[Samba] Bind9 Flat to Bind9 DLZ

Rowland Penny rowlandpenny at googlemail.com
Wed Mar 25 11:12:11 MDT 2015


On 25/03/15 16:50, VIKAS wrote:
> Hi Team,
>
>   Samba Version = 4.2
>
> Bind = 9.10 with dlz
>
>
>   Not able to view replication. (samba-tool drs showrepl)
>
>
>   [root@dc2]# samba-tool drs showrepl (I want to highlight the name which is
> used to connect)
>
> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
> *dc2.ik.lan.mum* failed - drsException: DRS connection to dc2.ik.lan.mum
> failed: (-1073741772, 'The object name is not found.')
>
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/drs.py",
> line 39, in drsuapi_connect
>
> (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
> drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
>
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/drs_utils.py",
> line 54, in drsuapi_connect
>
> raise drsException("DRS connection to %s failed: %s" % (server, e))
>
>
>
>   While provisioning I used Bind9_FLAT on the DC and everything was working fine.
>
>
>   Created an additional Domain Server and tried to join, but it gave an error.
>
>
>   [root@dc2]# samba-tool domain join ik.lan.mum DC -Uadministrator
> --realm=ik.lan.mum --dns-backend=*BIND9_FLAT*
>
> Usage: samba-tool domain join <dnsdomain> [DC|RODC|MEMBER|SUBDOMAIN]
> [options]
>
>   samba-tool domain join: error: option --dns-backend: invalid choice:
> 'BIND9_FLAT' (choose from 'SAMBA_INTERNAL', 'BIND9_DLZ', 'NONE')
>
>   [root@dc2]# samba-tool domain join ik.lan.mum DC -Uadministrator
> --realm=ik.lan.mum --dns-backend=BIND9_DLZ
>
> Finding a writeable DC for domain 'ik.lan.mum'
>
> Found DC dc1.ik.lan.mum
>
> Password for [WORKGROUP\administrator]:
>
> NO DNS zone information found in source domain, not replicating DNS
>
> workgroup is IK.LAN
>
> realm is ik.lan.mum
>
> checking sAMAccountName
>
> Adding CN=DC2,OU=Domain Controllers,DC=ik,DC=lan,DC=mum
>
> Adding
> CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ik,DC=lan,DC=mum
>
>
> Adding CN=NTDS
> Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ik,DC=lan,DC=mum
>
>
> Adding SPNs to CN=DC2,OU=Domain Controllers,DC=ik,DC=lan,DC=mum
>
> Setting account password for DC2$
>
> Enabling account
>
> Calling bare provision
>
> Looking up IPv4 addresses
>
> Looking up IPv6 addresses
>
> No IPv6 address will be assigned
>
> Setting up share.ldb
>
> Setting up secrets.ldb
>
> Setting up the registry
>
> Setting up the privileges database
>
> Setting up idmap db
>
> Setting up SAM db
>
> Setting up sam.ldb partitions and settings
>
> Setting up sam.ldb rootDSE
>
> Pre-loading the Samba 4 and AD schema
>
> A Kerberos configuration suitable for Samba 4 has been generated at
> /usr/local/samba/private/krb5.conf
>
> Provision OK for domain DN DC=ik,DC=lan,DC=mum
>
> Starting replication
>
> Schema-DN[CN=Schema,CN=Configuration,DC=ik,DC=lan,DC=mum] objects[402/1550]
> linked_values[0/0]
>
> Schema-DN[CN=Schema,CN=Configuration,DC=ik,DC=lan,DC=mum] objects[804/1550]
> linked_values[0/0]
>
> Schema-DN[CN=Schema,CN=Configuration,DC=ik,DC=lan,DC=mum]
> objects[1206/1550] linked_values[0/0]
>
> Schema-DN[CN=Schema,CN=Configuration,DC=ik,DC=lan,DC=mum]
> objects[1550/1550] linked_values[0/0]
>
> Analyze and apply schema objects
>
> Partition[CN=Configuration,DC=ik,DC=lan,DC=mum] objects[402/1612]
> linked_values[0/0]
>
> Partition[CN=Configuration,DC=ik,DC=lan,DC=mum] objects[804/1612]
> linked_values[0/0]
>
> Partition[CN=Configuration,DC=ik,DC=lan,DC=mum] objects[1206/1612]
> linked_values[0/0]
>
> Partition[CN=Configuration,DC=ik,DC=lan,DC=mum] objects[1608/1612]
> linked_values[0/0]
>
> Partition[CN=Configuration,DC=ik,DC=lan,DC=mum] objects[1612/1612]
> linked_values[20/0]
>
> Replicating critical objects from the base DN of the domain
>
> Partition[DC=ik,DC=lan,DC=mum] objects[98/98] linked_values[23/0]
>
> Partition[DC=ik,DC=lan,DC=mum] objects[376/278] linked_values[23/0]
>
> Done with always replicated NC (base, config, schema)
>
> Committing SAM database
>
> Sending DsReplicaUpdateRefs for all the replicated partitions
>
> Setting isSynchronized and dsServiceName
>
> Setting up secrets database
>
> Joined domain IK.LAN (SID S-1-5-21-3947581883-4033758009-2802199242) as a
> DC
>
> [root@dc2]# echo $?
>
> 0
>
>
>   [root@dc1 ~]# samba_upgradedns --dns-backend=BIND9_DLZ -d 2
>
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>
> Reading domain information
>
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>
> DNS accounts already exist
>
> No zone file /usr/local/samba/private/dns/IK.LAN.MUM.zone
>
> DNS records will be automatically created
>
> DNS partitions already exist
>
> dns-dc1 account already exists
>
> See /usr/local/samba/private/named.conf for an example configuration
> include file for BIND
>
> and /usr/local/samba/private/named.txt for further documentation required
> for secure DNS updates
>
> Finished upgrading DNS
>
>
>   *After that upgraded the dns on DC1*
>
>
>   [root@dc1 ~]# samba_upgradedns --dns-backend=BIND9_DLZ -d 2
>
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>
> Reading domain information
>
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>
> DNS accounts already exist
>
> No zone file /usr/local/samba/private/dns/IK.LAN.MUM.zone
>
> DNS records will be automatically created
>
> DNS partitions already exist
>
> dns-dc1 account already exists
>
> See /usr/local/samba/private/named.conf for an example configuration
> include file for BIND
>
> and /usr/local/samba/private/named.txt for further documentation required
> for secure DNS updates
>
> Finished upgrading DNS
>
>
>   *Then I tried to join the domain again using BIND9_DLZ (got success)*
>
>
>   [root@dc2]# samba-tool domain join ik.lan.mum DC -Uadministrator
> --realm=ik.lan.mum --dns-backend=BIND9_DLZ
>
> Finding a writeable DC for domain 'ik.lan.mum'
>
> Found DC dc1.ik.lan.mum
>
> Password for [IK.LAN\administrator]:
>
> workgroup is IK.LAN
>
> realm is ik.lan.mum
>
> checking sAMAccountName
>
> Deleted CN=DC2,OU=Domain Controllers,DC=ik,DC=lan,DC=mum
>
> Deleted CN=NTDS
> Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ik,DC=lan,DC=mum
>
>
> Deleted
> CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ik,DC=lan,DC=mum
>
>
> Adding CN=DC2,OU=Domain Controllers,DC=ik,DC=lan,DC=mum
>
> Adding
> CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ik,DC=lan,DC=mum
>
>
> Adding CN=NTDS
> Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ik,DC=lan,DC=mum
>
>
> Adding SPNs to CN=DC2,OU=Domain Controllers,DC=ik,DC=lan,DC=mum
>
> Setting account password for DC2$
>
> Enabling account
>
> Adding DNS account CN=dns-DC2,CN=Users,DC=ik,DC=lan,DC=mum with dns/ SPN
>
> Setting account password for dns-DC2
>
> Calling bare provision
>
> Looking up IPv4 addresses
>
> Looking up IPv6 addresses
>
> No IPv6 address will be assigned
>
> Setting up secrets.ldb
>
> Setting up the registry
>
> Setting up the privileges database
>
> Setting up idmap db
>
> Setting up SAM db
>
> Setting up sam.ldb partitions and settings
>
> Setting up sam.ldb rootDSE
>
> Pre-loading the Samba 4 and AD schema
>
> A Kerberos configuration suitable for Samba 4 has been generated at
> /usr/local/samba/private/krb5.conf
>
> Provision OK for domain DN DC=ik,DC=lan,DC=mum
>
> Starting replication
>
> Schema-DN[CN=Schema,CN=Configuration,DC=ik,DC=lan,DC=mum] objects[402/1550]
> linked_values[0/0]
>
> Schema-DN[CN=Schema,CN=Configuration,DC=ik,DC=lan,DC=mum] objects[804/1550]
> linked_values[0/0]
>
> Schema-DN[CN=Schema,CN=Configuration,DC=ik,DC=lan,DC=mum]
> objects[1206/1550] linked_values[0/0]
>
> Schema-DN[CN=Schema,CN=Configuration,DC=ik,DC=lan,DC=mum]
> objects[1550/1550] linked_values[0/0]
>
> Analyze and apply schema objects
>
> Partition[CN=Configuration,DC=ik,DC=lan,DC=mum] objects[402/1620]
> linked_values[0/0]
>
> Partition[CN=Configuration,DC=ik,DC=lan,DC=mum] objects[804/1620]
> linked_values[0/0]
>
> Partition[CN=Configuration,DC=ik,DC=lan,DC=mum] objects[1206/1620]
> linked_values[0/0]
>
> Partition[CN=Configuration,DC=ik,DC=lan,DC=mum] objects[1608/1620]
> linked_values[0/0]
>
> Partition[CN=Configuration,DC=ik,DC=lan,DC=mum] objects[1620/1620]
> linked_values[28/0]
>
> Replicating critical objects from the base DN of the domain
>
> Partition[DC=ik,DC=lan,DC=mum] objects[98/98] linked_values[23/0]
>
> Partition[DC=ik,DC=lan,DC=mum] objects[379/281] linked_values[23/0]
>
> Done with always replicated NC (base, config, schema)
>
> Replicating DC=DomainDnsZones,DC=ik,DC=lan,DC=mum
>
> Partition[DC=DomainDnsZones,DC=ik,DC=lan,DC=mum] objects[40/40]
> linked_values[0/0]
>
> Replicating DC=ForestDnsZones,DC=ik,DC=lan,DC=mum
>
> Partition[DC=ForestDnsZones,DC=ik,DC=lan,DC=mum] objects[18/18]
> linked_values[0/0]
>
> Committing SAM database
>
> Sending DsReplicaUpdateRefs for all the replicated partitions
>
> Setting isSynchronized and dsServiceName
>
> Setting up secrets database
>
> See /usr/local/samba/private/named.conf for an example configuration
> include file for BIND
>
> and /usr/local/samba/private/named.txt for further documentation required
> for secure DNS updates
>
> Joined domain IK.LAN (SID S-1-5-21-3947581883-4033758009-2802199242) as a
> DC
>
> *I have strictly followed the Samba wiki for joining an additional domain.*
>
> *Right now everything seems to be working: I can authenticate a user with a
> DC down, and creating / modifying a user is replicated immediately.*
>
>
>   Thanks,
>
> Vikas

Welcome to the 'I have found a bug' club :-)

Firstly though, it is 'BIND9_FLATFILE', not 'BIND9_FLAT', not that this
would have helped.

If you run 'samba-tool domain provision --help', amongst the output is
this:

   --dns-backend=NAMESERVER-BACKEND
                         The DNS server backend. SAMBA_INTERNAL is the builtin
                         name server (default), BIND9_FLATFILE uses bind9 text
                         database to store zone information, BIND9_DLZ uses
                         samba4 AD to store zone information, NONE skips the
                         DNS setup entirely (not recommended)

OK, this shows 'BIND9_FLATFILE', but if you run 'samba-tool domain join
--help', you will find this:

   --dns-backend=NAMESERVER-BACKEND
                         The DNS server backend. SAMBA_INTERNAL is the builtin
                         name server (default), BIND9_DLZ uses samba4 AD to
                         store zone information, NONE skips the DNS setup
                         entirely (this DC will not be a DNS server)

Whoops, 'BIND9_FLATFILE' has disappeared.

I wouldn't think that using 'BIND9_FLATFILE' is a good idea; using it
stores the DNS info outside AD, and what isn't in AD cannot be
replicated.

I actually think the bug is that 'samba-tool domain provision' will 
accept 'BIND9_FLATFILE'.

Rowland
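As an added example (not part of this thread and not Samba's own code), the Python script below parses a 'samba-tool domain join' transcript like the two quoted above and reports whether the DomainDnsZones and ForestDnsZones partitions were replicated. That is exactly what separates the first join (source DC still on the flat-file backend, so "NO DNS zone information found in source domain" and no DNS partitions) from the second one after samba_upgradedns to BIND9_DLZ. The two sample transcripts are constructed, abbreviated from the output quoted in the thread; the function names are mine.

```python
import re

# Constructed samples, abbreviated from the two `samba-tool domain join`
# transcripts quoted in the thread. The first join ran while dc1 still used
# the flat-file backend, the second after samba_upgradedns to BIND9_DLZ.
JOIN_BEFORE_UPGRADE = """\
Finding a writeable DC for domain 'ik.lan.mum'
Found DC dc1.ik.lan.mum
NO DNS zone information found in source domain, not replicating DNS
Partition[CN=Configuration,DC=ik,DC=lan,DC=mum] objects[1612/1612] linked_values[20/0]
Partition[DC=ik,DC=lan,DC=mum] objects[376/278] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Joined domain IK.LAN (SID S-1-5-21-3947581883-4033758009-2802199242) as a DC
"""

JOIN_AFTER_UPGRADE = """\
Finding a writeable DC for domain 'ik.lan.mum'
Found DC dc1.ik.lan.mum
Partition[CN=Configuration,DC=ik,DC=lan,DC=mum] objects[1620/1620] linked_values[28/0]
Partition[DC=ik,DC=lan,DC=mum] objects[379/281] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=ik,DC=lan,DC=mum
Partition[DC=DomainDnsZones,DC=ik,DC=lan,DC=mum] objects[40/40] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=ik,DC=lan,DC=mum
Partition[DC=ForestDnsZones,DC=ik,DC=lan,DC=mum] objects[18/18] linked_values[0/0]
Joined domain IK.LAN (SID S-1-5-21-3947581883-4033758009-2802199242) as a DC
"""

# The two AD application partitions that hold AD-integrated DNS zones.
DNS_PARTITIONS = ("DomainDnsZones", "ForestDnsZones")

PARTITION_RE = re.compile(
    r"^Partition\[(?P<dn>[^\]]+)\] objects\[(?P<done>\d+)/(?P<total>\d+)\]"
)
JOINED_RE = re.compile(
    r"^Joined domain (?P<workgroup>\S+) \(SID (?P<sid>S-[\d-]+)\) as a DC"
)


def first_rdn_value(dn):
    """'DC=DomainDnsZones,DC=ik,DC=lan,DC=mum' -> 'DomainDnsZones'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def analyse_join_output(text):
    """Extract join result, SID and per-partition object counts from a transcript."""
    report = {
        "joined": False,
        "workgroup": None,
        "sid": None,
        "dns_skipped": False,  # set when the "NO DNS zone information" warning appears
        "partitions": {},      # first RDN value -> (objects done, objects total)
    }
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("NO DNS zone information found"):
            report["dns_skipped"] = True
            continue
        m = PARTITION_RE.match(line)
        if m:
            # Progress lines repeat per partition; the last one carries the final count.
            report["partitions"][first_rdn_value(m["dn"])] = (int(m["done"]), int(m["total"]))
            continue
        m = JOINED_RE.match(line)
        if m:
            report["joined"] = True
            report["workgroup"] = m["workgroup"]
            report["sid"] = m["sid"]
    return report


def dns_zones_in_ad(report):
    """True only when both DNS application partitions were replicated to the new DC."""
    return all(name in report["partitions"] for name in DNS_PARTITIONS)


def findings(report):
    """Things an admin should look at after the join; empty list means all good."""
    out = []
    if not report["joined"]:
        out.append("join did not report success")
    if report["dns_skipped"]:
        out.append("source DC holds no DNS zones in AD (flat-file or NONE backend?)")
    for name in DNS_PARTITIONS:
        if name not in report["partitions"]:
            out.append("%s was not replicated; this DC cannot serve AD-integrated DNS" % name)
    return out


if __name__ == "__main__":
    for label, sample in (("before upgrade", JOIN_BEFORE_UPGRADE),
                          ("after upgrade", JOIN_AFTER_UPGRADE)):
        rep = analyse_join_output(sample)
        print("%s: joined=%s dns_in_ad=%s" % (label, rep["joined"], dns_zones_in_ad(rep)))
        for f in findings(rep):
            print("  - " + f)
```

Pipe a real join transcript into analyse_join_output() and a clean findings() list confirms the DNS partitions came across; the "NO DNS zone information" finding is the tell that the source DC keeps its zones outside AD, which is Rowland's point about the flat-file backend.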



