samba4 from BDC to PDC

Daniele Dario d.dario76 at gmail.com
Tue Jan 3 06:01:10 MST 2012


Hi Amitay,

On Fri, 2011-12-30 at 08:46 +1100, Amitay Isaacs wrote:
> On Fri, Dec 30, 2011 at 12:09 AM, Daniele Dario <d.dario76 at gmail.com> wrote:
> > Hi Amitay,
> >
> > On Thu, 2011-12-29 at 23:22 +1100, Amitay Isaacs wrote:
> >> Hi Daniele,
> >>
> >> On Thu, Dec 29, 2011 at 10:18 PM, Daniele Dario <d.dario76 at gmail.com> wrote:
> >>
> >> > I finished preparing the VM and joined samba4 to the domain.
> >> > As in the past, after the domain join no dns.keytab will be present in
> >> > the private directory.
> >> >
> >> > As said by Gemes Geza, I exported the keytab using
> >> > [root at kdc01:/usr/local/samba/private]# samba-tool domain exportkeytab
> >> > dns.keytab
> >> > [root at kdc01:/usr/local/samba/private]# samba-tool user add dns-kdc02
> >> > --random-password
> >> > [root at kdc01:/usr/local/samba/private]# samba-tool spn add
> >> > DNS/kdc02.saitelitalia.local dns-kdc02
> >> >
> >> > At this point, if I start named
> >> > [root at kdc01:~]# named -u bind -d 10 -g -c /etc/bind/named.conf
> >> > it fails
> >> > ...
> >> > 29-Dec-2011 11:54:43.328 generating session key for dynamic DNS
> >> > 29-Dec-2011 11:54:43.328 sizing zone task pool based on 5 zones
> >> > 29-Dec-2011 11:54:43.329 decrement_reference: delete from rbt:
> >> > 0xb6d2d548 .
> >> > 29-Dec-2011 11:54:43.330 Loading 'AD DNS Zone' using driver dlopen
> >> > 29-Dec-2011 11:54:43.330 Loading SDLZ driver.
> >> > 29-Dec-2011 11:54:43.515 samba_dlz: Unable to get basedn
> >> > for /usr/local/samba/private/dns/sam.ldb - NULL Base DN invalid for a
> >> > base search
> >> > 29-Dec-2011 11:54:43.515 dlz_dlopen of 'AD DNS Zone' failed
> >> > 29-Dec-2011 11:54:43.515 SDLZ driver failed to load.
> >> > 29-Dec-2011 11:54:43.515 DLZ driver failed to load.
> >> > 29-Dec-2011 11:54:43.516 load_configuration: failure
> >> > 29-Dec-2011 11:54:43.516 loading configuration: failure
> >> > 29-Dec-2011 11:54:43.516 exiting (due to fatal error)
> >> > ...
> >> >
> >> > What am I missing?
> >> > If bind does not start I won't be able to see the AD DNS from windows (I
> >> > use XP to double-check what I'm doing) so I can't check if I can add the
> >> > reverse zone.
> >>
> >> It appears that dlz_bind9 is unable to access the DNS partitions. Maybe there
> >> is something wrong with the copy of samdb in the private/dns directory.
> >> private/dns/sam.ldb should be a copy of private/sam.ldb. Can you confirm that?
> >> Does private/dns/sam.ldb.d have all files similar to private/sam.ldb.d?
> >>
> >> Amitay.
> >
> > No, it was not. I copied private/sam.ldb and private/sam.ldb.d/* into
> > private/dns/ and changed permissions and now bind started, thank you.
> >
> > If I try to nslookup on this DNS it fails, and the same happens with
> > [root at kdc02:~]# samba-tool dns query kdc02
> > saitelitalia.local .saitelitalia.local ALL -U administrator
> > Password for [SAITELITALIA\administrator]:
> > ERROR(runtime): uncaught exception - (9717,
> > 'WERR_DNS_ERROR_DS_UNAVAILABLE')
> >  File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 167, in _run
> >    return self.run(*args, **kwargs)
> >  File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line
> > 789, in run
> >    None)
> >
> > Looking in private/sam.ldb.d/ or private/dns/sam.ldb.d/ it seems that
> > the DC=DOMAINDNSZONES,DC=SAITELITALIA,DC=LOCAL.ldb and the
> > DC=FORESTDNSZONES,DC=SAITELITALIA,DC=LOCAL.ldb aren't present on the
> > second DC (the one where dns query fails).
> >
> > How do I replicate them?
> >
> > Daniele.
> >
> 
> That means when you joined the domain, samba-tool did not provision for DNS.
> What command did you use to join the domain?
> 
> If you join as a domain controller, it's supposed to provision for DNS
> (create the DNS partitions DomainDnsZones and ForestDnsZones) and create
> a partial copy of sam.
> 
> Unfortunately you cannot just copy the files (it's not an exact copy,
> but a partial one). That will create a separate copy of sam, which will
> not be the same as seen by samba and bind. Since bind requires modify
> access only to the DomainDnsZones and ForestDnsZones partitions, those
> partitions are actually linked to the files in the main sam.ldb.d.
> Similarly the main sam.ldb file is also linked. Configuration and Schema
> are copies. The Domain partition is newly created and has only a minimal
> amount of information about the domain.
> 
> I would prefer to fix the samba-tool domain join command, rather than
> having you copy the database manually.
> 
> Amitay.

I upgraded the PDC to the current git and now I'm also able to create
the reverse zone and to add/delete/modify its content.

Thanks,
Daniele.
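The layout Amitay describes for the private/dns copy of the database (sam.ldb and the two DNS partitions shared with the main copy, Configuration and Schema as plain copies) can be checked rather than guessed at. The script below is an added example written for this page, not code from the thread or from Samba: the function name is hypothetical, the DomainDnsZones/ForestDnsZones file names follow the spelling quoted above, and the Configuration and Schema file names are assumed to follow the same `<DN>.ldb` pattern. "Linked" is tested with the `-ef` same-inode test, which dash and bash both support.

```shell
#!/bin/sh
# check_dns_sam_links: verify that the dns/ copy of the sam database is
# laid out as a DC join is supposed to create it. sam.ldb and the two DNS
# partition files must be hard links to the main copy (same inode);
# Configuration and Schema only need to exist (they are copies).
# Hypothetical helper written for this example, not a samba-tool command.
#
# Usage: check_dns_sam_links /usr/local/samba/private "DC=SAITELITALIA,DC=LOCAL"
check_dns_sam_links() {
    private="$1"                     # samba private directory
    domain_dn="$2"                   # domain DN, e.g. DC=SAITELITALIA,DC=LOCAL
    main="$private/sam.ldb.d"
    dns="$private/dns/sam.ldb.d"
    rc=0

    # the main sam.ldb must be linked, not copied, into dns/
    if ! [ "$private/sam.ldb" -ef "$private/dns/sam.ldb" ]; then
        echo "dns/sam.ldb is missing or is a separate copy of sam.ldb" >&2
        rc=1
    fi

    # the partitions bind modifies must be the same files samba uses
    for part in DOMAINDNSZONES FORESTDNSZONES; do
        f="DC=$part,$domain_dn.ldb"
        if [ ! -e "$dns/$f" ]; then
            echo "missing DNS partition: $dns/$f" >&2
            rc=1
        elif ! [ "$main/$f" -ef "$dns/$f" ]; then
            echo "DNS partition is a separate copy, not linked: $f" >&2
            rc=1
        fi
    done

    # Configuration and Schema are copies; they just have to be present
    # (file names assumed to follow the <DN>.ldb pattern seen above)
    for f in "CN=CONFIGURATION,$domain_dn.ldb" \
             "CN=SCHEMA,CN=CONFIGURATION,$domain_dn.ldb"; do
        if [ ! -e "$dns/$f" ]; then
            echo "missing partition copy: $dns/$f" >&2
            rc=1
        fi
    done
    return $rc
}
```

A manual `cp` of sam.ldb.d/* into private/dns, as done earlier in the thread, passes the existence checks but fails the `-ef` checks, which is exactly the split-database situation Amitay warns about.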
