[Samba] 4.2.2 as AD with 2 DCs: database incoherency
mathias dufresne
infractory at gmail.com
Thu Jul 23 15:23:44 UTC 2015
Hi all,
I tried "samba-tool ldapcmp" several times to solve this issue, without
success.
On DC acting as full FSMO:
dc20:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan
ldap://dc20.ad.dgfip.lan domain
ERROR(ldb): uncaught exception - ldb_wait: Time limit exceeded (3)
File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line
175, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
968, in run
outf=self.outf, errf=self.errf)
File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
80, in __init__
self.server_names = self.find_servers()
File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
106, in find_servers
scope=SCOPE_SUBTREE, expression="(objectClass=computer)", attrs=["cn"])
On the other one, which is the one with more groups than the other:
dc00:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan
ldap://dc20.ad.dgfip.lan domain
ERROR(ldb): uncaught exception - ldb_wait: Time limit exceeded (3)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
968, in run
outf=self.outf, errf=self.errf)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 83,
in __init__
self.get_sid_map()
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
257, in get_sid_map
expression="(objectSid=*)", scope=SCOPE_SUBTREE, attrs=["objectSid",
"sAMAccountName"])
After modifying the hostname configuration on the FSMO, which is a CentOS, so
that the system does not reply with the FQDN when running "hostname" and does
not reply with the short name when running "hostname --fqdn", the error
changed a bit on the non-FSMO:
dc00:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan
ldap://dc20.ad.dgfip.lan domain
* Comparing [DOMAIN] context...
Failed search of base=DC=ad,DC=dgfip,DC=lan
ERROR(ldb): uncaught exception - LDAP client internal error:
NT_STATUS_UNEXPECTED_NETWORK_ERROR
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
979, in run
outf=self.outf, errf=self.errf)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
698, in __init__
self.dn_list = self.get_dn_list(context)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
841, in get_dn_list
res = self.con.ldb.search(base=self.search_base,
scope=self.search_scope, attrs=["dn"])
Finally I tried to demote non-FSMO DC:
dc00:~# samba-tool domain demote -Uadministrator
Using dc20.ad.dgfip.lan as partner server for the demotion
ERROR(<class 'samba.drs_utils.drsException'>): uncaught exception -
drsException: DRS connection to dc20.ad.dgfip.lan failed: (-1073741643,
'{Device Timeout} The specified I/O operation on %hs was not completed
before the time-out period expired.')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 693,
in run
(drsuapiBind, drsuapi_handle, supportedExtensions) =
drsuapi_connect(server, lp, creds)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in
drsuapi_connect
raise drsException("DRS connection to %s failed: %s" % (server, e))
And now before trying a MS Windows script to remove some broken DC from AD,
I come back to see if anyone has any clue to help me to solve that issue...
Best regards,
mathias
2015-07-16 17:31 GMT+02:00 Reindl Harald <h.reindl at thelounge.net>:
>
>
> Am 16.07.2015 um 17:18 schrieb Rowland Penny:
>
>> On 16/07/15 13:27, Reindl Harald wrote:
>>
>>>
>>> Am 16.07.2015 um 14:02 schrieb Rowland Penny:
>>>
>>>> /etc/hosts should be:
>>>>
>>>> 127.0.0.1 localhost.localdomain localhost
>>>>
>>>
>>> uhm no - you want 127.0.0.1 normally resolved to localhost and hence
>>> 127.0.0.1 localhost localhost.localdomain
>>>
>>
>> Ah NO, only if you are using a brain dead OS like red-hat :-)
>>
>> From 'man hosts'
>>
>> For each host a single line should be present with the following
>> information:
>>
>> IP_address canonical_hostname [aliases...]
>>
>> Optional aliases provide for name changes, alternate spellings, shorter
>> hostnames, or generic hostnames (for example, localhost)
>>
>
> you quote exactly what i said
> gethostbyaddr will answer the canonical_hostname and not a random alias
>
> the real name for 127.0.0.1 is always localhost and hence that should not
> be the alias, frankly nobody needs the localhost.localdomain at all
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>