[Samba] missing DomainDnsZones and ForestDnsZones ?

Rowland penny rpenny at samba.org
Fri Mar 18 20:19:14 UTC 2016


See inline comments


On 18/03/16 20:11, Robert Moulton wrote:
> Rowland penny wrote on 3/18/16 12:58 PM:
>> On 18/03/16 19:27, Robert Moulton wrote:
>>> Rowland penny wrote on 3/18/16 11:48 AM:
>>>> On 18/03/16 18:19, Robert Moulton wrote:
>>>>> Greetings - On our samba 4 (4.3.3) AD controller I just noticed
>>>>> something odd. When I run 'samba-tool fsmo show' I get an error:
>>>>>
>>>>> # samba-tool fsmo show
>>>>> ERROR(ldb): uncaught exception - No such Base DN:
>>>>> CN=Infrastructure,DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu
>>>>>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>>     return self.run(*args, **kwargs)
>>>>>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 395, in run
>>>>>     domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
>>>>>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 40, in get_fsmo_roleowner
>>>>>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
>>>>>
>>>>> And 'ldbsearch' verifies that DomainDnsZones is missing:
>>>>>
>>>>> # ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb
>>>>> '(fsmoroleowner=*)' | grep 'dn:'
>>>>> dn: CN=Schema,CN=Configuration,DC=biostat,DC=washington,DC=edu
>>>>> dn: CN=Partitions,CN=Configuration,DC=biostat,DC=washington,DC=edu
>>>>> dn: DC=biostat,DC=washington,DC=edu
>>>>> dn: CN=Infrastructure,DC=biostat,DC=washington,DC=edu
>>>>> dn: CN=RID Manager$,CN=System,DC=biostat,DC=washington,DC=edu
>>>>>
>>>>> What might explain this anomaly, and more importantly, what should be
>>>>> done to address it?
>>>>>
>>>>> thanks,
>>>>> -r
>>>>>
>>>>
>>>> OK, as for how did you get to here, how was the domain provisioned ??
>>>
>>> Provisioning was a 'classicupgrade' of a samba 3 domain with LDAP
>>> backend.
>>
>> I don't suppose you can remember the actual command you ran to upgrade ?
>
> I remember:
>
> samba-tool domain classicupgrade --dbdir=/var/tmp/dbdir/ 
> --use-xattrs=yes --realm=biostat.washington.edu 
> --dns-backend=BIND9_FLATFILE --option="interfaces=lo eth0" 
> --option="bind interfaces only=yes" /var/tmp/dbdir/smb.conf
>

And there is your problem, --dns-backend=BIND9_FLATFILE

Flatfiles do not store their info in AD

Please tell me that this domain is only a test domain and you can re-run 
the upgrade with '--dns-backend=BIND9_DLZ' or '--dns-backend=SAMBA_INTERNAL'

Rowland

> (output is appended below)
>
>>
>>>
>>>> You are actually missing two fsmo roleowners, your ldbsearch should
>>>> return these as well as the other 5:
>>>>
>>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu
>>>> dn: CN=Infrastructure,DC=ForestDnsZones,DC=biostat,DC=washington,DC=edu
>>>>
>>>> Do the 'DNs' exist ?
>>>>
>>>> try this:
>>>>
>>>> ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b
>>>> 'DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu' -s sub
>>>> '(cn=Infrastructure)'
>>>>
>>>> Does it return anything ?
>>>>
>>>
>>> uh-oh, no such base dn ...
>>>
>>> # ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b
>>> 'DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu' -s sub
>>> '(cn=Infrastructure)'
>>> search error - No such Base DN:
>>> DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu
>>>
>>>> Run it again, but replace 'DC=DomainDnsZones' with 
>>>> 'DC=ForestDnsZones',
>>>> does this return anything ?
>>>
>>> ... and again:
>>>
>>> [root at porter ~]# ldbsearch --cross-ncs -H
>>> /usr/local/samba/private/sam.ldb -b
>>> 'DC=ForestDnsZones,DC=biostat,DC=washington,DC=edu' -s sub
>>> '(cn=Infrastructure)'
>>> search error - No such Base DN:
>>> DC=ForestDnsZones,DC=biostat,DC=washington,DC=edu
>>>
>>> should they be added with ldbadd?
>>
>> It is not as simple as that, you probably have a lot more missing.
>>
>> When you ran the upgrade command, did you cut and paste it from the wiki
>> ? If so, you may have missed half the command line. I have just looked
>> at the wiki page and altered it so it shows all the command.
>>
>> I have never been in this position, so I am unsure if you can add the
>> DNS objects to AD and if you can, I do not know how.
>>
>> Rowland
>>>
>>>> If the objects exist, then you need to add the fsmo roleowners with
>>>> ldbmodify
>>>>
>>>> You need to create an ldif
>>>>
>>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu
>>>> changetype: modify
>>>> add: fSMORoleOwner
>>>> fSMORoleOwner: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=biostat,DC=washington,DC=edu
>>>>
>>>> Then use ldbmodify to add the ldif, repeat for the ForestDnsZones
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>
>>
>
> # /usr/local/samba/bin/samba-tool domain classicupgrade 
> --dbdir=/var/tmp/dbdir/ --use-xattrs=yes 
> --realm=biostat.washington.edu --dns-backend=BIND9_FLATFILE 
> --option="interfaces=lo eth0" --option="bind interfaces only=yes" 
> /var/tmp/dbdir/smb.conf
> Reading smb.conf
> Provisioning
> Exporting account policy
> Exporting groups
> Exporting users
> Ignoring group memberships of 'root' 
> S-1-5-21-1900679799-3721262086-4005390970-1001: Unable to enumerate 
> group memberships, (-1073741596,This error indicates that the 
> requested operation cannot be completed due to a catastrophic media 
> failure or an on-disk data structure corruption.)
>   Skipping wellknown rid=500 (for username=Administrator)
> Next rid = 23307
> Exporting posix attributes
> Reading WINS database
> Cannot open wins database, Ignoring: [Errno 2] No such file or 
> directory: '/var/tmp/dbdir/wins.dat'
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=biostat,DC=washington,DC=edu
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Setting acl on sysvol skipped
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=biostat,DC=washington,DC=edu
> rndc: 'freeze' failed: not found
> rndc: 'unfreeze' failed: not found
> See /usr/local/samba/private/named.conf for an example configuration 
> include file for BIND
> and /usr/local/samba/private/named.txt for further documentation 
> required for secure DNS updates
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba 4 has been generated at 
> /usr/local/samba/private/krb5.conf
> Setting up fake yp server settings
> Once the above files are installed, your Samba4 server will be ready 
> to use
> Server Role:           active directory domain controller
> Hostname:              marzen
> NetBIOS Domain:        BIOSTAT
> DNS Domain:            biostat.washington.edu
> DOMAIN SID:            S-1-5-21-1900679799-3721262086-4005390970
> Importing WINS database
> Importing Account policy
> Importing idmap database
> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
> Adding groups
> Importing groups
> Group already exists 
> sid=S-1-5-21-1900679799-3721262086-4005390970-512, groupname=Domain 
> Admins existing_groupname=Domain Admins, Ignoring.
> Group already exists 
> sid=S-1-5-21-1900679799-3721262086-4005390970-515, groupname=Domain 
> Computers existing_groupname=Domain Computers, Ignoring.
> Group already exists 
> sid=S-1-5-21-1900679799-3721262086-4005390970-514, groupname=Domain 
> Guests existing_groupname=Domain Guests, Ignoring.
> Group already exists 
> sid=S-1-5-21-1900679799-3721262086-4005390970-513, groupname=Domain 
> Users existing_groupname=Domain Users, Ignoring.
> Group already exists sid=S-1-5-32-544, groupname=Administrators 
> existing_groupname=Administrators, Ignoring.
> Group already exists sid=S-1-5-32-545, groupname=Users 
> existing_groupname=Users, Ignoring.
> Committing 'add groups' transaction to disk
> Adding users
> Importing users
> User root has been kept in the directory, it should be removed in 
> favour of the Administrator user
> Committing 'add users' transaction to disk
> Adding users to groups
> Committing 'add users to groups' transaction to disk
> Setting password for administrator
> Administrator password has been set to password of user 'root'
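An added check (not part of the thread and not Samba's own code) that runs Rowland's comparison over the ldbsearch output quoted above: it parses the dn: lines, reports which of the seven fSMORoleOwner objects are absent for the domain DN, and builds the ldbmodify LDIF he describes. The NTDS Settings DN is an assumption that keeps his "CN=DC" placeholder for the DC name.

```python
DOMAIN_DN = "DC=biostat,DC=washington,DC=edu"

# Role name -> DN of the object whose fSMORoleOwner attribute names the holder.
FSMO_ROLE_DNS = {
    "Schema Master":         "CN=Schema,CN=Configuration,{dom}",
    "Domain Naming Master":  "CN=Partitions,CN=Configuration,{dom}",
    "PDC Emulator":          "{dom}",
    "Infrastructure Master": "CN=Infrastructure,{dom}",
    "RID Master":            "CN=RID Manager$,CN=System,{dom}",
    "DomainDnsZones Master": "CN=Infrastructure,DC=DomainDnsZones,{dom}",
    "ForestDnsZones Master": "CN=Infrastructure,DC=ForestDnsZones,{dom}",
}

def parse_dns(ldbsearch_output):
    """Collect 'dn:' values from ldbsearch's LDIF-style output (lower-cased: DN matching is case-insensitive)."""
    dns = set()
    for line in ldbsearch_output.splitlines():
        if line.lower().startswith("dn:"):
            dns.add(line[3:].strip().lower())
    return dns

def missing_fsmo_roles(ldbsearch_output, domain_dn):
    """Return {role: expected DN} for every role owner object that is not in the output."""
    present = parse_dns(ldbsearch_output)
    missing = {}
    for role, template in FSMO_ROLE_DNS.items():
        dn = template.format(dom=domain_dn)
        if dn.lower() not in present:
            missing[role] = dn
    return missing

def fsmo_fix_ldif(missing, ntds_settings_dn):
    """LDIF for ldbmodify adding fSMORoleOwner to each listed object.
    Only meaningful when the object (and its partition) actually exists."""
    changes = []
    for dn in missing.values():
        changes.append("dn: %s\nchangetype: modify\nadd: fSMORoleOwner\nfSMORoleOwner: %s\n" % (dn, ntds_settings_dn))
    return "\n".join(changes)

# Sample input: the five dn: lines from the ldbsearch output quoted in the thread.
SAMPLE_OUTPUT = """\
dn: CN=Schema,CN=Configuration,DC=biostat,DC=washington,DC=edu
dn: CN=Partitions,CN=Configuration,DC=biostat,DC=washington,DC=edu
dn: DC=biostat,DC=washington,DC=edu
dn: CN=Infrastructure,DC=biostat,DC=washington,DC=edu
dn: CN=RID Manager$,CN=System,DC=biostat,DC=washington,DC=edu
"""
# Assumed DN; "CN=DC" is the placeholder for the DC's name, replace with the real NTDS Settings DN.
NTDS_DN = "CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration," + DOMAIN_DN
```

The generated LDIF only helps when the DomainDnsZones and ForestDnsZones partition objects exist; in this thread they do not, which is why the answer is re-running the upgrade with a DNS backend that stores zones in AD.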
