[Samba] Fwd: Re: Problem with Samba4 DB

mathias dufresne infractory at gmail.com
Mon Jul 4 10:00:41 UTC 2016


Hum... My statement was that your DB seemed not to be clean, and so trying
first to clean it up seemed a good idea to me. Three weeks later your DB has
issues and asks to be cleaned up, so the statement was not too bad, which is
not very good for you ^^

ldbsearch -H /path/to/sam.ldb cn=dc25 -> if it is a DC, the DN of this entry
should be CN=dc25,OU=Domain Controllers,DC=your,DC=domain,DC=tld

If it is not in OU=Domain Controllers then it is no longer a DC. If it
is in that OU, your DB has a serious issue, as samba-tool can't remove that DC.

Fortunately Andrew did a great job adding --remove-other-dead-server, as it
shows what it does. You could demote a DC to get full logs of that command
and perform the clean-up by hand, hoping this solves your issue.

Again: your DB is not clean, clean it first. Then go back to the DNS
modification issue. This is because data are often linked between themselves
in the AD DB; incoherences can block new things from being added.

Now about your DNS issue: you mentioned it could be an "authoritative
problem". That is very simple to test, once you understand DNS a little bit.
In DNS, related to name servers, there are NS and SOA. NS stands for name
server, some server which is authoritative regarding answering requests.
SOA stands for Start Of Authority and is there to define the master of the
zone, the server which can modify the zone and the one which would accept
DNS update requests. SOA is unique: one SOA per zone, one server per SOA,
one master defined that way.
In AD all DNS servers (name servers) are able to modify the zone; that's a
multi-master DNS system. There is still one SOA per zone in the DB with
only one server per SOA. The trick to become multi-master is simply to
ignore that SOA record in the DB. Each DNS service able to modify the zone
will reply "I am SOA" if you ask it "who is SOA".
But unfortunately when using Samba's internal DNS you lose the multi-master
stuff: internal DNS relies on database information to reply who's SOA,
so only one SOA per zone (a SPOF by design; I expect the Samba team is
working to improve that).
If you are using the Bind9_DLZ DNS back end then you get multi-master: Bind
knows it can modify the DB, so it considers itself master of the zone and
will reply "I am SOA" even if the DB contains another DC in the SOA record.

Sorry to have been a bit long on that.

Now, to test:
dig -t SOA your.domain.tld @<IP of your DC>

Do that replacing <IP of your DC> by your DCs' IPs; of course each DC IP
must be tested one by one.

Doing that you will know which DCs consider themselves SOA and which
consider themselves non-SOA.

Now you know which DC can handle DNS update requests, time to test.

A simple way to test is to modify the samba_dnsupdate script to comment out
line 411, the one with "os.unlink(tmpfile)". Doing that, the next launch of
samba_dnsupdate won't remove the temporary files generated in /tmp. Each file
is meant to modify one DNS entry using the "nsupdate" command.

Once you have one file, use it: nsupdate -g /tmp/<your file>

Please note -g means you use Kerberos auth, so the user running that command
must have a valid Kerberos ticket matching an AD user with enough power to
modify DNS zones (for testing, "administrator" is a quick and good enough
choice).

You can run a tcpdump during nsupdate (something like tcpdump -i
<interface> port domain [and host <your client>]) to check what happens.

Hoping this could help you get closer to a solution...

M.
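
What the two tests above amount to, as an added example that is not part of this thread and not Samba's own code: a small POSIX shell script that asks every DC for the zone's SOA, treats a DC that names itself as the SOA MNAME as one that will accept dynamic updates, and then sends one Kerberos-authenticated (nsupdate -g, GSS-TSIG) A-record update to such a DC, using the same four-line nsupdate input shape that samba_dnsupdate writes to its temporary files. The zone samdom.example.com, the DC names and IPs, and the record milis / 192.0.2.49 are constructed placeholders; dig and nsupdate (bind-utils) and a valid Kerberos ticket for a user allowed to write the zone are assumed.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): probe every DC for the
# SOA it claims, then send one GSS-TSIG dynamic update to a DC that answers
# "I am SOA". Zone, DC list, record name and IP are constructed placeholders.
ZONE="samdom.example.com"
# "fqdn:ip" pairs, space separated (assumed values, replace with your own)
DCS="dc1.samdom.example.com:192.0.2.10 dc2.samdom.example.com:192.0.2.11"
REC_NAME="milis"
REC_IP="192.0.2.49"

# MNAME (the server the zone names as its master) from one line of
# "dig +short -t SOA" output: "mname rname serial refresh retry expire minimum".
# The trailing dot is stripped and the name lowercased for comparison.
soa_mname() {
    printf '%s\n' "$1" | awk '{ sub(/\.$/, "", $1); print tolower($1) }'
}

# Succeeds when the DC named in $1 is the MNAME of the SOA answer in $2,
# i.e. that DC considers itself master and will accept update requests.
claims_soa() {
    dc="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
    [ "$(soa_mname "$2")" = "$dc" ]
}

# Raw +short SOA answer from one DC; empty when it does not answer.
query_soa() {
    dig +short +time=3 +tries=1 -t SOA "$1" "@$2" 2>/dev/null | head -n 1
}

# nsupdate input for one A record: server, zone, update, send. The "server"
# line pins the update to the DC we chose instead of letting nsupdate chase
# the SOA MNAME from the zone, which may be a dead DC.
nsupdate_script() {
    # $1 DC IP to send to, $2 zone, $3 relative name, $4 IPv4 address
    printf 'server %s\nzone %s.\nupdate add %s.%s. 900 A %s\nsend\n' \
        "$1" "$2" "$3" "$2" "$4"
}

main() {
    target=""
    for entry in $DCS; do
        fqdn=${entry%%:*}; ip=${entry##*:}
        ans="$(query_soa "$ZONE" "$ip")"
        if [ -z "$ans" ]; then
            echo "$fqdn ($ip): no SOA answer (down or not authoritative)"
        elif claims_soa "$fqdn" "$ans"; then
            echo "$fqdn ($ip): claims SOA, will accept updates"
            [ -n "$target" ] || target="$ip"
        else
            echo "$fqdn ($ip): names $(soa_mname "$ans") as SOA, updates go there"
        fi
    done
    [ -n "$target" ] || { echo "no DC claims SOA for $ZONE" >&2; exit 1; }

    tmp="$(mktemp)"
    nsupdate_script "$target" "$ZONE" "$REC_NAME" "$REC_IP" > "$tmp"
    echo "sending to $target:"; cat "$tmp"
    # -g: GSS-TSIG, needs a ticket (kinit administrator) for a user allowed
    # to write the zone. The exit status tells you whether the update was
    # accepted; tcpdump on port 53 shows the TKEY/TSIG exchange.
    nsupdate -g "$tmp"; rc=$?
    rm -f "$tmp"
    exit $rc
}

# Only run the live queries when invoked as "sh soa_check.sh run".
case "${1:-}" in run) main ;; esac
```

Run it as `sh soa_check.sh run` after `kinit administrator`. A DC reported as "names X as SOA" is one that, like Samba's internal DNS in the message above, answers from the database rather than for itself; if X is one of the DCs you already removed, updates addressed by MNAME have nowhere to go, which is why the script picks a DC that claims SOA and pins it with the `server` line.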


2016-06-29 11:02 GMT+02:00 bentunx <bentunx at gmail.com>:

> dear roland and mathias
>
>
> I already upgraded the samba server version to 4.4.4
>
> I have demoted 3 of 4 offline DCs successfully
>
> the one DC that I can't demote shows this error message
>
> [root at pdc ~]# samba-tool domain demote
> --remove-other-dead-server=dc25
> ERROR: Demote failed: DemoteException: dc25 is not an AD DC in
> domain.co.id
> A transaction is still active in ldb context [0x1c11b00] on
> tdb:///usr/local/samba/private/sam.ldb
>
> I still can't change my DNS.
> I have another suspect: maybe it is caused by an authority problem?
> Because the error message while deleting DNS by RSAT is
> "the record cannot be deleted, The Local Security Authority Database
> Contains an internal inconsistency"
>
>
> On 15/06/2016 18:02, Rowland penny wrote:
>
>> On 15/06/16 10:14, bentunx wrote:
>>
>>> hi mathias
>>>
>>> let me confirm your statement
>>> so.. you think if we demote those 2 DC servers that are already offline, the
>>> DNS will be running well
>>> well, if this is one of the options we have, I will consider upgrading our
>>> FSMO DC from samba 4.1.X to 4.4.x. By the way, are there any
>>> considerations if we update samba directly from 4.1 to 4.4?
>>>
>>> let me answer some of your questions
>>> 1 - what command are you launching to update your DNS? What are the error
>>> messages?
>>> 2 - what are the DNS names of the new entries which refuse to be added? Same
>>> question for the two DCs your colleague removed from AD?
>>> # samba-tool dns add pdc domain.co.id milis A 172.16.99.49
>>> Password for [administrator at domain.CO.ID]:
>>> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>>>   File
>>> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
>>> line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File
>>> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line
>>> 1067, in run
>>>     0, server, zone, name, add_rec_buf, None)
>>>
>>>
>>>
>>> 3 - what version of Samba are you running? 4.1 >> New versions include
>>> a command switch to remove a DC from the AD database from another DC. In other
>>> words you could clean up the database from old DC entries.
>>>     yes, I will try this.
>>>
>>> 4 - what do the following commands give? And what are the DNS name and IP of
>>> your FSMO owner?
>>> DNS : pdc.domain.co.id
>>> InfrastructureMasterRole owner: CN=NTDS
>>> Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>>> RidAllocationMasterRole owner: CN=NTDS
>>> Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>>> PdcEmulationMasterRole owner: CN=NTDS
>>> Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>>> DomainNamingMasterRole owner: CN=NTDS
>>> Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>>> SchemaMasterRole owner: CN=NTDS
>>> Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>>> TIA
>>> Zhia
>>>
>>>
>> There should be no problem with upgrading to 4.4.4; in fact there could
>> be several benefits, including much improved samba-tool fsmo code. This
>> will show you all the fsmo role owners:
>>
>> SchemaMasterRole owner: CN=NTDS
>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>> InfrastructureMasterRole owner: CN=NTDS
>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>> RidAllocationMasterRole owner: CN=NTDS
>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>> PdcEmulationMasterRole owner: CN=NTDS
>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>> DomainNamingMasterRole owner: CN=NTDS
>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>> DomainDnsZonesMasterRole owner: CN=NTDS
>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>> ForestDnsZonesMasterRole owner: CN=NTDS
>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>>
>> But, you should always backup Samba before upgrading.
>>
>> Rowland
>>
>>
>>