[Samba] report on issue of samba_upgradedns
Vinicius Bones Silva
vbs at e-trust.com.br
Mon May 15 15:41:44 UTC 2017
Hi,
This is just a report I wanted to share. Maybe someone can put it on the wiki. I created a
new DC for a new site using the samba internal dns option. Later, I decided to go with
bind. So I ran the command, and got this error:
[root@theoden ~]# samba_upgradedns --dns-backend=BIND9_DLZ --verbose
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/E-TRUST.COM.BR.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-theoden account
Traceback (most recent call last):
  File "/sbin/samba_upgradedns", line 433, in <module>
    "DNSNAME" : dnsname }
  File "/usr/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)
_ldb.LdbError: (53, '../source4/dsdb/samdb/ldb_modules/ridalloc.c:556: No RID Set DN - Remote RID Set creation needed')
Since it mentions RID creation, I went to the RID master server. Looking into the logs, I
found:
../source4/rpc_server/drsuapi/getncchanges.c:829: Failed extended allocation RID pool operation - ../source4/dsdb/samdb/ldb_modules/ridalloc.c:727: Failed to find serverReference in CN=THEODEN,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br - (null)
In this case, THEODEN is the new DC.
Then, doing the following search:
ldbsearch -H /var/lib/samba/private/sam.ldb '(CN=THEODEN)' --cross-ncs
on both the new DC and the RID master, I found out that the entry
CN=THEODEN,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br lacks the
attribute serverReference on the RID master.
So I created the following ldif file:
[root@aragorn samba]# cat /root/theoden-fix.ldif
dn: CN=THEODEN,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br
changetype: modify
add: serverReference
serverReference: CN=THEODEN,OU=Domain Controllers,DC=e-trust,DC=com,DC=br
And added it to the RID Master's database:
[root@aragorn samba]# ldbmodify -H /var/lib/samba/private/sam.ldb /root/theoden-fix.ldif
Modified 1 records successfully
Then, I restarted the samba services on the RID master. After that, I was able to run the
samba_upgradedns script successfully:
[root@theoden ~]# samba_upgradedns --dns-backend=BIND9_DLZ --verbose
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/E-TRUST.COM.BR.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-theoden account
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have the internal dns starting. Please make sure you add '-dns' to your server services line in your smb.conf.
Regards.
--
Vinicius Silva
SOC
BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
vbs at e-trust.com.br
skype: vinicius.bones.silva
www.e-trust.com.br <http://www.e-trust.com.br/>
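A check for the condition described in the message above, as an added example that is not part of the original post or of Samba's own tooling: it parses ldbsearch LDIF output, lists server objects that lack serverReference, and builds the corrective LDIF in the same form as the post. The function names, the sample records (including the site name HQ) and the placement of the DC's computer object under OU=Domain Controllers are assumptions made for illustration.

```python
import base64

# Constructed sample shaped like `ldbsearch -H sam.ldb '(objectClass=server)' --cross-ncs`
# output. Record 2 reproduces the state from the post; site "HQ" is made up.
SAMPLE = """\
# record 1
dn: CN=ARAGORN,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br
objectClass: server
serverReference: CN=ARAGORN,OU=Domain Controllers,DC=e-trust,DC=com,DC=br

# record 2
dn: CN=THEODEN,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,
 DC=br
objectClass: top
objectClass: server

# returned 2 records
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attr: [values]} dicts."""
    unfolded = text.replace("\n ", "")   # a leading space continues the previous line
    records = []
    for block in unfolded.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue                 # skip blanks and "# record N" comments
            attr, _, value = line.partition(":")
            if value.startswith(":"):    # "attr:: <base64>" form
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            rec.setdefault(attr.lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def missing_server_reference(records):
    """DNs of server objects that carry no serverReference attribute."""
    return [r["dn"][0] for r in records if "dn" in r
            and "server" in (v.lower() for v in r.get("objectclass", []))
            and "serverreference" not in r]

def fix_ldif(server_dn):
    """Modify-LDIF in the post's form. Assumption: the computer object is
    CN=<name>,OU=Domain Controllers,<domain DN>; confirm with ldbsearch first."""
    rdns = server_dn.split(",")          # naive split, no escaped commas expected
    domain_dn = ",".join(p for p in rdns if p.upper().startswith("DC="))
    return (f"dn: {server_dn}\nchangetype: modify\nadd: serverReference\n"
            f"serverReference: {rdns[0]},OU=Domain Controllers,{domain_dn}\n")
```

Run the search on the RID master, pass its output to `parse_ldif`, and review each generated LDIF before giving it to ldbmodify.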