[Samba] 4.2.2 as AD with 2 DCs: database incoherency

mathias dufresne infractory at gmail.com
Thu Jul 30 09:29:46 UTC 2015


Hi all,

So I copied the $sambadir/private/sam.ldb.d/DC=SAMBA,DC=DOMAIN,DC=TLD.ldb file
from one DC (the FSMO owner) to the other one a few days ago and there was no issue
after restarting both Samba services.

Then I started deleting objects on one DC (the FSMO owner) to check if
these changes would be replicated: they were. Now both databases are
coherent.

I was told (somewhere other than here) that databases differ between DCs and so
we just can't copy a database from one DC to another. I'm glad this was not
true :)

I expect it is not possible to do that with all DB files, at least not
with all files in $sambadir/private.

Is there an *official* point of view regarding that manoeuvre?

Regarding ldapcmp, which was not working: it is still not working, but I have
not yet fully checked the whole DNS configuration.

I'll be back later once, I hope, that is solved.

Cheers,

mathias


2015-07-27 14:45 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Thank you Rowland for this.
>
> I tried using Sernet's Samba 4.2.2 and failed:
>
> All the following commands were run on DC20
>
> samba-tool dns zonecreate dc20.ad.domain.tld 0.0.10.in-addr.arpa
> Password for [administrator at AD.DOMAIN.TLD]:
> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
> ncacn_ip_tcp:10.0.0.221[1024,sign,target_hostname=dc20.ad.domain.tld,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=10.0.0.221]
> NT_STATUS_IO_TIMEOUT
> ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The
> specified I/O operation on %hs was not completed before the time-out period
> expired.')
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line
> 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 850,
> in run
>     dns_conn = dns_connect(server, self.lp, self.creds)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 40,
> in dns_connect
>     dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
>
> samba-tool dns zonelist dc20
> Password for [administrator at AD.DOMAIN.TLD]:
> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
> ncacn_ip_tcp:10.0.0.221[1024,sign,target_hostname=dc20,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fdlocaladdress=10.0.0.221]
> NT_STATUS_IO_TIMEOUT
> ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The
> specified I/O operation on %hs was not completed before the time-out period
> expired.')
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line
> 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 809,
> in run
>     dns_conn = dns_connect(server, self.lp, self.creds)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 40,
> in dns_connect
>     dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
>
> After upgrading to 4.2.3:
>
> kinit administrator
> Password for administrator at AD.DOMAIN.TLD:
> Warning: Your password will expire in 38 days on Thu Sep  3 15:16:54 2015
>
> samba-tool dns zonecreate dc20.ad.domain.tld 0.0.10.in-addr.arpa
> Zone 0.0.10.in-addr.arpa created successfully
>
> ------------------------------------
> On the second DC, namely DC00:
>
> samba-tool dns zonecreate dc00.ad.domain.tld 0.0.10.in-addr.arpa
> -Uadministrator
> ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The
> specified I/O operation on %hs was not completed before the time-out period
> expired.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 850,
> in run
>     dns_conn = dns_connect(server, self.lp, self.creds)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 40, in
> dns_connect
>     dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
>
> ----------------------------------------------------------------
>
>   So zone creation worked after upgrading to Samba4 4.2.3. I haven't yet
> filled that zone but I ran:
> samba-tool ldapcmp ldap://DC00.ad.domain.tld ldap://DC20.ad.domain.tld
> -Uadministrator
> on DC00, just to see if the previous errors were also solved after the upgrade.
>
> Regarding the initial issue, which was database incoherency, I copied
> /var/lib/samba/private/sam.ldb.d/DC=AD,DC=DOMAIN,DC=TLD from DC20 to DC00
> (with both Samba services stopped) to see if this could be achieved and used
> as a quick answer to the incoherency issue. The idea was that all DCs should have
> the same database, so let's push the database (piggy work, often efficient...).
> Then I ran some ldapcmp before leaving for the weekend:
>
> samba-tool ldapcmp ldap://dc00.ad.domain.tld ldap://dc20.ad.domain.tld
> domain
>
> * Comparing [DOMAIN] context...
> Failed search of base=DC=ad,DC=domain,DC=tld
> ERROR(ldb): uncaught exception - LDAP client internal error:
> NT_STATUS_UNEXPECTED_NETWORK_ERROR
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line
> 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
> 979, in run
>     outf=self.outf, errf=self.errf)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
> 698, in __init__
>     self.dn_list = self.get_dn_list(context)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line
> 841, in get_dn_list
>     res = self.con.ldb.search(base=self.search_base,
> scope=self.search_scope, attrs=["dn"])
>
> Followed by samba-tool dbcheck, run 2 hours after I left, using "sleep" to
> give time to the ldapcmp process.
>
> This dbcheck was run on both servers and both were counting the same number of
> objects before both processes hung. On DC00 the ssh connection was lost, the
> VM still running but broken; on DC20 (the FSMO owner) the message should
> have been "process stopped" (some "top" command removed this message :/).
>
> I'll continue to play with these two DCs and be back later to tell how
> things went.
>
> Cheers,
>
> mathias
>
>
>
> 2015-07-24 17:39 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 24/07/15 13:53, mathias dufresne wrote:
>>
>>> The following commands work on both DCs:
>>> host -t A <short_hostname_of_other_DC>
>>> host -t A <fqdn_hostname_of_other_DC>
>>>
>>> hostname and hostname --fqdn are working on both DCs. The simplest way is
>>> to not declare the external IP in /etc/hosts
>>>
>>>
>>> SRV DNS entries which are working are:
>>> host -t SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.domain.tld
>>> host -t SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.domain.tld
>>>
>>> host -t SRV _kerberos._tcp.ad.domain.tld
>>> host -t SRV _ldap._tcp.ad.domain.tld
>>>
>>> host -t SRV _kerberos._tcp.ad.domain.tld
>>> host -t SRV _ldap._tcp.ad.domain.tld
>>>
>>> host -t SRV _ldap._tcp.e34d77b4-ff44-49fc-b29c-5373ecb0538a.domains._msdcs.ad.domain.tld
>>> No _kerberos defined there.
>>>
>>> All of them return both DC FQDNs.
>>>
>>> In the (kind of) DNS OU named _tcp in _sites.ad.domain.tld there are 4 kinds
>>> of entries:
>>> _ldap
>>> _kerberos
>>> _kpasswd
>>> _gc
>>>
>>> Whereas in the other _tcp containers there are fewer entries (missing _kpasswd,
>>> missing _kpasswd and _gc, or missing _kpasswd, _kerberos and _gc).
>>>
>>> This was for direct search zone.
>>>
>>> For condiftional redir and inverted search zone (rough translation) I
>>> have no entry at all.
>>>
>>>
>> not sure what you mean by 'condiftional redir' but I think 'inverted
>> search zone' is bad English for 'reverse zone' :-)
>>
>> If so, you need to create this, it is not created automatically:
>>
>> samba-tool dns zonecreate dc1.example.com 0.168.192.in-addr.arpa
>>
>> Where 'dc1.example.com' is the FQDN of the first DC and the network is
>> 192.168.0.0/24, from this you get the 0.168.192.
>>
>>
>> Rowland
>>
>>
>>
>
>

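The two checks this thread keeps circling back to, whether the in-addr.arpa name handed to `samba-tool dns zonecreate` was derived correctly from the network, and whether every AD SRV record lists both DCs before trusting ldapcmp or dbcheck, as an added shell example. This is not code from the thread or from Samba's own tooling; the realm, DC names and network are assumptions. `reverse_zone` and `srv_names` are pure and run offline; `check_srv` and `check_repl` call `host` and `samba-tool` and only make sense on a live DC.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): sanity checks for a
# two-DC Samba AD domain. Realm, DC names and network below are assumptions.
#
#   sh dc_check.sh ad.domain.tld dc00.ad.domain.tld dc20.ad.domain.tld 10.0.0.0/24
#
# Only reverse_zone and srv_names are pure functions; check_srv and check_repl
# need 'host' and 'samba-tool' on PATH and must run on a DC.

# reverse_zone NETWORK/PREFIX -> in-addr.arpa zone name, e.g.
#   192.168.0.0/24 -> 0.168.192.in-addr.arpa   (the example in Rowland's reply)
#   10.0.0.0/24    -> 0.0.10.in-addr.arpa
# The zone name is built on an octet boundary, so only /8, /16 and /24 are
# accepted; any other prefix is an error rather than a guess.
reverse_zone() {
    net=${1%/*}
    plen=${1#*/}
    oldifs=$IFS
    IFS=.
    set -- $net          # intentionally unquoted: split the address on '.'
    IFS=$oldifs
    case "$plen" in
        8)  echo "$1.in-addr.arpa" ;;
        16) echo "$2.$1.in-addr.arpa" ;;
        24) echo "$3.$2.$1.in-addr.arpa" ;;
        *)  echo "reverse_zone: only /8, /16 and /24 are supported, got '/$plen'" >&2
            return 1 ;;
    esac
}

# srv_names REALM [SITE] -> the SRV records every DC in the domain should be
# listed in: the four plain _tcp services, the dc._msdcs pair, and the
# site-specific pair the original post queried.
srv_names() {
    realm=$1
    site=${2:-Default-First-Site-Name}
    for svc in _ldap _kerberos _kpasswd _gc; do
        echo "$svc._tcp.$realm"
    done
    echo "_ldap._tcp.dc._msdcs.$realm"
    echo "_kerberos._tcp.dc._msdcs.$realm"
    echo "_ldap._tcp.$site._sites.dc._msdcs.$realm"
    echo "_kerberos._tcp.$site._sites.dc._msdcs.$realm"
}

# check_srv REALM DC_FQDN... -> 0 if every SRV name above lists every DC given,
# 1 otherwise (each gap is printed). A DC missing from these records is one
# that clients and samba-tool will never be directed to.
check_srv() {
    realm=$1; shift
    rc=0
    for name in $(srv_names "$realm"); do
        answer=$(host -t SRV "$name" 2>&1)
        for dc in "$@"; do
            case "$answer" in
                *"$dc"*) ;;
                *) echo "MISSING: $name does not list $dc" >&2; rc=1 ;;
            esac
        done
    done
    return $rc
}

# check_repl DC1_FQDN DC2_FQDN -> replication state as seen from the local DC,
# then an ldapcmp of the domain partition between the two DCs. ldapcmp is the
# direct test of whether both databases hold the same objects; copying
# sam.ldb.d files between DCs, as in the thread, gives no such guarantee.
check_repl() {
    samba-tool drs showrepl || return 1
    samba-tool ldapcmp "ldap://$1" "ldap://$2" domain
}

main() {
    realm=$1; dc1=$2; dc2=$3; network=$4
    zone=$(reverse_zone "$network") || return 1
    echo "Reverse zone for $network: $zone"
    echo "Create it once, on one DC, with:"
    echo "  samba-tool dns zonecreate $dc1 $zone -U administrator"
    check_srv "$realm" "$dc1" "$dc2"
    check_repl "$dc1" "$dc2"
}

# Run the checks only when invoked with arguments; sourcing the file just
# defines the functions.
[ $# -lt 4 ] || main "$@"
```

Run it on the DC whose replication you are questioning; the SRV check fails loudly when a record lists only one DC, which is the situation in which `samba-tool dns` and `ldapcmp` pick a server that then times out.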
