[Samba] Domain join failure - error during DRS repl ADD: No objectClass found in replPropertyMetaData
Rowland Penny
rowlandpenny241155 at gmail.com
Mon Nov 23 09:58:12 UTC 2015
On 23/11/15 00:09, Matthew Delfino wrote:
>
> On 2015.11.22, at 4:43 PM, Matthew Delfino
> <mdelfino.list.samba at KNOCKinc.com> wrote:
>
>>
>> On 2015.11.22, at 2:27 PM, Rowland Penny
>> <rowlandpenny241155 at gmail.com> wrote:
>>
>>> On 22/11/15 19:49, Matthew Delfino wrote:
>>>> I have 3 domain controllers, running Samba 4.1.6 on Ubuntu 14.04.3
>>>> LTS in a VMware virtual machine (part of the package install
>>>> available from the "apt-get install samba" command). My approach
>>>> was to do a non-FSMO first, the other non-FSMO second, then the
>>>> FSMO last.
>>>>
>>>> I started by shutting down all of these three VMs and doing a snapshot.
>>>>
>>>> Next, I needed to backup the files and purge the system of all
>>>> traces of Samba:
>>>>
>>>> sudo -s
>>>> service samba stop
>>>> service samba-ad-dc stop
>>>> service nmbd stop
>>>>
>>>> cp -Rp /etc/samba/*
>>>> /root/backup_queue/2015.11.22-SAMBA/root/etc/samba/.
>>>> cp -Rp /var/lib/samba/*
>>>> /root/backup_queue/2015.11.22-SAMBA/root/var/lib/samba/.
>>>>
>>>> apt-get purge ^samba.*
>>>>
>>>> Then, I download all the important packages for compiling from
>>>> source on Ubuntu:
>>>>
>>>> apt-get install acl attr autoconf bison build-essential debhelper
>>>> dnsutils docbook-xml docbook-xsl flex gdb krb5-user libacl1-dev
>>>> libaio-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev
>>>> libgnutls28-dev libjson-perl libldap2-dev libncurses5-dev
>>>> libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev perl
>>>> perl-modules pkg-config python-all-dev python-dev python-dnspython
>>>> python-crypto xsltproc zlib1g-dev
>>>>
>>>> And don’t forget to exit because you don’t want to be root for the
>>>> next commands:
>>>>
>>>> exit
>>>>
>>>> Prepare for, download and unpack the source:
>>>>
>>>> mkdir source
>>>> cd source
>>>> wget https://download.samba.org/pub/samba/stable/samba-4.3.1.tar.gz
>>>> tar -zxf samba-4.3.1.tar.gz
>>>>
>>>> Configure and compile (compiles always took, like 15 minutes on my
>>>> system):
>>>>
>>>> cd samba-4.3.1/
>>>> ./configure --enable-fhs --prefix=/usr --sysconfdir=/etc
>>>> --localstatedir=/var --enable-debug
>>>> make
>>>>
>>>> Install it:
>>>>
>>>> sudo -s
>>>> make install
>>>>
>>>> Recover from those backups:
>>>>
>>>> cp -Rp /root/backup_queue/2015.11.22-SAMBA/root/etc/samba/*
>>>> /etc/samba/.
>>>> cp -Rp /root/backup_queue/2015.11.22-SAMBA/root/var/lib/samba/*
>>>> /var/lib/samba/.
>>>>
>>>> Download the upstart conf and init script from samba wiki (as per
>>>> https://wiki.samba.org/index.php/Samba4/InitScript):
>>>>
>>>> wget -O /etc/init/samba-ad-dc.conf
>>>> 'http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=blob_plain;f=debian/samba-ad-dc.upstart;hb=HEAD'
>>>> wget -O /etc/init.d/samba-ad-dc
>>>> 'http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=blob_plain;f=debian/samba.samba-ad-dc.init;h=3132d2e367675f822342a5b7bc2e50c046aa3b8f;hb=HEAD'
>>>> chmod 755 /etc/init.d/samba-ad-dc
>>>> update-rc.d samba-ad-dc defaults
>>>>
>>>> Restart:
>>>>
>>>> shutdown -r now
>>>>
>>>> Log back in at restart. Make sure it’s running:
>>>>
>>>> service samba-ad-dc status
>>>>
>>>> In my case, it was running each time (samba-ad-dc start/running,
>>>> process X). Now it’s time to fix stuff:
>>>>
>>>> sudo samba-tool dbcheck --fix
>>>>
>>>> It found hundreds of issues and fixed them all. Lastly, I went on
>>>> to check all my work:
>>>>
>>>> sudo samba-tool drs showrepl
>>>>
>>>> Says inbound and outbound updates are successful, so looked good….
>>>>
>>>> samba-tool ldapcmp ldap://dc00 ldap://dc01 -Uadministrator
>>>>
>>>> Everything checked out EXCEPT "whenChanged," which was off on
>>>> scores of records. So, to make myself feel better, I did this:
>>>>
>>>> samba-tool ldapcmp --filter="whenChanged" ldap://dc01 ldap://dc00
>>>> -Uadministrator
>>>>
>>>> I have tested the authentication systems on a few services that
>>>> were bound to these DCs and they all work - so far so good on that
>>>> front.
>>>>
>>>> I repeated the above steps for the second non-FSMO DC, then the
>>>> FSMO DC. Every one of them is now on Samba 4.3.1.
>>>>
>>>> But the final test I did, after all the upgrades, was this:
>>>>
>>>> sudo samba-tool fsmo show
>>>>
>>>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>     return self.run(*args, **kwargs)
>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 395, in run
>>>>     domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
>>>>     master_owner = res[0]["fSMORoleOwner"][0]
>>>>
>>>> Which concerns me. What could I do here to get me out of this
>>>> pickle? Do I have to (re)seize FSMO responsibilities? I did run
>>>> this on the DC that was the FSMO before all these shenanigans:
>>>>
>>>> samba-tool fsmo seize --role=all
>>>
>>> Did you just enter 'samba-tool fsmo seize --role=all' ?
>>> If so, you need to add an adminuser & password i.e. -UAdministrator
>>> and then enter the password when prompted.
>>>
>>> Rowland
>>
>> Indeed I did. Hoping you were onto something and this was going to be
>> an easy fix, here’s what I did...
>>
>> samba-tool fsmo seize --role=all -Uadministrator
>>
>> This DC already has the 'rid' FSMO role
>> This DC already has the 'pdc' FSMO role
>> This DC already has the 'naming' FSMO role
>> This DC already has the 'infrastructure' FSMO role
>> This DC already has the 'schema' FSMO role
>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 345, in run
>>     versionopts, force)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 301, in seize_dns_role
>>     master_owner = get_fsmo_roleowner(samdb, m.dn)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
>>     master_owner = res[0]["fSMORoleOwner"][0]
>>
You do need the adminuser and password for the dns fsmo roles, but after
revisiting the python code, I don't think this is your problem. When you
try to show or transfer or seize a role, they all run this:

    res = samdb.search(roledn,
                       scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
    assert len(res) == 1
    master_owner = res[0]["fSMORoleOwner"][0]
    return master_owner

This is where it seems to be choking for you, but only on the DNS fsmo
roles. Can you try running these commands on your DC (as root),
changing them to match your setup:

    ldbsearch -H /usr/local/samba/private/sam.ldb -b "CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com" -s base '(fSMORoleOwner=*)' fSMORoleOwner

    ldbsearch -H /usr/local/samba/private/sam.ldb -b "CN=Infrastructure,DC=ForestDnsZones,DC=samdom,DC=example,DC=com" -s base '(fSMORoleOwner=*)' fSMORoleOwner

You should get something like this back for each command:

    # record 1
    dn: CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
    fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

    # returned 1 records
    # 1 entries
    # 0 referrals

Rowland
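The failure Rowland points at is a bare KeyError when the Infrastructure object of a DNS partition has no fSMORoleOwner attribute. As an added example (not code from this thread or from Samba), the helper below parses the LDIF that ldbsearch prints, folds the continuation lines seen above, and reports a missing owner as None instead of crashing; the sample input is constructed, with the ForestDnsZones record deliberately lacking the attribute.

```python
"""Report FSMO role owners from ldbsearch (LDIF) output.

Added example, not code from this thread or from Samba. samba-tool's
get_fsmo_roleowner() indexes res[0]["fSMORoleOwner"][0] and raises
KeyError ('No such element') when the attribute is absent; this helper
returns None for such a record instead. The sample input is constructed.
"""

# Constructed sample: DomainDnsZones has an owner, ForestDnsZones does not.
SAMPLE_LDIF = """\
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
 N=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

# record 2
dn: CN=Infrastructure,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
objectClass: infrastructureUpdate

# returned 2 records
"""


def parse_ldif(text):
    """Return one {attr: [values]} dict per record; folds continuation
    lines (leading space), skips '#' comments, does not decode '::'."""
    records, current, prev = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and prev is not None:  # folded value
            current[prev][-1] += raw[1:]
            continue
        if not raw.strip():  # blank line ends a record
            if current:
                records.append(current)
            current, prev = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        prev = attr
    if current:
        records.append(current)
    return records


def fsmo_owners(text):
    """Map each record dn to its fSMORoleOwner, or None when missing."""
    return {rec["dn"][0]: (rec.get("fSMORoleOwner") or [None])[0]
            for rec in parse_ldif(text)}
```

Any dn that maps to None is a role record samba-tool would choke on, so it tells you which partition to look at before running seize again.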