[Samba] samba-tool domain join DC hang

Denis Cardon dcardon at tranquil.it
Wed Sep 28 16:41:40 UTC 2016


Hi Heinz,
>
> Yes, the problem initiated after changing the primary group of all my 11034 users.
>
> I changed the primary group to different groups. This caused that now every user is a member of the LDAP object "Domain users"
>
> ldapsearch -LLL -x -h dc1  -x -b "cn=domain users,cn=users,dc=example,dc=net"  member | grep ^member: | wc -l
> 11034
>
> After this action the replication doesn't work anymore.
>
> Now I try to change the primary group to "Domain users" again ...

Each user entry has a default primary group (primaryGroupId attribute), 
which is "domain users" by default (513). Every user is already part of 
that group when you create one! You don't need to add them afterward. So 
now you have to remove all the users from the group; it will probably 
take the night, as committing the transaction after changing the group 
membership takes a while on large groups. It is doable, I had to do that 
cleanup last year on a similarly sized network.

Cheers,

Denis

>
> regards,
> heinz
>
>
>
>> you have quite a few objects (>12000) in your main partition. Do you have
>> a large group with all those objects inside? The commit of a large group
>> used to result in a very, very long commit time. There should have been
>> some improvement in 4.5 though.
>>
>> One way to join faster is to add the --domain-critical-only. It will
>> sync only the necessary objects during the join, then after first samba
>> startup it will start replicating objects. Actually it is not a solution
>> to the problem; it just moves the problem a little bit downstream, so you
>> can have more debug options.
>>
>>> Is my AD too large????
>>
>> no
>>
>> Cheers,
>>
>> Denis
>>
>>
>>>
>>> root at dc2:# samba-tool drs showrepl
>>> Default-First-Site-Name\DC2
>>> DSA Options: 0x00000001
>>> DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
>>> DSA invocationId: 49a80da8-975f-49ef-834b-224b2bbf0805
>>>
>>> ==== INBOUND NEIGHBORS ====
>>>
>>> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610699, 'The operation cannot be performed.')
>>>
>>>
>>>
>>> root at dc1:~#  samba-tool drs showrepl
>>> Default-First-Site-Name\DC1
>>> DSA Options: 0x00000001
>>> DSA object GUID: 3b97b772-7006-4e18-b572-e05932f63986
>>> DSA invocationId: 84cac16c-79dd-4949-8a0f-e0638b251483
>>>
>>> ==== INBOUND NEIGHBORS ====
>>>
>>> DC=ForestDnsZones,DC=example,DC=net
>>> 	Default-First-Site-Name\DC2 via RPC
>>> 		DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
>>> 		Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
>>> 		30 consecutive failure(s).
>>> 		Last success @ NTTIME(0)
>>>
>>> DC=DomainDnsZones,DC=example,DC=net
>>> 	Default-First-Site-Name\DC2 via RPC
>>> 		DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
>>> 		Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
>>> 		30 consecutive failure(s).
>>> 		Last success @ NTTIME(0)
>>>
>>> DC=example,DC=net
>>> 	Default-First-Site-Name\DC2 via RPC
>>> 		DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
>>> 		Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
>>> 		30 consecutive failure(s).
>>> 		Last success @ NTTIME(0)
>>>
>>> CN=Schema,CN=Configuration,DC=example,DC=net
>>> 	Default-First-Site-Name\DC2 via RPC
>>> 		DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
>>> 		Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
>>> 		30 consecutive failure(s).
>>> 		Last success @ NTTIME(0)
>>>
>>> CN=Configuration,DC=example,DC=net
>>> 	Default-First-Site-Name\DC2 via RPC
>>> 		DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
>>> 		Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
>>> 		30 consecutive failure(s).
>>> 		Last success @ NTTIME(0)
>>>
>>> ==== OUTBOUND NEIGHBORS ====
>>>
>>> ==== KCC CONNECTION OBJECTS ====
>>>
>>> Connection --
>>> 	Connection name: 3005b361-e2ec-465c-92f1-620c8d0b0bec
>>> 	Enabled        : TRUE
>>> 	Server DNS name : dc2.example.net
>>> 	Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
>>> 		TransportType: RPC
>>> 		options: 0x00000001
>>> Warning: No NC replicated for Connection!
>>>
>>> regards,
>>> heinz
>>>
>>>> Hi list,
>>>>
>>>> I removed my second DC from the domain, and now the re-join as DC hangs.
>>>>
>>>> The join hangs now for ca. 2 hours at the step "Committing SAM database"
>>>>
>>>> version: samba 4.5.0 on ubuntu 14.04
>>>>
>>>>
>>>> With a "strace -p " I see this:
>>>>
>>>> strace -p 1793
>>>> Process 1793 attached
>>>> brk(0x35e18000)                         = 0x35e18000
>>>> brk(0x35e39000)                         = 0x35e39000
>>>> brk(0x35e5a000)                         = 0x35e5a000
>>>> brk(0x35e7b000)                         = 0x35e7b000
>>>> brk(0x35e9c000)                         = 0x35e9c000
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
>>>>
>>>>
>>>>
>>>> my smb.conf:
>>>>
>>>> # Global parameters
>>>> [global]
>>>> 	bind interfaces only = Yes
>>>> 	interfaces = lo eth0 eth2
>>>> 	netbios name = DC1
>>>> 	realm = EXAMPLE.NET
>>>> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>> 	workgroup = EXAMPLE
>>>> 	server role = active directory domain controller
>>>> 	idmap_ldb:use rfc2307 = yes
>>>> 	comment =
>>>> 	template homedir = /home/%U
>>>> 	template shell = /bin/bash
>>>> 	ldap server require strong auth = No
>>>>
>>>>
>>>> [netlogon]
>>>> 	path = /srv/samba/var/locks/sysvol/example.net/scripts
>>>> 	read only = No
>>>>
>>>> [sysvol]
>>>> 	path = /srv/samba/var/locks/sysvol
>>>> 	read only = No
>>>>
>>>>
>>>> samba-tool domain join example.net DC --option="interfaces=lo eth0" --option="bind interfaces only"=yes --realm=example.net --dns-backend=BIND9_DLZ -Uadministrator
>>>> Finding a writeable DC for domain 'example.net'
>>>> Found DC dc1.example.net
>>>> Password for [EXAMPLE\administrator]:
>>>> workgroup is EXAMPLE
>>>> realm is example.net
>>>> Adding CN=DC2,OU=Domain Controllers,DC=example,DC=net
>>>> Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
>>>> Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
>>>> Adding SPNs to CN=DC2,OU=Domain Controllers,DC=example,DC=net
>>>> Setting account password for DC2$
>>>> Enabling account
>>>> Adding DNS account CN=dns-DC2,CN=Users,DC=example,DC=net with dns/ SPN
>>>> Setting account password for dns-DC2
>>>> Calling bare provision
>>>> Looking up IPv4 addresses
>>>> Looking up IPv6 addresses
>>>> No IPv6 address will be assigned
>>>> Setting up share.ldb
>>>> Setting up secrets.ldb
>>>> Setting up the registry
>>>> Setting up the privileges database
>>>> Setting up idmap db
>>>> Setting up SAM db
>>>> Setting up sam.ldb partitions and settings
>>>> Setting up sam.ldb rootDSE
>>>> Pre-loading the Samba 4 and AD schema
>>>> A Kerberos configuration suitable for Samba 4 has been generated at /srv/samba/private/krb5.conf
>>>> Provision OK for domain DN DC=example,DC=net
>>>> Starting replication
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=net] objects[402/1550] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=net] objects[804/1550] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=net] objects[1206/1550] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=net] objects[1550/1550] linked_values[0/0]
>>>> Analyze and apply schema objects
>>>> Partition[CN=Configuration,DC=example,DC=net] objects[402/1628] linked_values[0/0]
>>>> Partition[CN=Configuration,DC=example,DC=net] objects[804/1628] linked_values[0/0]
>>>> Partition[CN=Configuration,DC=example,DC=net] objects[1206/1628] linked_values[0/0]
>>>> Partition[CN=Configuration,DC=example,DC=net] objects[1608/1628] linked_values[0/0]
>>>> Partition[CN=Configuration,DC=example,DC=net] objects[1628/1628] linked_values[30/0]
>>>> Replicating critical objects from the base DN of the domain
>>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1402/0]
>>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[98/98] linked_values[679/0]
>>>>
>>>> Partition[DC=example,DC=net] objects[500/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[902/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[1304/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[1706/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[2108/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[2510/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[2912/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[3314/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[3716/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[4118/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[4520/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[4922/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[5324/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[5726/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[6128/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[6530/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[6932/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[7334/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[7736/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[8138/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[8540/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[8942/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[9344/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[9746/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[10148/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[10550/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[10952/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[11354/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[11756/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[12158/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[12560/12791] linked_values[0/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1171/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
>>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[405/0]
>>>> Done with always replicated NC (base, config, schema)
>>>> Replicating DC=DomainDnsZones,DC=example,DC=net
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[402/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[804/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[1206/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[1608/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[2010/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[2412/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[2814/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[3216/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[3618/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[4020/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[4422/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[4824/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[5226/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[5628/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[6030/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[6432/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[6834/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[7236/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[7638/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[8040/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[8442/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[8844/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[9246/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[9648/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[10050/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[10452/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[10854/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[11256/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[11658/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[12060/12122] linked_values[0/0]
>>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[12122/12122] linked_values[0/0]
>>>> Replicating DC=ForestDnsZones,DC=example,DC=net
>>>> Partition[DC=ForestDnsZones,DC=example,DC=net] objects[22/22] linked_values[0/0]
>>>> Committing SAM database
>>>>
>>>>
>>>>
>>>> can someone help me please?
>>>>
>>>> regards,
>>>> heinz
>>>>
>>
>> --
>> Denis Cardon
>> Tranquil IT Systems
>> Les Espaces Jules Verne, bâtiment A
>> 12 avenue Jules Verne
>> 44230 Saint Sébastien sur Loire
>> tel : +33 (0) 2.40.97.57.55
>> http://www.tranquil-it-systems.fr
>>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
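Denis's point is that a user's primary group is stored as a RID in the user's primaryGroupId attribute (513 for Domain Users), not as a value in the group's member attribute, so an explicit member entry for a user whose primaryGroupId already points at that group is redundant. The script below is an added example, not part of this thread or of Samba: it parses constructed ldapsearch-style LDIF for the users and the group, derives the group's RID from its objectSid, lists the member values that duplicate the implicit primary-group membership, and emits the "delete: member" LDIF in small batches so each ldbmodify transaction stays short (Denis notes that committing one huge membership change takes a very long time). The DNs, the domain SID and the batch size are all made up for the example.

```python
"""Find explicit 'member' entries that duplicate a user's primaryGroupId
membership, and emit batched LDIF to remove them.

Added example; the directory data below is constructed, not from a real DC.
"""

# Constructed sample in the style of:
#   ldapsearch -LLL ... "(objectClass=user)" sAMAccountName primaryGroupId
SAMPLE_USERS_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=net
sAMAccountName: alice
primaryGroupId: 513

dn: CN=bob,CN=Users,DC=example,DC=net
sAMAccountName: bob
primaryGroupId: 513

dn: CN=carol,CN=Users,DC=example,DC=net
sAMAccountName: carol
primaryGroupId: 1105
"""

# Constructed sample group entry; the domain SID is made up.
SAMPLE_GROUP_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=net
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
member: CN=alice,CN=Users,DC=example,DC=net
member: CN=bob,CN=Users,DC=example,DC=net
member: CN=carol,CN=Users,DC=example,DC=net
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} dicts, one per entry.
    Handles folded continuation lines (leading space) and comments."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def group_rid(group):
    """The RID is the last sub-authority of the group's objectSid; primaryGroupId stores that RID."""
    return int(group["objectSid"][0].rsplit("-", 1)[1])


def redundant_members(users, group):
    """Member DNs whose user already has this group as primary group.
    DN comparison is case-insensitive, as in the directory."""
    rid = group_rid(group)
    primary = {u["dn"][0].lower(): int(u["primaryGroupId"][0]) for u in users}
    return [m for m in group.get("member", []) if primary.get(m.lower()) == rid]


def removal_ldif(group, members, batch_size=500):
    """LDIF modify records deleting the given member values, at most
    batch_size values per record so each commit stays small."""
    records = []
    for i in range(0, len(members), batch_size):
        chunk = members[i:i + batch_size]
        lines = ["dn: " + group["dn"][0], "changetype: modify", "delete: member"]
        lines += ["member: " + m for m in chunk]
        records.append("\n".join(lines) + "\n")
    return "\n".join(records)


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_USERS_LDIF)
    group = parse_ldif(SAMPLE_GROUP_LDIF)[0]
    dup = redundant_members(users, group)
    print("# %d redundant member value(s) in %s" % (len(dup), group["dn"][0]))
    print(removal_ldif(group, dup, batch_size=1), end="")
```

Against the sample data, alice and bob (primaryGroupId 513) are reported as redundant members of Domain Users, while carol (primaryGroupId 1105) keeps her explicit membership because it is her only link to the group. The emitted LDIF is meant to be reviewed and then fed to ldbmodify one batch at a time rather than applied as a single transaction.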