[Samba] bind fails to start w/missing records

Rowland Penny rowlandpenny at googlemail.com
Sun May 10 09:31:00 MDT 2015 

On 10/05/15 16:08, Steve Thompson wrote:
> Roland,
>
> Thank you very much for your attention to this. You should get a medal 
> for all the help you give everyone on this list.
>
> On Sun, 10 May 2015, Rowland Penny wrote:
>
>> Why ? And why don't they show up when you ask for the zones with 
>> samba-tool ?
>
> I have that many subnets. As for why they don't show up: they are 
> defined in BIND's configuration and not samba's; they never did show 
> up with samba-tool. I wasn't expecting that they should.
>
>> Just check that it isn't just non replicating attributes that are 
>> different.
>
> It looks like a real problem. This is what I get when I compare DC1 
> and DC2 (again, DC1 and DC3 are the same):
>
> * Result for [DOMAIN]: FAILURE
>
> Attributes found only in ldap://baxter:
>
>     isCriticalSystemObject
>     cn
>     ipsecName
>     fSMORoleOwner
>     objectClass
>     ipsecISAKMPReference
>     iPSECNegotiationPolicyAction
>     showInAdvancedViewOnly
>     ipsecFilterReference
>     priorSetTime
>     instanceType
>     ipsecOwnersReference
>     distinguishedName
>     ipsecNFAReference
>     msDS-TombstoneQuotaFactor
>     ipsecData
>     description
>     objectCategory
>     objectGUID
>     whenCreated
>     systemFlags
>     ipsecNegotiationPolicyReference
>     ipsecID
>     lastSetTime
>     iPSECNegotiationPolicyType
>     name
>     memberOf
>     ipsecDataType
>
> * Result for [CONFIGURATION]: FAILURE
>
> Attributes found only in ldap://baxter:
>
>     distinguishedName
>     isCriticalSystemObject
>     name
>     objectCategory
>     objectClass
>     msDS-Behavior-Version
>     description
>     msDS-TombstoneQuotaFactor
>     objectGUID
>     showInAdvancedViewOnly
>     systemFlags
>     whenCreated
>     fSMORoleOwner
>     instanceType
>     cn
>
> * Result for [DNSDOMAIN]: FAILURE
>
> Attributes found only in ldap://baxter:
>
>     distinguishedName
>     isCriticalSystemObject
>     cn
>     objectCategory
>     objectClass
>     objectGUID
>     whenCreated
>     showInAdvancedViewOnly
>     systemFlags
>     instanceType
>     name
>
> * Result for [DNSFOREST]: FAILURE
>
> Attributes found only in ldap://baxter:
>
>     distinguishedName
>     isCriticalSystemObject
>     cn
>     objectCategory
>     objectClass
>     objectGUID
>     whenCreated
>     showInAdvancedViewOnly
>     systemFlags
>     instanceType
>     name
>
> and everything else is in order. "samba-tool drs showrepl" shows no 
> problems.
>

You definitely seem to have problems there.

>> Check your FSMO roles.
>
> I've done that; this appears to be in order (DC1 = baxter):
>
> InfrastructureMasterRole owner: CN=NTDS 
> Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> RidAllocationMasterRole owner: CN=NTDS 
> Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> PdcEmulationMasterRole owner: CN=NTDS 
> Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> DomainNamingMasterRole owner: CN=NTDS 
> Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> SchemaMasterRole owner: CN=NTDS 
> Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
>
> -Steve

You do know that there are 7 (yes seven) fsmoroles ?

Have you got:

CN=Infrastructure,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
CN=Infrastructure,DC=ForestDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu

There should be a 'fSMORoleOwner' attribute in each record.

Rowland

More information about the samba mailing list