[Samba] readonly DC?

Jo L j.o.l at live.com
Thu Nov 17 18:31:02 UTC 2016


Hello Samba-ers,

I tried to continue my Samba setup after a long pause doing other stuff.
To recall, I want to run two Samba DCs for one domain as virtual machines on
two Windows systems (I switched from VirtualBox to Hyper-V, which helps to
run them automatically at system startup, but I don't think that really
matters). Both DCs shall use themselves as DNS server as the VPN in between
is unreliable, but I tried the following with the DNS resolver on DC2
pointing to either DC1 or DC2.

DC1 is running fine, I can edit users, and actually the changes are
replicated to DC2. 
DC2 appears to be readonly. In the log file I noticed:

[2016/11/17 18:51:28.847526,  0]
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable and
[2016/11/17 18:51:29.145815,  0]
../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
  ../source4/dsdb/dns/dns_update.c:294: Failed DNS update -
NT_STATUS_UNSUCCESSFUL

I tried to resolve this via
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
including the workaround described in
https://bugzilla.samba.org/show_bug.cgi?id=10882, but I keep getting 

samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/samba.lindenberg.one.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-dc2 account
Traceback (most recent call last):
  File "/usr/sbin/samba_upgradedns", line 438, in <module>
    "DNSNAME" : dnsname }
  File "/usr/lib/python2.7/dist-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)
_ldb.LdbError: (68, '../ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=dns-dc2,CN=Users,DC=samba,DC=lindenberg,DC=one - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=dns-dc2,CN=Users,DC=samba,DC=lindenberg,D\xe0')

With plenty of error messages that I don't like to see, and after that
"klist -k /var/lib/samba/private/dns.keytab"
still reports "klist: Key table file '/var/lib/samba/private/dns.keytab' not
found while starting keytab scan".

host -t A dc2.samba.lindenberg.one @..samba.lindenberg.one works fine on DC1
but reports NXDOMAIN on DC2.

What's wrong? How can I get DC2 to be writable? What other information
should I check?
Or should I delete all DC2 information from DC1 and try a rejoin,
temporarily setting DNS to DC1?

Thanks & Best Regards, Joachim
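Added example, not from the post or from the Samba project: a small Python parser for the multi-line Samba log format quoted above (header line with timestamp and debug level, then the source location, then one or more wrapped message lines) that flags the two DNS-update failures, so a DC's log can be checked for this condition mechanically. The sample log is constructed from the two entries in the post plus one unrelated entry with a made-up source location.

```python
import re
from dataclasses import dataclass

# Samba writes each debug entry as a header "[date time, level]", then a
# "file:line(function)" source location, then one or more (often wrapped)
# message lines; a reader has to stitch the pieces back together.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]", re.M)
LOCATION = re.compile(r"^\S+\.c:\d+\(\w+\)$")

@dataclass
class Entry:
    timestamp: str
    level: int
    location: str
    message: str

def parse_samba_log(text):
    entries = []
    heads = list(HEADER.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = [l.strip() for l in text[m.end():end].splitlines() if l.strip()]
        location = body.pop(0) if body and LOCATION.match(body[0]) else ""
        entries.append(Entry(m.group(1), int(m.group(2)), location, " ".join(body)))
    return entries

# The two level-0 messages from the post: a DC logging these is failing to
# register its own DNS records, which is worth checking before replication.
DNS_FAILURE_MARKERS = ("TKEY is unacceptable", "Failed DNS update")

def dns_update_failures(entries):
    return [e for e in entries if any(mk in e.message for mk in DNS_FAILURE_MARKERS)]

# Constructed sample: the two entries from the post plus one unrelated entry.
SAMPLE_LOG = """\
[2016/11/17 18:51:28.847526,  0]
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
[2016/11/17 18:51:29.145815,  0]
../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
  ../source4/dsdb/dns/dns_update.c:294: Failed DNS update -
NT_STATUS_UNSUCCESSFUL
[2016/11/17 18:51:30.000000,  3]
../source4/example/constructed.c:1(constructed_example)
  Unrelated informational message (constructed)
"""
```

Running `dns_update_failures(parse_samba_log(open("/var/log/samba/log.samba").read()))` on a DC gives the timestamps of every failed self-registration attempt, which is a quicker first check than reading the log by hand.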