[Samba] 4.2.2 as AD with 2 DCs: database incoherency

mathias dufresne infractory at gmail.com
Mon Jul 27 12:45:15 UTC 2015


Thank you Rowland for this.

I tried using Sernet's Samba 4.2.2 and failed:

All the following commands were run on DC20:

samba-tool dns zonecreate dc20.ad.domain.tld 0.0.10.in-addr.arpa
Password for [administrator at AD.DOMAIN.TLD]:
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
ncacn_ip_tcp:10.0.0.221[1024,sign,target_hostname=dc20.ad.domain.tld,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=10.0.0.221]
NT_STATUS_IO_TIMEOUT
ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The
specified I/O operation on %hs was not completed before the time-out period
expired.')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line
175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 850,
in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 40,
in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

samba-tool dns zonelist dc20
Password for [administrator at AD.DOMAIN.TLD]:
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
ncacn_ip_tcp:10.0.0.221[1024,sign,target_hostname=dc20,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fdlocaladdress=10.0.0.221]
NT_STATUS_IO_TIMEOUT
ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The
specified I/O operation on %hs was not completed before the time-out period
expired.')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line
175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 809,
in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 40,
in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

After upgrading to 4.2.3:

kinit administrator
Password for administrator at AD.DOMAIN.TLD:
Warning: Your password will expire in 38 days on Thu Sep  3 15:16:54 2015

samba-tool dns zonecreate dc20.ad.domain.tld 0.0.10.in-addr.arpa
Zone 0.0.10.in-addr.arpa created successfully

------------------------------------
On the second DC, namely DC00:

samba-tool dns zonecreate dc00.ad.domain.tld 0.0.10.in-addr.arpa -Uadministrator
ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The
specified I/O operation on %hs was not completed before the time-out period
expired.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 850, in
run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 40, in
dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

----------------------------------------------------------------

  So zone creation worked after upgrading to Samba4 4.2.3. I haven't filled
that zone yet, but I ran:
samba-tool ldapcmp ldap://DC00.ad.domain.tld ldap://DC20.ad.domain.tld -Uadministrator
on DC00, just to see if the previous errors were also solved after the upgrade.

Regarding the initial issue, which was database incoherency, I copied
/var/lib/samba/private/sam.ldb.d/DC=AD,DC=DOMAIN,DC=TLD from DC20 to DC00
(with both Samba services stopped) to see if this could be achieved and used
as a quick answer to the incoherency issue. The idea was that all DCs should
have the same database, so let's push the database (piggy work, often
efficient...). Then I ran some ldapcmp before leaving for the weekend:

samba-tool ldapcmp ldap://dc00.ad.domain.tld ldap://dc20.ad.domain.tld domain

* Comparing [DOMAIN] context...
Failed search of base=DC=ad,DC=domain,DC=tld
ERROR(ldb): uncaught exception - LDAP client internal error:
NT_STATUS_UNEXPECTED_NETWORK_ERROR
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line
175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
979, in run
    outf=self.outf, errf=self.errf)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
698, in __init__
    self.dn_list = self.get_dn_list(context)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
841, in get_dn_list
    res = self.con.ldb.search(base=self.search_base,
scope=self.search_scope, attrs=["dn"])

Followed by samba-tool dbcheck, run 2 hours after I left, using "sleep" to
give the ldapcmp process time.

This dbcheck was run on both servers and both were counting the same number
of objects before both processes hung. On DC00 the ssh connection was lost,
the VM still running but broken; on DC20 (the FSMO owner) the message should
have been "process stopped" (some "top" command removed this message :/).

I'll continue to play with these two DCs and be back later to tell how
things went.

Cheers,

mathias


2015-07-24 17:39 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 24/07/15 13:53, mathias dufresne wrote:
>
>> The following commands work on both DC:
>> host -t A <short_hostname_of_other_DC>
>> host -t A <fqdn_hostname_of_other_DC>
>>
>> hostname and hostname --fqdn are working on both DCs. The simplest way is
>> to not declare the external IP in /etc/hosts.
>>
>>
>> SRV DNS entries which are working are:
>> host -t SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.domain.tld
>> host -t SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.domain.tld
>>
>> host -t SRV _kerberos._tcp.ad.domain.tld
>> host -t SRV _ldap._tcp.ad.domain.tld
>>
>> host -t SRV _ldap._tcp.e34d77b4-ff44-49fc-b29c-5373ecb0538a.domains._msdcs.ad.domain.tld
>> No _kerberos defined there.
>>
>> All of them return both DC FQDN.
>>
>> In a (kind of) DNS OU named _tcp in _sites.ad.domain.tld there are 4 kinds
>> of entries:
>> _ldap
>> _kerberos
>> _kpasswd
>> _gc
>>
>> While in other _tcp containers there are fewer entries (missing _kpasswd,
>> missing _kpasswd and _gc, or missing _kpasswd, _kerberos and _gc).
>>
>> This was for direct search zone.
>>
>> For condiftional redir and inverted search zone (rough translation) I
>> have no entry at all.
>>
>>
> not sure what you mean by 'condiftional redir' but I think 'inverted
> search zone' is bad English for 'reverse zone' :-)
>
> If so, you need to create this, it is not created automatically:
>
> samba-tool dns zonecreate dc1.example.com 0.168.192.in-addr.arpa
>
> Where 'dc1.example.com' is the FQDN of the first DC and the network is
> 192.168.0.0/24, from this you get the 0.168.192.
>
>
> Rowland
>
>
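As an added example (not code from the thread or from Samba), the mapping Rowland describes, network to in-addr.arpa zone name, generalised to /8 and /16 boundaries and turned into the zonecreate invocation; `dc1.example.com` and the user name are illustrative, and the function rejects networks that do not sit on an octet boundary rather than creating a zone that covers the wrong address space.

```python
import ipaddress

# Added example, not from the thread: derive the in-addr.arpa zone that
# "samba-tool dns zonecreate" expects from a CIDR network, the way the
# reply derives 0.168.192.in-addr.arpa from 192.168.0.0/24.


def reverse_zone_name(cidr):
    """Return the in-addr.arpa zone covering the IPv4 network `cidr`.

    Only /8, /16 and /24 networks map onto a single in-addr.arpa label
    boundary; anything else (or an address with host bits set) raises
    ValueError so the caller never creates a zone that silently covers
    too much or too little address space.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # host bits set -> ValueError
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("need an IPv4 network on an octet boundary: %s" % cidr)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def zonecreate_command(dc_fqdn, cidr, user="administrator"):
    """Build the samba-tool argv for the reverse zone of `cidr` on `dc_fqdn`."""
    return ["samba-tool", "dns", "zonecreate", dc_fqdn,
            reverse_zone_name(cidr), "-U" + user]


if __name__ == "__main__":
    # The two networks discussed in the thread (names as used there).
    for dc, cidr in (("dc1.example.com", "192.168.0.0/24"),
                     ("dc20.ad.domain.tld", "10.0.0.0/24")):
        print(" ".join(zonecreate_command(dc, cidr)))
```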
