[Samba] Domain join failure - error during DRS repl ADD: No objectClass found in replPropertyMetaData

Matthew Delfino mdelfino.list.samba at KNOCKinc.com
Mon Nov 23 17:26:22 UTC 2015


On 2015.11.23, at 10:19 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 23/11/15 15:51, Matthew Delfino wrote:
>> 
>> On 2015.11.23, at 8:32 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>> OK, try again, but this time, remove the <fSMORoleOwner> from the end of the command. This will dump the entire AD object; I am sure you will find that there is no 'fSMORoleOwner' attribute. This is your actual problem: why do you not have this FSMO role?
>>> 
>>> You have however found a bug in the code, it should print an error message if no role owner is found.
>>> 
>>> Rowland
>> 
>> Rowland, you nailed it. The 'fSMORoleOwner' attribute was indeed missing from:
>> 
>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=mycompany,DC=lan
>> 
>> And
>> 
>> dn: CN=Infrastructure,DC=ForestDnsZones,DC=mycompany,DC=lan
>> 
>> I used Softerra LDAP Administrator 2015.2 to "Add/Modify Attribute…" under its "Entry" menu while the Infrastructure containers cited above were selected.
>> 
>> I made sure that the syntax of my entry was correct:
>> 
>> CN=NTDS Settings,CN=DC00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mycompany,DC=lan
>> 
>> And now I get what I expect:
>> 
>> ----
>> 
>> sudo samba-tool fsmo seize --role=all
>> 
>> This DC already has the 'rid' FSMO role
>> This DC already has the 'pdc' FSMO role
>> This DC already has the 'naming' FSMO role
>> This DC already has the 'infrastructure' FSMO role
>> This DC already has the 'schema' FSMO role
>> This DC already has the 'domaindns' FSMO role
>> This DC already has the 'forestdns' FSMO role
>> 
>> ----
>> 
>> And this:
>> 
>> ----
>> 
>> sudo ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Infrastructure,DC=DomainDnsZones,DC=knockinc,DC=loc" -s base '(fSMORoleOwner=*)' fSMORoleOwner
>> 
>> # record 1
>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=mycompany,DC=lan
>> fSMORoleOwner: CN=NTDS Settings,CN=DC00,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=mycompany,DC=lan
>> 
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>> 
>> ----
>> 
>> Same output for the other one (ForestDnsZones).
>> 
>> ----
>> 
>> sudo ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
>> 
>> # record 1
>> dn: CN=NTDS Settings,CN=RHEA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=knockinc,DC=loc
>> objectGUID: 6ba7ca4f-291f-4ffe-8403-65fe26a8bfd2
>> 
>> # record 2
>> dn: CN=NTDS Settings,CN=ENCELADUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=knockinc,DC=loc
>> objectGUID: 7c40a9c3-be7e-44b5-b2d9-ebe7f97c0517
>> 
>> # record 3
>> dn: CN=NTDS Settings,CN=GANYMEDE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=knockinc,DC=loc
>> objectGUID: 98b9225b-a5b9-4351-84f8-253762772cc3
>> 
>> # returned 3 records
>> # 3 entries
>> # 0 referrals
>> 
>> ----
>> 
>> The only other curiosity I have right now is, why are all the "whenChanged" attributes off between the DCs? Is that normal after a certain version of Samba, post v4.1.6?
>> 
>> 
> 
> I can help you with that as well, find ldapcmp.py on your system, open it in your favourite editor, find this line:
> 
>                # "whenChanged", # This is implicitly replicated
> 
> Make it look like this:
> 
>                "whenChanged",
> 
> Save & close the file.
> 
> You won't get the error again. Whoever changed it last time seems to have made a mistake; if you look here:
> 
> https://msdn.microsoft.com/en-us/library/windows/desktop/ms680921%28v=vs.85%29.aspx
> 
> You will see that 'whenChanged' is not replicated.
> 
> Rowland

Thank you Rowland. I did as you said on all my DCs. My whole team is really happy now because Samba is working without issue. All replications look good, I have the policies set that I needed, no weird errors… It’s a great day! :-)

Matthew
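The fix above was done by hand in an LDAP GUI. The following is an added example (written for this page, not code from the thread, from Samba or from samba-tool) that does the same check from the command line: it parses the LDIF that `ldbsearch` prints, lists the Infrastructure objects that have no `fSMORoleOwner`, and generates the LDIF that `ldbmodify` needs to add it. Two details from the thread drive the design. First, search for the object by `cn` rather than with the `(fSMORoleOwner=*)` filter used above; that filter returns nothing when the attribute is missing, which is why the original search looked empty. Second, `ldbsearch` folds long values onto a continuation line that starts with a space (visible in the `fSMORoleOwner` output above), so the parser must unfold those lines before comparing DNs. The embedded sample output is constructed to mimic a domain where both DNS partitions have lost the attribute; the DC name `DC00`, the domain `mycompany.lan` and the owner DN are taken from the thread and are assumptions for this example.

```python
"""Find Infrastructure objects with no fSMORoleOwner and build the fixing LDIF.

Intended pipeline (the search flags are the ones used in the thread):

    ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs \
        '(cn=Infrastructure)' fSMORoleOwner | python3 fsmo_check.py > fix.ldif
    # review fix.ldif, then:
    ldbmodify -H /var/lib/samba/private/sam.ldb fix.ldif

Run without piped input, it uses the constructed sample below.
"""
import base64
import sys
from typing import Dict, List, Optional

# Constructed sample, modelled on the ldbsearch output in the thread. It is
# not output from a real DC. Record 1 keeps its owner (note the folded value
# on a continuation line); records 2 and 3 have lost the attribute.
SAMPLE_LDBSEARCH_OUTPUT = """\
# record 1
dn: CN=Infrastructure,DC=mycompany,DC=lan
fSMORoleOwner: CN=NTDS Settings,CN=DC00,CN=Servers,CN=Default-First-Site-
 Name,CN=Sites,CN=Configuration,DC=mycompany,DC=lan

# record 2
dn: CN=Infrastructure,DC=DomainDnsZones,DC=mycompany,DC=lan

# record 3
dn: CN=Infrastructure,DC=ForestDnsZones,DC=mycompany,DC=lan

# returned 3 records
# 3 entries
# 0 referrals
"""

# Assumed owner: the NTDS Settings object of the DC that should hold the
# roles. Pick a DC that really exists (the '(invocationId=*)' search in the
# thread lists them); a DN of a decommissioned DC leaves the role orphaned.
NTDS_SETTINGS_DN = ("CN=NTDS Settings,CN=DC00,CN=Servers,"
                    "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,"
                    "DC=mycompany,DC=lan")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldbsearch/LDIF text into a list of {attribute: [values]}.

    Skips '#' comment lines, unfolds continuation lines (leading space) and
    decodes 'attr:: <base64>' values, so DNs can be compared as plain text.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr: Optional[str] = None

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # folded continuation
            continue
        attr, _, value = raw.partition(":")
        value = value.strip()
        if value.startswith(":"):                  # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value)
        last_attr = attr

    if current:
        entries.append(current)
    return entries


def missing_fsmo_owner(entries: List[Dict[str, List[str]]]) -> List[str]:
    """DNs of Infrastructure objects that carry no fSMORoleOwner attribute.

    Attribute names are matched case-insensitively, as LDAP does.
    """
    result = []
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        has_owner = any(k.lower() == "fsmoroleowner" for k in entry)
        if dn.lower().startswith("cn=infrastructure,") and not has_owner:
            result.append(dn)
    return result


def fix_ldif(dns: List[str], owner_dn: str) -> str:
    """LDIF 'modify/add' records that ldbmodify can apply to restore the owner."""
    records = ["\n".join([f"dn: {dn}", "changetype: modify",
                          "add: fSMORoleOwner", f"fSMORoleOwner: {owner_dn}",
                          "-"]) for dn in dns]
    return "\n\n".join(records) + ("\n" if records else "")


if __name__ == "__main__":
    text = SAMPLE_LDBSEARCH_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    missing = missing_fsmo_owner(parse_ldif(text))
    for dn in missing:
        print(f"# no fSMORoleOwner on {dn}", file=sys.stderr)
    sys.stdout.write(fix_ldif(missing, NTDS_SETTINGS_DN))
```

Review the generated LDIF before applying it, and run `samba-tool fsmo show` afterwards; the "This DC already has the ... FSMO role" lines from `fsmo seize` above are what a healthy result looks like. Using `add:` rather than `replace:` means `ldbmodify` fails instead of silently overwriting an owner that is present after all.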
