[Samba] Samba 4.4 AD DC and GET_ANC restriction from Samba 4.5 DC joining (was: Re: Error join samba 4.10.7 to samba 4.4.5)

Trenta sis trenta.sis at gmail.com
Tue Sep 10 09:14:18 UTC 2019


Hi,

About duplicate issues warning during join, What I can do to find and
solve this errors?

Thanks

Missatge de Trenta sis <trenta.sis at gmail.com> del dia dl., 9 de set.
2019 a les 15:53:
>
> Hi Andrew,
>
> thanks for you information, but I have some question, I'm not a samba
> expert... Sorry!
>
> Not that issue, but a very well known one.
>
> The trouble is, Samba 4.4 was happy to get a tree like this:
>
>
>  X
> | |
> Y Z
>
> in an order like this:
>
> Step 1
>
> Y
>
> Step 2
>
> Y Z
>
> Step 3
>  X
> | |
> Y Z
>
> As long as everything worked out in the end, it was fine.  But this had
> issues, so we patched it to instead demand the objects in tree order
> (GET_ANC), but of course the server needs to know what that means.
>
> Samba 4.5 was, from memory, the first release we did that, but the
> server, even with 4.4, didn't really know what that flag meant.
>
> It wasn't until much later, Samba 4.6 or so, when we finally got the
> flag right, which of course gives problems upgrading from Samba 4.4.
> (We would sort the current 'page' of replication entries, but not the
> whole partition).
>
> We have continued to improve this code since, but that is the core.
> The next issue is a flag called GET_TGT but that hurts much less often,
> as we have a client-side workaround detecting that the server didn't
> understand us.
>
> The workaround for you is to carefully touch each object such that the
> children are modified after the parents.  Or upgrade in-place that DC
> and replicate from there.  Both suck, I know.
>
> --> Not really sure where is the issue, but moved domain users to
> CN=Users and now join from 4.10.7 to 4.4.5 and seems to work!! Great!!
>  Thanks!!!
> During join some errors "duplciate value attribute CN=.." but I can
> find what is duplicated, and some values that appears as duplciated
> are not showed on RSAT tools,  any suggestion how to solve this
> issues?
>
>
> RFC2307, It seems that join has not added, I'll try to add manually
> and also add some other config that are not added cert config
>
>
> Thanks
>
> Missatge de Andrew Bartlett <abartlet at samba.org> del dia dl., 9 de
> set. 2019 a les 11:14:
> >
> > On Mon, 2019-09-09 at 10:33 +0200, Trenta sis via samba wrote:
> > > Hi,
> > >
> > > After reading wiki documentation about join I have tested to join a
> > > second dc, but with problems.
> > >
> > > I need to add a second controller to our AD, and then upgrade existing
> > > server (4.4.5)  and I have tried to join a new DC 4.10.7 to 4.4.5
> > > server but I receive join errors, attached output  wit and without
> > > debug:
> > > I have executed samba-tool dbcheck --cross-ncs all seems OK
> > >
> > > I have made a test upgrading actual 4.4.5 to 4.10.7 and then join
> > > 4.10.7 to update DC to 4.10.7 and then works, bu first I need to add a
> > > second controller to ensure no downtime.
> > >
> > > some questions:
> > > 1) Why I receive this error?
> > > Replicating critical objects from the base DN of the domain
> > > Partition[DC=DOMAIN-TEST,DC=com] objects[98/98] linked_values[762/0]
> > > Missing parent while attempting to apply records: No parent with GUID
> > > cdee5b31-365
> > >
> > > d-4c8f-9368-4115b6307a19 found for object remotely known as CN=Domain
> > > Users,OU=Gru
> > >
> > > ps,DC=DOMAIN-TEST,DC=com
> > > Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
> > >
> > > --> not sure if can be related with this issue:
> > > https://bugzilla.samba.org/show_bug.cgi?id=13274
> >
> > Not that issue, but a very well known one.
> >
> > The trouble is, Samba 4.4 was happy to get a tree like this:
> >
> >
> >  X
> > | |
> > Y Z
> >
> > in an order like this:
> >
> > Step 1
> >
> > Y
> >
> > Step 2
> >
> > Y Z
> >
> > Step 3
> >  X
> > | |
> > Y Z
> >
> > As long as everything worked out in the end, it was fine.  But this had
> > issues, so we patched it to instead demand the objects in tree order
> > (GET_ANC), but of course the server needs to know what that means.
> >
> > Samba 4.5 was, from memory, the first release we did that, but the
> > server, even with 4.4, didn't really know what that flag meant.
> >
> > It wasn't until much later, Samba 4.6 or so, when we finally got the
> > flag right, which of course gives problems upgrading from Samba 4.4.
> > (We would sort the current 'page' of replication entries, but not the
> > whole partition).
> >
> > We have continued to improve this code since, but that is the core.
> > The next issue is a flag called GET_TGT but that hurts much less often,
> > as we have a client-side workaround detecting that the server didn't
> > understand us.
> >
> > The workaround for you is to carefully touch each object such that the
> > children are modified after the parents.  Or upgrade in-place that DC
> > and replicate from there.  Both suck, I know.
> >
> > > 2) About join in wiki appears
> > > "
> > > If the other DCs are Samba DCs and were provisioned with
> > > --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 = yes'
> > > to the join command
> > > "
> > >
> > > But checking my command userv to migrate from samba nt doamin to our
> > > actual ADDC domain this command was not used, but checking smb.conf
> > > appears this:
> > >  idmap_ldb:use rfc2307 = yes
> > >
> > > But I'm not sure if I have to use --option='idmap_ldb:use rfc2307 =
> > > yes' on join command
> >
> > Probably.  But that isn't the big deal at this point.
> >
> > I hope this helps a little.  We need to extend our wiki to explain this
> > more I'm sure.
> >
> > I've CC'ed samba-technical for those there who might want to learn the
> > history a bit more.
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett                       http://samba.org/~abartlet/
> > Authentication Developer, Samba Team  http://samba.org
> > Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> >
> >



More information about the samba mailing list