samba_upgradedns issues on secondary DC

Amitay Isaacs amitay at gmail.com
Thu Apr 19 17:54:12 MDT 2012


On Wed, Apr 18, 2012 at 1:21 PM, Amitay Isaacs <amitay at gmail.com> wrote:
> Hi Daniele,
>
> On Tue, Apr 17, 2012 at 11:39 PM, Daniele Dario <d.dario76 at gmail.com> wrote:
>> Hello Amitay,
>> I'm trying to follow the execution of the samba_upgradedns script to
>> understand why it doesn't work for me:
>>
>> At line 404, in the "Mark that we are hosting DNS partitions" block, the
>> script looks for NCs which are masters or have partial replicas of
>> partitions, right?
>>
>> Trying to reproduce the call with ldbsearch I see
>>
>> [root@kdc02:/usr/local/samba/private]# ldbsearch -H sam.ldb -b "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local" "(objectclass=nTDSDSa)" "hasPartialReplicaNCs" "msDS-hasMasterNCs"
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> # record 1
>> dn: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>> msDS-hasMasterNCs: CN=Configuration,DC=saitelitalia,DC=local
>> msDS-hasMasterNCs: CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
>> msDS-hasMasterNCs: DC=DomainDnsZones,DC=saitelitalia,DC=local
>> msDS-hasMasterNCs: DC=ForestDnsZones,DC=saitelitalia,DC=local
>> msDS-hasMasterNCs: DC=saitelitalia,DC=local
>>
>> # record 2
>> dn: CN=NTDS Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>> msDS-hasMasterNCs: CN=Configuration,DC=saitelitalia,DC=local
>> msDS-hasMasterNCs: CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
>> msDS-hasMasterNCs: DC=saitelitalia,DC=local
>> hasPartialReplicaNCs: DC=DomainDnsZones,DC=saitelitalia,DC=local
>> hasPartialReplicaNCs: DC=ForestDnsZones,DC=saitelitalia,DC=local
>>
>> # returned 2 records
>> # 2 entries
>> # 0 referrals
>>
>> Now samba-tool drs showrepl says that there are no failures and
>> replication seems to be OK.
>>
>> ldbsearch tells me that for the DNS zones I have only a partial replica
>> on the secondary DC.
>> I've also seen that the replica is partial because samba-tool dns query
>> on the secondary DC now doesn't fail but shows me an incomplete content:
>>
>> [root@kdc02:/usr/local/samba/private]# samba-tool dns query kdc02 _msdcs.saitelitalia.local @ ALL -U administrator
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> Using binding ncacn_ip_tcp:kdc02[,sign]
>> Password for [SAITELITALIA\administrator]:
>>  Name=, Records=0, Children=0
>>  Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=0, Children=0
>>  Name=dc, Records=0, Children=2
>>  Name=domains, Records=0, Children=1
>>  Name=edc6129d-b286-47f3-ae02-c7f17d211370, Records=0, Children=0
>>  Name=gc, Records=0, Children=2
>>  Name=kdc01, Records=0, Children=0
>>  Name=pdc, Records=0, Children=1
>>
>> Is it normal to have only partial replicas on secondary DCs? Is this
>> condition something due to an error in the replication or in the DBs?
>> Would it become a full replica at some point?
>
> Well they should start out as partial replicas but after successful
> replication should be marked in msDs-hasMasterNCs. But the replication
> code in samba does not do that. I haven't yet figured out at what
> point an NC is moved from hasPartialReplicaNCs to msDs-hasMasterNCs.
> So samba_upgradedns, for now, hacks that attribute. But the assumption
> here is that you have replication working between primary and
> secondary DCs. This won't fix any replication issues.
>
> I haven't had sufficient spare time to delve into replication
> documentation and code to figure out at what point this should happen.
>
>> Back to the script: once it has found the list of NCs with full and
>> partial replicas (and, adding a little debug info to the script, I've
>> seen that they are not empty, as ldbsearch said), the script will try to
>> update attributes on the db, and for me it fails there when running
>> ldb.MessageElement(master_nclist, ldb.FLAG_MOD_REPLACE,
>> "msDS-hasMasterNCs")
>> but I'm not able to find the sources of that function. Obviously the
>> error is not in the function, but I would like to understand what goes
>> wrong, so can you point me to what I should search for?
>
> I have an idea of why you are seeing ldb Operations Error. I will put
> together a patch which you can test.
>
> Amitay.

Hi Daniele,

Please try this patch and let me know if that fixes the ldb operations
error in samba_upgradedns.

Amitay.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-upgradedns-Update-serverdn-with-only-the-attribut.patch
Type: application/octet-stream
Size: 2960 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120420/0ed040e1/attachment.obj>
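
A read-only check for the state discussed in this thread, as an added example (not part of the original messages and not code from samba_upgradedns): it parses ldbsearch output for the nTDSDSA objects and reports which DCs list the DNS partitions only under hasPartialReplicaNCs. The function names are hypothetical, and the sample input is the output quoted above, trimmed.

```python
import re

# Sample input: the ldbsearch output quoted in this thread, trimmed; wrapped "dn:" lines kept.
BASE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local"
SAMPLE = f"""GENSEC backend 'krb5' registered
dn: CN=NTDS
Settings,CN=KDC01,{BASE}
msDS-hasMasterNCs: DC=DomainDnsZones,DC=saitelitalia,DC=local
msDS-hasMasterNCs: DC=ForestDnsZones,DC=saitelitalia,DC=local

dn: CN=NTDS
Settings,CN=KDC02,{BASE}
msDS-hasMasterNCs: DC=saitelitalia,DC=local
hasPartialReplicaNCs: DC=DomainDnsZones,DC=saitelitalia,DC=local
hasPartialReplicaNCs: DC=ForestDnsZones,DC=saitelitalia,DC=local
"""

ATTR = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")
DNS_NC = re.compile(r"^DC=(DomainDnsZones|ForestDnsZones),", re.I)
ROLE_ATTRS = {"master": "msds-hasmasterncs", "partial": "haspartialreplicancs"}

def parse_records(text):
    """Yield {attribute_lowercase: [values]} per record, rejoining wrapped lines."""
    rec, last = {}, None
    for line in text.splitlines() + [""]:
        if m := ATTR.match(line):
            last = rec.setdefault(m.group(1).lower(), [])
            last.append(m.group(2))
        elif not line.strip() or line.startswith(("#", "GENSEC")):
            if rec:  # blank line, comment or GENSEC log noise closes the record
                yield rec
            rec, last = {}, None
        elif last:  # continuation: LDIF fold (leading space) or mail wrap
            last[-1] += line[1:] if line.startswith(" ") else " " + line

def dns_partition_state(text):
    """Map DC name -> {'master': [...], 'partial': [...]} for the DNS partitions."""
    state = {}
    for rec in parse_records(text):
        dc = re.search(r"CN=NTDS Settings,CN=([^,]+),", rec.get("dn", [""])[0])
        if dc:
            state[dc.group(1)] = {
                key: sorted(m.group(1) for m in map(DNS_NC.match, rec.get(attr, [])) if m)
                for key, attr in ROLE_ATTRS.items()}
    return state

def partial_only_dcs(text):
    """DCs that hold a DNS partition only as a partial replica."""
    state = dns_partition_state(text)
    return sorted(d for d, s in state.items() if set(s["partial"]) - set(s["master"]))
```

On the sample, `partial_only_dcs(SAMPLE)` names KDC02, the secondary DC in this thread.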

