Samba4 BDC with Samba4 PDC

Daniele Dario d.dario76 at gmail.com
Mon Jun 11 03:46:12 MDT 2012


On Fri, 2012-06-08 at 17:03 +0100, Mike Howard wrote:
> On 05/06/2012 21:39, Daniele Dario wrote:
> > On Tue, 2012-06-05 at 13:20 +0100, Mike Howard wrote:
> >> On 04/06/2012 19:44, Christian Huldt wrote:
> >>> Hi Mike
> >>>
> >>> On 2012-06-04 09:44, Mike Howard wrote:
> >>>> I'll start again today and report all steps and outputs up to the
> >>>> point of failure. I know there are others (thread Re: redundant DNS
> >>>> setup with bind_dlz possible ?) who are trying to get a similar setup
> >>>> so maybe we can get there in the end.
> >>>>
> >>>> Btw, I did try without a samba DNS backend but, as you implied, it
> >>>> was not good.
> >>> I have an alpha17 installation that I'm going to upgrade and add a
> >>> bdc, so your notes to the mailing list are most appreciated. The
> >>> alpha17 installation never got automatic dns updates working...
> >>>
> <snip>
> >> 12. On PDC ran;
> >>       samba-tool drs showrepl
> >> Default-First-Site-Name\NS
> >> DSA Options: 0x00000001
> >> DSA object GUID: e4d9db40-494e-4d3a-9bb1-e49a1a039a68
> >> DSA invocationId: 4d9f874b-965e-4e14-afe2-a440e106895e
> >>
> >> ==== INBOUND NEIGHBORS ====
> >>
> >> DC=mydomain,DC=co,DC=uk
> >>           Default-First-Site-Name\SHEEVA via RPC
> >>                   DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
> >>                   Last attempt @ Mon Jun  4 09:26:15 2012 BST failed,
> >> result 2 (WERR_BADFILE)
> >>                   5 consecutive failure(s).
> >>                   Last success @ NTTIME(0)
> >>
> >> CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
> >>           Default-First-Site-Name\SHEEVA via RPC
> >>                   DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
> >>                   Last attempt @ Mon Jun  4 09:26:16 2012 BST failed,
> >> result 2 (WERR_BADFILE)
> >>                   5 consecutive failure(s).
> >>                   Last success @ NTTIME(0)
> >>
> >> CN=Configuration,DC=mydomain,DC=co,DC=uk
> >>           Default-First-Site-Name\SHEEVA via RPC
> >>                   DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
> >>                   Last attempt @ Mon Jun  4 09:26:16 2012 BST failed,
> >> result 2 (WERR_BADFILE)
> >>                   5 consecutive failure(s).
> >>                   Last success @ NTTIME(0)
> >>
> >> ==== OUTBOUND NEIGHBORS ====
> >>
> >> DC=mydomain,DC=co,DC=uk
> >>           Default-First-Site-Name\SHEEVA via RPC
> >>                   DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
> >>                   Last attempt @ Mon Jun  4 09:29:22 2012 BST failed,
> >> result 2 (WERR_BADFILE)
> >>                   303 consecutive failure(s).
> >>                   Last success @ NTTIME(0)
> >>
> >> CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
> >>           Default-First-Site-Name\SHEEVA via RPC
> >>                   DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
> >>                   Last attempt @ Mon Jun  4 09:29:22 2012 BST failed,
> >> result 2 (WERR_BADFILE)
> >>                   302 consecutive failure(s).
> >>                   Last success @ NTTIME(0)
> >>
> >> CN=Configuration,DC=mydomain,DC=co,DC=uk
> >>           Default-First-Site-Name\SHEEVA via RPC
> >>                   DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
> >>                   Last attempt @ Mon Jun  4 09:29:23 2012 BST failed,
> >> result 2 (WERR_BADFILE)
> >>                   302 consecutive failure(s).
> >>                   Last success @ NTTIME(0)
> >>
> >> ==== KCC CONNECTION OBJECTS ====
> >>
> >> Connection --
> >>           Connection name: 9d6192cb-3382-42b7-be9a-6c1b1aaa00d9
> >>           Enabled        : TRUE
> >>           Server DNS name : ns.mydomain.co.uk
> >>           Server DN name  : CN=NTDS
> >> Settings,CN=SHEEVA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=co,DC=uk
> >>                   TransportType: RPC
> >>                   options: 0x00000001
> >> Warning: No NC replicated for Connection!
> >>
> >> 13. On BDC ran;
> >>       samba-tool drs showrepl
> >> ldb_wrap open of secrets.ldb
> >> GENSEC backend 'gssapi_spnego' registered
> >> GENSEC backend 'gssapi_krb5' registered
> >> GENSEC backend 'gssapi_krb5_sasl' registered
> >> GENSEC backend 'sasl-DIGEST-MD5' registered
> >> GENSEC backend 'schannel' registered
> >> GENSEC backend 'spnego' registered
> >> GENSEC backend 'ntlmssp' registered
> >> GENSEC backend 'krb5' registered
> >> GENSEC backend 'fake_gssapi_krb5' registered
> >> Using binding ncacn_ip_tcp:sheeva.dewberryfields.co.uk[,seal]
> >> Server ldap/SHEEVA.DEWBERRYFIELDS.CO.UK at DEWBERRYFIELDS.CO.UK is not
> >> registered with our KDC:  Miscellaneous failure (see text): Server
> >> (ldap/SHEEVA.DEWBERRYFIELDS.CO.UK at DEWBERRYFIELDS.CO.UK) unknown
> >> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
> >> NT_STATUS_INVALID_PARAMETER
> >> Got challenge flags:
> >> Got NTLMSSP neg_flags=0x60898235
> >> NTLMSSP: Set final flags:
> >> Got NTLMSSP neg_flags=0x60088235
> >> NTLMSSP Sign/Seal - Initialising with flags:
> >> Got NTLMSSP neg_flags=0x60088235
> >> Server ldap/sheeva.dewberryfields.co.uk at DEWBERRYFIELDS.CO.UK is not
> >> registered with our KDC:  Miscellaneous failure (see text): Server
> >> (ldap/sheeva.dewberryfields.co.uk at DEWBERRYFIELDS.CO.UK) unknown
> >> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
> >> NT_STATUS_INVALID_PARAMETER
> >> Got challenge flags:
> >> Got NTLMSSP neg_flags=0x60898205
> >> NTLMSSP: Set final flags:
> >> Got NTLMSSP neg_flags=0x60088205
> >> Default-First-Site-Name\SHEEVA
> >> DSA Options: 0x00000001
> >> DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
> >> DSA invocationId: 35659ded-1952-4064-b73d-d83f58f01be1
> >>
> >> ==== INBOUND NEIGHBORS ====
> >>
> >> CN=Configuration,DC=dewberryfields,DC=co,DC=uk
> >>           Default-First-Site-Name\NS via RPC
> >>                   DSA object GUID: e4d9db40-494e-4d3a-9bb1-e49a1a039a68
> >>                   Last attempt @ Mon Jun  4 09:26:43 2012 BST failed,
> >> result 2 (WERR_BADFILE)
> >>                   6 consecutive failure(s).
> >>                   Last success @ NTTIME(0)
> >>
> >> CN=Schema,CN=Configuration,DC=dewberryfields,DC=co,DC=uk
> >>           Default-First-Site-Name\NS via RPC
> >>                   DSA object GUID: e4d9db40-494e-4d3a-9bb1-e49a1a039a68
> >>                   Last attempt @ Mon Jun  4 09:26:43 2012 BST failed,
> >> result 2 (WERR_BADFILE)
> >>                   6 consecutive failure(s).
> >>                   Last success @ NTTIME(0)
> >>
> >> DC=dewberryfields,DC=co,DC=uk
> >>           Default-First-Site-Name\NS via RPC
> >>                   DSA object GUID: e4d9db40-494e-4d3a-9bb1-e49a1a039a68
> >>                   Last attempt @ Mon Jun  4 09:26:44 2012 BST failed,
> >> result 2 (WERR_BADFILE)
> >>                   5 consecutive failure(s).
> >>                   Last success @ NTTIME(0)
> >>
> >> ==== OUTBOUND NEIGHBORS ====
> >>
> >> ==== KCC CONNECTION OBJECTS ====
> >>
> >> Connection --
> >>           Connection name: c5b916a7-3c82-410b-b3b8-e85233c1c27a
> >>           Enabled        : TRUE
> >>           Server DNS name : SHEEVA.dewberryfields.co.uk
> >>           Server DN name  : CN=NTDS
> >> Settings,CN=NS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dewberryfields,DC=co,DC=uk
> >>                   TransportType: RPC
> >>                   options: 0x00000001
> >> Warning: No NC replicated for Connection!
> <snip>
> > Hi Mike,
> > I've seen that in points 12 and 13 you have errors in replication of
> > basic partitions:
> > - DC=dewberryfields,DC=co,DC=uk
> > - CN=Configuration,DC=dewberryfields,DC=co,DC=uk
> > - CN=Schema,CN=Configuration,DC=dewberryfields,DC=co,DC=uk
> >
> > As said in other threads by Amitay and A. Bartlett, first thing to
> > succeed is to have basic replication working.
> >
> >
> 
> Hi Daniele,
> 
> Just so I'm absolutely clear, I now have what appears to me, correct 
> output from 'showrepl', as below;
> 
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:centos.dewberryfields.co.uk[,seal]
> interpret_interface: using netmask value 8 from config file on interface lo
> interpret_interface: using netmask value 8 from config file on interface lo
> interpret_interface: using netmask value 8 from config file on interface lo
> interpret_interface: using netmask value 8 from config file on interface lo
> interpret_interface: using netmask value 8 from config file on interface lo
> interpret_interface: using netmask value 8 from config file on interface lo
> Default-First-Site-Name\CENTOS
> DSA Options: 0x00000001
> DSA object GUID: 0d93a7a7-ce08-44f2-8506-daee3a257541
> DSA invocationId: af255b41-1553-45a0-a021-8c240584e52c
> 
> ==== INBOUND NEIGHBORS ====
> 
> CN=Schema,CN=Configuration,DC=dewberryfields,DC=co,DC=uk
>          Default-First-Site-Name\SHEEVA via RPC
>                  DSA object GUID: 16745f47-cd94-4550-aa0c-1ee59c0acdf8
>                  Last attempt @ Fri Jun  8 16:50:57 2012 BST was successful
>                  0 consecutive failure(s).
>                  Last success @ Fri Jun  8 16:50:57 2012 BST
> 
> CN=Configuration,DC=dewberryfields,DC=co,DC=uk
>          Default-First-Site-Name\SHEEVA via RPC
>                  DSA object GUID: 16745f47-cd94-4550-aa0c-1ee59c0acdf8
>                  Last attempt @ Fri Jun  8 16:50:58 2012 BST was successful
>                  0 consecutive failure(s).
>                  Last success @ Fri Jun  8 16:50:58 2012 BST
> 
> DC=dewberryfields,DC=co,DC=uk
>          Default-First-Site-Name\SHEEVA via RPC
>                  DSA object GUID: 16745f47-cd94-4550-aa0c-1ee59c0acdf8
>                  Last attempt @ Fri Jun  8 16:50:59 2012 BST was successful
>                  0 consecutive failure(s).
>                  Last success @ Fri Jun  8 16:50:59 2012 BST
> 
> ==== OUTBOUND NEIGHBORS ====
> 
> CN=Schema,CN=Configuration,DC=dewberryfields,DC=co,DC=uk
>          Default-First-Site-Name\SHEEVA via RPC
>                  DSA object GUID: 16745f47-cd94-4550-aa0c-1ee59c0acdf8
>                  Last attempt @ NTTIME(0) was successful
>                  0 consecutive failure(s).
>                  Last success @ NTTIME(0)
> 
> CN=Configuration,DC=dewberryfields,DC=co,DC=uk
>          Default-First-Site-Name\SHEEVA via RPC
>                  DSA object GUID: 16745f47-cd94-4550-aa0c-1ee59c0acdf8
>                  Last attempt @ NTTIME(0) was successful
>                  0 consecutive failure(s).
>                  Last success @ NTTIME(0)
> 
> DC=dewberryfields,DC=co,DC=uk
>          Default-First-Site-Name\SHEEVA via RPC
>                  DSA object GUID: 16745f47-cd94-4550-aa0c-1ee59c0acdf8
>                  Last attempt @ NTTIME(0) was successful
>                  0 consecutive failure(s).
>                  Last success @ NTTIME(0)
> 
> ==== KCC CONNECTION OBJECTS ====
> 
> Connection --
>          Connection name: 6f6589f2-79cc-4fe0-adf9-3e4627c00a14
>          Enabled        : TRUE
>          Server DNS name : CENTOS.dewberryfields.co.uk
>          Server DN name  : CN=NTDS 
> Settings,CN=SHEEVA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dewberryfields,DC=co,DC=uk
>                  TransportType: RPC
>                  options: 0x00000001
> Warning: No NC replicated for Connection!
> 
> So, from the above it appears to me that basic replication is working. 
> Is that fair to say?
> 
> Cheers,
> Mike.

Hi Mike,
it seems to me that basic replication is OK.

As I said, when I got it working I manually started replication for DNS
partitions:
     1. DomainDnsZones from PDC to BDC
     2. ForestDnsZones from PDC to BDC
     3. wait for a while and check it with samba-tool drs showrepl: you
        should see that replication has started (for now only in one
        direction) and works fine. To be sure I restarted samba on both
        PDC and BDC.
             I. it seems to me that at this point you can check the
                zones with samba-tool dns query on BDC. For me
                replication was partial so let me know if you see
                complete records or just names
     4. DomainDnsZones from BDC to PDC
     5. ForestDnsZones from BDC to PDC
     6. wait for a while and check again with samba-tool drs showrepl
        (I restarted samba again on both DCs)

If all works fine you can proceed with samba_upgradedns on BDC and see
if the private/dns partition is created, then you can start bind on BDC.

Cheers,
Daniele.
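As an added example (not code from the thread), the check Daniele describes in steps 3 and 6 implemented over `samba-tool drs showrepl` output: it parses the INBOUND/OUTBOUND sections in the format shown above and reports every required naming context that has no inbound neighbor or has never pulled successfully. The manual replication of steps 1-5 is `samba-tool drs replicate <DEST_DC> <SOURCE_DC> <NC>`; the domain DN is taken from Mike's output, the DomainDnsZones/ForestDnsZones partition DNs follow the standard AD naming, and the sample output below is constructed, not Mike's real output.

```python
DOMAIN_DN = "DC=dewberryfields,DC=co,DC=uk"   # from Mike's showrepl output
DNS_NCS = ["DC=DomainDnsZones," + DOMAIN_DN, "DC=ForestDnsZones," + DOMAIN_DN]

def parse_showrepl(text):
    """Map (direction, NC, partner) -> {ok, failures, never_succeeded} per neighbor."""
    entries, direction, nc, cur = {}, None, None, None
    for s in (line.strip() for line in text.splitlines()):
        if s.startswith("===="):          # INBOUND/OUTBOUND header, or the KCC block
            direction = s.split()[1] if "NEIGHBORS" in s else None
        elif not direction:
            continue
        elif s.startswith(("DC=", "CN=")):
            nc = s
        elif " via " in s:                # "Default-First-Site-Name\SHEEVA via RPC"
            cur = entries[(direction, nc, s.split(" via ")[0])] = {}
        elif s.startswith("Last attempt @"):
            cur["ok"] = s.endswith("was successful")
        elif s.endswith("consecutive failure(s)."):
            cur["failures"] = int(s.split()[0])
        elif s.startswith("Last success @"):
            cur["never_succeeded"] = s.endswith("NTTIME(0)")
    return entries

def replication_problems(text, required_ncs):
    """Steps 3 and 6: each required NC needs an inbound pull that has succeeded at least
    once. Outbound rows are ignored: Mike's healthy output still shows NTTIME(0) there."""
    entries, problems = parse_showrepl(text), []
    for nc in required_ncs:
        rows = [(k[2], v) for k, v in entries.items() if k[0] == "INBOUND" and k[1] == nc]
        if not rows:
            problems.append(f"{nc}: no inbound neighbor, replication never started")
        for partner, v in rows:
            if not v.get("ok") or v.get("never_succeeded", True):
                problems.append(f"{nc}: pull from {partner} failing, "
                                f"{v.get('failures', 0)} consecutive failure(s)")
    return problems

# Constructed sample in the showrepl format seen in the thread (not Mike's real output).
SAMPLE = """==== INBOUND NEIGHBORS ====
CN=Configuration,DC=dewberryfields,DC=co,DC=uk
        Default-First-Site-Name\\SHEEVA via RPC
                Last attempt @ Fri Jun  8 16:50:58 2012 BST was successful
                Last success @ Fri Jun  8 16:50:58 2012 BST
DC=DomainDnsZones,DC=dewberryfields,DC=co,DC=uk
        Default-First-Site-Name\\SHEEVA via RPC
                Last attempt @ Mon Jun 11 09:26:15 2012 BST failed, result 2 (WERR_BADFILE)
                5 consecutive failure(s).
                Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
"""
```

Run `replication_problems(showrepl_text, [DOMAIN_DN, "CN=Configuration," + DOMAIN_DN, "CN=Schema,CN=Configuration," + DOMAIN_DN] + DNS_NCS)` against the real BDC output after each step; an empty list means every partition has pulled at least once.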