[Samba] Domain join failure - error during DRS repl ADD: No objectClass found in replPropertyMetaData

Rowland Penny rowlandpenny241155 at gmail.com
Mon Nov 23 16:19:22 UTC 2015


On 23/11/15 15:51, Matthew Delfino wrote:
>
> On 2015.11.23, at 8:32 AM, Rowland Penny <rowlandpenny241155 at gmail.com 
> <mailto:rowlandpenny241155 at gmail.com>> wrote:
>> OK, try again, but this time, remove the <fSMORoleOwner> from the end 
>> of the command, this will dump the entire AD object, I am sure you 
>> will find that there is no 'fSMORoleOwner' attribute. This is your 
>> actual problem, why do you not have this FSMO role ?
>>
>> You have however found a bug in the code, it should print an error 
>> message if no role owner is found.
>>
>> Rowland
>
> Rowland, you nailed it. The 'fSMORoleOwner' attribute was indeed 
> missing from:
>
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=mycompany,DC=lan
>
> And
>
> dn: CN=Infrastructure,DC=ForestDnsZones,DC=mycompany,DC=lan
>
> I used Softerra LDAP Administrator 2015.2 to "Add/Modify Attribute…" 
> under its "Entry" menu while the Infrastructure containers cited 
> above were selected.
>
> I made sure that the syntax of my entry was correct:
>
> CN=NTDS 
> Settings,CN=DC00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mycompany,DC=lan
>
> And now I get what I expect:
>
> ----
>
> sudo samba-tool fsmo seize --role=all
>
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> This DC already has the 'domaindns' FSMO role
> This DC already has the 'forestdns' FSMO role
>
> ----
>
> And this:
>
> ----
>
> sudo ldbsearch -H /var/lib/samba/private/sam.ldb -b 
> "CN=Infrastructure,DC=DomainDnsZones,DC=knockinc,DC=loc" -s base 
> '(fSMORoleOwner=*)' fSMORoleOwner
>
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=mycompany,DC=lan
> fSMORoleOwner: CN=NTDS Settings,CN=DC00,CN=Servers,CN=Default-First-Site-
>  Name,CN=Sites,CN=Configuration,DC=mycompany,DC=lan
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> ----
>
> Same output for the other one (ForestDnsZones).
>
> ----
>
> sudo ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' 
> --cross-ncs objectguid
>
> # record 1
> dn: CN=NTDS 
> Settings,CN=RHEA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=knockinc,DC=loc
> objectGUID: 6ba7ca4f-291f-4ffe-8403-65fe26a8bfd2
>
> # record 2
> dn: CN=NTDS 
> Settings,CN=ENCELADUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=knockinc,DC=loc
> objectGUID: 7c40a9c3-be7e-44b5-b2d9-ebe7f97c0517
>
> # record 3
> dn: CN=NTDS 
> Settings,CN=GANYMEDE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=knockinc,DC=loc
> objectGUID: 98b9225b-a5b9-4351-84f8-253762772cc3
>
> # returned 3 records
> # 3 entries
> # 0 referrals
>
> ----
>
> The only other curiosity I have right now is, why are all the 
> "whenChanged" attributes off between the DCs? Is that normal after a 
> certain version of Samba, post v4.1.6?
>
>

I can help you with that as well, find ldapcmp.py on your system, open 
it in your favourite editor, find this line:

                 # "whenChanged", # This is implicitly replicated

Make it look like this:

                 "whenChanged",

Save & close the file.

You won't get the error again. Whoever changed it last time seems to 
have made a mistake; if you look here:

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680921%28v=vs.85%29.aspx

You will see that 'whenChanged' is not replicated.

Rowland
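The check Matthew ran by hand above (looking for fSMORoleOwner on the two DNS-partition Infrastructure containers) can be scripted against the LDIF that ldbsearch prints. This is an added example, not code from the thread or from Samba; the DNs and the sample output are constructed to mirror the ones quoted above, and it handles the LDIF line folding visible in the fSMORoleOwner value (a continuation line starts with a single space).

```python
"""Report Infrastructure containers whose ldbsearch output lacks fSMORoleOwner."""

# Assumed DNs, modelled on the thread's domain; replace with your own.
FSMO_CONTAINERS = (
    "CN=Infrastructure,DC=DomainDnsZones,DC=mycompany,DC=lan",
    "CN=Infrastructure,DC=ForestDnsZones,DC=mycompany,DC=lan",
)

# Constructed sample of `ldbsearch -H sam.ldb --cross-ncs '(cn=Infrastructure)'`
# output: the first container has the attribute (folded over two lines),
# the second one is missing it, as in the failure described in the thread.
SAMPLE_LDIF = """\
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=mycompany,DC=lan
fSMORoleOwner: CN=NTDS Settings,CN=DC00,CN=Servers,CN=Default-First-Site-
 Name,CN=Sites,CN=Configuration,DC=mycompany,DC=lan

# record 2
dn: CN=Infrastructure,DC=ForestDnsZones,DC=mycompany,DC=lan
instanceType: 4

# returned 2 records
# 2 entries
# 0 referrals
"""


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} from ldbsearch LDIF output.

    Folded lines are re-joined; '#' comments are skipped; a blank line ends a
    record. Base64 ('::') values are not decoded, which is fine for DN-valued
    attributes such as fSMORoleOwner.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous attribute line
        else:
            lines.append(raw)
    records, current = {}, {}
    for line in lines + [""]:  # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line:
            if "dn" in current:
                records[current["dn"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.strip())
    return records


def missing_role_owner(records, containers=FSMO_CONTAINERS):
    """List the containers that are absent or carry no fSMORoleOwner value."""
    return [dn for dn in containers if not records.get(dn, {}).get("fSMORoleOwner")]


if __name__ == "__main__":
    for dn in missing_role_owner(parse_ldif(SAMPLE_LDIF)):
        print("missing fSMORoleOwner:", dn)
```

Feed it the real output (for example via `ldbsearch ... | python3 check_fsmo.py` after swapping SAMPLE_LDIF for `sys.stdin.read()`) and an empty list means both DNS partitions have a role owner recorded.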
