[Samba] Samba 4.4 AD DC and GET_ANC restriction from Samba 4.5 DC joining (was: Re: Error join samba 4.10.7 to samba 4.4.5)

[Andrew Bartlett]

On Mon, 2019-09-09 at 10:33 +0200, Trenta sis via samba wrote:
> Hi,
> 
> After reading wiki documentation about join I have tested to join a
> second dc, but with problems.
> 
> I need to add a second controller to our AD, and then upgrade existing
> server (4.4.5)  and I have tried to join a new DC 4.10.7 to 4.4.5
> server but I receive join errors, attached output  wit and without
> debug:
> I have executed samba-tool dbcheck --cross-ncs all seems OK
> 
> I have made a test upgrading actual 4.4.5 to 4.10.7 and then join
> 4.10.7 to update DC to 4.10.7 and then works, bu first I need to add a
> second controller to ensure no downtime.
> 
> some questions:
> 1) Why I receive this error?
> Replicating critical objects from the base DN of the domain
> Partition[DC=DOMAIN-TEST,DC=com] objects[98/98] linked_values[762/0]
> Missing parent while attempting to apply records: No parent with GUID
> cdee5b31-365
> 
> d-4c8f-9368-4115b6307a19 found for object remotely known as CN=Domain
> Users,OU=Gru
> 
> ps,DC=DOMAIN-TEST,DC=com
> Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
> 
> --> not sure if can be related with this issue:
> https://bugzilla.samba.org/show_bug.cgi?id=13274

Not that issue, but a very well known one.

The trouble is, Samba 4.4 was happy to get a tree like this:


 X
| |
Y Z

in an order like this:

Step 1

Y

Step 2

Y Z

Step 3
 X
| |
Y Z

As long as everything worked out in the end, it was fine.  But this had
issues, so we patched it to instead demand the objects in tree order
(GET_ANC), but of course the server needs to know what that means. 

Samba 4.5 was, from memory, the first release we did that, but the
server, even with 4.4, didn't really know what that flag meant.  

It wasn't until much later, Samba 4.6 or so, when we finally got the
flag right, which of course gives problems upgrading from Samba 4.4.
(We would sort the current 'page' of replication entries, but not the
whole partition).

We have continued to improve this code since, but that is the core. 
The next issue is a flag called GET_TGT but that hurts much less often,
as we have a client-side workaround detecting that the server didn't
understand us. 

The workaround for you is to carefully touch each object such that the
children are modified after the parents.  Or upgrade in-place that DC
and replicate from there.  Both suck, I know. 

> 2) About join in wiki appears
> "
> If the other DCs are Samba DCs and were provisioned with
> --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 = yes'
> to the join command
> "
> 
> But checking my command userv to migrate from samba nt doamin to our
> actual ADDC domain this command was not used, but checking smb.conf
> appears this:
>  idmap_ldb:use rfc2307 = yes
> 
> But I'm not sure if I have to use --option='idmap_ldb:use rfc2307 =
> yes' on join command

Probably.  But that isn't the big deal at this point. 

I hope this helps a little.  We need to extend our wiki to explain this
more I'm sure.

I've CC'ed samba-technical for those there who might want to learn the
history a bit more.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba