[Samba] samba 4.1.17 upgrade 4.2.x ( sernet) upgrades.. fail...( bug(s) found )

L.P.H. van Belle belle at bazuin.nl
Tue Apr 28 07:55:48 MDT 2015


.. forgot to mention..

I did change the lowercase realm in smb.conf to UPPER CASE
on DC2 before the reboot, and tested that also, but it did not work.

so very strange imo..



>-----Original message-----
>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>On behalf of: L.P.H. van Belle
>Sent: Tuesday 28 April 2015 15:45
>To: samba at lists.samba.org
>CC: support at sernet.de
>Subject: Re: [Samba] samba 4.1.17 upgrade 4.2.x ( sernet)
>upgrades.. fail...( bug(s) found )
>
>in addition..
>
>i rebooted the servers now, checked logs, and...
>
>Apr 28 15:36:57 dc1 named[2029]: samba_dlz: allowing update of signer=RTD-DC2..... etc..
>which didn't work before the reboot..
>
>I did run:
>/usr/bin/samba-tool ldapcmp --filter='whenChanged' ldap://dc1 ldap://dc2
>0 errors on both servers
>
>samba-tool drs showrepl
>0 errors on both servers
>
>checked all my logs, 0 errors now..
>
>running : 
>samba_dnsupdate --verbose --all-names 
>again no errors.. 
>
>so now it all looks ok.. 
>
>but the big question now is, is it?
>
>so what happened here and what's going wrong when upgrading from
>4.1.17 to 4.2.1,
>not counting the few bugs I saw..
>
>
>Greetz, 
>
>Louis
>
>
>
>>-----Original message-----
>>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>>On behalf of: L.P.H. van Belle
>>Sent: Tuesday 28 April 2015 15:37
>>To: samba at lists.samba.org
>>CC: support at sernet.de
>>Subject: Re: [Samba] samba 4.1.17 upgrade 4.2.x ( sernet)
>>upgrades.. fail...( bug(s) found )
>>
>>Hai,
>>
>>Ok, I found the problem of the first post below.
>>I did a clean install of 4.1.17 (sernet samba) and installed 2 DCs.
>>
>>The sernet package 4.1.17 for debian wheezy has a bug.. maybe
>>others also, beware.
>>When joining as an extra DC, we are (still) missing the rights on
>>/var/lib/samba/private/dns.keytab
>>
>>after joining the domain.
>>/var/lib/samba/private/dns.keytab is set to
>>root:root 600
>>and not, as it should be,
>>
>>user:group   root:bind and rights 640
>>
>>so now I upgraded 4.1.17 to 4.2.1
>>first DC1, upgraded the packages, restarted bind, restarted samba.
>>No errors seen.
>>next DC2, upgraded the packages, restarted bind, restarted samba.
>>no errors in the logs seen, so so far good.
>>
>>after about 3-5 min I did the following,
>>
>>running:
>>/usr/bin/samba-tool ldapcmp --filter='whenChanged' ldap://dc1 ldap://dc2
>>result 0 errors.
>>
>>
>>samba-tool drs showrepl, in the first check an error, all others
>>after this one are success..
>>Default-First-Site-Name\DC1
>>DSA Options: 0x00000001
>>DSA object GUID: 1d67e5e5-905e-46af-9dcf-56c7bd316519
>>DSA invocationId: cfbce936-e94c-480e-9ead-89c2ea43a9ba
>>
>>==== INBOUND NEIGHBORS ====
>>
>>DC=DomainDnsZones,DC=internal,DC=domain,DC=tld
>>        Default-First-Site-Name\DC2 via RPC
>>                DSA object GUID: 6da7e695-5a96-4e32-b1c7-d2457963b96e
>>                Last attempt @ Tue Apr 28 14:26:18 2015 CEST failed, result 64 (WERR_NETNAME_DELETED)
>>                1 consecutive failure(s).
>>                Last success @ Tue Apr 28 14:24:54 2015 CEST
>>
>>
>>got a phone call.. so 5 min later again I did run: samba-tool drs showrepl
>>and now 0 errors.. ..
>>
>>So I can confirm the previous errors with upgrading were
>>because of the incorrect
>>rights on: /var/lib/samba/private/dns.keytab
>>
>>
>>Now I did a complete install just with sernet samba 4.2.1 and
>>same here.
>>DC1, all ok, no errors at all, I used the same script as the
>>4.1.17 version..
>>But when joining a domain as DC, incorrect rights on:
>>/var/lib/samba/private/dns.keytab
>>
>>at the point of joining the domain for dc2, I saw the
>>following in daemon.log:
>>Apr 28 15:01:36 rtd-dc1 named[8751]: received control channel command 'reload'
>>Apr 28 15:01:36 rtd-dc1 named[8751]: loading configuration from '/etc/bind/named.conf'
>>Apr 28 15:01:36 rtd-dc1 named[8751]: reading built-in trusted keys from file '/etc/bind/bind.keys'
>>Apr 28 15:01:36 rtd-dc1 named[8751]: using default UDP/IPv4 port range: [1024, 65535]
>>Apr 28 15:01:36 rtd-dc1 named[8751]: using default UDP/IPv6 port range: [1024, 65535]
>>Apr 28 15:01:36 rtd-dc1 named[8751]: no IPv6 interfaces found
>>Apr 28 15:01:36 rtd-dc1 named[8751]: sizing zone task pool based on 5 zones
>>Apr 28 15:01:36 rtd-dc1 named[8751]: Loading 'AD DNS Zone' using driver dlopen
>>Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: starting configure
>>Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
>>Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: Ignoring duplicate zone 'internal.domain.tld' from 'DC=@,DC=internal.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=internal,DC=domain,DC=tld'
>>Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: Ignoring duplicate zone '_msdcs.internal.domain.tld' from 'DC=@,DC=_msdcs.internal.domain.tld,CN=MicrosoftDNS,DC=ForestDnsZones,DC=internal,DC=domain,DC=tld'
>>Apr 28 15:01:36 rtd-dc1 named[8751]: using built-in root key for view _default
>>Apr 28 15:01:36 rtd-dc1 named[8751]: reloading configuration succeeded
>>Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: shutting down
>>Apr 28 15:01:36 rtd-dc1 named[8751]: reloading zones succeeded
>>
>>again a scripted install, which installed successfully on 4.1.17..
>>I saw also:
>>testing of : host -t A rtd-dc2.rotterdam.bazuin.nl. : FAILED
>>trying to fix it now: Record added successfully
>>
>>after a restart of samba on DC2. (log.samba)
>>Apr 28 15:11:05 rtd-dc2 samba[10159]: [2015/04/28 15:11:05.691758,  0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>Apr 28 15:11:05 rtd-dc2 samba[10159]:   /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
>>26x this message.
>>
>>from DC1: 
>>ping dc2 .. host not found. 
>>
>>on DC2:
>>samba_dnsupdate --verbose --all-names 
>>update failed: NOTAUTH
>>Failed nsupdate: 2
>>Failed update of 26 entries
>>
>>
>>so I'm totally lost what is wrong in samba 4.2.1 compared to
>>samba 4.1.17
>>
>>the config used on the servers: (this one is DC2's config,
>>they are the same.)
>># Global parameters
>>[global]
>>        workgroup = INTERNAL
>>        realm = internal.domain.tld        <==== by default lowercased on DC2 at domain join.. ONLY DC2 !
>>        netbios name = DC2
>>        server role = active directory domain controller
>>        server services = -dns
>>        idmap_ldb:use rfc2307 = yes
>>
>>        idmap config * : backend = tdb
>>        idmap config * : range = 2000-9999
>>        idmap config INTERNAL : backend = ad
>>        idmap config INTERNAL : range = 10000-3999999
>>
>>        winbind nss info = rfc2307
>>        winbind trusted domains only = no
>>        winbind use default domain = yes
>>
>>        interfaces = 127.0.0.1 192.168.0.2
>>        bind interfaces only = yes
>>        time server = yes
>>        wins support = yes
>>
>>        ## Disable printing completely
>>        load printers = no
>>        printing = bsd
>>        printcap name = /dev/null
>>        disable spoolss = yes
>>
>>[netlogon]
>>        path = /var/lib/samba/sysvol/internal.domain.tld/scripts
>>        read only = No
>>        acl_xattr:ignore system acl = yes
>>
>>[sysvol]
>>        path = /var/lib/samba/sysvol
>>        read only = No
>>        acl_xattr:ignore system acl = yes
>>
>>
>>so beware of upgrading to 4.2.1..
>>I'll keep these VMs if anyone from samba/sernet wants to debug
>>with me.
>>
>>
>>
>>Greetz, 
>>
>>Louis
>>
>>
>>
>>
>>>-----Original message-----
>>>From: achim at ag-web.biz [mailto:samba-bounces at lists.samba.org]
>>>On behalf of: Achim Gottinger
>>>Sent: Friday 24 April 2015 18:03
>>>To: samba at lists.samba.org
>>>Subject: Re: [Samba] samba 4.1.17 upgrade 4.2.x ( sernet)
>>>upgrades.. fail...
>>>
>>>Hello Louis,
>>>
>>>On 24.04.2015 at 17:16, L.P.H. van Belle wrote:
>>>> Hai..
>>>>
>>>> Just tested an upgrade of 4.1.17 to 4.2.1
>>>> result... Fail..
>>>>
>>>> setup,
>>>> Debian wheezy, sernet samba packages.
>>>> 2 clean installed DC's  and 1 windows 7 pc joined.
>>>> resolv.conf setup
>>>> DC1 : nameserver DC2 then DC1.
>>>> DC2:  nameserver DC1 then DC2.
>>>>
>>>> stopped samba on both servers.
>>>> upgraded the packages on both servers.
>>>>
>>>> started samba on DC1 ( the one with fsmo roles )
>>>> waited 5 min.
>>>> started samba on DC2
>>>Have you tried it with DC2 running while upgrading DC1?
>>>>
>>>> from error free logs to
>>>>
>>>> [2015/04/24 17:06:29.274803,  0] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
>>>>    Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.0.2[1024,seal,krb5,
>>>>    target_hostname=2835d359-ff8e-4146-acaa-e2b5f8c82be9._msdcs.internal.domain.tld,
>>>>    target_principal=GC/dc2.internal.domain.tld/internal.domain.tld,
>>>>    abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,
>>>>    localaddress=192.168.0.1] NT_STATUS_INVALID_PARAMETER
>>>>
>>>> I didn't change anything in smb.conf ( wanted to keep the OLD winbind behavior )
>>>>
>>>> anyone else who did this already with 100% success?
>>>> tried now about 4 times, all fail.. ( imo samba 4.2.1 is not production ready ! )
>>>> ....
>>>>
>>>> this is the smb.conf used.
>>>>
>>>> # Global parameters
>>>> [global]
>>>>          workgroup = INTERNAL
>>>>          realm = INTERNAL.DOMAIN.TLD
>>>>          netbios name = DC1
>>>>          server role = active directory domain controller
>>>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>
>>>>          ## Don't forget to set the idmap_ldb on ALL DCs if you use it
>>>>          idmap_ldb:use rfc2307 = yes
>>>>
>>>>          interfaces = 127.0.0.1 192.168.0.1
>>>>          bind interfaces only = yes
>>>>          time server = yes
>>>>          wins support = yes
>>>>
>>>> ## KEEP THIS OFF !! Only used for modifying the AD Schema
>>>> ## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
>>>>          dsdb:schema update allowed = no
>>>>
>>>>          ## map id's outside to domain to tdb files.
>>>>          idmap config * : backend = tdb
>>>>          idmap config * : range = 2000-9999
>>>>          ## map ids from the domain and (*) the range may not overlap !
>>>>          idmap config INTERNAL: backend = ad
>>>>          idmap config INTERNAL: schema_mode = rfc2307
>>>>          idmap config INTERNAL: range = 10000-3999999
>>>>
>>>>          winbind nss info = rfc2307
>>>>          winbind trusted domains only = no
>>>>          winbind use default domain = yes
>>>>          winbind expand groups = 3
>>>>
>>>>          #template shell = /bin/bash
>>>>          #template homedir = /home/users/%ACCOUNTNAME%
>>>>
>>>>          ## Disable printing completely
>>>>          load printers = no
>>>>          printing = bsd
>>>>          printcap name = /dev/null
>>>>          disable spoolss = yes
>>>>
>>>> [netlogon]
>>>>          path = /home/samba/sysvol/internal.domain.tld/scripts
>>>>          read only = No
>>>>
>>>> [sysvol]
>>>>          path = /home/samba/sysvol
>>>>          read only = No
>>>>
>>>
>>>-- 
>>>To unsubscribe from this list go to the following URL and read the
>>>instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>
>>
>>
>
>
>
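The thread traces its `samba_dnsupdate: update failed: NOTAUTH` errors to two things: the extra DC's `/var/lib/samba/private/dns.keytab` being left as `root:root 600` instead of `root:bind 640`, so `named` cannot read the key it needs to verify signed updates, and DC2 ending up with a lowercased `realm` in smb.conf. The following POSIX sh script is an added example (an editor's addition, not code from the thread, from Samba or from SerNet) that turns those two findings into a post-join check to run on a DC. It assumes the Debian default paths and the `bind` group named in the thread; `check_dc` and the other function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the list thread, Samba or SerNet): post-join /
# post-upgrade sanity check for a Samba AD DC that uses the BIND9_DLZ backend.
#  1. dns.keytab must be readable by named (thread: root:bind 640, not
#     root:root 600); otherwise named cannot verify GSS-TSIG signed updates
#     and samba_dnsupdate reports NOTAUTH.
#  2. the realm in smb.conf should be upper case (thread: DC2 was joined with
#     a lowercased realm).
# Assumptions: GNU stat (Debian), Samba's default private dir, and "bind" as
# the group named runs as; adjust EXPECTED_PERMS for other distributions.

KEYTAB=${KEYTAB:-/var/lib/samba/private/dns.keytab}
SMBCONF=${SMBCONF:-/etc/samba/smb.conf}
EXPECTED_PERMS=${EXPECTED_PERMS:-"root:bind 640"}

# keytab_perms_ok "<owner>:<group> <octal mode>" -> 0 when it equals
# EXPECTED_PERMS. Takes a string rather than a path so it can be tested
# on constructed input.
keytab_perms_ok() {
    [ "$1" = "$EXPECTED_PERMS" ]
}

# keytab_perms_from_path PATH -> prints "owner:group mode" (GNU stat)
keytab_perms_from_path() {
    stat -c '%U:%G %a' "$1"
}

# realm_is_upper "<realm>" -> 0 when non-empty and free of lowercase letters
realm_is_upper() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[[:lower:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# realm_from_smbconf FILE -> prints the value of the first "realm =" line
realm_from_smbconf() {
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_dc KEYTAB SMBCONF -> prints one line per check and returns the
# number of problems found (0 means both checks passed)
check_dc() {
    problems=0
    if [ -e "$1" ]; then
        perms=$(keytab_perms_from_path "$1")
        if keytab_perms_ok "$perms"; then
            echo "OK   $1 is $perms"
        else
            echo "FAIL $1 is $perms, expected $EXPECTED_PERMS (named cannot read the key; samba_dnsupdate will fail with NOTAUTH)"
            problems=$((problems + 1))
        fi
    else
        echo "FAIL $1 does not exist"
        problems=$((problems + 1))
    fi
    realm=$(realm_from_smbconf "$2" 2>/dev/null)
    if realm_is_upper "$realm"; then
        echo "OK   realm = $realm"
    else
        echo "WARN realm = '$realm' is empty or not upper case (the thread's DC2 had a lowercased realm after the join)"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage: sh dc_check.sh run   (as root, so stat can read the private dir)
case "${1:-}" in
    run) check_dc "$KEYTAB" "$SMBCONF" ;;
esac
```

Run it on each DC right after `samba-tool domain join` and again after a package upgrade, before trusting `samba_dnsupdate --verbose --all-names` and `samba-tool drs showrepl`; a non-zero exit tells you which of the two conditions from the thread still applies.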


