[Samba] 4.2.2 as AD with 2 DCs: database incoherency

mathias dufresne infractory at gmail.com
Fri Jul 24 12:53:12 UTC 2015


The following commands work on both DC:
host -t A <short_hostname_of_other_DC>
host -t A <fqdn_hostname_of_other_DC>

hostname and hostname --fqdn are working on both DC. The simplest way is to
not declare external IP in /etc/hosts


SRV DNS entries which are working are:
host -t SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.domain.tld
host -t SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.domain.tld

host -t SRV _kerberos._tcp.ad.domain.tld
host -t SRV _ldap._tcp.ad.domain.tld

host -t SRV _ldap._tcp.e34d77b4-ff44-49fc-b29c-5373ecb0538a.domains._msdcs.ad.domain.tld
No _kerberos defined there.

All of them return both DC FQDN.

In (kind of) DNS OU named _tcp in _sites.ad.domain.tld there are 4 kinds of
entries:
_ldap
_kerberos
_kpasswd
_gc

Whereas in other _tcp containers there are fewer entries (missing _kpasswd,
missing _kpasswd and _gc, or missing _kpasswd, _kerberos and _gc).

This was for direct search zone.

For conditional redirection and inverted search zone (rough translation) I have
no entry at all.

2015-07-23 19:41 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 23/07/15 16:23, mathias dufresne wrote:
>
>> Hi all,
>>
>> I tried "samba-tool ldapcmp" several times to solve this issue, without
>> success.
>>
>> On DC acting as full FSMO:
>> dc20:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan
>> ldap://dc20.ad.dgfip.lan domain
>> ERROR(ldb): uncaught exception - ldb_wait: Time limit exceeded (3)
>>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
>> line
>> 175, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
>> 968, in run
>>      outf=self.outf, errf=self.errf)
>>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
>> 80, in __init__
>>      self.server_names = self.find_servers()
>>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
>> 106, in find_servers
>>      scope=SCOPE_SUBTREE, expression="(objectClass=computer)",
>> attrs=["cn"])
>>
>> On the other one, which is the one with more group than the other:
>> dc00:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan
>> ldap://dc20.ad.dgfip.lan domain
>> ERROR(ldb): uncaught exception - ldb_wait: Time limit exceeded (3)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
>> 175, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
>> 968, in run
>>      outf=self.outf, errf=self.errf)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
>> 83,
>> in __init__
>>      self.get_sid_map()
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
>> 257, in get_sid_map
>>      expression="(objectSid=*)", scope=SCOPE_SUBTREE, attrs=["objectSid",
>> "sAMAccountName"])
>>
>> After modifying hostname configuration on FSMO which is a Centos for that
>> system does not reply FQDN when running "hostname" and not replying short
>> name when running "hostname --fqdn", the error changed a bit on non-FSMO:
>>
>> dc00:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan
>> ldap://dc20.ad.dgfip.lan domain
>>
>> * Comparing [DOMAIN] context...
>> Failed search of base=DC=ad,DC=dgfip,DC=lan
>> ERROR(ldb): uncaught exception - LDAP client internal error:
>> NT_STATUS_UNEXPECTED_NETWORK_ERROR
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
>> 175, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
>> 979, in run
>>      outf=self.outf, errf=self.errf)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
>> 698, in __init__
>>      self.dn_list = self.get_dn_list(context)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
>> 841, in get_dn_list
>>      res = self.con.ldb.search(base=self.search_base,
>> scope=self.search_scope, attrs=["dn"])
>>
>> Finally I tried to demote non-FSMO DC:
>>
>> dc00:~# samba-tool domain demote -Uadministrator
>> Using dc20.ad.dgfip.lan as partner server for the demotion
>> ERROR(<class 'samba.drs_utils.drsException'>): uncaught exception -
>> drsException: DRS connection to dc20.ad.dgfip.lan failed: (-1073741643,
>> '{Device Timeout} The specified I/O operation on %hs was not completed
>> before the time-out period expired.')
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
>> 175, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
>> 693,
>> in run
>>      (drsuapiBind, drsuapi_handle, supportedExtensions) =
>> drsuapi_connect(server, lp, creds)
>>    File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in
>> drsuapi_connect
>>      raise drsException("DRS connection to %s failed: %s" % (server, e))
>>
>> And now before trying a MS Windows script to remove some broken DC from
>> AD,
>> I come back to see if anyone has any clue to help me to solve that
>> issue...
>>
>> Best regards,
>>
>> mathias
>>
>>
>> 2015-07-16 17:31 GMT+02:00 Reindl Harald <h.reindl at thelounge.net>:
>>
>>
>>> On 16.07.2015 at 17:18, Rowland Penny wrote:
>>>
>>>  On 16/07/15 13:27, Reindl Harald wrote:
>>>>
>>>>>  On 16.07.2015 at 14:02, Rowland Penny wrote:
>>>>>
>>>>>  /etc/hosts should be:
>>>>>>
>>>>>> 127.0.0.1    localhost.localdomain    localhost
>>>>>>
>>>>> uhm no - you want 127.0.0.1 normally resolved to localhost and hence
>>>>> 127.0.0.1    localhost    localhost.localdomain
>>>>>
>>>>>  Ah NO, only if you are using a brain dead OS like red-hat :-)
>>>>
>>>>   From 'man hosts'
>>>>
>>>> For each host a single line should be present with the following
>>>> information:
>>>>
>>>>                 IP_address canonical_hostname [aliases...]
>>>>
>>>> Optional aliases provide for name changes, alternate spellings, shorter
>>>> hostnames,  or  generic  hostnames  (for  example, localhost)
>>>>
>>> you quote exactly what i said
>>> gethostbyaddr will answer the canonical_hostname and not a random alias
>>>
>>> the real name for 127.0.0.1 is always localhost and hence that should not
>>> be the alias, frankly nobody needs the localhost.localdomain at all
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
> This sounds more & more like a DNS problem. I tried Centos and had a hard
> time getting DNS to work properly, something that is easy on Debian.
>
> You need to be able to ping each DC from the other, by short hostname and
> by FQDN, you should also be able to run 'host -t A
> <short_hostname_of_other_DC>' and 'host -t A <fqdn_hostname_of_other_DC>'
> and get a result.
>
> /etc/resolv.conf needs to point first at the other DC, then to itself
> /etc/hosts should contain at a minimum '127.0.0.1    localhost' , you can
> also have '127.0.0.1    localhost.localdomain    localhost'
> You can add the ipaddresses of the DCs to /etc/hosts i.e.
> 192.168.0.2    dc1.example.com    dc1
> 192.168.0.3    dc2.example.com    dc2
>
> Though you shouldn't have to, if the DNS servers are working correctly.
>
> Running 'hostname' should return just the short hostname, running
> 'hostname -f' or 'hostname --fqdn' should return the FQDN hostname,
> /etc/hostname should contain just the DCs short hostname, when I tried out
> Centos, I seem to remember finding that it contained
> 'localhost.localdomain', something it should never contain.
>
> Rowland
>
>
>
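A check for the SRV inventory this thread walks through, added here as an example (it is not code from the thread or from Samba): it parses `host -t SRV` output and reports which DCs are absent from each record every DC should register, which is the kind of gap the post describes in the _tcp containers. The domain, site name and domain GUID are the ones quoted in the thread; the sample output is constructed and `check_sample` is a hypothetical wrapper.

```python
import re

# Constructed sample of `host -t SRV` output (not from the thread).
SAMPLE_HOST_OUTPUT = """\
_ldap._tcp.ad.domain.tld has SRV record 0 100 389 dc00.ad.domain.tld.
_ldap._tcp.ad.domain.tld has SRV record 0 100 389 dc20.ad.domain.tld.
_kerberos._tcp.ad.domain.tld has SRV record 0 100 88 dc00.ad.domain.tld.
_kerberos._tcp.ad.domain.tld has SRV record 0 100 88 dc20.ad.domain.tld.
_kpasswd._tcp.ad.domain.tld has SRV record 0 100 464 dc20.ad.domain.tld.
"""
SRV_LINE = re.compile(r"^(\S+) has SRV record \d+ \d+ \d+ (\S+)$")

def expected_srv_names(domain, site, domain_guid):
    """SRV names every DC of a single-domain forest registers (standard AD
    layout; pdc._msdcs is skipped, and every DC is assumed to be a GC)."""
    sites = f"{site}._sites"
    names = [f"_kpasswd._tcp.{domain}",
             f"_ldap._tcp.{domain_guid}.domains._msdcs.{domain}"]
    for svc, sub in (("_ldap", ""), ("_kerberos", ""), ("_gc", ""),
                     ("_ldap", "dc._msdcs."), ("_kerberos", "dc._msdcs."),
                     ("_ldap", "gc._msdcs.")):
        names.append(f"{svc}._tcp.{sub}{domain}")             # domain-wide
        names.append(f"{svc}._tcp.{sites}.{sub}{domain}")     # site-specific
    return names

def parse_host_srv(output):
    """Map each SRV name to the set of target FQDNs in `host -t SRV` output."""
    targets = {}
    for line in output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            name, target = (g.rstrip(".").lower() for g in m.groups())
            targets.setdefault(name, set()).add(target)
    return targets

def missing_registrations(expected, observed, dcs):
    """{srv_name: [DC FQDNs absent from that record]} for records with gaps."""
    gaps = {}
    for name in expected:
        missing = sorted({d.lower() for d in dcs} - observed.get(name, set()))
        if missing:
            gaps[name] = missing
    return gaps

def check_sample():
    expected = expected_srv_names("ad.domain.tld", "Default-First-Site-Name",
                                  "e34d77b4-ff44-49fc-b29c-5373ecb0538a")
    return missing_registrations(expected, parse_host_srv(SAMPLE_HOST_OUTPUT),
                                 ["dc00.ad.domain.tld", "dc20.ad.domain.tld"])
```

On a real DC, feed it the concatenated output of `host -t SRV <name>` for each name returned by `expected_srv_names`, and compare the result between the two DCs' resolvers.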
