[Samba] NT_STATUS_INTERNAL_DB_CORRUPTION messages in log.samba--proper course of action?

Rowland Penny rowlandpenny241155 at gmail.com
Fri Jul 3 18:07:26 UTC 2015

On 03/07/15 18:51, Pinja-Liina Jalkanen wrote:
> On 03/07/15 17:32, Rowland Penny wrote:
>> On 03/07/15 14:25, Pinja-Liina Jalkanen wrote:
>>> Hi all,
>>> We've recently migrated from a separate DNS server that was dynamically
>>> updated with BIND's update-policy, using a manually generated
>>> tkey-gssapi-keytab (plus a second server functioning as an ordinary
>>> slave to the first), to BIND9_DLZ. The setup predated Samba's AD DC
>>> support and BIND's DLZ support, and was originally established because
>>> even though we needed AD, we were unwilling to use Windows's own DNS
>>> server.

OK, so I missed that you hadn't provisioned samba4, but the message when 
you run 'samba-tool domain join --help' is even more explicit:

                         The DNS server backend. SAMBA_INTERNAL is the 
                         name server (default), BIND9_DLZ uses samba4 AD to
                         store zone information, NONE skips the DNS setup
                         entirely (this DC will not be a DNS server)

You need DNS for an AD domain, no ifs or buts, and experience of this 
mailing list leads me to think that not running it on the DCs is a bad idea.

>> Why did you go with '--dns-backend=None', did you miss the 'NONE skips
>> the DNS setup entirely (not recommended)' part in the command's help?
>> Don't bother answering, this is a rhetorical question.
> You're throwing me rhetorical questions, but didn't bother to actually
> _read_ my message, did you? I explained quite carefully that we used to
> have a DNS setup that is separate from AD and that _predates_ Samba's AD
> support--that is Samba 4.0--entirely.
> You could have just as well asked me why we didn't back then just go
> with the MS DNS but decided to use BIND instead. Because we've never
> ever _provisioned_ Samba; at least not as in "samba-tool domain
> provision". The "provisioning" of our domain was, once upon a time, done
> with Windows' dcpromo.exe.
> When we first added a Samba DC to the mix we were absolutely NOT going
> to change the existing DNS setup, as Samba's AD support was still very
> bleeding edge and that's why the first Samba DC was joined to our domain
> with --dns-backend=NONE. This whole problem arose when we were finally
> brave enough to try to change that setup, but there wasn't any
> documentation explaining how to do that.

There isn't any documentation for what you need to do now, because 
nobody ever thought that somebody would set up AD with samba4 (in any 
form) without a DNS server running on the DC.

Your only hope is to go through the files in 
/usr/share/pyshared/samba/provision/ and pick out the required info from 
them. I certainly won't be helping you any further in this problem of 
your own making!

>> OK, I suggest that you look in /usr/share/samba/provision/sambadns.py
>> and then 'create_dns_partitions'. This is what *didn't* get run when you
>> provisioned. You should be able to work out what you need to do now.
> Given what you wrote before, ignoring entirely the fact that our domain
> was never provisioned using Samba, I'm taking your advice with a grain
> of salt. But I'll take a look at that script.
> By the way, while the DNS updates do work now, I happened to notice the
> following message in the BIND log right after a successful update. It's
> most likely related:
> Jul  3 19:00:42 dc-a named[18846]: failed to find dnsRecord for
> DC=mydomain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=tld
> Pinja-Liina Jalkanen
