[Samba] Issues joining DC

Josep Maria Gorro jmgorro at gmail.com
Sun Jun 16 15:52:26 UTC 2024


Hello Rowland

You're right. It has been my mistake to have only one DC on the 
network. But I thought that the better way to have Samba was to use the 
source and compile it. Now I know that using Debian is the natural way to do it.
I'm waiting for 2 commercial support quotations to solve this situation 
and avoid starting up with a new domain.
In the meantime I'm still searching for information that could be 
useful to "recover" the domain.

I've launched a dcdiag test against the AD server and this has been the 
part of the result that I think is the most important one (sorry, but it 
is in Spanish; translated here):

        Running partition tests on : DomainDnsZones
           Starting test: CheckSDRefDom
                 The application directory partition
    DC=DomainDnsZones,DC=domainname,DC=lan is missing a security
                 descriptor reference domain. The administrator should
                 set the DS-SD-Reference-Domain attribute of the
                 cross-ref object
    CN=65a4ea8a-bd7a-4702-9937-786e1062cce1,CN=Partitions,CN=Configuration,DC=domainname,DC=lan
                 to the DN of a domain.
    ......................... DomainDnsZones failed test
              CheckSDRefDom
           Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test
              CrossRefValidation

        Running partition tests on : ForestDnsZones
           Starting test: CheckSDRefDom
                 The application directory partition
    DC=ForestDnsZones,DC=domainname,DC=lan is missing a security
                 descriptor reference domain. The administrator should
                 set the DS-SD-Reference-Domain attribute of the
                 cross-ref object
    CN=3c813d55-5f95-4a78-aa07-65fe675abe7d,CN=Partitions,CN=Configuration,DC=domainname,DC=lan
                 to the DN of a domain.

So I started to search again and I found this article.
https://bugzilla.samba.org/show_bug.cgi?id=14234
It is really similar to my situation because I also have a w2012 
server enrolled, but in my case only as a member.

Do you think that creating the missing objects could fix the issue and allow 
me to integrate another DC into the domain?

Thanks a lot.

On 16/06/2024 at 9:46, Rowland Penny via samba wrote:
> On Sun, 16 Jun 2024 09:09:38 +0200
> Josep Maria Gorro via samba <samba at lists.samba.org> wrote:
>
>> Hello Luis.
>> Thanks for the response. I've tried it, but the same result appears.
>>
>>      [root at tibidabo ~]# samba-tool dbcheck --cross-ncs --fix --yes
>>      ltdb:
>>      tdb(/usr/local/samba/private/sam.ldb.d/DC=DOMAINDNSZONES,DC=DOMAINNAME,DC=LAN.ldb):
>>      tdb_rec_read bad magic 0xd9fee666 at offset=3878500
>>
>>      ERROR(ldb): uncaught exception - Indexed and full searches both
>> failed!
>>
>>         File
>>      "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
>>      line 176, in _run
>>           return self.run(*args, **kwargs)
>>         File
>>      "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py",
>>      line 157, in run
>>           controls=controls, attrs=attrs)
>>         File
>>      "/usr/local/samba/lib64/python2.7/site-packages/samba/dbchecker.py",
>>      line 188, in check_database
>>           res = self.samdb.search(base=DN, scope=scope, attrs=['dn'],
>>      controls=controls)
>>
>>
>> It sounds to me that the issue is something related to the DNS zone
>> stored in AD.
>> I've taken a look at the DNS administrator and all seems to be OK. No
>> errors. And resolutions OK.
>> Is there any tool to manually check AD data, record by record, in
>> order to manually correct any error?
>>
>> I found the thread
>> https://lists.samba.org/archive/samba/2018-July/217379.html that
>> seems to be similar, but in that case there were 2 DCs. Here I have
>> only one. In the last message Rowland says:
>>
>>      Ah, you are using a self compiled Samba, this is even easier,
>>      move /usr/local/samba to /usr/local/oldsamba , then run 'make
>> install again. You will get a perfectly new /usr/local/samba again ;-)
>>
>> I'm using a self-compiled Samba too. But removing all the files will
>> erase the AD information too, won't it?
> Yes, but that was on a second DC and after doing that the original OP
> would have had to join the DC again, so I do not recommend you do it.
>
> You appear to be stuck now and have painted yourself into a corner
> by only having one DC and an old one at that.
>
> I feel that you have done all that you can, you need to get commercial
> support.
>
> Other than that, if your domain cannot be fixed or fixed in a required
> timescale, you may have to start again with a new domain. If you do,
> then I cannot recommend using a redhat based distro, none of them come
> with Samba packages capable of being provisioned as an Active Directory
> DC (apart from fedora, but their Samba packages use MIT and as such are
> still classed as experimental). Most people that are running Samba AD
> successfully are running it on Debian based distros.
>
> Whatever happens, running just one DC is a bad idea, running two is
> better, but running multiple DCs is even better.
>
> Rowland
>
>> Thanks a lot.
>>
>> On 15/06/2024 at 21:41, Luis Peromarta via samba wrote:
>>> Try this and revert back.
>>> samba-tool dbcheck --cross-ncs --fix --yes
>>>
>>>
>>> LP
>>> On 15 Jun 2024 at 20:29 +0100, Josep Maria Gorro via
>>> samba <samba at lists.samba.org>, wrote:
>>>> Dear all.
>>>>
>>>> Let me give a short summary of the issue I'm currently experiencing
>>>> that has been published in a couple of threads. Now I'm going to
>>>> join them here.
>>>>
>>>> Current scenario.
>>>> CentOS 7 running Samba 4.6.5. No problems at all on the client side,
>>>> all seems to run fine. But in some cases the AD objects appear
>>>> on Windows clients as their SID instead of their name.
>>>>
>>>> Rowland has suggested upgrading Samba (a very good proposal). To do
>>>> this the best steps are:
>>>> 1.- Install another computer.
>>>> 2.- Join it to the domain as a DC.
>>>> 3.- Migrate the FSMO roles from the old one to the new one.
>>>> 4.- Demote the old DC and remove it from AD.
>>>>
>>>> So, hands on. Following Luis's recommendations, I installed a fresh
>>>> Debian 12 and followed his setup guide
>>>> (http://samba.bigbird.es/doku.php?id=samba:start), which is really
>>>> good. All steps ran fine. But when samba-tool domain join is
>>>> launched an error appears:
>>>>
>>>> Join failed - cleaning up
>>>>
>>>> Again, thanks to Rowland, I used the -d10 parameter to send
>>>> stdout and stderr to files when launching samba-tool.
>>>> Reading the more than 200MB file I can see an error
>>>> "WERR_DS_DRA_INTERNAL_ERROR". This error appears after a lot of AD
>>>> objects have been processed to be replicated.
>>>>
>>>> So this drives me to think that something has failed in the AD database.
>>>>
>>>> I usually use samba-tool dbcheck (because I don't have any
>>>> replica) and the result is always OK. But I tried to run
>>>> samba-tool dbcheck --cross-ncs and this error appears
>>>>
>>>> ltdb:
>>>> tdb(/usr/local/samba/private/sam.ldb.d/DC=DOMAINDNSZONES,DC=DOMAINNAME,DC=LAN.ldb):
>>>> tdb_rec_read bad magic 0xd9fee666 at offset=3878500
>>>>
>>>> ERROR(ldb): uncaught exception - Indexed and full searches both
>>>> failed!
>>>>
>>>>     File
>>>> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
>>>> line 176, in _run
>>>>       return self.run(*args, **kwargs)
>>>>     File
>>>> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py",
>>>> line 157, in run
>>>>       controls=controls, attrs=attrs)
>>>>     File
>>>> "/usr/local/samba/lib64/python2.7/site-packages/samba/dbchecker.py",
>>>> line 188, in check_database
>>>>       res = self.samdb.search(base=DN, scope=scope, attrs=['dn'],
>>>> controls=controls)
>>>>
>>>> Could this error be the reason I can't merge a new DC into the domain?
>>>> Can this be solved?
>>>>
>>>> Thanks a lot for your valuable help.
>>>>
>>>> --
>>>> ------------------------------------------------------------------------
>>>> Josep M. Gorro<mailto:jmgorro at gmail.com>
>>>> *Systems engineer*
>>>>
>

-- 
------------------------------------------------------------------------
Josep M. Gorro <mailto:jmgorro at gmail.com>
*Systems engineer*

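Added example for this thread (not code from Samba, from dcdiag, or from any of the posters): a script that turns the CheckSDRefDom failures quoted above into the LDIF that sets msDS-SDReferenceDomain on the two crossRef objects, which is the change dcdiag itself asks for. The sample input is the Spanish dcdiag text from the post, condensed and constructed inline; the English "Starting test:" marker is handled too. It assumes a single-domain forest, as in the thread, so the reference domain is read from the Configuration NC suffix of the crossRef DN; in a multi-domain forest pass the correct domain DN to build_ldif explicitly.

```python
"""Turn dcdiag CheckSDRefDom failures into LDIF that sets msDS-SDReferenceDomain.
Added example for the thread; assumptions are marked in comments."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two failures from the dcdiag run quoted in the thread.
SAMPLE_DCDIAG = """\
      Ejecutando pruebas de partición en: DomainDnsZones
         Iniciando prueba: CheckSDRefDom
               A la partición del directorio de la aplicación
   DC=DomainDnsZones,DC=domainname,DC=lan le falta un dominio de
               referencia del descriptor de seguridad. El administrador debe
               establecer el atributo DS-SD-Reference-Domain del objeto de la
               referencia cruzada
   CN=65a4ea8a-bd7a-4702-9937-786e1062cce1,CN=Partitions,CN=Configuration,DC=domainname,DC=lan
               en el DN de un dominio.
   ......................... DomainDnsZones no superó la prueba CheckSDRefDom
         Iniciando prueba: CrossRefValidation
   ......................... DomainDnsZones superó la prueba CrossRefValidation

      Ejecutando pruebas de partición en: ForestDnsZones
         Iniciando prueba: CheckSDRefDom
               A la partición del directorio de la aplicación
   DC=ForestDnsZones,DC=domainname,DC=lan le falta un dominio de
               referencia del descriptor de seguridad. El administrador debe
               establecer el atributo DS-SD-Reference-Domain del objeto de la
               referencia cruzada
   CN=3c813d55-5f95-4a78-aa07-65fe675abe7d,CN=Partitions,CN=Configuration,DC=domainname,DC=lan
               en el DN de un dominio.
   ......................... ForestDnsZones no superó la prueba CheckSDRefDom
"""

# dcdiag starts each test with "Starting test:" (English) / "Iniciando prueba:" (Spanish).
TEST_START = re.compile(r"(?:Starting test|Iniciando prueba):\s*(\w+)")
# The crossRef object named by dcdiag sits under CN=Partitions in the Configuration NC.
CROSSREF_DN = re.compile(
    r"CN=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12},"
    r"CN=Partitions,CN=Configuration(?:,DC=[^,\s]+)+",
    re.IGNORECASE,
)
# The application partition that crossRef describes (its nCName).
PARTITION_DN = re.compile(r"DC=(?:DomainDnsZones|ForestDnsZones)(?:,DC=[^,\s]+)+", re.IGNORECASE)
FAILURE_MARKER = "DS-SD-Reference-Domain"  # present in the English and Spanish failure text


def split_tests(output: str) -> List[Tuple[str, str]]:
    """Group dcdiag output into (test name, text of that test's block)."""
    tests: List[Tuple[str, List[str]]] = []
    for line in output.splitlines():
        m = TEST_START.search(line)
        if m:
            tests.append((m.group(1), []))
        elif tests:
            tests[-1][1].append(line)
    return [(name, "\n".join(lines)) for name, lines in tests]


def find_missing_sd_ref_domains(output: str) -> Dict[str, str]:
    """Map each crossRef DN flagged by CheckSDRefDom to the partition DN it describes."""
    findings: Dict[str, str] = {}
    for name, text in split_tests(output):
        if name != "CheckSDRefDom" or FAILURE_MARKER not in text:
            continue  # passed, or a different test
        crossref = CROSSREF_DN.search(text)
        partition = PARTITION_DN.search(text)
        if crossref and partition:
            findings[crossref.group(0)] = partition.group(0)
    return findings


def sd_reference_domain(crossref_dn: str) -> str:
    """Domain DN to reference, read off the Configuration NC suffix of the crossRef DN.
    Assumption: single-domain forest (as in the thread); in a multi-domain forest a
    child domain's DomainDnsZones must reference that child, so pass domain_dn instead."""
    marker = "CN=Configuration,"
    idx = crossref_dn.find(marker)
    if idx < 0:
        raise ValueError(f"not a Configuration NC DN: {crossref_dn}")
    return crossref_dn[idx + len(marker):]


def build_ldif(findings: Dict[str, str], domain_dn: Optional[str] = None) -> str:
    """LDIF modify records for ldbmodify; 'replace' keeps the file idempotent if re-run."""
    records = []
    for crossref_dn, _partition_dn in sorted(findings.items(), key=lambda kv: kv[1]):
        ref = domain_dn or sd_reference_domain(crossref_dn)
        records.append(
            f"dn: {crossref_dn}\n"
            "changetype: modify\n"
            "replace: msDS-SDReferenceDomain\n"
            f"msDS-SDReferenceDomain: {ref}\n"
            "-\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    # Prints the LDIF; review it before feeding it to ldbmodify.
    print(build_ldif(find_missing_sd_ref_domains(SAMPLE_DCDIAG)), end="")
```

Apply the output with `ldbmodify -H /usr/local/samba/private/sam.ldb fix-sdrefdom.ldif` and confirm with `ldbsearch -H /usr/local/samba/private/sam.ldb -b CN=Partitions,CN=Configuration,DC=domainname,DC=lan '(objectClass=crossRef)' nCName msDS-SDReferenceDomain`, after taking a copy of the whole private/ directory. This only clears the dcdiag finding: a crossRef attribute edit cannot repair the DomainDnsZones partition file that `samba-tool dbcheck --cross-ncs` reports as unreadable (tdb_rec_read bad magic), which is a separate problem.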

