>                                             originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
> >>>                                             originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
> >>>                                             originating_usn          : 0x00000000000015da (5594)
> >>>                                         meta_data: struct drsuapi_DsReplicaMetaData
> >>>                                             version                  : 0x00000002 (2)
> >>>                                             originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
> >>>                                             originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
> >>>                                             originating_usn          : 0x00000000000015db (5595)
> >>>                     more_data                : 0x00000000 (0)
> >>>                     nc_object_count          : 0x00000000 (0)
> >>>                     nc_linked_attributes_count: 0x00000000 (0)
> >>>                     linked_attributes_count  : 0x00000000 (0)
> >>>                     linked_attributes        : NULL
> >>>                     drs_error                : WERR_OK
> >>>             result                   : WERR_GENERAL_FAILURE
> >> We need more information.
> >>
> >> My guess is that the update requires an attribute / class that doesn't 
> >> exist yet because it's in the following changes.
> >>
> >> A full log might help us.
> >>
> >> Matthieu.
> >>
> > Here comes the logfile http://178.77.77.98/debug.log.tar.gz compressed 
> > size ~ 6MB original Size ~ 100MB
> >
> > I did call the following command
> >
> > ./bin/samba-tool domain join cxx-br.local DC -Uadministrator --password Password -d10 > debug.log 2>&1
> >
> > Without openchange attributes replication works fine.
> So after all checks just one attribute is missing:  
> ms-Exch-Proxy-Gen-Options
> 
> You should be able to load this ldif in your provision, and after 
> that the replication should work
> 
> #
> dn: CN=msExch-Proxy-Gen-Options,${SCHEMADN}
> objectClass: top
> objectClass: attributeSchema
> cn: msExch-Proxy-Gen-Options
> attributeID: 1.2.840.113556.1.4.7000.102.50044
> attributeSyntax: 2.5.5.9
> isSingleValued: TRUE
> showInAdvancedViewOnly: TRUE
> adminDisplayName: msExch-Proxy-Gen-Options
> adminDescription: msExch-Proxy-Gen-Options
> oMSyntax: 2
> searchFlags: 0
> lDAPDisplayName: msExchProxyGenOptions
> name: msExch-Proxy-Gen-Options
> schemaIDGUID: 974c9a02-33fc-11d3-aa6e-00c04f8eedd8
> isMemberOfPartialAttributeSet: FALSE
> objectCategory: CN=Attribute-Schema,${SCHEMADN}
> 
> Don't forget to set "dsdb:schema update allowed" to yes in the smb.conf 
> while trying to load this ldif.

One of the additional problems here is that the application of the
schema during the DRS replication isn't full or correct.  It loops over
the chunk to try and complete the schema.  However, as a chunk may not
contain the whole schema, it can fail to set it up (because it cannot
convert all the elements).

I need to look at this again, but if I recall, I was at one point trying
to permit an incomplete conversion (not converting mayContain when we
just need to sort out attribute ID -> name mappings).

Hopefully these hints help us improve our behaviour here.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
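
The two failure modes discussed in this thread (a class referencing an attribute that is missing from the schema, and one whose definition only arrives in a later replication chunk) can be checked offline against a schema LDIF export before attempting a join. This is an added example, not code from the thread or from Samba: it is a simplified model that resolves references by name rather than by attribute ID, and the sample class name and DNs are constructed.

```python
# Added example: simplified name-based model, not Samba's loader. Sample LDIF is constructed.
REF_KEYS = ("mustcontain", "maycontain", "systemmustcontain", "systemmaycontain")
SAMPLE_LDIF = """\
dn: CN=Example-Mail-Recipient,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: classSchema
lDAPDisplayName: exampleMailRecipient
mayContain: mail
mayContain: msExchProxyGenOptions

dn: CN=Mail,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: mail
"""

def parse_ldif(text):
    """Parse plain LDIF (no folding, no base64) into {lowercased attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def is_a(entry, object_class):
    return object_class in (v.lower() for v in entry.get("objectclass", []))

def attribute_names(entries):
    return {n.lower() for e in entries if is_a(e, "attributeschema")
            for n in e.get("ldapdisplayname", [])}

def missing_attributes(entries, known=frozenset()):
    """Map each undefined attribute name to the classes that reference it."""
    defined = attribute_names(entries) | set(known)
    missing = {}
    for e in (e for e in entries if is_a(e, "classschema")):
        for ref in (r for k in REF_KEYS for r in e.get(k, [])):
            if ref.lower() not in defined:
                missing.setdefault(ref, []).append(e.get("ldapdisplayname", ["?"])[0])
    return missing

def missing_by_chunk(entries, size):
    """Check each chunk using only attributes defined in it or in earlier chunks."""
    known, report = set(), []
    for i in range(0, len(entries), size):
        report.append(sorted(missing_attributes(entries[i:i + size], known)))
        known |= attribute_names(entries[i:i + size])
    return report
```

On the sample, `missing_attributes(parse_ldif(SAMPLE_LDIF))` reports only `msExchProxyGenOptions`, while `missing_by_chunk(..., 1)` also reports `mail` for the first chunk because its definition arrives in a later one.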


