[Samba] readonly DC?

Rowland Penny rpenny at samba.org
Thu Nov 17 19:05:59 UTC 2016


On Fri, 18 Nov 2016 07:50:03 +1300
Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Thu, 2016-11-17 at 18:31 +0000, Jo L via samba wrote:
> > Hello Samba-ers,
> > 
> > I tried to continue my Samba setup after a long pause doing other
> > stuff.
> > To recall, I want to run two Samba DCs for one domain as virtual
> > machines on
> > two Windows systems (I switched from VirtualBox to Hyper V, which
> > helps to
> > run them automatically at system startup, but I don't think that
> > really
> > matters). Both DCs shall use themselves as DNS server as the VPN in
> > between
> > is unreliable, but I tried the following with the DNS resolver on
> > DC2 pointing to either DC1 or DC2.
> > 
> > DC1 is running fine, I can edit users, and actually the changes are
> > replicated to DC2. 
> > DC2 appears to be readonly. In the log file I noticed:
> > 
> > [2016/11/17 18:51:28.847526,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
> >   /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
> > and
> > [2016/11/17 18:51:29.145815,  0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
> >   ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_UNSUCCESSFUL
> > 
> > I tried to resolve this via
> > https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacc
> > eptable
> > including the workaround described in
> > https://bugzilla.samba.org/show_bug.cgi?id=10882, but I keep
> > getting 
> > 
> > samba_upgradedns --dns-backend=BIND9_DLZ
> > Reading domain information
> > DNS accounts already exist
> > No zone file /var/lib/samba/private/dns/samba.lindenberg.one.zone
> > DNS records will be automatically created
> > DNS partitions already exist
> > Adding dns-dc2 account
> > Traceback (most recent call last):
> >   File "/usr/sbin/samba_upgradedns", line 438, in <module>
> >     "DNSNAME" : dnsname }
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/common.py", line 55, in setup_add_ldif
> >     ldb.add_ldif(data, controls)
> >   File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 225, in add_ldif
> >     self.add(msg, controls)
> > _ldb.LdbError: (68, '../ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=dns-dc2,CN=Users,DC=samba,DC=lindenberg,DC=one - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=dns-dc2,CN=Users,DC=samba,DC=lindenberg,D\xe0')
> > 
> > With plenty of error messages that I don't like to see, and after
> > that
> > "klist -k /var/lib/samba/private/dns.keytab"
> > still reports "klist: Key table file
> > '/var/lib/samba/private/dns.keytab' not
> > found while starting keytab scan".
> > 
> > host -t A dc2.samba.lindenberg.one @..samba.lindenberg.one works
> > fine on DC1
> > but reports NXDOMAIN on DC2.
> > 
> > What's wrong? How can I get DC2 to be writable? What other
> > information to
> > check?
> > Or should I delete all DC2 information from DC1 and try a rejoin,
> > temporarily setting DNS to DC1?
> > 
> > Thanks & Best Regards, Joachim
> 
> Somehow the RID Set has been allocated incorrectly, or a duplicate RID
> pool allocated, perhaps due to a steal of the RID Manager role during
> a replication failure.
> 
> The dbcheck code in master attempts to address some of this by looking
> for this situation and bumping the ridNextRid value.  It should also
> look for duplicate rid pools, but doesn't currently.
> 
> If you don't need DC2, and don't have any data that is only on that
> server, blow it away (samba-tool domain demote
> --remove-other-dead-server=DC2 on DC1) and start again.
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
> 
> 

Hang on, could this be bug 10928 ?

Before you blow the second DC away, have a look here:

https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

Rowland
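
As an added illustration of the situation Andrew describes above (a duplicate RID pool handing out the same RIDs on two DCs, which surfaces as a unique index violation on objectSid), here is an offline check that is not part of this thread or of Samba itself: it decodes rIDAllocationPool values from an LDIF-style export and flags overlapping pools and duplicated SIDs. The DNs, pool bounds and SIDs in the sample are constructed for the example.

```python
import re
from collections import defaultdict

def decode_pool(value):
    """Unpack rIDAllocationPool as AD stores it: range start in the low 32 bits, end in the high 32 bits."""
    value = int(value)
    return value & 0xFFFFFFFF, value >> 32

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines (no folding, no base64)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, val = line.partition(": ")
            entry[attr].append(val)
        entries.append(dict(entry))
    return entries

def find_overlapping_pools(entries):
    """Return DN pairs whose rIDAllocationPool ranges intersect; two DCs sharing RIDs will mint duplicate SIDs."""
    pools = [(e["dn"][0], *decode_pool(e["rIDAllocationPool"][0]))
             for e in entries if "rIDAllocationPool" in e]
    return [(a[0], b[0]) for i, a in enumerate(pools) for b in pools[i + 1:]
            if a[1] <= b[2] and b[1] <= a[2]]

def find_duplicate_sids(entries):
    """Map each objectSid held by more than one entry to the DNs that carry it."""
    seen = defaultdict(list)
    for e in entries:
        for sid in e.get("objectSid", []):
            seen[sid].append(e["dn"][0])
    return {sid: dns for sid, dns in seen.items() if len(dns) > 1}

# Constructed sample (not real data): both DCs hold the pool 1100-1599, i.e.
# (1599 << 32) | 1100, and the two DNS accounts ended up with the same SID.
SAMPLE_LDIF = """\
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samba,DC=lindenberg,DC=one
rIDAllocationPool: 6867652707404

dn: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=samba,DC=lindenberg,DC=one
rIDAllocationPool: 6867652707404

dn: CN=dns-dc1,CN=Users,DC=samba,DC=lindenberg,DC=one
objectSid: S-1-5-21-1111-2222-3333-1150

dn: CN=dns-dc2,CN=Users,DC=samba,DC=lindenberg,DC=one
objectSid: S-1-5-21-1111-2222-3333-1150
"""
```

Feed it a real export (for instance the output of ldbsearch over the RID Set objects and the Users container) in place of SAMPLE_LDIF; an empty result from both checks is what a healthy pair of DCs should give.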
