Replication fails with openchange attributes

Matthieu Patou mat at samba.org
Sun Apr 29 23:56:47 MDT 2012


On 04/29/2012 02:45 PM, Andrew Bartlett wrote:
> On Sat, 2012-04-28 at 22:35 -0700, Matthieu Patou wrote:
>> On 04/24/2012 06:06 AM, Karsten Bandlow wrote:
>>> Am 23.04.2012 00:07, schrieb Matthieu Patou:
>>>> On 04/10/2012 12:39 AM, K. Bandlow wrote:
>>>>> Hello,
>>>>> I want to add a secondary DC to my domain. But replication does not
>>>>> work since I added openchange attributes.
>>>>>
>>>>> My machine was Debian sid. Samba alpha 18-4.
>>>>>
>>>>> Here is my command, at the end the last lines with -d5 switch
>>>>>
>>>>>
>>>>>
>>>>> root@pdc:/usr/share/samba/setup# samba-tool domain join cxx-br.local DC -Uadministrator --realm=cxx-br.local
>>>>> Finding a writeable DC for domain 'cxx-br.local'
>>>>> Found DC pdc2.cxx-br.local
>>>>> Password for [BRHH\administrator]:
>>>>> workgroup is BRHH
>>>>> realm is cxx-br.local
>>>>> checking sAMAccountName
>>>>> Adding CN=PDC,OU=Domain Controllers,DC=cxx-br,DC=local
>>>>> Adding
>>>>> CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cxx-br,DC=local
>>>>> Adding CN=NTDS
>>>>> Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cxx-br,DC=local
>>>>> Adding SPNs to CN=PDC,OU=Domain Controllers,DC=cxx-br,DC=local
>>>>> Setting account password for PDC$
>>>>> Enabling account
>>>>> Calling bare provision
>>>>> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
>>>>> No IPv6 address will be assigned
>>>>> partition_metadata: Migrating partition metadata
>>>>> Provision OK for domain DN DC=cxx-br,DC=local
>>>>> Starting replication
>>>>> Schema-DN[CN=Schema,CN=Configuration,DC=cxx-br,DC=local]
>>>>> objects[402/2619] linked_values[0/0]
>>>>> Schema-DN[CN=Schema,CN=Configuration,DC=cxx-br,DC=local]
>>>>> objects[804/2619] linked_values[0/0]
>>>>> Schema-DN[CN=Schema,CN=Configuration,DC=cxx-br,DC=local]
>>>>> objects[1206/2619] linked_values[0/0]
>>>>> Schema-DN[CN=Schema,CN=Configuration,DC=cxx-br,DC=local]
>>>>> objects[1608/2619] linked_values[0/0]
>>>>> Schema-DN[CN=Schema,CN=Configuration,DC=cxx-br,DC=local]
>>>>> objects[2010/2619] linked_values[0/0]
>>>>> Schema-DN[CN=Schema,CN=Configuration,DC=cxx-br,DC=local]
>>>>> objects[2412/2619] linked_values[0/0]
>>>>> Join failed - cleaning up
>>>>> checking sAMAccountName
>>>>> Deleted CN=PDC,OU=Domain Controllers,DC=cxx-br,DC=local
>>>>> Deleted CN=NTDS
>>>>> Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cxx-br,DC=local
>>>>> Deleted
>>>>> CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cxx-br,DC=local
>>>>> ERROR(runtime): uncaught exception - (31, 'WERR_GENERAL_FAILURE')
>>>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>>>>> line 162, in _run
>>>>>      return self.run(*args, **kwargs)
>>>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
>>>>> line 180, in run
>>>>>      machinepass=machinepass)
>>>>>    File "/usr/lib/python2.7/dist-packages/samba/join.py", line 967,
>>>>> in join_DC
>>>>>      ctx.do_join()
>>>>>    File "/usr/lib/python2.7/dist-packages/samba/join.py", line 874,
>>>>> in do_join
>>>>>      ctx.join_replicate()
>>>>>    File "/usr/lib/python2.7/dist-packages/samba/join.py", line 674,
>>>>> in join_replicate
>>>>>      replica_flags=ctx.replica_flags)
>>>>>    File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line
>>>>> 250, in replicate
>>>>>      (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle,
>>>>> req_level, req)
>>>>> root@pdc:/usr/share/samba/setup#
>>>>>
>>>>> Here the last lines with -d5
>>>>>
>>>>>
>>>>>                 meta_data: struct drsuapi_DsReplicaMetaData
>>>>>                     version                  : 0x00000001 (1)
>>>>>                     originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
>>>>>                     originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
>>>>>                     originating_usn          : 0x00000000000015da (5594)
>>>>>                 meta_data: struct drsuapi_DsReplicaMetaData
>>>>>                     version                  : 0x00000001 (1)
>>>>>                     originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
>>>>>                     originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
>>>>>                     originating_usn          : 0x00000000000015da (5594)
>>>>>                 meta_data: struct drsuapi_DsReplicaMetaData
>>>>>                     version                  : 0x00000001 (1)
>>>>>                     originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
>>>>>                     originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
>>>>>                     originating_usn          : 0x00000000000015da (5594)
>>>>>                 meta_data: struct drsuapi_DsReplicaMetaData
>>>>>                     version                  : 0x00000001 (1)
>>>>>                     originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
>>>>>                     originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
>>>>>                     originating_usn          : 0x00000000000015da (5594)
>>>>>                 meta_data: struct drsuapi_DsReplicaMetaData
>>>>>                     version                  : 0x00000001 (1)
>>>>>                     originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
>>>>>                     originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
>>>>>                     originating_usn          : 0x00000000000015da (5594)
>>>>>                 meta_data: struct drsuapi_DsReplicaMetaData
>>>>>                     version                  : 0x00000001 (1)
>>>>>                     originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
>>>>>                     originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
>>>>>                     originating_usn          : 0x00000000000015da (5594)
>>>>>                 meta_data: struct drsuapi_DsReplicaMetaData
>>>>>                     version                  : 0x00000002 (2)
>>>>>                     originating_change_time  : Fri Apr  6 12:56:07 2012 CEST
>>>>>                     originating_invocation_id: 51cb798e-e91f-459c-a6df-6f3e8d607a33
>>>>>                     originating_usn          : 0x00000000000015db (5595)
>>>>>         more_data                : 0x00000000 (0)
>>>>>         nc_object_count          : 0x00000000 (0)
>>>>>         nc_linked_attributes_count: 0x00000000 (0)
>>>>>         linked_attributes_count  : 0x00000000 (0)
>>>>>         linked_attributes        : NULL
>>>>>         drs_error                : WERR_OK
>>>>>     result                   : WERR_GENERAL_FAILURE
>>>> We need more information.
>>>>
>>>> My guess is that the update requires an attribute / class that doesn't
>>>> exist yet because it's in the following changes.
>>>>
>>>> A full log might help us.
>>>>
>>>> Matthieu.
>>>>
>>> Here comes the logfile http://178.77.77.98/debug.log.tar.gz compressed
>>> size ~ 6MB original Size ~ 100MB
>>>
>>> I called the following command:
>>>
>>> ./bin/samba-tool domain join cxx-br.local DC -Uadministrator
>>> --password Password -d10 > debug.log 2>&1
>>>
>>> Without openchange attributes replication works fine.
>> So after all checks just one attribute is missing:
>> ms-Exch-Proxy-Gen-Options
>>
>> You should be able to load this ldif in your provision and then after
>> the replication should work
>>
>> #
>> dn: CN=msExch-Proxy-Gen-Options,${SCHEMADN}
>> objectClass: top
>> objectClass: attributeSchema
>> cn: msExch-Proxy-Gen-Options
>> attributeID: 1.2.840.113556.1.4.7000.102.50044
>> attributeSyntax: 2.5.5.9
>> isSingleValued: TRUE
>> showInAdvancedViewOnly: TRUE
>> adminDisplayName: msExch-Proxy-Gen-Options
>> adminDescription: msExch-Proxy-Gen-Options
>> oMSyntax: 2
>> searchFlags: 0
>> lDAPDisplayName: msExchProxyGenOptions
>> name: msExch-Proxy-Gen-Options
>> schemaIDGUID: 974c9a02-33fc-11d3-aa6e-00c04f8eedd8
>> isMemberOfPartialAttributeSet: FALSE
>> objectCategory: CN=Attribute-Schema,${SCHEMADN}
>>
>> Don't forget to set "dsdb:schema update allowed" to yes in the smb.conf
>> while trying to load this ldif.
> One of the additional problems here is that the application of the
> schema during the DRS replication isn't full or correct.  It loops over
> the chunk to try and complete the schema.  However, as a chunk may not
> contain the whole schema, it can fail to set it up (because it cannot
> convert all the elements).
Kamen pointed out that we have delayed checks, and looking at the code seems
to confirm this. So in theory we shouldn't run into that kind of issue.

> I need to look at this again, but if I recall, I was at one point trying
> to permit an incomplete conversion (not converting mayContain when we
> just need to sort out attribute ID -> name mappings).
Well, here the issue for the conversion was on the sending DC, which should
normally have the complete schema with complete conversion information.

Matthieu.


-- 
Matthieu Patou
Samba Team
http://samba.org
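
The missing-attribute diagnosis and the chunk discussion above can be reproduced offline with a small schema consistency check. This is an added example, not code from Samba or from anyone in this thread; the `exampleRecipient` class, the `DC=example,DC=test` naming context and the assumption that the dangling reference arrives through `mayContain`/`mustContain` are constructed for illustration.

```python
# Added example: constructed entries; handles only unwrapped, non-base64 LDIF.
SAMPLE_LDIF = """\
dn: CN=Example-Recipient,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: classSchema
lDAPDisplayName: exampleRecipient
mayContain: mail
mayContain: msExchProxyGenOptions

dn: CN=Mail,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: mail
"""
REF_ATTRS = ("maycontain", "mustcontain", "systemmaycontain", "systemmustcontain")

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, _, value = line.partition(":")
                entry.setdefault(key.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def defined_attributes(entries):
    return {e["ldapdisplayname"][0].lower() for e in entries
            if "attributeSchema" in e.get("objectclass", [])}

def unresolved(entries, known=frozenset()):
    """Return {class: [attrs it references that no entry or `known` defines]}."""
    have = defined_attributes(entries) | {k.lower() for k in known}
    missing = {}
    for e in entries:
        if "classSchema" in e.get("objectclass", []):
            refs = [v for a in REF_ATTRS for v in e.get(a, [])]
            gaps = sorted(r for r in refs if r.lower() not in have)
            if gaps:
                missing[e["ldapdisplayname"][0]] = gaps
    return missing

def check_in_chunks(entries, size):
    """Check chunk by chunk, each chunk seeing only itself and earlier chunks."""
    known, failures = set(), []
    for i in range(0, len(entries), size):
        failures.append(unresolved(entries[i:i + size], known))
        known |= defined_attributes(entries[i:i + size])
    return failures
```

Checked over the whole sample, only `msExchProxyGenOptions` is reported; checked one entry per chunk, `mail` is reported too, which is the false failure a delayed (whole-schema) check avoids.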