[Samba] Failed to commit objects: DOS code 0x000021bf attempting to add DC to Zentyal 3.2 domain (samba 4.1.7)
Andrew Bartlett
abartlet at samba.org
Mon May 25 22:08:20 UTC 2020
On Mon, 2020-05-25 at 17:45 -0400, Rich Webb via samba wrote:
> ----- On May 25, 2020, at 5:22 PM, Andrew Bartlett abartlet at samba.org
> wrote:
>
> > On Mon, 2020-05-25 at 10:26 -0400, Rich Webb via samba wrote:
> > > ----- On May 24, 2020, at 11:30 PM, samba samba at lists.samba.org
> > > wrote:
> > >
> > > > On Sun, 2020-05-24 at 23:01 -0400, Rich Webb via samba wrote:
> > > > > Hello,
> > > > >
> > > > > I'm attempting to join a new samba 4 server version 4.12.3 to
> > > > > an
> > > > > existing samba 4 domain running on Zentyal 3.2 (samba version
> > > > > 4.1.7).
> > > > >
> > > > > I'm getting the error in the subject line: Failed to commit
> > > > > objects:
> > > > > DOS code 0x000021bf
> > > >
> > > > If you turn up the log level is there more information? (eg
> > > > -d4)?
> > > >
> > > > But yes, Samba 4.1.7 is before we fixed a number of issues in
> > > > the
> > > > replication protocol, and I'm not surprised you have issues.
> > > >
> > > > Andrew Bartlett
> > > >
> > > > --
> > >
> > > Also I am currently using 4.10.15 as I tried to backrev to a
> > > version
> > > that would join properly. The -d4 produced a ton of output... Let
> > > me
> > > know if you need more but here is the final pieces that would
> > > likely
> > > give a clue. I have no idea what mail-fs1 is.. that may have
> > > been an
> > > old host name possibly left hanging around in DNS? The DC's name
> > > is
> > > fs1:
> > >
> > > Missing parent while attempting to apply records: No parent with
> > > GUID
> > > fe34e0f7-7c0d-415d-af6e-d564e2b1cdb4 found for object remotely
> > > known
> > > as CN=mail-fs1,OU=Kerberos,DC=tca,DC=local
> > >
> > > ERROR(runtime): uncaught exception - (8460, "Failed to process
> > > 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
> >
> > Thanks, this gives us the information we need.
> >
> > What has happened here is that Samba 4.1, indeed all Samba versions
> > sort the returned results by the order of last change. However,
> > before
> > 4.4 did not know about the GET_ANC flag, to sort the results tree-
> > wise,
> > which we need in this situation, so we can find the parent objects
> > before we replicate the children.
> >
> > This means that, to replicate from Samba 4.1, you need to carefully
> > change a unimportant attribute in all the child objects of
> > OU=Kerberos
> > 'later' than the last change of OU=Kerberos itself.
> >
> > The only other alternative is an in-place upgrade, so the sending
> > Samba
> > version gains this capability.
> >
> > If this makes sense, then have a go. Otherwise (or if this is a
> > large
> > or critical network) this might be a job for a commercial support
> > provider who will probably write a script to assist.
> >
> > How big is your domain?
> >
> > (Dreaming, with unlimited development time I would love to have
> > Samba
> > cope with this natively, by sorting the results on the new DC and
> > using
> > REPL_SINGLE_OBJECT to fill in the gaps, but this is a much bigger
> > task).
> >
> > I hope this gives you a way forward.
> >
> > Andrew Bartlett
>
> Not a huge domain - maybe 8 users or so. When you say in place
> upgrade are you talking about upgrading Zentyal so that Samba gets
> upgraded to at least 4.5 or above?
Yes, or Samba on the Zentyal appliance - even if built manually and
just pointed at the right directories (after forcefully disabling the
installed Samba). I'm not sure how well a modern Samba would build
there, you might have to build 4.5.
But if just 8 users, the simplest approach might be to just make your
domain as 'flat' as possible then try replication again, and fix it up
later.
All the best,
Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
https://catalyst.net.nz/services/samba
More information about the samba
mailing list