[Samba] samba 4.1.17 upgrade 4.2.x ( sernet) upgrades.. fail...( bug(s) found )

L.P.H. van Belle belle at bazuin.nl
Tue Apr 28 07:37:24 MDT 2015


Hai,

Ok, I found the problem of the first post below.
I did a clean install of 4.1.17 (sernet samba) and installed 2 DCs.

The sernet package 4.1.17 for Debian wheezy has a bug.. maybe others also, beware.
When joining as an extra DC, we are (still) missing the rights on
/var/lib/samba/private/dns.keytab

after joining the domain.
/var/lib/samba/private/dns.keytab is set to
root:root 600
and not, as it should be,

user:group root:bind and rights 640

So now I upgraded 4.1.17 to 4.2.1.
First DC1: upgraded the packages, restarted bind, restarted samba.
No errors seen.
Next DC2: upgraded the packages, restarted bind, restarted samba.
No errors in the logs seen, so so far good.

After about 3-5 min I did the following:

running:
/usr/bin/samba-tool ldapcmp --filter='whenChanged' ldap://dc1 ldap://dc2
result: 0 errors.


samba-tool drs showrepl: in the first check an error; all others after this one are success..
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 1d67e5e5-905e-46af-9dcf-56c7bd316519
DSA invocationId: cfbce936-e94c-480e-9ead-89c2ea43a9ba

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=internal,DC=domain,DC=tld
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 6da7e695-5a96-4e32-b1c7-d2457963b96e
                Last attempt @ Tue Apr 28 14:26:18 2015 CEST failed, result 64 (WERR_NETNAME_DELETED)
                1 consecutive failure(s).
                Last success @ Tue Apr 28 14:24:54 2015 CEST


Got a phone call.. so 5 min later I ran again: samba-tool drs showrepl
and now 0 errors.. ..

So I can confirm the previous errors with upgrading were because of the incorrect
rights on: /var/lib/samba/private/dns.keytab


Now I did a complete install just with sernet samba 4.2.1 and the same here.
DC1: all ok, no errors at all, I used the same script as for the 4.1.17 version..
But when joining a domain as DC, incorrect rights on:
/var/lib/samba/private/dns.keytab

At the point of joining the domain for dc2, I saw the following in daemon.log:
Apr 28 15:01:36 rtd-dc1 named[8751]: received control channel command 'reload'
Apr 28 15:01:36 rtd-dc1 named[8751]: loading configuration from '/etc/bind/named.conf'
Apr 28 15:01:36 rtd-dc1 named[8751]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Apr 28 15:01:36 rtd-dc1 named[8751]: using default UDP/IPv4 port range: [1024, 65535]
Apr 28 15:01:36 rtd-dc1 named[8751]: using default UDP/IPv6 port range: [1024, 65535]
Apr 28 15:01:36 rtd-dc1 named[8751]: no IPv6 interfaces found
Apr 28 15:01:36 rtd-dc1 named[8751]: sizing zone task pool based on 5 zones
Apr 28 15:01:36 rtd-dc1 named[8751]: Loading 'AD DNS Zone' using driver dlopen
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: starting configure
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: Ignoring duplicate zone 'internal.domain.tld' from 'DC=@,DC=internal.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=internal,DC=domain,DC=tld'
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: Ignoring duplicate zone '_msdcs.internal.domain.tld' from 'DC=@,DC=_msdcs.internal.domain.tld,CN=MicrosoftDNS,DC=ForestDnsZones,DC=internal,DC=domain,DC=tld'
Apr 28 15:01:36 rtd-dc1 named[8751]: using built-in root key for view _default
Apr 28 15:01:36 rtd-dc1 named[8751]: reloading configuration succeeded
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: shutting down
Apr 28 15:01:36 rtd-dc1 named[8751]: reloading zones succeeded

Again a scripted install, which installed successfully on 4.1.17..
I also saw:
testing of : host -t A rtd-dc2.rotterdam.bazuin.nl. : FAILED
trying to fix it now: Record added successfully

After a restart of samba on DC2 (log.samba):
Apr 28 15:11:05 rtd-dc2 samba[10159]: [2015/04/28 15:11:05.691758,  0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
Apr 28 15:11:05 rtd-dc2 samba[10159]:   /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
26x this message. 

From DC1:
ping dc2 .. host not found.

On DC2:
samba_dnsupdate --verbose --all-names
update failed: NOTAUTH
Failed nsupdate: 2
Failed update of 26 entries


So I'm totally lost as to what is wrong in samba 4.2.1 compared to samba 4.1.17.

The config used on the servers (this one is DC2's config, they are the same):
# Global parameters
[global]
        workgroup = INTERNAL
        realm = internal.domain.tld   <==== by default lowercased on DC2 at domain join.. ONLY DC2 !
        netbios name = DC2
        server role = active directory domain controller
        server services = -dns
        idmap_ldb:use rfc2307 = yes

        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config INTERNAL : backend = ad
        idmap config INTERNAL : range = 10000-3999999

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes

        interfaces = 127.0.0.1 192.168.0.2
        bind interfaces only = yes
        time server = yes
        wins support = yes

        ## Disable printing completely
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[netlogon]
        path = /var/lib/samba/sysvol/internal.domain.tld/scripts
        read only = No
        acl_xattr:ignore system acl = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        acl_xattr:ignore system acl = yes


So beware of upgrading to 4.2.1..
I'll keep these VMs if anyone from samba/sernet wants to debug with me.



Greetz, 

Louis
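Added example (not part of Louis's post, the Samba project or the Sernet packages): a small POSIX shell check for the keytab ownership and mode the post describes, so a post-join script can catch root:root 600 on /var/lib/samba/private/dns.keytab before bind9 is restarted and samba_dnsupdate starts failing with NOTAUTH. It assumes a Linux host with GNU stat (the -c format); the function name check_keytab_perms, the "run" entry point and the optional "fix" switch are my own, not anything from Samba or Sernet.

```shell
#!/bin/sh
# check_keytab_perms FILE OWNER GROUP MODE [fix]
# Verifies that FILE is owned by OWNER:GROUP with octal MODE (e.g. root bind 640,
# the values the post says dns.keytab should have so bind9 can read it).
# Prints a mismatch and returns 1; with a fifth argument "fix" it applies
# chown/chmod and returns 0 (or 1 if that fails, e.g. no "bind" group yet).
# Assumes GNU stat (Linux); the function name and "fix" switch are my own.
check_keytab_perms() {
    file=$1; want_owner=$2; want_group=$3; want_mode=$4; fix=${5:-}
    if [ ! -e "$file" ]; then
        echo "missing: $file (was the DC join completed?)" >&2
        return 1
    fi
    actual=$(stat -c '%U:%G %a' "$file") || return 1
    wanted="$want_owner:$want_group $want_mode"
    if [ "$actual" = "$wanted" ]; then
        echo "ok: $file is $actual"
        return 0
    fi
    echo "MISMATCH: $file is $actual, expected $wanted" >&2
    if [ "$fix" = "fix" ]; then
        chown "$want_owner:$want_group" "$file" && chmod "$want_mode" "$file" || return 1
        echo "fixed: $file is now $(stat -c '%U:%G %a' "$file")"
        return 0
    fi
    return 1
}

# Usage on a DC, as root, after 'samba-tool domain join ... DC' and before
# (re)starting bind9:   sh keytab_check.sh run        (report only)
#                       sh keytab_check.sh run fix    (repair to root:bind 640)
case "${1:-}" in
    run) check_keytab_perms /var/lib/samba/private/dns.keytab root bind 640 "${2:-}" ;;
esac
```

A non-zero exit is the place to stop a provisioning script before bind9 is restarted, so the rights problem the post identifies is caught before the dlz module and samba_dnsupdate run against an unreadable keytab.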




>-----Original message-----
>From: achim at ag-web.biz [mailto:samba-bounces at lists.samba.org]
>On behalf of Achim Gottinger
>Sent: Friday 24 April 2015 18:03
>To: samba at lists.samba.org
>Subject: Re: [Samba] samba 4.1.17 upgrade 4.2.x ( sernet) upgrades.. fail...
>
>Hello Louis,
>
>On 24.04.2015 at 17:16, L.P.H. van Belle wrote:
>> Hai..
>>
>> Just tested an upgrade of 4.1.17 to 4.2.1
>> result... Fail..
>>
>> setup,
>> Debian wheezy, sernet samba packages.
>> 2 clean installed DCs and 1 Windows 7 PC joined.
>> resolv.conf setup:
>> DC1: nameserver DC2 then DC1.
>> DC2: nameserver DC1 then DC2.
>>
>> stopped samba on both servers.
>> upgraded the packages on both servers.
>>
>> started samba on DC1 ( the one with fsmo roles )
>> waited 5 min.
>> started samba on DC2
>Have you tried it with DC2 running while upgrading DC1?
>>
>> from error free logs to
>>
>> [2015/04/24 17:06:29.274803,  0] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
>>    Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.0.2[1024,seal,krb5,
>>    target_hostname=2835d359-ff8e-4146-acaa-e2b5f8c82be9._msdcs.internal.domain.tld,
>>    target_principal=GC/dc2.internal.domain.tld/internal.domain.tld,
>>    abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,
>>    localaddress=192.168.0.1] NT_STATUS_INVALID_PARAMETER
>>
>> I didn't change anything in smb.conf ( wanted to keep the OLD winbind behavior )
>>
>> anyone else who did this already with 100% success?
>> tried now about 4 times, all fail.. ( imo samba 4.2.1 is not production ready ! )
>> ....
>>
>> this is the smb.conf used.
>>
>> # Global parameters
>> [global]
>>          workgroup = INTERNAL
>>          realm = INTERNAL.DOMAIN.TLD
>>          netbios name = DC1
>>          server role = active directory domain controller
>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>
>>          ## Don't forget to set the idmap_ldb on ALL DC's if you use it
>>          idmap_ldb:use rfc2307 = yes
>>
>>          interfaces = 127.0.0.1 192.168.0.1
>>          bind interfaces only = yes
>>          time server = yes
>>          wins support = yes
>>
>> ## KEEP THIS OFF !! Only used for modifying the AD Schema
>> ## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
>>          dsdb:schema update allowed = no
>>
>>          ## map id's outside to domain to tdb files.
>>          idmap config * : backend = tdb
>>          idmap config * : range = 2000-9999
>>          ## map ids from the domain and (*) the range may not overlap !
>>          idmap config INTERNAL: backend = ad
>>          idmap config INTERNAL: schema_mode = rfc2307
>>          idmap config INTERNAL: range = 10000-3999999
>>
>>          winbind nss info = rfc2307
>>          winbind trusted domains only = no
>>          winbind use default domain = yes
>>          winbind expand groups = 3
>>
>>          #template shell = /bin/bash
>>          #template homedir = /home/users/%ACCOUNTNAME%
>>
>>          ## Disable printing completely
>>          load printers = no
>>          printing = bsd
>>          printcap name = /dev/null
>>          disable spoolss = yes
>>
>> [netlogon]
>>          path = /home/samba/sysvol/internal.domain.tld/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /home/samba/sysvol
>>          read only = No
>>
>