[Samba] Samba 4.4 AD DC and GET_ANC restriction from Samba 4.5 DC joining (was: Re: Error join samba 4.10.7 to samba 4.4.5)

Trenta sis trenta.sis at gmail.com
Thu Sep 19 07:49:13 UTC 2019


hi
Sorry, error is

ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in
CN=server,OU=servers,DC=DOMIAN,DC=COM for index on
servicePrincipalNAme, duplicate og objectGUID
931a3f57-1062-423e-9488-695700b197b0 in
@INDEX:SERVICEPRINCIPALNAME:WSMAN/OLD-SERVER

multiple errors liek this during join.

Not sure where is the issue and how to solve?
With this error join is correct and both samba are usable?

thanks

Missatge de Trenta sis <trenta.sis at gmail.com> del dia dt., 17 de set.
2019 a les 12:52:
>
> Hi,
>
> About duplicate issues warning during join, What I can do to find and
> solve this errors?
> I like to investigate source of this issue and solve this errors before join
>
> Thanks
>
> Missatge de Trenta sis <trenta.sis at gmail.com> del dia dt., 10 de set.
> 2019 a les 11:14:
> >
> > Hi,
> >
> > About duplicate issues warning during join, What I can do to find and
> > solve this errors?
> >
> > Thanks
> >
> > Missatge de Trenta sis <trenta.sis at gmail.com> del dia dl., 9 de set.
> > 2019 a les 15:53:
> > >
> > > Hi Andrew,
> > >
> > > thanks for you information, but I have some question, I'm not a samba
> > > expert... Sorry!
> > >
> > > Not that issue, but a very well known one.
> > >
> > > The trouble is, Samba 4.4 was happy to get a tree like this:
> > >
> > >
> > >  X
> > > | |
> > > Y Z
> > >
> > > in an order like this:
> > >
> > > Step 1
> > >
> > > Y
> > >
> > > Step 2
> > >
> > > Y Z
> > >
> > > Step 3
> > >  X
> > > | |
> > > Y Z
> > >
> > > As long as everything worked out in the end, it was fine.  But this had
> > > issues, so we patched it to instead demand the objects in tree order
> > > (GET_ANC), but of course the server needs to know what that means.
> > >
> > > Samba 4.5 was, from memory, the first release we did that, but the
> > > server, even with 4.4, didn't really know what that flag meant.
> > >
> > > It wasn't until much later, Samba 4.6 or so, when we finally got the
> > > flag right, which of course gives problems upgrading from Samba 4.4.
> > > (We would sort the current 'page' of replication entries, but not the
> > > whole partition).
> > >
> > > We have continued to improve this code since, but that is the core.
> > > The next issue is a flag called GET_TGT but that hurts much less often,
> > > as we have a client-side workaround detecting that the server didn't
> > > understand us.
> > >
> > > The workaround for you is to carefully touch each object such that the
> > > children are modified after the parents.  Or upgrade in-place that DC
> > > and replicate from there.  Both suck, I know.
> > >
> > > --> Not really sure where is the issue, but moved domain users to
> > > CN=Users and now join from 4.10.7 to 4.4.5 and seems to work!! Great!!
> > >  Thanks!!!
> > > During join some errors "duplciate value attribute CN=.." but I can
> > > find what is duplicated, and some values that appears as duplciated
> > > are not showed on RSAT tools,  any suggestion how to solve this
> > > issues?
> > >
> > >
> > > RFC2307, It seems that join has not added, I'll try to add manually
> > > and also add some other config that are not added cert config
> > >
> > >
> > > Thanks
> > >
> > > Missatge de Andrew Bartlett <abartlet at samba.org> del dia dl., 9 de
> > > set. 2019 a les 11:14:
> > > >
> > > > On Mon, 2019-09-09 at 10:33 +0200, Trenta sis via samba wrote:
> > > > > Hi,
> > > > >
> > > > > After reading wiki documentation about join I have tested to join a
> > > > > second dc, but with problems.
> > > > >
> > > > > I need to add a second controller to our AD, and then upgrade existing
> > > > > server (4.4.5)  and I have tried to join a new DC 4.10.7 to 4.4.5
> > > > > server but I receive join errors, attached output  wit and without
> > > > > debug:
> > > > > I have executed samba-tool dbcheck --cross-ncs all seems OK
> > > > >
> > > > > I have made a test upgrading actual 4.4.5 to 4.10.7 and then join
> > > > > 4.10.7 to update DC to 4.10.7 and then works, bu first I need to add a
> > > > > second controller to ensure no downtime.
> > > > >
> > > > > some questions:
> > > > > 1) Why I receive this error?
> > > > > Replicating critical objects from the base DN of the domain
> > > > > Partition[DC=DOMAIN-TEST,DC=com] objects[98/98] linked_values[762/0]
> > > > > Missing parent while attempting to apply records: No parent with GUID
> > > > > cdee5b31-365
> > > > >
> > > > > d-4c8f-9368-4115b6307a19 found for object remotely known as CN=Domain
> > > > > Users,OU=Gru
> > > > >
> > > > > ps,DC=DOMAIN-TEST,DC=com
> > > > > Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
> > > > >
> > > > > --> not sure if can be related with this issue:
> > > > > https://bugzilla.samba.org/show_bug.cgi?id=13274
> > > >
> > > > Not that issue, but a very well known one.
> > > >
> > > > The trouble is, Samba 4.4 was happy to get a tree like this:
> > > >
> > > >
> > > >  X
> > > > | |
> > > > Y Z
> > > >
> > > > in an order like this:
> > > >
> > > > Step 1
> > > >
> > > > Y
> > > >
> > > > Step 2
> > > >
> > > > Y Z
> > > >
> > > > Step 3
> > > >  X
> > > > | |
> > > > Y Z
> > > >
> > > > As long as everything worked out in the end, it was fine.  But this had
> > > > issues, so we patched it to instead demand the objects in tree order
> > > > (GET_ANC), but of course the server needs to know what that means.
> > > >
> > > > Samba 4.5 was, from memory, the first release we did that, but the
> > > > server, even with 4.4, didn't really know what that flag meant.
> > > >
> > > > It wasn't until much later, Samba 4.6 or so, when we finally got the
> > > > flag right, which of course gives problems upgrading from Samba 4.4.
> > > > (We would sort the current 'page' of replication entries, but not the
> > > > whole partition).
> > > >
> > > > We have continued to improve this code since, but that is the core.
> > > > The next issue is a flag called GET_TGT but that hurts much less often,
> > > > as we have a client-side workaround detecting that the server didn't
> > > > understand us.
> > > >
> > > > The workaround for you is to carefully touch each object such that the
> > > > children are modified after the parents.  Or upgrade in-place that DC
> > > > and replicate from there.  Both suck, I know.
> > > >
> > > > > 2) About join in wiki appears
> > > > > "
> > > > > If the other DCs are Samba DCs and were provisioned with
> > > > > --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 = yes'
> > > > > to the join command
> > > > > "
> > > > >
> > > > > But checking my command userv to migrate from samba nt doamin to our
> > > > > actual ADDC domain this command was not used, but checking smb.conf
> > > > > appears this:
> > > > >  idmap_ldb:use rfc2307 = yes
> > > > >
> > > > > But I'm not sure if I have to use --option='idmap_ldb:use rfc2307 =
> > > > > yes' on join command
> > > >
> > > > Probably.  But that isn't the big deal at this point.
> > > >
> > > > I hope this helps a little.  We need to extend our wiki to explain this
> > > > more I'm sure.
> > > >
> > > > I've CC'ed samba-technical for those there who might want to learn the
> > > > history a bit more.
> > > >
> > > > Andrew Bartlett
> > > >
> > > > --
> > > > Andrew Bartlett                       http://samba.org/~abartlet/
> > > > Authentication Developer, Samba Team  http://samba.org
> > > > Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> > > >
> > > >



More information about the samba mailing list