[Samba] Problems with 2 DCs.

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 3 07:33:17 MST 2015


On 03/03/15 14:24, Jean-François Morcillo wrote:
> On 02/03/2015 19:44, Rowland Penny wrote:
>> On 02/03/15 18:12, Jean-François Morcillo wrote:
>>> On 02/03/2015 12:58, Rowland Penny wrote:
>>>> On 02/03/15 11:02, Jean-François Morcillo wrote:
>>>>> On 06/02/2015 17:49, Marc Muehlfeld wrote:
>>>>>> Hello Jean-François,
>>>>>>
>>>>>> On 04.02.2015 at 17:51, Jean-François Morcillo wrote:
>>>>>>> Troubles come into the place when I try to create a user on the 2nd
>>>>>>> DC,
>>>>>>> I get the following error message:
>>>>>>> samba-tool user create usr1 usr1
>>>>>>> ERROR(ldb): Failed to add user 'usr1':  -
>>>>>>> ../source4/dsdb/samdb/ldb_modules/ridalloc.c:547: No RID Set DN -
>>>>>>> Remote
>>>>>>> RID Set creation needed
>>>>>> This sounds like your DC didn't get a RID pool assigned from the
>>>>>> RID
>>>>>> master. See
>>>>>> https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_%28FSMO%29_roles#RID_Master
>>>>>>
>>>>>>
>>>>>> for details.
>>>>>>
>>>>>> If you just have two DCs in your domain, then the first one has this
>>>>>> role, if you haven't transferred it.
>>>>>>
>>>>>> Did you have more DCs in the past and maybe haven't demoted correctly
>>>>>> and
>>>>>> the AD still thinks one of the missing DCs is RID master?
>>>>>>
>>>>>> Please check, which DC owns the RID master role:
>>>>>> # samba-tool fsmo show
>>>>>>
>>>>>>
>>>>>>
>>>>>>> More over, new users created on the first DC are never synced to the
>>>>>>> second one.
>>>>>> Does your replication work in both directions? Check with
>>>>>> # samba-tool drs showrepl
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Marc
>>>>>>
>>>>>>
>>>>> Hello,
>>>>>
>>>>> Just for information, if someone faces the same issue, the problem was
>>>>> due to the way we manage the DNS (manually).
>>>>> As far as I understand, for the purpose of synchronization, samba
>>>>> contacts the first DC using an alias (which looks like a UUID,
>>>>> this can
>>>>> be seen in samba.log) and we were lacking this alias in our DNS.
>>>>>
>>>>> Anyway, thank you for your reply.
>>>>>
>>>> Hi, can you share with us just how you were managing DNS and what you
>>>> are doing now.
>>>>
>>>> Rowland
>>>>
>>> Hello,
>>>
>>> DNS is not managed in any way by samba.
>>> The DNS on both DCs is bind; their configuration is managed by an
>>> in-house tool (which also does the synchronization of the DNS database).
>>> This tool reads the samba database and fetches information about the DCs
>>> (filter is
>>> '(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer))')
>>>
>>> In the servicePrincipalName attribute, it gets the value that starts with
>>> 'ldap/' and ends with '_msdcs.<realm>'
>>> then it adds an alias with this "UUID" in the DNS database.
>>> That's basically how I solved my issue. It's a little bit «hacky» but it
>>> works and it is supposed to be simplified in the near future.
>>>
>>>
>> If you are running samba4 in AD DC mode, you need to use either the
>> internal DNS server or a bind9 DNS server running on the server, why
>> are you jumping through hoops to get something that is clearly not
>> working ????
>>
>> That will only get records for DCs and it sounds like incorrect
>> records at that.
>>
>> You need records in AD like this (this is a computer) :
>>
>> dn:
>> DC=ThinkPad,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20140812120544.0Z
>> uSNCreated: 3780
>> showInAdvancedViewOnly: TRUE
>> name: ThinkPad
>> objectGUID: 66cce7bf-5d9c-445d-bb44-73caac0d7966
>> objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=example,DC=com
>> dc: ThinkPad
>> whenChanged: 20150302182424.0Z
>> dnsRecord:: BAABAAXwAABIAAAAAAAOEAAAAACiZTcAwKgA1w==
>> uSNChanged: 28272
>> distinguishedName:
>> DC=ThinkPad,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,D
>>   C=example,DC=com
>>
>> Rowland
>>
> Hello,
>
> Thank you for that advice.
> Please, consider that this is a work in progress. *For the moment*,
> bind9 is installed on the same server as samba but not managed by samba
> and I'm asked to make them work together even if that does not sound
> like the best choice.
> I hope to switch to the BIND9_DLZ backend soon.
>
> Regards,
>

No problem, would it help if I told you that I run a samba 4 DC with 
bind9 DLZ and DHCP all on the same PC.

Please drop your inelegant setup and move to BIND9_DLZ as soon as possible.

Rowland
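An added example, not part of the thread: the `dnsRecord` attribute Rowland quoted on the ThinkPad dnsNode is a base64 DNS_RPC_RECORD blob (MS-DNSP), so an administrator verifying what the AD-integrated zone really contains can decode it rather than guess. The decoder below parses the value from the thread and handles A and CNAME data (CNAME is what the `<GUID>._msdcs.<realm>` alias from this thread would be); the `build_*` helpers and the `dc1.example.com` round-trip value are constructed here for illustration.

```python
import base64
import struct
from ipaddress import IPv4Address

# dnsRecord value copied from the ThinkPad dnsNode object quoted in this thread
DNSRECORD_B64 = "BAABAAXwAABIAAAAAAAOEAAAAACiZTcAwKgA1w=="

# DNS_RPC_RECORD header (MS-DNSP 2.3.2.2): DataLength, Type, Version, Rank,
# Flags, Serial, TtlSeconds, Reserved, TimeStamp = 24 bytes, little-endian
# except TtlSeconds, which is stored big-endian and is re-read separately.
HEADER = struct.Struct("<HHBBHIIII")
RECORD_TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}

def parse_count_name(data):
    """DNS_COUNT_NAME: total length, label count, then length-prefixed
    labels terminated by a zero byte (used by CNAME/NS/SRV targets)."""
    label_count, pos, labels = data[1], 2, []
    for _ in range(label_count):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + "."

def parse_dns_record(b64):
    raw = base64.b64decode(b64)
    (data_len, rtype, _version, rank, _flags, serial,
     _ttl_le, _reserved, timestamp) = HEADER.unpack_from(raw, 0)
    ttl = struct.unpack_from(">I", raw, 12)[0]   # big-endian field
    data = raw[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("truncated dnsRecord")
    rec = {"type": RECORD_TYPES.get(rtype, rtype), "ttl": ttl,
           "serial": serial, "rank": rank, "timestamp_hours": timestamp}
    if rtype == 1:                       # A: 4 bytes, network order
        rec["data"] = str(IPv4Address(data))
    elif rtype == 5:                     # CNAME: DNS_COUNT_NAME
        rec["data"] = parse_count_name(data)
    else:
        rec["data"] = data.hex()
    return rec

def build_count_name(fqdn):
    labels = [l.encode("ascii") for l in fqdn.rstrip(".").split(".")]
    body = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return bytes([len(body) + 1, len(labels)]) + body   # len counts count byte

def build_dns_record(rtype, data, ttl, serial, timestamp=0):
    """Constructed encoder (version 5, RANK_ZONE) for round-trip checks."""
    hdr = HEADER.pack(len(data), rtype, 5, 0xF0, 0, serial, 0, 0, timestamp)
    hdr = hdr[:12] + struct.pack(">I", ttl) + hdr[16:]
    return base64.b64encode(hdr + data).decode("ascii")
```

Run against the thread's value, the blob decodes to an A record for 192.168.0.215 with TTL 3600 and serial 72, which is what a DC host entry in DomainDnsZones should look like.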
