[Samba] 4.2.2 as AD with 2 DCs: database incoherency

Rowland Penny rowlandpenny241155 at gmail.com
Thu Jul 23 17:41:36 UTC 2015


On 23/07/15 16:23, mathias dufresne wrote:
> Hi all,
>
> I tried "samba-tool ldapcmp" several times to solve this issue, without
> success.
>
> On DC acting as full FSMO:
> dc20:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan
> ldap://dc20.ad.dgfip.lan domain
> ERROR(ldb): uncaught exception - ldb_wait: Time limit exceeded (3)
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line
> 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
> 968, in run
>      outf=self.outf, errf=self.errf)
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
> 80, in __init__
>      self.server_names = self.find_servers()
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
> 106, in find_servers
>      scope=SCOPE_SUBTREE, expression="(objectClass=computer)", attrs=["cn"])
>
> On the other one, which is the one with more groups than the other:
> dc00:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan
> ldap://dc20.ad.dgfip.lan domain
> ERROR(ldb): uncaught exception - ldb_wait: Time limit exceeded (3)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 968, in run
>      outf=self.outf, errf=self.errf)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 83,
> in __init__
>      self.get_sid_map()
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 257, in get_sid_map
>      expression="(objectSid=*)", scope=SCOPE_SUBTREE, attrs=["objectSid",
> "sAMAccountName"])
>
> After modifying the hostname configuration on the FSMO (which is a CentOS) so that the
> system does not reply with the FQDN when running "hostname" and does not reply with the short
> name when running "hostname --fqdn", the error changed a bit on the non-FSMO:
>
> dc00:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan
> ldap://dc20.ad.dgfip.lan domain
>
> * Comparing [DOMAIN] context...
> Failed search of base=DC=ad,DC=dgfip,DC=lan
> ERROR(ldb): uncaught exception - LDAP client internal error:
> NT_STATUS_UNEXPECTED_NETWORK_ERROR
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 979, in run
>      outf=self.outf, errf=self.errf)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 698, in __init__
>      self.dn_list = self.get_dn_list(context)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 841, in get_dn_list
>      res = self.con.ldb.search(base=self.search_base,
> scope=self.search_scope, attrs=["dn"])
>
> Finally I tried to demote non-FSMO DC:
>
> dc00:~# samba-tool domain demote -Uadministrator
> Using dc20.ad.dgfip.lan as partner server for the demotion
> ERROR(<class 'samba.drs_utils.drsException'>): uncaught exception -
> drsException: DRS connection to dc20.ad.dgfip.lan failed: (-1073741643,
> '{Device Timeout} The specified I/O operation on %hs was not completed
> before the time-out period expired.')
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 693,
> in run
>      (drsuapiBind, drsuapi_handle, supportedExtensions) =
> drsuapi_connect(server, lp, creds)
>    File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in
> drsuapi_connect
>      raise drsException("DRS connection to %s failed: %s" % (server, e))
>
> And now, before trying an MS Windows script to remove some broken DC from AD,
> I come back to see if anyone has any clue to help me solve that issue...
>
> Best regards,
>
> mathias
>
>
> 2015-07-16 17:31 GMT+02:00 Reindl Harald <h.reindl at thelounge.net>:
>
>>
>> On 16.07.2015 at 17:18, Rowland Penny wrote:
>>
>>> On 16/07/15 13:27, Reindl Harald wrote:
>>>
>>>> On 16.07.2015 at 14:02, Rowland Penny wrote:
>>>>
>>>>> /etc/hosts should be:
>>>>>
>>>>> 127.0.0.1    localhost.localdomain    localhost
>>>>>
>>>> uhm no - you want 127.0.0.1 normally resolved to localhost and hence
>>>> 127.0.0.1    localhost    localhost.localdomain
>>>>
>>> Ah NO, only if you are using a brain dead OS like red-hat :-)
>>>
>>>   From 'man hosts'
>>>
>>> For each host a single line should be present with the following
>>> information:
>>>
>>>                 IP_address canonical_hostname [aliases...]
>>>
>>> Optional aliases provide for name changes, alternate spellings, shorter
>>> hostnames,  or  generic  hostnames  (for  example, localhost)
>>>
>> You quote exactly what I said:
>> gethostbyaddr will answer the canonical_hostname and not a random alias.
>>
>> The real name for 127.0.0.1 is always localhost and hence that should not
>> be the alias; frankly, nobody needs the localhost.localdomain at all.
>>
>>
>>

This sounds more & more like a DNS problem. I tried Centos and had a 
hard time getting DNS to work properly, something that is easy on Debian.

You need to be able to ping each DC from the other, by short hostname 
and by FQDN. You should also be able to run 'host -t A 
<short_hostname_of_other_DC>' and 'host -t A 
<fqdn_hostname_of_other_DC>' and get a result.

/etc/resolv.conf needs to point first at the other DC, then to itself.
/etc/hosts should contain at a minimum '127.0.0.1    localhost'; you 
can also have '127.0.0.1    localhost.localdomain    localhost'.
You can add the IP addresses of the DCs to /etc/hosts, i.e.
192.168.0.2    dc1.example.com    dc1
192.168.0.3    dc2.example.com    dc2

Though you shouldn't have to, if the DNS servers are working correctly.

Running 'hostname' should return just the short hostname, and running 
'hostname -f' or 'hostname --fqdn' should return the FQDN hostname. 
/etc/hostname should contain just the DC's short hostname; when I tried 
out Centos, I seem to remember finding that it contained 
'localhost.localdomain', something it should never contain.

Rowland

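An offline check of the hostname and /etc/hosts rules given in the reply above, written here as an added example (it is not from the thread or from the Samba project); the /etc/hosts contents, DC names and addresses are constructed samples.

```shell
#!/bin/sh
# Offline checks for the DC naming rules discussed above.
# All hostnames, addresses and /etc/hosts contents below are constructed samples.

# check_hostnames SHORT FQDN: SHORT is what 'hostname' prints, FQDN what
# 'hostname -f' prints. Succeeds only when SHORT is undotted, FQDN is dotted,
# FQDN starts with SHORT, and neither is a localhost placeholder.
check_hostnames() {
    case "$1" in ""|localhost|*.*) return 1 ;; esac
    case "$2" in localhost.localdomain) return 1 ;; *.*) ;; *) return 1 ;; esac
    [ "${2%%.*}" = "$1" ]
}

# check_hosts_file FILE SHORT FQDN: FILE must map 127.0.0.1 to 'localhost'
# (as canonical name or alias), must never attach the DC's own name to a
# loopback address, and on any line naming the DC must list the FQDN as the
# canonical name (second field) with the short name only as an alias.
check_hosts_file() {
    awk -v short="$2" -v fqdn="$3" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            for (i = 2; i <= NF; i++) {
                if ($1 == "127.0.0.1" && $i == "localhost") have_lo = 1
                if ($1 ~ /^127\./ && ($i == short || $i == fqdn)) bad_lo = 1
                if ($1 !~ /^127\./ && ($i == short || $i == fqdn) && $2 != fqdn) bad_order = 1
            }
        }
        END { if (have_lo && !bad_lo && !bad_order) exit 0; exit 1 }
    ' "$1"
}

# write_samples DIR: one /etc/hosts in the recommended shape and one in the
# broken shape (DC name on loopback, short alias listed before the FQDN).
write_samples() {
    printf '127.0.0.1\tlocalhost.localdomain\tlocalhost\n192.168.0.2\tdc1.example.com\tdc1\n192.168.0.3\tdc2.example.com\tdc2\n' > "$1/hosts.good"
    printf '# constructed broken sample\n127.0.0.1\tlocalhost.localdomain\tdc1\n192.168.0.2\tdc1\tdc1.example.com\n' > "$1/hosts.bad"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in good bad; do
    if check_hosts_file "$dir/hosts.$f" dc1 dc1.example.com; then
        echo "hosts.$f: follows the /etc/hosts rules"
    else
        echo "hosts.$f: violates the /etc/hosts rules"
    fi
done
rm -r "$dir"
```

To check a real DC, call check_hostnames "$(hostname)" "$(hostname -f)" and check_hosts_file /etc/hosts with the same two names.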