[Samba] samba 4.1.17 upgrade 4.2.x ( sernet) upgrades.. fail...( bug(s) found )

L.P.H. van Belle belle at bazuin.nl
Tue Apr 28 07:45:23 MDT 2015


in addition..

i rebooted the servers now, checked logs, and...

Apr 28 15:36:57 dc1 named[2029]: samba_dlz: allowing update of signer=RTD-DC2..... etc.. 
which didn't work before the reboot.. 

i did run : 
/usr/bin/samba-tool ldapcmp --filter='whenChanged' ldap://dc1 ldap://dc2
0 errors on both servers

samba-tool drs showrepl
0 errors on both servers

checked all my logs, 0 errors now.. 

running : 
samba_dnsupdate --verbose --all-names 
again no errors.. 

so now it all looks ok.. 

but the big question now is, is it? 

so what happened here and what's going wrong when upgrading from 4.1.17 to 4.2.1, 
not counting the few bugs I saw.. 


Greetz, 

Louis



>-----Original message-----
>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org] 
>On behalf of L.P.H. van Belle
>Sent: Tuesday 28 April 2015 15:37
>To: samba at lists.samba.org
>CC: support at sernet.de
>Subject: Re: [Samba] samba 4.1.17 upgrade 4.2.x ( sernet) upgrades.. fail...( bug(s) found )
>
>Hai,
>
>Ok, I found the problem of the first post below. 
>I did a clean install of 4.1.17 (sernet samba) and installed 2 DC's. 
>
>The sernet package 4.1.17 for debian wheezy has a bug.. maybe 
>others also, beware. 
>When joining as an extra DC, we are (still) missing the rights on 
>/var/lib/samba/private/dns.keytab 
>
>after joining the domain.
>/var/lib/samba/private/dns.keytab  is set to
>root:root 600
>and not, as it should be. 
>
>user:group   root:bind and rights 640 
>
>so now I upgraded 4.1.17 to 4.2.1 
>first DC1, upgraded the packages, restarted bind, restarted samba. 
>No errors seen. 
>next DC2, upgraded the packages, restarted bind, restarted samba. 
>no errors in the logs seen, so so far good. 
>
>after about 3-5 min I did the following, 
>
>running : 
>/usr/bin/samba-tool ldapcmp --filter='whenChanged' ldap://dc1 
>ldap://dc2
>result 0 errors. 
>
>
>samba-tool drs showrepl ,  in the first check error, all other 
>after this one, are success.. 
>Default-First-Site-Name\DC1
>DSA Options: 0x00000001
>DSA object GUID: 1d67e5e5-905e-46af-9dcf-56c7bd316519
>DSA invocationId: cfbce936-e94c-480e-9ead-89c2ea43a9ba
>
>==== INBOUND NEIGHBORS ====
>
>DC=DomainDnsZones,DC=internal,DC=domain,DC=tld
>        Default-First-Site-Name\DC2 via RPC
>                DSA object GUID: 6da7e695-5a96-4e32-b1c7-d2457963b96e
>                Last attempt @ Tue Apr 28 14:26:18 2015 CEST 
>failed, result 64 (WERR_NETNAME_DELETED)
>                1 consecutive failure(s).
>                Last success @ Tue Apr 28 14:24:54 2015 CEST
>
>
>got phone.. so 5 min later I ran again: samba-tool drs showrepl
>and now 0 errors.. .. 
>
>So I can confirm the previous errors with upgrading were 
>because of the incorrect 
>rights on : /var/lib/samba/private/dns.keytab
>
>
>Now I did a complete install just by sernet samba 4.2.1 and same here. 
>DC1, all ok, no errors at all, i used the same script as the 
>4.1.17 version.. 
>But when joining a domain as DC, incorrect rights on : 
>/var/lib/samba/private/dns.keytab 
>
>at the point of joining the domain for dc2, i saw the 
>following in daemon.log : 
>Apr 28 15:01:36 rtd-dc1 named[8751]: received control channel 
>command 'reload'
>Apr 28 15:01:36 rtd-dc1 named[8751]: loading configuration 
>from '/etc/bind/named.conf'
>Apr 28 15:01:36 rtd-dc1 named[8751]: reading built-in trusted 
>keys from file '/etc/bind/bind.keys'
>Apr 28 15:01:36 rtd-dc1 named[8751]: using default UDP/IPv4 
>port range: [1024, 65535]
>Apr 28 15:01:36 rtd-dc1 named[8751]: using default UDP/IPv6 
>port range: [1024, 65535]
>Apr 28 15:01:36 rtd-dc1 named[8751]: no IPv6 interfaces found
>Apr 28 15:01:36 rtd-dc1 named[8751]: sizing zone task pool 
>based on 5 zones
>Apr 28 15:01:36 rtd-dc1 named[8751]: Loading 'AD DNS Zone' 
>using driver dlopen
>Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: starting configure
>Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: configured 
>writeable zone '0.168.192.in-addr.arpa'
>Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: Ignoring duplicate zone 'internal.domain.tld' from 'DC=@,DC=internal.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=internal,DC=domain,DC=tld'
>Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: Ignoring duplicate zone '_msdcs.internal.domain.tld' from 'DC=@,DC=_msdcs.internal.domain.tld,CN=MicrosoftDNS,DC=ForestDnsZones,DC=internal,DC=domain,DC=tld'
>Apr 28 15:01:36 rtd-dc1 named[8751]: using built-in root key 
>for view _default
>Apr 28 15:01:36 rtd-dc1 named[8751]: reloading configuration succeeded
>Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: shutting down
>Apr 28 15:01:36 rtd-dc1 named[8751]: reloading zones succeeded
>
>again a scripted install, which installed successfully on 4.1.17.. 
>i saw also : 
>testing of : host -t A rtd-dc2.rotterdam.bazuin.nl. : FAILED 
>trying to fix it now: Record added successfully 
>
>after a restart of samba on DC2. (log.samba) 
>Apr 28 15:11:05 rtd-dc2 samba[10159]: [2015/04/28 
>15:11:05.691758,  0] 
>../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>Apr 28 15:11:05 rtd-dc2 samba[10159]:   
>/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
>26x this message. 
>
>from DC1: 
>ping dc2 .. host not found. 
>
>on DC2:
>samba_dnsupdate --verbose --all-names 
>update failed: NOTAUTH
>Failed nsupdate: 2
>Failed update of 26 entries
>
>
>so I'm totally lost what is wrong in samba 4.2.1 compared to 
>samba 4.1.17 
>
>the config used on the servers: (this one is DC2's config, 
>they are the same. ) 
># Global parameters
>[global]
>        workgroup = INTERNAL
>        realm = internal.domain.tld			<==== 
>by default lowercased on DC2 at domain join.. ONLY DC2 ! 
>        netbios name = DC2
>        server role = active directory domain controller
>        server services = -dns
>        idmap_ldb:use rfc2307 = yes
>
>        idmap config * : backend = tdb
>        idmap config * : range = 2000-9999
>        idmap config INTERNAL : backend = ad
>        idmap config INTERNAL : range = 10000-3999999
>
>        winbind nss info = rfc2307
>        winbind trusted domains only = no
>        winbind use default domain = yes
>
>        interfaces = 127.0.0.1 192.168.0.2
>        bind interfaces only = yes
>        time server = yes
>        wins support = yes
>
>        ## Disable printing completely
>        load printers = no
>        printing = bsd
>        printcap name = /dev/null
>        disable spoolss = yes
>
>[netlogon]
>        path = /var/lib/samba/sysvol/internal.domain.tld/scripts
>        read only = No
>        acl_xattr:ignore system acl = yes
>
>[sysvol]
>        path = /var/lib/samba/sysvol
>        read only = No
>        acl_xattr:ignore system acl = yes
>
>
>so beware of upgrading to 4.2.1.. 
>I'll keep these VM's if anyone of samba/sernet wants to debug with me. 
>
>
>
>Greetz, 
>
>Louis
>
>
>
>
>>-----Original message-----
>>From: achim at ag-web.biz [mailto:samba-bounces at lists.samba.org] 
>>On behalf of Achim Gottinger
>>Sent: Friday 24 April 2015 18:03
>>To: samba at lists.samba.org
>>Subject: Re: [Samba] samba 4.1.17 upgrade 4.2.x ( sernet) upgrades.. fail...
>>
>>Hello Louis,
>>
>>On 24.04.2015 at 17:16, L.P.H. van Belle wrote:
>>> Hai..
>>>
>>> Just tested an upgrade of 4.1.17 to 4.2.1
>>> result... Fail..
>>>
>>> setup,
>>> Debian wheezy, sernet samba packages.
>>> 2 clean installed DC's  and 1 windows 7 pc joined.
>>> resolv.conf setup
>>> DC1 : nameserver DC2 then DC1.
>>> DC2:  nameserver DC1 then DC2.
>>>
>>> stopped samba on both servers.
>>> upgraded the packages on both servers.
>>>
>>> started samba on DC1 ( the one with fsmo roles )
>>> waited 5 min.
>>> started samba on DC2
>>Have you tried it with DC2 running while upgrading DC1?
>>>
>>> from error free logs to
>>>
>>> [2015/04/24 17:06:29.274803,  0] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
>>>    Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.0.2[1024,seal,krb5,
>>>    target_hostname=2835d359-ff8e-4146-acaa-e2b5f8c82be9._msdcs.internal.domain.tld,
>>>    target_principal=GC/dc2.internal.domain.tld/internal.domain.tld,
>>>    abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,
>>>    localaddress=192.168.0.1] NT_STATUS_INVALID_PARAMETER
>>>
>>> I didn't change anything in smb.conf  ( wanted to keep the OLD winbind behavior )
>>>
>>> anyone else who did this already with 100% success?
>>> tried now about 4 times, all fail.. ( imo samba 4.2.1 is not production ready ! )
>>> ....
>>>
>>> this is the smb.conf used.
>>>
>>> # Global parameters
>>> [global]
>>>          workgroup = INTERNAL
>>>          realm = INTERNAL.DOMAIN.TLD
>>>          netbios name = DC1
>>>          server role = active directory domain controller
>>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>
>>>          ## Don't forget to set the idmap_ldb on ALL DC's if you use it
>>>          idmap_ldb:use rfc2307 = yes
>>>
>>>          interfaces = 127.0.0.1 192.168.0.1
>>>          bind interfaces only = yes
>>>          time server = yes
>>>          wins support = yes
>>>
>>> ## KEEP THIS OFF !! Only used for modifying the AD Schema
>>> ## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
>>>          dsdb:schema update allowed = no
>>>
>>>          ## map id's outside to domain to tdb files.
>>>          idmap config * : backend = tdb
>>>          idmap config * : range = 2000-9999
>>>          ## map ids from the domain and (*) the range may not overlap !
>>>          idmap config INTERNAL: backend = ad
>>>          idmap config INTERNAL: schema_mode = rfc2307
>>>          idmap config INTERNAL: range = 10000-3999999
>>>
>>>          winbind nss info = rfc2307
>>>          winbind trusted domains only = no
>>>          winbind use default domain = yes
>>>          winbind expand groups = 3
>>>
>>>          #template shell = /bin/bash
>>>          #template homedir = /home/users/%ACCOUNTNAME%
>>>
>>>          ## Disable printing completely
>>>          load printers = no
>>>          printing = bsd
>>>          printcap name = /dev/null
>>>          disable spoolss = yes
>>>
>>> [netlogon]
>>>          path = /home/samba/sysvol/internal.domain.tld/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /home/samba/sysvol
>>>          read only = No
>>>
>>
>>-- 
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>
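The two post-join findings in the quoted mail (dns.keytab left as root:root 600 instead of root:bind 640, and the realm lowercased in DC2's smb.conf) are easy to check for before BIND and samba_dnsupdate start failing with NOTAUTH. The script below is an added example, not code from the list post, Samba or SerNet; it assumes GNU coreutils stat (Debian) and that named runs as group "bind", and the paths `/var/lib/samba/private/dns.keytab` and `/etc/samba/smb.conf` are taken from the thread.

```shell
#!/bin/sh
# Post-join sanity check for a Samba AD DC using BIND9_DLZ, written as an
# added example for this thread (not code from the post, Samba or SerNet).
# Assumptions: GNU coreutils stat (Debian) and named running as group "bind".

KEYTAB=/var/lib/samba/private/dns.keytab
SMBCONF=/etc/samba/smb.conf

# Pure check, testable without root: takes the "owner:group" and octal mode
# as printed by stat; only the expected root:bind 640 passes (the keytab is a
# secret, so a world-readable 644 fails just like the reported root:root 600).
keytab_perms_ok() {
    [ "$1" = "root:bind" ] && [ "$2" = "640" ]
}

# The realm must be upper case; the post reports DC2 got "internal.domain.tld".
realm_case_ok() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# First "realm = X" value in an smb.conf-style file, trailing junk stripped.
realm_from_conf() {
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Run both checks against the live system; prints the fix instead of applying it.
check_dc() {
    rc=0
    if ! keytab_perms_ok "$(stat -c '%U:%G' "$KEYTAB")" "$(stat -c '%a' "$KEYTAB")"; then
        echo "FAIL: $KEYTAB is $(stat -c '%U:%G %a' "$KEYTAB"), expected root:bind 640" >&2
        echo "      fix: chown root:bind $KEYTAB && chmod 640 $KEYTAB" >&2
        rc=1
    fi
    realm=$(realm_from_conf "$SMBCONF")
    if ! realm_case_ok "$realm"; then
        echo "FAIL: realm '$realm' in $SMBCONF is not upper case; check DC2's smb.conf after join" >&2
        rc=1
    fi
    return $rc
}

# Only touch the live system when invoked as: sh dc_check.sh --run
case "${1:-}" in
    --run) check_dc ;;
esac
```

Run it on each DC right after the join and again after the package upgrade; a non-zero exit means named will not be able to read the keytab or the realm does not match the other DC.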