[Samba] Samba Migration and AD integration

Andrew Bartlett abartlet at samba.org
Tue Feb 6 08:21:54 UTC 2018

On Tue, 2018-02-06 at 03:05 +0000, Praveen Ghimire via samba wrote:
> Hi,
> We migrated from Samba 3 to 4 (4.6.7-Ubuntu) and added and promoted a
> Server 2008R2 as a Domain Controller. We've come across the following
> issues and request some suggestions to resolve them.
> -          The migration didn't generate DNS entries for the new
> realm. We had to manually create a new zone file (/var/cache/bind)
> for the new realm. Only then were we able to promote the Server2008
> R2 as the DC. Is this an expected outcome post migration?

I think you have not understood how AD DNS works.  It won't create a
zone file; it will create entries in the replicated DB that you can see
over LDAP.  By default the internal DNS server is used, but a DLZ
plugin for bind9 can also be used.

Run samba_dnsupgrade --backend=BIND9_DLZ and follow the instructions if
you wish to use bind, rather than create a zone file.

> -          Similarly, the dhcpd.conf file exhibited the same outcome
> as above.

Samba doesn't control dhcpd, but instructions for that are on the wiki.

> -          When we added a new machine to the domain, it didn't
> update the DNS record in the Samba box.  The machine joins to the
> domain but there is no DNS record for it.

If Samba's DNS isn't used then dynamic updates won't work.

> -          We added the DNS role in the Server2008 R2 DC; what we
> found is that any record created in Bind9 gets replicated to the Windows
> server but not vice versa.

While I wouldn't exactly expect this if you were not using Samba for
DNS on the Samba server, I think that is at the heart of your trouble. 

> The AD user bit seems to sync ok between the servers.
> The samba-tool dbcheck --cross-ncs gives the following
> samba-tool dbcheck --cross-ncs
> Checking 3835 objects
> ERROR(<type 'exceptions.ValueError'>): uncaught exception - unable to
> parse dn string
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py",
> line 157, in run
>     controls=controls, attrs=attrs)
>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line
> 198, in check_database
>     error_count += self.check_object(object.dn, attrs=attrs)
>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line
> 1839, in check_object
>     expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
> smb.conf
> [global]
>         netbios name = TEST
>         realm = TESTDC
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = TESTDC
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes

The fact that your realm has no dots in it and is the same as the
workgroup isn't a good start.  This may be a redaction, but I smell
trouble here. 

> [netlogon]
>         path = /var/lib/samba/sysvol/testdc/scripts
>         read only = No
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No

I hope the above helps,

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
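The two configuration problems Andrew points at (a realm with no dots that equals the workgroup, and a "server services" list that never starts Samba's DNS) can be caught with a small smb.conf lint. This is an added example, not code from the thread or from the Samba project; it assumes that "dns" is the service name for the internal DNS server and that "+"/"-" prefixes in "server services" edit the default list.

```python
import re

# Constructed copy of the [global] section quoted in the thread; the wrapped
# "server services" value is rejoined onto one line (mail wrapping, not smb.conf syntax).
SAMPLE_SMB_CONF = """\
[global]
        netbios name = TEST
        realm = TESTDC
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TESTDC
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: returns {section: {key: value}} with
    lower-cased section and key names; '#' and ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def internal_dns_enabled(server_services):
    """Unset 'server services' keeps Samba's defaults (internal DNS on);
    a list with +/- entries edits the defaults; a plain list replaces them."""
    if server_services is None:
        return True
    tokens = [t.strip().lower() for t in server_services.split(",") if t.strip()]
    if any(t[0] in "+-" for t in tokens):
        return "-dns" not in tokens
    return "dns" in tokens

def lint_ad_dc_config(text):
    """Return a list of findings for the [global] section of an AD DC smb.conf."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    realm, workgroup = g.get("realm", ""), g.get("workgroup", "")
    if "." not in realm:
        findings.append("realm has no dots: an AD realm must be a DNS domain name")
    if realm and realm.lower() == workgroup.lower():
        findings.append("realm equals workgroup: expected a DNS name vs. a short NetBIOS name")
    if not internal_dns_enabled(g.get("server services")):
        findings.append("server services omits dns: internal DNS server is off, so "
                        "dynamic updates fail unless the BIND9_DLZ backend is configured")
    return findings
```

Running `lint_ad_dc_config(SAMPLE_SMB_CONF)` on the quoted config reports all three findings; a config with a dotted realm, a distinct workgroup and default services reports none.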
