[Samba] readonly DC?

Andrew Bartlett abartlet at samba.org
Thu Nov 17 18:50:03 UTC 2016

On Thu, 2016-11-17 at 18:31 +0000, Jo L via samba wrote:
> Hello Samba-ers,
> I tried to continue my Samba setup after a long pause doing other stuff.
> To recall, I want to run two Samba DCs for one domain as virtual machines on two Windows systems (I switched from VirtualBox to Hyper V, which helps to run them automatically at system startup, but I don't think that really matters). Both DCs shall use themselves as DNS server as the VPN in between is unreliable, but I tried the following with the DNS resolver on DC2 pointing to either DC1 or DC2.
> DC1 is running fine, I can edit users, and actually the changes are replicated to DC2.
> DC2 appears to be readonly. In the log file I noticed:
> [2016/11/17 18:51:28.847526,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable and
> [2016/11/17 18:51:29.145815,  0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
>   ../source4/dsdb/dns/dns_update.c:294: Failed DNS update -
> I tried to resolve this via https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable including the workaround described in https://bugzilla.samba.org/show_bug.cgi?id=10882, but I keep getting
> samba_upgradedns --dns-backend=BIND9_DLZ
> Reading domain information
> accounts already exist
> No zone file /var/lib/samba/private/dns/samba.lindenberg.one.zone
> DNS records will be automatically created
> DNS partitions already exist
> Adding dns-dc2 account
> Traceback (most recent call last):
>   File "/usr/sbin/samba_upgradedns", line 438, in <module>
>     "DNSNAME" : dnsname }
>   File "/usr/lib/python2.7/dist-packages/samba/provision/common.py", line 55, in setup_add_ldif
>     ldb.add_ldif(data, controls)
>   File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 225, in add_ldif
>     self.add(msg, controls)
> _ldb.LdbError: (68, '../ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=dns-dc2,CN=Users,DC=samba,DC=lindenberg,DC=one - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=dns-dc2,CN=Users,DC=samba,DC=lindenberg,D\xe0')
> With plenty of error messages that I don't like to see, and after that "klist -k /var/lib/samba/private/dns.keytab" still reports "klist: Key table file '/var/lib/samba/private/dns.keytab' not found while starting keytab scan".
> host -t A dc2.samba.lindenberg.one @..samba.lindenberg.one works fine on DC1 but reports NXDOMAIN on DC2.
> What's wrong? How can I get DC2 to be writable? What other information to check?
> Or should I delete all DC2 information from DC1 and try a rejoin, temporarily setting DNS to DC1?
> Thanks & Best Regards, Joachim

Somehow the RID Set has been allocated incorrectly, or a duplicate RID
pool allocated, perhaps due to a steal of the RID Manager role during a
replication failure.

The dbcheck code in master attempts to address some of this by looking
for this situation and bumping the ridNextRid value.  It should also
look for duplicate rid pools, but doesn't currently.

If you don't need DC2, and don't have any data that is only on that
server, blow it away (samba-tool domain demote
--remove-other-dead-server=DC2 on DC1) and start again.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
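The duplicate RID pool that Andrew describes can be spotted before it surfaces as an objectSid unique index violation. The following is an added diagnostic, not Samba's code or part of this thread: it takes a constructed dump of each DC's RID Set (rIDAllocationPool packs the first RID in the low 32 bits and the last RID in the high 32 bits) plus the objectSids of user objects, and reports overlapping pools, exhausted pools, and SIDs carried by more than one object. The domain SID, DC names and DNs are placeholder values.

```python
from collections import defaultdict

# Constructed sample data (placeholders, not values from the thread).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
RID_SETS = {
    "DC1": {"rIDAllocationPool": (1600 << 32) | 1100, "rIDNextRID": 1107},
    # DC2 holds the same pool as DC1: the duplicate-pool situation.
    "DC2": {"rIDAllocationPool": (1600 << 32) | 1100, "rIDNextRID": 1104},
}
OBJECTS = [  # (DN, objectSid) pairs as they would come from an LDAP search
    ("CN=alice,CN=Users,DC=example,DC=test", DOMAIN_SID + "-1104"),
    ("CN=dns-dc2,CN=Users,DC=example,DC=test", DOMAIN_SID + "-1104"),
    ("CN=bob,CN=Users,DC=example,DC=test", DOMAIN_SID + "-1105"),
]

def pool_bounds(pool):
    """Unpack a rIDAllocationPool value into (first_rid, last_rid)."""
    return pool & 0xFFFFFFFF, pool >> 32

def rid_of(sid):
    """The relative identifier is the last component of the SID string."""
    return int(sid.rsplit("-", 1)[1])

def overlapping_pools(rid_sets):
    """Pairs of DCs whose pools share RIDs; a healthy domain has none."""
    bounds = {dc: pool_bounds(rs["rIDAllocationPool"]) for dc, rs in rid_sets.items()}
    names = sorted(bounds)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if bounds[a][0] <= bounds[b][1] and bounds[b][0] <= bounds[a][1]]

def exhausted_sets(rid_sets):
    """DCs whose last handed-out RID is already past the end of their pool."""
    return sorted(dc for dc, rs in rid_sets.items()
                  if rs["rIDNextRID"] > pool_bounds(rs["rIDAllocationPool"])[1])

def duplicate_sids(objects):
    """objectSid -> DNs for SIDs carried by more than one object; ldb reports
    exactly this as a unique index violation on objectSid."""
    by_sid = defaultdict(list)
    for dn, sid in objects:
        by_sid[sid].append(dn)
    return {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}

def owner_of_rid(rid, rid_sets):
    """DCs whose pool covers the RID; more than one means overlapping pools."""
    return sorted(dc for dc, rs in rid_sets.items()
                  if pool_bounds(rs["rIDAllocationPool"])[0] <= rid
                  <= pool_bounds(rs["rIDAllocationPool"])[1])

if __name__ == "__main__":
    print("overlapping pools:", overlapping_pools(RID_SETS))
    print("exhausted RID sets:", exhausted_sets(RID_SETS))
    for sid, dns in duplicate_sids(OBJECTS).items():
        print(f"duplicate {sid} (RID {rid_of(sid)} owned by "
              f"{owner_of_rid(rid_of(sid), RID_SETS)}): {dns}")
```

On a live DC the same checks can be fed from the output of `samba-tool` or `ldbsearch` against the RID Set objects under each DC's computer account; this example deliberately uses embedded data so it runs offline.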
