[Samba] replication issues solved by adding GUID names to /etc/hosts

mourik jan heupink - merit heupink at merit.unu.edu
Wed Aug 27 04:28:15 MDT 2014 

I can only say that on my site, the command finds no differences and I 
have not been happier lately than I am now. :-)

Are you also on 4.1.11? Because having read a little bit about ldapcmp, 
it seems that at some point it was enhanced a bit, to justify for 
expected differences between dc's.

Perhaps you are running an older version?

On 8/27/2014 12:24, Rowland Penny wrote:
> On 27/08/14 11:10, L.P.H. van Belle wrote:
>>
>> Good one, that one i didnt check yet..
>> and argg... damn.. what the...
>>
>> Now im getting crazy...
>>
>> * Result for [DOMAIN]: FAILURE
>> Attributes found only in ldap://dc1.internal.domain.tld
>>     serverState
>>     msDS-NcType
>>
>> * Result for [CONFIGURATION]: FAILURE
>> Attributes found only in ldap://dc1.internal.domain.tld
>>     subRefs
>>     msDS-NcType
>>
>> * Result for [SCHEMA]: FAILURE
>> Attributes found only in ldap://dc1.internal.domain.tld
>>     msDS-NcType
>>
>> * Result for [DNSFOREST]: FAILURE
>> Attributes found only in ldap://dc1.internal.domain.tld
>>      msDS-NcType
>>
>> ERROR: Compare failed: -1
>>
>>
>> Damn same here
>> samba-tool drs showrepl
>> success....
>>
>> so i can't trust the samba-tool :-(( ...
>>
>> but thanks.. now im into fixing
>>
>> Greetz..
>>
>> Louis
>>
>>> -----Oorspronkelijk bericht-----
>>> Van: heupink at merit.unu.edu
>>> [mailto:samba-bounces at lists.samba.org] Namens mourik jan
>>> heupink - merit
>>> Verzonden: woensdag 27 augustus 2014 11:34
>>> Aan: samba at lists.samba.org
>>> Onderwerp: Re: [Samba] replication issues solved by adding
>>> GUID names to /etc/hosts
>>>
>>> Hi Louis,
>>>
>>> Ok, thanks for these instruction. I'll update the files, and my own
>>> documentation to include all this.
>>>
>>> Nowadays I don't only check replication with samba-tool drs showrepl,
>>> because we have had issues (which were solved using the EXCELLENT
>>> support from sernet!) where showrepl showed no errors, but in fact the
>>> DomainDnsZones were NOT in sync.
>>>
>>> So, in addition to showrepl I also use
>>>
>>> samba-tool ldapcmp ldap://dc2.samba.company.com
>>> ldap://dc4.samba.company.com
>>>
>>> If that one also gives only "SUCCESS" then I trust my replication.
>>>
>>> I'm planning to write a little script to automatically verify my
>>> databases regularly using the above two methods. If corruption ever
>>> occurs again, I'd like to know about it immediately.
>>>
>>> Mourik Jan
>>>
>>> On 8/27/2014 11:15, L.P.H. van Belle wrote:
>>>> Hai Mourik Jan,
>>>>
>>>> the hosts file.
>>>> set it for all your servers like :
>>>> 127.0.0.1    localhost (optional with: localhost.localdomain
>>>   ( <== as is dont change localdomain ) )
>>>> 192.87.x.y   dc4.company.com       dc4
>>>>
>>>> the 127.0.1.1 was put in your hosts because you installed
>>> with a DHCP ip number at install and not a static ip.
>>>> and for the resolv.conf
>>>>
>>>> search company.com
>>>> nameserver 192.87.x.y5 (=dc2)
>>>> nameserver 192.87.x.y4 (=dc4)
>>>>
>>>> nameserver 192.87.x.1 (=caching external dns)   ( <  should
>>> not be needed, if you have the forwarders in bind )
>>>> but imo cant harm, os resolving looks in resolv.conf and
>>> processes in that order.
>>>> and i suggest you check the dns entries with the windows
>>> tool for dc2 and dc4 check the A and PTR records.
>>>> If all is set ok, reboot the servers.
>>>> and check again with samba-tool drs showrepl
>>>>
>>>> Louis
>>>>
>>>>
>>>>
>>>>> -----Oorspronkelijk bericht-----
>>>>> Van: heupink at merit.unu.edu
>>>>> [mailto:samba-bounces at lists.samba.org] Namens mourik jan
>>>>> heupink - merit
>>>>> Verzonden: woensdag 27 augustus 2014 10:39
>>>>> Aan: samba at lists.samba.org
>>>>> Onderwerp: Re: [Samba] replication issues solved by adding
>>>>> GUID names to /etc/hosts
>>>>>
>>>>> Hi Louis,
>>>>>
>>>>> I tested name resolution using "host GUID._msdcs..." with all the
>>>>> correct answers on all dc's, only ping failed.
>>>>>
>>>>> I now notice a small (but vital?) difference between
>>> /etc/hosts on the
>>>>> two DC's, and also in /etc/resolv.conf
>>>>>
>>>>> root at dc4:~# cat /etc/hosts
>>>>> 127.0.0.1       localhost
>>>>> 192.87.x.y   dc4.company.com       dc4
>>>>>
>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>> ::1     localhost ip6-localhost ip6-loopback
>>>>> ff02::1 ip6-allnodes
>>>>> ff02::2 ip6-allrouters
>>>>> root at dc4:~# cat /etc/resolv.conf
>>>>> search company.com
>>>>> nameserver 192.87.x.y5 (=dc2)
>>>>> nameserver 192.87.x.y4 (=dc4)
>>>>> nameserver 192.87.x.1 (=caching external dns)
>>>>>
>>>>>
>>>>> root at DC2:~# cat /etc/hosts
>>>>> 127.0.0.1       localhost
>>>>> 127.0.1.1       DC2.company.com       DC2
>>>>>
>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>> ::1     localhost ip6-localhost ip6-loopback
>>>>> ff02::1 ip6-allnodes
>>>>> ff02::2 ip6-allrouters
>>>>> root at DC2:~# cat /etc/resolv.conf
>>>>> nameserver 192.87.x.y4 (=dc4)
>>>>> nameserver 192.87.x.y5 (=dc2)
>>>>> nameserver 192.87.x.1 (=caching external dns)
>>>>> root at DC2:~#
>>>>>
>>>>> (obviously these are /etc/hosts before I added the GUID._msdcs...)
>>>>>
>>>>> Could these small differences (127.0.1.1 vs 192.87.x.y) and (search
>>>>> company.com vs no search) be responsible for the observed behaviour?
>>>>>
>>>>> MJ
>>>>>
>>>>> On 8/27/2014 10:15, L.P.H. van Belle wrote:
>>>>>> Ok.. wel and your sure the resolv.conf is correct?
>>>>>> cat you post the hosts file and resolv.conf file. just to be sure.
>>>>>>
>>>>>> i noticed, ( sernet samba) that after adding a DC, the
>>>>> replication didnt work right a way.
>>>>>> It needed a restart of the server. This was tested with
>>>>> server samba 4.1.4-4.1.9
>>>>>> and after the restart replication started working.
>>>>>>
>>>>>> Greetz,
>>>>>>
>>>>>> Louis
>>>>>>
>>>>>>
>>>>>>> -----Oorspronkelijk bericht-----
>>>>>>> Van: heupink at merit.unu.edu
>>>>>>> [mailto:samba-bounces at lists.samba.org] Namens mourik jan
>>>>>>> heupink - merit
>>>>>>> Verzonden: woensdag 27 augustus 2014 10:08
>>>>>>> Aan: samba at lists.samba.org
>>>>>>> Onderwerp: Re: [Samba] replication issues solved by adding
>>>>>>> GUID names to /etc/hosts
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Yes, what I'm saying is not that without the guid's in /etc/hosts
>>>>>>> replication will give errors. (we have had successful
>>>>> replication here
>>>>>>> as well)
>>>>>>>
>>>>>>> What I'm saying is, that there were some remaining
>>> WERR_BADFILE repl
>>>>>>> errors after adding a new dc. After waiting hours,
>>> restarting samba
>>>>>>> several times these did not go away.
>>>>>>>
>>>>>>> Then I read the post I mentioned, and added the GUID's to
>>>>> /etc/hosts,
>>>>>>> and immediately my WERR_BADFILE errors disappeared.
>>>>>>>
>>>>>>> I no expert, and again: we've always had successful
>>>>>>> replication here as
>>>>>>> well, without the entries in /etc/hosts. But these errors
>>>>>>> remained, and
>>>>>>> disappeared immediately after editing /etc/hosts.
>>>>>>>
>>>>>>> Plus there have been some more similar reports on this
>>>>> list, I'd say:
>>>>>>> where there is smoke, there is a fire.
>>>>>>>
>>>>>>> Some 'evidence' from the list archives, three different
>>>>>>> threads over the
>>>>>>> last year, similar problem, all sharing the same solution:
>>>>>>>
>>>>>>> http://marc.info/?l=samba&m=137032630404682&w=2
>>>>>>> http://marc.info/?l=samba&m=137003992508143&w=2
>>>>>>> http://marc.info/?l=samba&m=137000020326397&w=2
>>>>>>>
>>>>>>> Again: not saying that it will never work without the entries in
>>>>>>> /etc/hosts, but...
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Mourik Jan
>>>>>>>
>>>>>>> On 8/27/2014 8:22, L.P.H. van Belle wrote:
>>>>>>>> Hai Mourik Jan,
>>>>>>>>
>>>>>>>>
>>>>>>>> host
>>>>> bd6bdc30-c9b2-4fd4-9bdc-4230fec98d59._msdcs.internal.domain.tld
>>>>>>> bd6bdc30-c9b2-4fd4-9bdc-4230fec98d59._msdcs.internal.domain.tld
>>>>>>> is an alias for rtd-dc1.internal.domain.tld.
>>>>>>>> rtd-dc1.internal.domain.tld has address 192.168.0.1
>>>>>>>> root at rtd-dc1:~# ping
>>>>>>> bd6bdc30-c9b2-4fd4-9bdc-4230fec98d59._msdcs.internal.domain.tld
>>>>>>>> ping: unknown host
>>>>>>> bd6bdc30-c9b2-4fd4-9bdc-4230fec98d59._msdcs.internal.domain.tld
>>>>>>>> and samba-tool drs showrepl shows 0 errors.
>>>>>>>>
>>>>>>>> Greetz,
>>>>>>>>
>>>>>>>> Louis
>>>>>>>>
>>>>>>>>
>>>>>>>>> -----Oorspronkelijk bericht-----
>>>>>>>>> Van: heupink at merit.unu.edu
>>>>>>>>> [mailto:samba-bounces at lists.samba.org] Namens mourik jan
>>>>>>>>> heupink - merit
>>>>>>>>> Verzonden: dinsdag 26 augustus 2014 22:59
>>>>>>>>> Aan: Chan Min Wai; Marc Muehlfeld
>>>>>>>>> CC: samba at lists.samba.org
>>>>>>>>> Onderwerp: Re: [Samba] replication issues solved by adding
>>>>>>>>> GUID names to /etc/hosts
>>>>>>>>>
>>>>>>>>> Well, I can only tell you what I observed.
>>>>>>>>>
>>>>>>>>> Does ping to the GUID name of your DC's work on your
>>>>>>> install? And for
>>>>>>>>> others here? I am on regular fresh installed wheezy x64.
>>>>>>>>>
>>>>>>>>> MJ
>>>>>>>>>
>>>>>>>>> On 08/26/2014 09:06 PM, Chan Min Wai wrote:
>>>>>>>>>> Dear Mourik Jan,
>>>>>>>>>>
>>>>>>>>>> I would have to say that something was not right on your
>>>>>>>>> system library.
>>>>>>>>>> I'm sorry that I cannot tell you which one.
>>>>>>>>>>
>>>>>>>>>> I was having this issue on my gentoo and recently found the
>>>>>>>>> problem was
>>>>>>>>>> with my LDflags..
>>>>>>>>>> I've to comment the one I normally use and leave it as
>>> default..
>>>>>>>>>> Where other are basically unchanged...
>>>>>>>>>>
>>>>>>>>>> And now my DC can replicate between each other without the
>>>>>>> /etc/hosts
>>>>>>>>>> modification.
>>>>>>>>>>
>>>>>>>>>> Hope this help....
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Wed, Aug 27, 2014 at 2:36 AM, Marc Muehlfeld
>>>>>>> <mmuehlfeld at samba.org
>>>>>>>>>> <mailto:mmuehlfeld at samba.org>> wrote:
>>>>>>>>>>
>>>>>>>>>>         Hello Mourik Jan,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>         Am 26.08.2014 20:24, schrieb mourik jan heupink - merit:
>>>>>>>>>>          > We were having replication issues on wheezy with
>>>>>>>>> sernet-samba-4.1.11.
>>>>>>>>>>          >
>>>>>>>>>>          > Searching the list I found the following post:
>>>>>>>>>>          > http://marc.info/?l=samba&m=136999742625184&w=2
>>>>>>>>>>          >
>>>>>>>>>>          > It says basically that if you are unable to *ping*
>>>>>>>>> the GUID names for
>>>>>>>>>>          > your dc's, you might be experiencing a glibc
>>>>>>> error, where dns
>>>>>>>>>>         names with
>>>>>>>>>>          > an underscore are not properly resolved.
>>>>>>>>>>          >
>>>>>>>>>>          > Note: dns is basically correct, 'host' gives all the
>>>>>>>>> correct answers,
>>>>>>>>>>          > samba_dnsupdate on all dc's says: no dns updates
>>>>>>> are needed.
>>>>>>>>>>          >
>>>>>>>>>>          > The fix in the post, is to add GUID names to
>>>>>>>>> /etc/hosts which I
>>>>>>>>>>         did on
>>>>>>>>>>          > my dc's, and then all of a sudden ping started
>>>>>>> working like it
>>>>>>>>>>         should.
>>>>>>>>>>          > But ALSO replication! Our 'WERR_BADFILE' errors
>>>>>>> are gone now.
>>>>>>>>>>          >
>>>>>>>>>>          > Now, is this not something that should be much more
>>>>>>>>> prominent in
>>>>>>>>>>         the docs?
>>>>>>>>>>
>>>>>>>>>>         Thanks for providing this information. I'll try finding
>>>>>>>>> out more about
>>>>>>>>>>         that and add it to the documentation.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>         Regards,
>>>>>>>>>>         Marc
>>>>>>>>>>         --
>>>>>>>>>>         To unsubscribe from this list go to the following URL
>>>>>>>>> and read the
>>>>>>>>>>         instructions:
>>> https://lists.samba.org/mailman/options/samba
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> To unsubscribe from this list go to the following URL
>>> and read the
>>>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>>>>
>>>>>>>>>
>>>>>>> --
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>>
>>>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
> Hi Louis, I had never tried that command before, so I did and got the
> same results as you, quick google told me that the missing attributes
> are to do with NC replication. Like you, I am now wondering if there is
> something wrong and if so, how do I fix it.
>
> Rowland

More information about the samba mailing list