[Samba] samba-tool domain join DC hang

Heinz Hölzl heinz.hoelzl at gvcc.net
Wed Sep 28 17:12:09 UTC 2016


Hi,

The only thing I did was to assign every user to another group. After this I changed the primary group to these new groups, and the samba server itself assigned the users to the group "Domain Users" automatically (attribute: member).

Now I am trying to revert this and to change the primary group back to 513, so that I can again have a Domain Users object with a small number of members.

Thanx
heinz

On Wednesday, 28 September 2016 18:41 CEST, Denis Cardon <dcardon at tranquil.it> wrote: 
 
> Hi Heinz,
> >
> > yes, the problem started after changing the primary group of all my 11034 users.
> >
> > I changed the primary group to different groups. This caused every user to now be a member of the LDAP object "Domain Users"
> >
> > ldapsearch -LLL -x -h dc1  -x -b "cn=domain users,cn=users,dc=example,dc=net"  member | grep ^member: | wc -l
> > 11034
> >
> > After this action the replication isn't working anymore.
> >
> > Now I am trying to change the primary group to "Domain users" again ...
> 
> each user entry has a default primary group (primaryGroupId attribute), 
> which is "domain users" by default (513). Every user is already part of 
> that group when you create one! You don't need to add them afterward. So 
> now you have to remove all the users from the group, it will probably 
> take the night, as committing the transaction after changing the group 
> membership takes a while on large groups. It is doable, I had to do that 
> cleanup last year on a similarly sized network.
> 
> Cheers,
> 
> Denis
> 
> >
> > regards,
> > heinz
> >
> >
> >
> >> you have quite a few objects (>12000) in your main partition. Do you have
> >> a large group with all those objects inside? The commit of a large group
> >> used to result in very, very long commit times. There should have been
> >> some improvements in 4.5 though.
> >>
> >
> >> One way to join faster is to add --domain-critical-only. It will
> >> sync only the necessary objects during the join, then after the first samba
> >> startup it will start replicating objects. Actually it is not a solution
> >> to the problem, it just moves the problem a little bit downstream, so you
> >> can have more debug options.
> >>
> >>> Is my AD to large????
> >>
> >> no
> >>
> >> Cheers,
> >>
> >> Denis
> >>
> >>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> root at dc2:# samba-tool drs showrepl
> >>> Default-First-Site-Name\DC2
> >>> DSA Options: 0x00000001
> >>> DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
> >>> DSA invocationId: 49a80da8-975f-49ef-834b-224b2bbf0805
> >>>
> >>> ==== INBOUND NEIGHBORS ====
> >>>
> >>> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610699, 'The operation cannot be performed.')
> >>>
> >>>
> >>>
> >>> root at dc1:~#  samba-tool drs showrepl
> >>> Default-First-Site-Name\DC1
> >>> DSA Options: 0x00000001
> >>> DSA object GUID: 3b97b772-7006-4e18-b572-e05932f63986
> >>> DSA invocationId: 84cac16c-79dd-4949-8a0f-e0638b251483
> >>>
> >>> ==== INBOUND NEIGHBORS ====
> >>>
> >>> DC=ForestDnsZones,DC=example,DC=net
> >>> 	Default-First-Site-Name\DC2 via RPC
> >>> 		DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
> >>> 		Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
> >>> 		30 consecutive failure(s).
> >>> 		Last success @ NTTIME(0)
> >>>
> >>> DC=DomainDnsZones,DC=example,DC=net
> >>> 	Default-First-Site-Name\DC2 via RPC
> >>> 		DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
> >>> 		Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
> >>> 		30 consecutive failure(s).
> >>> 		Last success @ NTTIME(0)
> >>>
> >>> DC=example,DC=net
> >>> 	Default-First-Site-Name\DC2 via RPC
> >>> 		DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
> >>> 		Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
> >>> 		30 consecutive failure(s).
> >>> 		Last success @ NTTIME(0)
> >>>
> >>> CN=Schema,CN=Configuration,DC=example,DC=net
> >>> 	Default-First-Site-Name\DC2 via RPC
> >>> 		DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
> >>> 		Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
> >>> 		30 consecutive failure(s).
> >>> 		Last success @ NTTIME(0)
> >>>
> >>> CN=Configuration,DC=example,DC=net
> >>> 	Default-First-Site-Name\DC2 via RPC
> >>> 		DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
> >>> 		Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
> >>> 		30 consecutive failure(s).
> >>> 		Last success @ NTTIME(0)
> >>>
> >>> ==== OUTBOUND NEIGHBORS ====
> >>>
> >>> ==== KCC CONNECTION OBJECTS ====
> >>>
> >>> Connection --
> >>> 	Connection name: 3005b361-e2ec-465c-92f1-620c8d0b0bec
> >>> 	Enabled        : TRUE
> >>> 	Server DNS name : dc2.example.net
> >>> 	Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
> >>> 		TransportType: RPC
> >>> 		options: 0x00000001
> >>> Warning: No NC replicated for Connection!
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> regards,
> >>> heinz
> >>>
> >>>> Hi list,
> >>>>
> >>>> I removed my second DC from the domain, and now the re-join as DC hangs.
> >>>>
> >>>> The join has now been hanging for ca. 2 hours at the step "Committing SAM database"
> >>>>
> >>>> version: samba 4.5.0 on ubuntu 14.04
> >>>>
> >>>>
> >>>> with "strace -p " I see this:
> >>>>
> >>>> strace -p 1793
> >>>> Process 1793 attached
> >>>> brk(0x35e18000)                         = 0x35e18000
> >>>> brk(0x35e39000)                         = 0x35e39000
> >>>> brk(0x35e5a000)                         = 0x35e5a000
> >>>> brk(0x35e7b000)                         = 0x35e7b000
> >>>> brk(0x35e9c000)                         = 0x35e9c000
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>>
> >>>>
> >>>>
> >>>> my smb.conf:
> >>>>
> >>>> # Global parameters
> >>>> [global]
> >>>> 	bind interfaces only = Yes
> >>>> 	interfaces = lo eth0 eth2
> >>>> 	netbios name = DC1
> >>>> 	realm = EXAMPLE.NET
> >>>> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >>>> 	workgroup = EXAMPLE
> >>>> 	server role = active directory domain controller
> >>>> 	idmap_ldb:use rfc2307 = yes
> >>>> 	comment =
> >>>> 	template homedir = /home/%U
> >>>>  	template shell = /bin/bash
> >>>> 	ldap server require strong auth = No
> >>>>
> >>>>
> >>>> [netlogon]
> >>>> 	path = /srv/samba/var/locks/sysvol/example.net/scripts
> >>>> 	read only = No
> >>>>
> >>>> [sysvol]
> >>>> 	path = /srv/samba/var/locks/sysvol
> >>>> 	read only = No
> >>>>
> >>>>
> >>>> samba-tool domain join example.net DC --option="interfaces=lo eth0" --option="bind interfaces only"=yes --realm=example.net --dns-backend=BIND9_DLZ -Uadministrator
> >>>> Finding a writeable DC for domain 'example.net'
> >>>> Found DC dc1.example.net
> >>>> Password for [EXAMPLE\administrator]:
> >>>> workgroup is EXAMPLE
> >>>> realm is example.net
> >>>> Adding CN=DC2,OU=Domain Controllers,DC=example,DC=net
> >>>> Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
> >>>> Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
> >>>> Adding SPNs to CN=DC2,OU=Domain Controllers,DC=example,DC=net
> >>>> Setting account password for DC2$
> >>>> Enabling account
> >>>> Adding DNS account CN=dns-DC2,CN=Users,DC=example,DC=net with dns/ SPN
> >>>> Setting account password for dns-DC2
> >>>> Calling bare provision
> >>>> Looking up IPv4 addresses
> >>>> Looking up IPv6 addresses
> >>>> No IPv6 address will be assigned
> >>>> Setting up share.ldb
> >>>> Setting up secrets.ldb
> >>>> Setting up the registry
> >>>> Setting up the privileges database
> >>>> Setting up idmap db
> >>>> Setting up SAM db
> >>>> Setting up sam.ldb partitions and settings
> >>>> Setting up sam.ldb rootDSE
> >>>> Pre-loading the Samba 4 and AD schema
> >>>> A Kerberos configuration suitable for Samba 4 has been generated at /srv/samba/private/krb5.conf
> >>>> Provision OK for domain DN DC=example,DC=net
> >>>> Starting replication
> >>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=net] objects[402/1550] linked_values[0/0]
> >>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=net] objects[804/1550] linked_values[0/0]
> >>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=net] objects[1206/1550] linked_values[0/0]
> >>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=net] objects[1550/1550] linked_values[0/0]
> >>>> Analyze and apply schema objects
> >>>> Partition[CN=Configuration,DC=example,DC=net] objects[402/1628] linked_values[0/0]
> >>>> Partition[CN=Configuration,DC=example,DC=net] objects[804/1628] linked_values[0/0]
> >>>> Partition[CN=Configuration,DC=example,DC=net] objects[1206/1628] linked_values[0/0]
> >>>> Partition[CN=Configuration,DC=example,DC=net] objects[1608/1628] linked_values[0/0]
> >>>> Partition[CN=Configuration,DC=example,DC=net] objects[1628/1628] linked_values[30/0]
> >>>> Replicating critical objects from the base DN of the domain
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1402/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[679/0]
> >>>>
> >>>> Partition[DC=example,DC=net] objects[500/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[902/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[1304/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[1706/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[2108/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[2510/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[2912/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[3314/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[3716/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[4118/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[4520/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[4922/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[5324/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[5726/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[6128/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[6530/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[6932/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[7334/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[7736/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[8138/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[8540/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[8942/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[9344/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[9746/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[10148/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[10550/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[10952/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[11354/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[11756/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[12158/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[12560/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1171/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[405/0]
> >>>> Done with always replicated NC (base, config, schema)
> >>>> Replicating DC=DomainDnsZones,DC=example,DC=net
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[402/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[804/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[1206/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[1608/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[2010/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[2412/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[2814/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[3216/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[3618/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[4020/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[4422/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[4824/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[5226/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[5628/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[6030/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[6432/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[6834/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[7236/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[7638/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[8040/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[8442/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[8844/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[9246/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[9648/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[10050/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[10452/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[10854/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[11256/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[11658/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[12060/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[12122/12122] linked_values[0/0]
> >>>> Replicating DC=ForestDnsZones,DC=example,DC=net
> >>>> Partition[DC=ForestDnsZones,DC=example,DC=net] objects[22/22] linked_values[0/0]
> >>>> Committing SAM database
> >>>>
> >>>>
> >>>>
> >>>> Can someone help me, please?
> >>>>
> >>>> regards,
> >>>> heinz
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >> --
> >> Denis Cardon
> >> Tranquil IT Systems
> >> Les Espaces Jules Verne, bâtiment A
> >> 12 avenue Jules Verne
> >> 44230 Saint Sébastien sur Loire
> >> tel : +33 (0) 2.40.97.57.55
> >> http://www.tranquil-it-systems.fr
> >>
> >
> >
> >
> 
> -- 
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
> 
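The cleanup Denis describes (every user is implicitly in "Domain Users" through primaryGroupID 513, so the 11034 explicit `member:` values are redundant, and one commit on a group that size is slow) and the revert Heinz intends (primaryGroupID back to 513) can be planned from an LDIF export before touching the directory. The script below is an added example, not code from the Samba project or from either poster. It assumes an export produced with something like `ldbsearch -H /srv/samba/private/sam.ldb -b DC=example,DC=net '(|(cn=Domain Users)(&(objectCategory=person)(objectClass=user)))' member primaryGroupID` (the person filter keeps computer accounts out of the revert list) and that each generated file is applied with `ldbmodify -H /srv/samba/private/sam.ldb FILE`. The input shown is constructed sample data, and the two-phase order is an assumption: re-export between phases, because a primaryGroupID change can make the server rewrite the group's `member` attribute itself, so deletes should only ever be generated against fresh data.

```python
"""Plan the "Domain Users" cleanup from an LDIF export, in small batches.
Added example for this thread; not Samba code. Assumes an ldbsearch export
of the group plus the user entries (dn, member, primaryGroupID)."""
import base64
from typing import Dict, List, Tuple

DOMAIN_USERS_RID = 513   # well-known RID of "Domain Users"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Tiny LDIF reader: unfolds ' '-continued lines, decodes 'attr:: base64',
    lower-cases attribute names; enough for ldbsearch/ldapsearch output."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of the previous line
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical + [""]:
        if line == "":                      # blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):            # "# record 1", "# returned N records"
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # base64-encoded value (non-ASCII DNs)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def plan_cleanup(ldif_text: str, group_dn: str) -> Tuple[List[str], List[str], List[str]]:
    """Sort the group's explicit members into: reverts (primaryGroupID != 513,
    set it back first), redundant (already 513, the member value duplicates the
    implicit membership), unknown (no user entry in the export: leave alone)."""
    by_dn = {e["dn"][0].lower(): e for e in parse_ldif(ldif_text) if "dn" in e}
    group = by_dn[group_dn.lower()]
    reverts, redundant, unknown = [], [], []
    for member in group.get("member", []):
        user = by_dn.get(member.lower())
        if user is None or "primarygroupid" not in user:
            unknown.append(member)
        elif int(user["primarygroupid"][0]) == DOMAIN_USERS_RID:
            redundant.append(member)
        else:
            reverts.append(member)
    return reverts, redundant, unknown


def revert_ldif(user_dns: List[str]) -> str:
    """Phase 1: one modify record per user, primaryGroupID back to 513."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nreplace: primaryGroupID\n"
                     f"primaryGroupID: {DOMAIN_USERS_RID}\n" for dn in user_dns)


def member_delete_batches(group_dn: str, member_dns: List[str], batch_size: int) -> List[str]:
    """Phase 2: delete redundant member values, batch_size per ldbmodify run,
    so no single transaction rewrites the whole 11k-member group at once."""
    batches = []
    for i in range(0, len(member_dns), batch_size):
        lines = [f"dn: {group_dn}", "changetype: modify", "delete: member"]
        lines += [f"member: {m}" for m in member_dns[i:i + batch_size]]
        lines.append("-")
        batches.append("\n".join(lines) + "\n")
    return batches


def _b64(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


GROUP_DN = "CN=Domain Users,CN=Users,DC=example,DC=net"
CAROL_DN = "CN=Carol Müller,CN=Users,DC=example,DC=net"   # non-ASCII, so base64 in LDIF

# Constructed sample export (not real data): one folded line, one base64 DN,
# one member DN ("ghost") that has no user entry in the export.
SAMPLE_LDIF = f"""# record 1
dn: {GROUP_DN}
member: CN=alice,CN=Users,DC=example,DC=net
member: CN=bob,CN=Users,
 DC=example,DC=net
member:: {_b64(CAROL_DN)}
member: CN=dave,CN=Users,DC=example,DC=net
member: CN=ghost,CN=Users,DC=example,DC=net

dn: CN=alice,CN=Users,DC=example,DC=net
primaryGroupID: 513

dn: CN=bob,CN=Users,DC=example,DC=net
primaryGroupID: 1105

dn:: {_b64(CAROL_DN)}
primaryGroupID: 513

dn: CN=dave,CN=Users,DC=example,DC=net
primaryGroupID: 1107
"""

if __name__ == "__main__":
    reverts, redundant, unknown = plan_cleanup(SAMPLE_LDIF, GROUP_DN)
    print(revert_ldif(reverts))
    for n, batch in enumerate(member_delete_batches(GROUP_DN, redundant, 500), 1):
        print(f"--- batch {n} ---\n{batch}")
    print("left alone:", unknown)
```

Run it on the real export, apply the phase-1 LDIF, re-export, run it again and apply only the phase-2 batches it then produces; the member count check from the thread (`ldapsearch ... member | grep ^member: | wc -l`) should drop by `batch_size` after each `ldbmodify`, which is also the easiest way to see whether commit time scales with the group size on your version.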