[Samba] missing DomainDnsZones and ForestDnsZones ?

Robert Moulton rmoulton at uw.edu
Fri Mar 18 20:38:37 UTC 2016


Rowland penny wrote on 3/18/16 1:19 PM:
> See inline comments
>
>
> On 18/03/16 20:11, Robert Moulton wrote:
>> Rowland penny wrote on 3/18/16 12:58 PM:
>>> On 18/03/16 19:27, Robert Moulton wrote:
>>>> Rowland penny wrote on 3/18/16 11:48 AM:
>>>>> On 18/03/16 18:19, Robert Moulton wrote:
>>>>>> Greetings - On our samba 4 (4.3.3) AD controller I just noticed
>>>>>> something odd. When I run 'samba-tool fsmo show' I get an error:
>>>>>>
>>>>>> # samba-tool fsmo show
>>>>>> ERROR(ldb): uncaught exception - No such Base DN: CN=Infrastructure,DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu
>>>>>>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>>>     return self.run(*args, **kwargs)
>>>>>>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 395, in run
>>>>>>     domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
>>>>>>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 40, in get_fsmo_roleowner
>>>>>>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
>>>>>>
>>>>>> And 'ldbsearch' verifies that DomainDnsZones is missing:
>>>>>>
>>>>>> # ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb
>>>>>> '(fsmoroleowner=*)' | grep 'dn:'
>>>>>> dn: CN=Schema,CN=Configuration,DC=biostat,DC=washington,DC=edu
>>>>>> dn: CN=Partitions,CN=Configuration,DC=biostat,DC=washington,DC=edu
>>>>>> dn: DC=biostat,DC=washington,DC=edu
>>>>>> dn: CN=Infrastructure,DC=biostat,DC=washington,DC=edu
>>>>>> dn: CN=RID Manager$,CN=System,DC=biostat,DC=washington,DC=edu
>>>>>>
>>>>>> What might explain this anomaly, and more importantly, what should be
>>>>>> done to address it?
>>>>>>
>>>>>> thanks,
>>>>>> -r
>>>>>>
>>>>>
>>>>> OK, as for how did you get to here, how was the domain provisioned ??
>>>>
>>>> Provisioning was a 'classicupgrade' of a samba 3 domain with LDAP
>>>> backend.
>>>
>>> I don't suppose you can remember the actual command you ran to upgrade ?
>>
>> I remember:
>>
>> samba-tool domain classicupgrade --dbdir=/var/tmp/dbdir/
>> --use-xattrs=yes --realm=biostat.washington.edu
>> --dns-backend=BIND9_FLATFILE --option="interfaces=lo eth0"
>> --option="bind interfaces only=yes" /var/tmp/dbdir/smb.conf
>>
>
> And there is your problem, --dns-backend=BIND9_FLATFILE
>
> Flatfiles do not store their info in AD
>
> Please tell me that this domain is only a test domain and you can re-run
> the upgrade with '--dns-backend=BIND9_DLZ' or
> '--dns-backend=SAMBA_INTERNAL'
>
> Rowland

It's a production domain. We run our own DNS and tried BIND9_DLZ but our 
DNS setup is complicated enough that we ended up resorting to flatfile, 
manually updating our BIND zone files as needed. We know it isn't ideal 
but we haven't encountered any problems until now.

Couldn't we simply add the missing DNs (along with corresponding DNS 
records, if necessary)?

>> (output is appended below)
>>
>>>
>>>>
>>>>> You are actually missing two fsmo roleowners, your ldbsearch should
>>>>> return these as well as the other 5:
>>>>>
>>>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu
>>>>> dn: CN=Infrastructure,DC=ForestDnsZones,DC=biostat,DC=washington,DC=edu
>>>>>
>>>>> Do the 'DNs' exist ?
>>>>>
>>>>> try this:
>>>>>
>>>>> ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b
>>>>> 'DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu' -s sub
>>>>> '(cn=Infrastructure)'
>>>>>
>>>>> Does it return anything ?
>>>>>
>>>>
>>>> uh-oh, no such base dn ...
>>>>
>>>> # ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b
>>>> 'DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu' -s sub
>>>> '(cn=Infrastructure)'
>>>> search error - No such Base DN:
>>>> DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu
>>>>
>>>>> Run it again, but replace 'DC=DomainDnsZones' with
>>>>> 'DC=ForestDnsZones',
>>>>> does this return anything ?
>>>>
>>>> ... and again:
>>>>
>>>> [root at porter ~]# ldbsearch --cross-ncs -H
>>>> /usr/local/samba/private/sam.ldb -b
>>>> 'DC=ForestDnsZones,DC=biostat,DC=washington,DC=edu' -s sub
>>>> '(cn=Infrastructure)'
>>>> search error - No such Base DN:
>>>> DC=ForestDnsZones,DC=biostat,DC=washington,DC=edu
>>>>
>>>> should they be added with ldbadd?
>>>
>>> It is not as simple as that, You probably have a lot more missing.
>>>
>>> When you ran the upgrade command, did you cut and paste it from the wiki
>>> ? If so, you may have missed half the command line. I have just looked
>>> at the wiki page and altered it so it shows all the command.
>>>
>>> I have never been in this position, so I am unsure if you can add the
>>> DNS objects to AD and if you can, I do not know how.
>>>
>>> Rowland
>>>>
>>>>> If the objects exist, then you need to add the fsmo roleowners with
>>>>> ldbmodify
>>>>>
>>>>> You need to create an ldif
>>>>>
>>>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu
>>>>> changetype: modify
>>>>> add: fSMORoleOwner
>>>>> fSMORoleOwner: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=biostat,DC=washington,DC=edu
>>>>>
>>>>> Then use ldbmodify to add the ldif, repeat for the ForestDnsZones
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>
>>>
>>
>> # /usr/local/samba/bin/samba-tool domain classicupgrade
>> --dbdir=/var/tmp/dbdir/ --use-xattrs=yes
>> --realm=biostat.washington.edu --dns-backend=BIND9_FLATFILE
>> --option="interfaces=lo eth0" --option="bind interfaces only=yes"
>> /var/tmp/dbdir/smb.conf
>> Reading smb.conf
>> Provisioning
>> Exporting account policy
>> Exporting groups
>> Exporting users
>> Ignoring group memberships of 'root'
>> S-1-5-21-1900679799-3721262086-4005390970-1001: Unable to enumerate
>> group memberships, (-1073741596,This error indicates that the
>> requested operation cannot be completed due to a catastrophic media
>> failure or an on-disk data structure corruption.)
>>   Skipping wellknown rid=500 (for username=Administrator)
>> Next rid = 23307
>> Exporting posix attributes
>> Reading WINS database
>> Cannot open wins database, Ignoring: [Errno 2] No such file or
>> directory: '/var/tmp/dbdir/wins.dat'
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up share.ldb
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> Adding DomainDN: DC=biostat,DC=washington,DC=edu
>> Adding configuration container
>> Setting up sam.ldb schema
>> Setting up sam.ldb configuration data
>> Setting up display specifiers
>> Modifying display specifiers
>> Adding users container
>> Modifying users container
>> Adding computers container
>> Modifying computers container
>> Setting up sam.ldb data
>> Setting up well known security principals
>> Setting up sam.ldb users and groups
>> Setting up self join
>> Setting acl on sysvol skipped
>> Adding DNS accounts
>> Creating CN=MicrosoftDNS,CN=System,DC=biostat,DC=washington,DC=edu
>> rndc: 'freeze' failed: not found
>> rndc: 'unfreeze' failed: not found
>> See /usr/local/samba/private/named.conf for an example configuration
>> include file for BIND
>> and /usr/local/samba/private/named.txt for further documentation
>> required for secure DNS updates
>> Setting up sam.ldb rootDSE marking as synchronized
>> Fixing provision GUIDs
>> A Kerberos configuration suitable for Samba 4 has been generated at
>> /usr/local/samba/private/krb5.conf
>> Setting up fake yp server settings
>> Once the above files are installed, your Samba4 server will be ready
>> to use
>> Server Role:           active directory domain controller
>> Hostname:              marzen
>> NetBIOS Domain:        BIOSTAT
>> DNS Domain:            biostat.washington.edu
>> DOMAIN SID:            S-1-5-21-1900679799-3721262086-4005390970
>> Importing WINS database
>> Importing Account policy
>> Importing idmap database
>> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
>> Adding groups
>> Importing groups
>> Group already exists
>> sid=S-1-5-21-1900679799-3721262086-4005390970-512, groupname=Domain
>> Admins existing_groupname=Domain Admins, Ignoring.
>> Group already exists
>> sid=S-1-5-21-1900679799-3721262086-4005390970-515, groupname=Domain
>> Computers existing_groupname=Domain Computers, Ignoring.
>> Group already exists
>> sid=S-1-5-21-1900679799-3721262086-4005390970-514, groupname=Domain
>> Guests existing_groupname=Domain Guests, Ignoring.
>> Group already exists
>> sid=S-1-5-21-1900679799-3721262086-4005390970-513, groupname=Domain
>> Users existing_groupname=Domain Users, Ignoring.
>> Group already exists sid=S-1-5-32-544, groupname=Administrators
>> existing_groupname=Administrators, Ignoring.
>> Group already exists sid=S-1-5-32-545, groupname=Users
>> existing_groupname=Users, Ignoring.
>> Committing 'add groups' transaction to disk
>> Adding users
>> Importing users
>> User root has been kept in the directory, it should be removed in
>> favour of the Administrator user
>> Committing 'add users' transaction to disk
>> Adding users to groups
>> Committing 'add users to groups' transaction to disk
>> Setting password for administrator
>> Administrator password has been set to password of user 'root'
>
>

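As an added example (not code from the thread, from Rowland, or from Samba itself): a POSIX shell check that runs the same '(fsmoroleowner=*)' search discussed above and reports which of the seven expected role-owner objects are absent, so an admin can spot the missing DomainDnsZones and ForestDnsZones partitions before 'samba-tool fsmo show' fails. The sam.ldb path and the presence of ldbsearch on PATH are assumptions; the embedded sample is the poster's five-line output.

```shell
# Added example (not from the thread): audit the objects that must carry an
# fSMORoleOwner attribute on a Samba AD DC, including the Infrastructure objects
# of the DomainDnsZones and ForestDnsZones partitions that the poster's DC lacks.
# Assumption: sam.ldb is at the path used in the thread and ldbsearch is on PATH.
SAMDB=${SAMDB:-/usr/local/samba/private/sam.ldb}

# Print the seven DNs that should answer '(fsmoroleowner=*)' for base DN $1.
expected_fsmo_dns() {
    base=$1
    printf '%s\n' \
        "CN=Schema,CN=Configuration,$base" \
        "CN=Partitions,CN=Configuration,$base" \
        "$base" \
        "CN=Infrastructure,$base" \
        "CN=RID Manager\$,CN=System,$base" \
        "CN=Infrastructure,DC=DomainDnsZones,$base" \
        "CN=Infrastructure,DC=ForestDnsZones,$base"
}

# Read ldbsearch output on stdin and print each expected DN that is absent.
# Exit status 1 when anything is missing, 0 when the DC is complete.
missing_fsmo_dns() {
    base=$1
    found=$(sed -n 's/^dn: //p')   # DNs the DC actually returned
    rc=0
    while IFS= read -r dn; do
        if ! printf '%s\n' "$found" | grep -Fqx -- "$dn"; then
            printf 'MISSING: %s\n' "$dn"
            rc=1
        fi
    done <<EOF
$(expected_fsmo_dns "$base")
EOF
    return $rc
}

# Live audit: the same ldbsearch call as in the thread, piped into the check.
audit_dc() {
    ldbsearch --cross-ncs -H "$SAMDB" '(fsmoroleowner=*)' | missing_fsmo_dns "$1"
}

# Constructed sample: the five DNs the poster's ldbsearch returned.
SAMPLE_OUTPUT='dn: CN=Schema,CN=Configuration,DC=biostat,DC=washington,DC=edu
dn: CN=Partitions,CN=Configuration,DC=biostat,DC=washington,DC=edu
dn: DC=biostat,DC=washington,DC=edu
dn: CN=Infrastructure,DC=biostat,DC=washington,DC=edu
dn: CN=RID Manager$,CN=System,DC=biostat,DC=washington,DC=edu'
# Offline demo: reports the two DNS-partition Infrastructure objects as missing.
demo() { printf '%s\n' "$SAMPLE_OUTPUT" | missing_fsmo_dns 'DC=biostat,DC=washington,DC=edu'; }
```

Run `audit_dc 'DC=biostat,DC=washington,DC=edu'` on the DC itself; a clean DC prints nothing and exits 0.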