Need urgent help with samba4 DC re-join

Andreas Oster aoster at novanetwork.de
Tue Jul 17 23:10:05 MDT 2012 

Am 18.07.2012 05:24, schrieb Andrew Bartlett:
> On Tue, 2012-07-17 at 19:31 +0200, Andreas Oster wrote:
>> Am 17.07.2012 08:09, schrieb Andrew Bartlett:
>>
>>> On Tue, 2012-07-17 at 11:17 +1000, Andrew Bartlett wrote:
>>>> On Sat, 2012-07-14 at 08:07 +0200, Andreas Oster wrote: 
>>>>> Am 14.07.2012 04:29, schrieb Andrew Bartlett: 
>>>>>> On Fri, 2012-07-13 at 08:09 +0200, Andreas Oster wrote: 
>>>>>>> Am 03.07.2012 00:32, schrieb Andrew Bartlett: 
>>>>>>>> On Mon, 2012-07-02 at 20:00 +0200, Andreas Oster wrote: 
>>>>>>>>> Hello Andrew, as I have written, I have managed to
>>>>>>>>> restore the system to the state before my disastrous
>>>>>>>>> attempt to demote my BDC (novadc02). Currently both
>>>>>>>>> servers operate normal but still the problems with
>>>>>>>>> objectClass and objectCategory of the DomainDnsZones and
>>>>>>>>> ForestDnsZones exists. Would it make sense to, after
>>>>>>>>> taking a proper backup, demote the second DC again or
>>>>>>>>> should the faulty DB entries be fixed first ?
>>>>>>>> I've been thinking over this, and the reason for the slow
>>>>>>>> replies is that the situation isn't easy to fix. Somehow
>>>>>>>> (and I would like to understand how), the instanceType in
>>>>>>>> your DNS partition on the master is set not to include the
>>>>>>>> WRITE bit. This causes the repl_meta_data message you see.
>>>>>>>> However, I'm pretty sure 'fixing' the instanceType bit
>>>>>>>> would be prohibited by the objectclass module, enforcing
>>>>>>>> the broken schema. Given all that, it seems the 'safe' way
>>>>>>>> to fix it is to correct the instanceType based on the
>>>>>>>> msDS-hasMasterNCs attribute in a dbcheck routine, setting
>>>>>>>> various flags to bypass checking for this specific change,
>>>>>>>> but I've not written that yet. Sorry, Andrew Bartlett
>>>>>>> Hello Andrew, did you have a chance to do something
>>>>>>> regarding the dbcheck enhancement to fix the broken schema
>>>>>>> of my samba4 installation ? Thank you for your kind help
>>>>>> Not yet, sorry. Please keep reminding me. If someone else
>>>>>> wants to take on the task, the dbcheck.py changes needed are:
>>>>>> - for every haveMasterNCs in an ntDsa object - confirm that
>>>>>> the instanceType attribute on the pointed-at schema have the
>>>>>> writable flag set. If not, set it. While doing that, an
>>>>>> additional task will be to fill out the
>>>>>> msDS-HasInstantiatedNCs attributes so the 'binary' part of the
>>>>>> BINARY+DN matches the (perhaps newly revised) instanceType. eg
>>>>>> msDS-HasInstantiatedNCs: B:8:0000000D:${CONFIGDN} Thanks,
>>>>>> Andrew Bartlett
>>>>> Hello Andrew, thank you for the update.
>>>> Attached is a patch for the first part of this. KEEP GOOD BACKUPS
>>>> (and run this on a backup). I'll get to the second part of this
>>>> soon, but if you can let me know if this lets you fix things, it
>>>> would be most helpful.
>>> I've pushed corrected patches to:
>>>
>>> https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/repl-devel
>>>
>>> In particular, I think I've found how we get your DB corrupted in the
>>> first place, and one of the patches there should prevent this happening
>>> again in the future. 
>>>
>>> I'll keep updating that branch as I keep testing, but please let me know
>>> how it works. 
>>>
>>> Unless things are worse than we expect, dbcheck (run as dbcheck -H
>>> sam.ldb --cross-ncs) should only need to correct the instanceType on
>>> objects in your DNS partitions.  When you are comfortable with the
>>> proposed changes, use --fix. 
>>>
>>> Thanks,
>>>
>>> Andrew Bartlett
>>
>> Hello Andrew,
>>
>> I have copied the servers to a different VMware server and fetched the
>> latest sources from git.
>> Then I have applied your patches and compiled everything. After the
>> installation and startup 
>> of the samba4 service I did the "samba-tool dbcheck -H sam.ldb
>> --cross-ncs" but resceived
>> some frightening error messages ( about 1000 ) 
>>
>> all look quite the same, here one example:
>>
>> ERROR: Normalisation error for attribute whenCreated in
>> CN=FRS-Level-Limit,CN=Schema,
>> CN=Configuration,DC=novanetwork,DV=loc
>> value '19700101000000.0Z' should be '16010101000000.0Z'
>> Not fixing attribute whenCreated
>>
>> This repeates many times for different CNs.
>>
>> Is this something to be concerned about ?
> 
> These looks reasonable.  Frankly these objects were created neither in
> the 1600's or 1970s, so it would be best to let it fix them to what it
> thinks is right. 
> 
>> At the end there is also some output regarding the wrong instanceType
>> for DomainDnsZones and
>> ForestDnsZones.
> 
> Great.  Now run with --fix and let's see if that works!
> 
> Andrew Bartlett
> 
> 
Hello Andrew,

unfortunately dbcheck did not work. The following error messages showed up:

ERROR: wrong instanceType 11 on DC=DomainDnsZones,DC=novanetwork,DC=loc,
should be 13
ERROR(<type 'exceptions.AttributeError'>): uncaught exception -
'dbcheck' object has no attribute 'modify_instancetype'
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 160, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dbcheck.py",
line 117, in run
    controls=controls, attrs=attrs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/dbchecker.py", line
75, in check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/dbchecker.py", line
680, in check_object
    self.err_wrong_instancetype(obj, calculated_instancetype)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/dbchecker.py", line
393, in err_wrong_instancetype
    if not self.confirm_all('Change instanceType from %s to %d on %s?' %
(obj["instanceType"], calculated_instancetype, obj.dn),
'modify_instancetype'):
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/dbchecker.py", line
109, in confirm_all
    if getattr(self, all_attr) == 'NONE':

By the way, dbcheck does no fix the "ERROR: Normalisation error for
attribute whenCreated". It changes the value but keeps complaining
in a following dbcheck-run (value '19691231235959.0Z' should be
'19700101000000.0Z')

Thank you for your kind help

best regards

Andreas

More information about the samba-technical mailing list