[Samba] replPropertyMetaData & KCC issues after updating to Samba 4.5.0

lingpanda101 at gmail.com lingpanda101 at gmail.com
Mon Sep 19 13:22:01 UTC 2016


On 9/18/2016 6:23 PM, Garming Sam wrote:
> Hi,
>
> For the unsorted attributeID values errors, can you first try:
>
> samba-tool dbcheck --cross-ncs --fix --yes 'fix_replmetadata_unsorted_attid'
>
> There's too much going on, and it does look like it might be bailing
> out. Running it with 'fix_replmetadata_unsorted_attid' should fix those
> first errors, then it will probably be easier to figure out what is
> happening. The 'ERROR: incorrect GUID component for member in object'
> should be completely harmless (and due to objects which have been
> recycled) and there's likely a fix to get rid of them to come. However,
> it seems there is something else occurring which we may need to look at
> in more detail.
>
>
>
> As for the KCC, it looks like those are probably stale links from the
> old KCC which connected every DC. The KCC is supposed to delete extra
> connections, but this doesn't always occur (or does not occur
> immediately). Simply deleting those connections should allow the new KCC
> to follow all the site requirements.
>
> If you find that DNS zones are not working correctly, this is probably
> related to the failing dbcheck, and so you may want to also run:
>
> samba-tool dbcheck --cross-ncs --fix --yes 'fix_replica_locations'
>
>
> Hopefully that helps some of your issues.
>
> Cheers,
>
> Garming
>
>
> On 13/09/16 05:12, lingpanda101--- via samba wrote:
>> Hello,
>>
>>      Updated samba from 4.4.5 to 4.5.0. All DC's are Ubuntu 12.04.5
>> LTS. I install samba from source(./configure,make,make install).
>> Looking at the release notes I see the section on
>> "replPropertyMetaData Changes".  I run 'samba-tool dbcheck --cross-ncs
>> --fix --yes' and see the errors and samba attempts to fix.
>>
>> ERROR: unsorted attributeID values in replPropertyMetaData on
>> CN=BOOPTI760-7,OU=Computers,OU=BO Staff,OU=BO
>> Office,OU=PF,DC=domain,DC=local
>>
>> Fix replPropertyMetaData on CN=BOOPTI760-7,OU=Computers,OU=BO
>> Staff,OU=BO,OU=PF,DC=domain,DC=local by sorting the attribute list? [YES]
>> Fixed attribute 'replPropertyMetaData' of
>> 'CN=BOOPTI760-7,OU=Computers,OU=BO Staff,OU=BO,OU=PF,DC=domain,DC=local'
>>
>> If I run the same command again 'samba-tool dbcheck --cross-ncs --fix
>> --yes'.  I appear to see the same errors all over again. It's as if
>> they don't really get corrected.
>>
>> I also see several of these new errors.
>>
>> ERROR: incorrect GUID component for member in object CN=IMG P
>> Share,CN=Users,DC=domain,DC=local -
>> <GUID=6357f99052feb942af868a84a4d5dd78>;<RMD_ADDTIME=130647328190000000>;<RMD_CHANGETIME=130650285980000000>;<RMD_FLAGS=1>;<RMD_INVOCID=194264d3cddbff43815e8850f94192e1>;<RMD_LOCAL_USN=360361>;<RMD_ORIGINATING_USN=478913>;<RMD_VERSION=3>;<SID=010500000000000515000000730d083801679a88e52f2fc7360c0000>;CN=Test
>> User,CN=Users,DC=domain,DC=local
>> unable to find object for DN CN=Test User,CN=Users,DC=domain,DC=local
>> - (No such Base DN: CN=Test User,CN=Users,DC=domain,DC=local)
>> Not removing dangling forward link
>> ERROR: incorrect DN string component for member in object CN=IMG P
>> Share,CN=Users,DC=domain,DC=local -
>> <GUID=f192ae2cf2a55342818fe1b4a45d5396>;<RMD_ADDTIME=130649535030000000>;<RMD_CHANGETIME=130649601110000000>;<RMD_FLAGS=1>;<RMD_INVOCID=194264d3cddbff43815e8850f94192e1>;<RMD_LOCAL_USN=360194>;<RMD_ORIGINATING_USN=478611>;<RMD_VERSION=1>;<SID=010500000000000515000000730d083801679a88e52f2fc7110e0000>;CN=Demo
>> User,OU=Users,OU=IT Department,OU=Prince Frederick,DC=domain,DC=local
>> Change DN to
>> <GUID=2cae92f1-a5f2-4253-818f-e1b4a45d5396>;<SID=S-1-5-21-940051827-2291820289-3341758437-3601>;CN=Demo
>> User,OU=Users,OU=PF MA,OU=MA,OU=PF,DC=domain,DC=local? [YES]
>> ERROR: Failed to fix incorrect DN string on attribute member : (53,
>> 'Attribute member already deleted for target GUID
>> 2cae92f1-a5f2-4253-818f-e1b4a45d5396')
>>
>> The second issue has to do with the new KCC. I had this same issue
>> when I tested out the 'kccsrv:samba_kcc=true' feature in prior builds.
>> See the duplicate connections for 'PFDC2.domain.local' below. I have
>> the same issue on another DC, although for a different DC connection.
>> Site links are also not being adhered to.
>>
>> ==== KCC CONNECTION OBJECTS ====
>>
>> Connection --
>>          Connection name: 042e3f91-6f91-4e3d-ab58-4b9fea0c4b81
>>          Enabled        : TRUE
>>          Server DNS name : PFDC2.domain.local
>>          Server DN name  : CN=NTDS
>> Settings,CN=PFDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
>>                  TransportType: RPC
>>                  options: 0x00000001
>> Warning: No NC replicated for Connection!
>> Connection --
>>          Connection name: 1244834d-74e3-4a5a-981e-88367d7f1a36
>>          Enabled        : TRUE
>>          Server DNS name : pfdc1.domain.local
>>          Server DN name  : CN=NTDS
>> Settings,CN=PFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
>>                  TransportType: RPC
>>                  options: 0x00000001
>> Warning: No NC replicated for Connection!
>> Connection --
>>          Connection name: 26508262-933f-4fd3-bc2c-c236e050bfb0
>>          Enabled        : TRUE
>>          Server DNS name : SOLDC2.domain.local
>>          Server DN name  : CN=NTDS
>> Settings,CN=SOLDC2,CN=Servers,CN=Solomons,CN=Sites,CN=Configuration,DC=domain,DC=local
>>                  TransportType: RPC
>>                  options: 0x00000001
>> Warning: No NC replicated for Connection!
>> Connection --
>>          Connection name: 5ef1d75c-2977-435c-8b90-a94886d3b92d
>>          Enabled        : TRUE
>>          Server DNS name : DUNDC2.domain.local
>>          Server DN name  : CN=NTDS
>> Settings,CN=DUNDC2,CN=Servers,CN=Dunkirk,CN=Sites,CN=Configuration,DC=domain,DC=local
>>                  TransportType: RPC
>>                  options: 0x00000001
>> Warning: No NC replicated for Connection!
>> Connection --
>>          Connection name: 6743a36d-2401-4ecb-9f05-565a4528f7c6
>>          Enabled        : TRUE
>>          Server DNS name : SOLDC1.domain.local
>>          Server DN name  : CN=NTDS
>> Settings,CN=SOLDC1,CN=Servers,CN=Solomons,CN=Sites,CN=Configuration,DC=domain,DC=local
>>                  TransportType: RPC
>>                  options: 0x00000001
>> Warning: No NC replicated for Connection!
>> Connection --
>>          Connection name: 865908ee-2f8b-456c-841e-7f54e3e93835
>>          Enabled        : TRUE
>>          Server DNS name : PFDC2.domain.local
>>          Server DN name  : CN=NTDS
>> Settings,CN=PFDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
>>                  TransportType: RPC
>>                  options: 0x00000001
>> Warning: No NC replicated for Connection!
>>
>>
>> Smb.conf is similar among all DC's. See below.
>>
>> # Global parameters
>> [global]
>>          workgroup = DOMAIN
>>          realm = domain.local
>>          netbios name = DUNDC1
>>          server role = active directory domain controller
>>          dns forwarder = 8.8.8.8
>>          idmap_ldb:use rfc2307 = yes
>>
>>          # Debug Logging Information
>>          log file = /usr/local/samba/var/log.%U
>>          max log size = 5000
>>          log level = 1
>>          logging = syslog@2 file
>>          debug timestamp = Yes
>>          debug uid = Yes
>>          debug pid = Yes
>>
>>          allow dns updates = secure
>>
>>          # Disable Cups Printing
>>          load printers = No
>>          printcap name = /dev/null
>>          disable spoolss = Yes
>>
>>          ldap server require strong auth = No
>>
>> [netlogon]
>>          path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
>>          read only = No
>>
>>
>> [sysvol]
>>          path = /usr/local/samba/var/locks/sysvol
>>          read only = No
>>
>> Thanks for any guidance.
>>

Thanks Garming. "samba-tool dbcheck --cross-ncs --fix --yes
'fix_replmetadata_unsorted_attid'" corrected those errors. Now all that
remain are the GUID errors and several of these: 'ERROR: incorrect DN
string component for member in object CN=Domain
Admins,CN=Users,DC=domain,DC=local'.

The KCC errors I corrected by deleting the old KCC connections. I could
tell the difference because the old KCC doesn't set a
transport (IP, SMTP). The new KCC will create connections based on the
'Inter-Site-Transports' defined in Microsoft Active Directory Sites and
Services. However, it still appears to create a full mesh. For instance,
Site 1 and 3 should not be replication partners. If I look at the NTDS
for site 1, I see automatically generated connections for Site 3 with no
transport selected. Is this expected behavior?



-- 
-James
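
The following is an added example, not part of the original messages or of Samba's code: a small parser for the "KCC CONNECTION OBJECTS" dump quoted above that flags source DCs with more than one connection object (as with PFDC2) and reports each source's site for comparison against the intended site links. The sample input is constructed from three entries in the thread with the wrapped "Server DN name" lines rejoined; the function names are hypothetical.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*)$")
SITE = re.compile(r"CN=Servers,CN=([^,]+),CN=Sites,", re.I)

def parse_connections(dump):
    """Split the dump into one dict per 'Connection --' entry."""
    conns, cur = [], None
    for line in dump.splitlines():
        if line.startswith("Connection --"):
            cur = {}
            conns.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            cur[m.group(1).strip()] = m.group(2).strip()
    return conns

def duplicate_sources(conns):
    """Map each source NTDS Settings DN that has more than one connection
    object to those objects' names (DNs are compared case-insensitively)."""
    by_dn = defaultdict(list)
    for c in conns:
        if "Server DN name" in c:
            by_dn[c["Server DN name"].lower()].append(c.get("Connection name"))
    return {dn: names for dn, names in by_dn.items() if len(names) > 1}

def source_site(conn):
    """Site of the source DC, read from its NTDS Settings DN."""
    m = SITE.search(conn.get("Server DN name", ""))
    return m.group(1) if m else None

def _entry(name, dc, site):
    # Renders one entry in the layout of the dump quoted in the thread.
    dn = (f"CN=NTDS Settings,CN={dc},CN=Servers,CN={site},"
          "CN=Sites,CN=Configuration,DC=domain,DC=local")
    return ("Connection --\n"
            f"        Connection name: {name}\n"
            "        Enabled        : TRUE\n"
            f"        Server DNS name : {dc}.domain.local\n"
            f"        Server DN name  : {dn}\n"
            "                TransportType: RPC\n"
            "                options: 0x00000001\n"
            "Warning: No NC replicated for Connection!\n")

# Constructed sample: three connection objects taken from the thread's dump.
SAMPLE_DUMP = "==== KCC CONNECTION OBJECTS ====\n\n" + "".join([
    _entry("042e3f91-6f91-4e3d-ab58-4b9fea0c4b81", "PFDC2", "Default-First-Site-Name"),
    _entry("26508262-933f-4fd3-bc2c-c236e050bfb0", "SOLDC2", "Solomons"),
    _entry("865908ee-2f8b-456c-841e-7f54e3e93835", "PFDC2", "Default-First-Site-Name"),
])
```
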



