Made a join with a netbios name, which already existed, now replication errors


Samba - General mailing list
Hi there,
I made a big mistake !
We have 3 domain controllers, samba1, samba2 and samba3, all of them running samba "Version 4.3.11 (SerNet)"
samba1 owns all fsmo-roles.
I installed a 4th one, samba4 (Version 4.6.6 - SerNet), copied the smb.conf from samba3, but forgot to adapt the parameters.
 
[global]
        workgroup = DOMAIN
        realm = DOMAIN.UNIVERSITY.DE
        netbios name = SAMBA3
        interfaces = 127.0.0.1, ip_from_samba3                                                                            
        bind interfaces only = Yes
        server role = active directory domain controller
        dns forwarder = ip
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        time server = yes
       
[netlogon]
        path = /var/lib/samba/sysvol/domain.university.de/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
 
I joined samba4 with the smb.conf from the samba3, means same netbios-name and interface-ip-address.
Then I checked the replication of samba4, but it didn't work. (at that time I didn't know why yet)

Later I discovered my wrong smb.conf, corrected the entries and started samba4 again.
Now samba4 seems to replicate, but still as samba3.

The replication of samba3 doesn't work anymore, there is the following error:


Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:111.222.333.3[1024,seal,target_hostname=samba3.domain.university.de,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=111.222.333.3] NT_STATUS_LOGON_FAILURE
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to samba3.domain.university.de failed - drsException: DRS connection to samba3.domain.university.de failed: (-1073741715, 'Logon failure')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
 
It looks like samba4 overlaps samba3 because of the same netbios-name I gave.

The system knows 3 domain controller, samba1, samba2 and samba3. But for replication it takes samba4 as samba3.

How can I correct that ? I tried to demote samba4 (which knows the system as samba3). But this didn't work, there was an error like "out of index".
samba1 and samba2 work correctly as far as I can see - can the system become unstable ?
 
 
 
Thanks in advance

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Fri, 28 Jul 2017 17:26:39 +0200
gizmo via samba <[hidden email]> wrote:

> Hi there,
> I made a big mistake !
> We have 3 domain controllers, samba1, samba2 and samba3, all of them
> running samba "Version 4.3.11 (SerNet)" samba1 owns all fsmo-roles.
> I installed a 4th one, samba4 (Version 4.6.6 - SerNet), copied the
> smb.conf from samba3, but forgot to adapt the parameters.
> [global]
>         workgroup = DOMAIN
>         realm = DOMAIN.UNIVERSITY.DE
>         netbios name = SAMBA3
>         interfaces = 127.0.0.1, ip_from_samba3
>         bind interfaces only = Yes
>         server role = active directory domain controller
>         dns forwarder = ip
>         idmap_ldb:use rfc2307 = yes
>         ldap server require strong auth = no
>         time server = yes
>        
> [netlogon]
>         path = /var/lib/samba/sysvol/domain.university.de/scripts
>         read only = No
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>  
> I joined samba4 with the smb.conf from the samba3, means same
> netbios-name and interface-ip-address.

What do you mean, 'I joined samba4 with the smb.conf' ?

You don't create the smb.conf, the join as a DC should create it for
you.

Rowland


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
>> Hi there,
>> I made a big mistake !
>> We have 3 domain controllers, samba1, samba2 and samba3, all of them
>> running samba "Version 4.3.11 (SerNet)" samba1 owns all fsmo-roles.
>> I installed a 4th one, samba4 (Version 4.6.6 - SerNet), copied the
>> smb.conf from samba3, but forgot to adapt the parameters.
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.UNIVERSITY.DE
>> netbios name = SAMBA3
>> interfaces = 127.0.0.1, ip_from_samba3
>> bind interfaces only = Yes
>> server role = active directory domain controller
>> dns forwarder = ip
>> idmap_ldb:use rfc2307 = yes
>> ldap server require strong auth = no
>> time server = yes
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/domain.university.de/scripts
>> read only = No
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> I joined samba4 with the smb.conf from the samba3, means same
>> netbios-name and interface-ip-address.


>
> What do you mean, 'I joined samba4 with the smb.conf' ?
>
> You don't create the smb.conf, the join as a DC should create it for
> you.
>
> Rowland


I copied the smb.conf from an existing domain controller, because the first join ended with
an error "smb.conf missing"
 
gizmo


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Fri, 28 Jul 2017 19:57:24 +0200
gizmo via samba <[hidden email]> wrote:

> >
> > What do you mean, 'I joined samba4 with the smb.conf' ?
> >
> > You don't create the smb.conf, the join as a DC should create it for
> > you.
> >
> > Rowland
>
>
> I copied the smb.conf from an existing domain controller, because the
> first join ended with an error "smb.conf missing"
>  
> gizmo
>

Well, if anything, this proves that German Universities are as bad as
English ones LOL

When you didn't get a smb.conf, that is when you should have asked for
help.

I think you should first try to fix the database with 'samba-tool
dbcheck --fix --yes'

If this doesn't work, you may need to demote the two DCs in question,
but you may have to upgrade one of the others to at least 4.4.0, this
will get you the '--remove-other-dead-server' option.

Rowland


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
>>
>> I copied the smb.conf from an existing domain controller, because the
>> first join ended with an error "smb.conf missing"
>>
>> gizmo
>>

> Well, if anything, this proves that German Universities are as bad as
> English ones LOL
>
> When you didn't get a smb.conf, that is when you should have asked for
> help.

Now I feel free to ask anything ! ;-)

Now I'm really afraid to make another mistake and ruin the whole domain (maybe I did already)
Would it be more safe to install a 5th domain controller first and do all operations from there ?

And when I upgrade the 2 existing working domain controllers, I also want to upgrade the OS (SLES 11 -> SLES12)
and then samba (4.3.11 -> 4.6.6).
So I intend to upgrade the OS first, which means, that the server with SLES 12 will be working in the beginning
with the samba software which came from the sernet repository for SLES 11 ?

gizmo




Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Fri, 28 Jul 2017 21:09:07 +0200
gizmo via samba <[hidden email]> wrote:

> >>
> >> I copied the smb.conf from an existing domain controller, because
> >> the first join ended with an error "smb.conf missing"
> >>
> >> gizmo
> >>
>
> > Well, if anything, this proves that German Universities are as bad
> > as English ones LOL
> >
> > When you didn't get a smb.conf, that is when you should have asked
> > for help.
>
> Now I feel free to ask anything ! ;-)
>
> Now I'm really afraid to make another mistake and ruin the whole
> domain (maybe I did already) Would it be more safe to install a 5th
> domain controller first and do all operations from there ?

If you can join another DC (and it works) then yes this would be one
way to try.

>
> And when I upgrade the 2 existing working domain controllers, I also
> want to upgrade the OS (SLES 11 -> SLES12) and then samba (4.3.11 ->
> 4.6.6). So I intend to upgrade the OS first, which means, that the
> server with SLES 12 will be working in the beginning with the samba
> software which came from the sernet repository for SLES 11 ?
>

Yes, this is probably what will happen and as long as Sernet says the
Sernet version of 4.3.11 will work with SLES 12, this shouldn't be a
problem.

Rowland
 


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Fri, 2017-07-28 at 17:26 +0200, gizmo via samba wrote:
> How can I correct that ? I tried to demote samba4 (which knows the system as samba3). But this didn't work, there was an error like "out of index".
> samba1 and samba2 work correctly as far as I can see - can the system become unstable ?

When you joined samba4 named as samba3, you removed the account for
samba3.  So the server that thought of itself as samba3 can't operate
any more, essentially it has been force-demoted. 

I guess you need to remove them both and start again from samba1 and
samba2.

Take care, and take good backups!

Thanks,

Andrew Bartlett 

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
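
A pre-join check for the failure described in the message above, as an added example (not from the thread or the Samba project): it flags a leftover smb.conf whose netbios name or interfaces belong to another DC before a join is attempted. The function names, the 192.0.2.x documentation addresses and the DC list passed in are assumptions for illustration.

```python
import ipaddress
import re


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Section and parameter names are normalised the way Samba treats them:
    case-insensitive, with whitespace inside the name ignored.
    """
    def norm(name):
        return re.sub(r"\s+", "", name).lower()

    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm(key)] = value.strip()
    return conf


def prejoin_problems(conf_text, fqdn, local_addrs, existing_dcs):
    """Return (code, detail) tuples for settings that belong to another DC.

    fqdn, local_addrs and existing_dcs are supplied by the caller
    (hypothetical inputs: this host's name, its addresses, current DC names).
    """
    glob = parse_smb_conf(conf_text).get("global", {})
    short = fqdn.split(".")[0].upper()
    taken = {name.upper() for name in existing_dcs}
    local = {ipaddress.ip_address(a) for a in local_addrs}
    problems = []

    # Without an explicit setting Samba uses the host's short name.
    name = glob.get("netbiosname", short).upper()
    if name != short:
        problems.append(("NAME_MISMATCH", "netbios name %s, host is %s" % (name, short)))
    if name in taken:
        problems.append(("NAME_IN_USE", "%s is already a DC in this domain" % name))

    # "interfaces" may hold interface names, addresses or address/mask pairs.
    for token in re.split(r"[,\s]+", glob.get("interfaces", "")):
        try:
            addr = ipaddress.ip_interface(token).ip
        except ValueError:
            continue  # an interface name such as eth0, or an empty token
        if not addr.is_loopback and addr not in local:
            problems.append(("FOREIGN_ADDRESS", "%s is not configured on this host" % addr))
    return problems


# Constructed sample: the [global] section from the thread, with a
# documentation address standing in for "ip_from_samba3".
COPIED_CONF = """
[global]
        workgroup = DOMAIN
        realm = DOMAIN.UNIVERSITY.DE
        netbios name = SAMBA3
        interfaces = 127.0.0.1, 192.0.2.13
        bind interfaces only = Yes
        server role = active directory domain controller
"""
FIXED_CONF = COPIED_CONF.replace("SAMBA3", "SAMBA4").replace("192.0.2.13", "192.0.2.14")

if __name__ == "__main__":
    dcs = ["samba1", "samba2", "samba3"]
    for code, detail in prejoin_problems(
            COPIED_CONF, "samba4.domain.university.de", ["192.0.2.14"], dcs):
        print(code, detail)
```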



Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
> When you joined samba4 named as samba3, you removed the account for
> samba3. So the server that thought of itself as samba3 can't operate
> any more, essentially it has been force-demoted. 
>
> I guess you need to remove them both and start again from samba1 and
> samba2.


hello,

I left samba1 and samba2 untouched. They are still working with SLES 11 and samba 4.3.11 from sernet.
Since I broke samba3 with the installation of samba4, I installed a samba5 with SLES 12 and samba 4.6.6 (sernet),
so that I could demote samba3/samba4 with "samba-tool domain demote --remove-other-dead-server=" executed on samba5.
The first try with the name "samba3" or "samba4" didn't work, but with the GUID I could successfully demote.

samba1, samba2 and samba5 seem to work perfectly. Then I made a new installation of samba3 (SLES 12 and samba 4.6.6)
and also joined that one. Now there are replication-errors on samba3.

While samba1, samba2 and samba5 seem to replicate with each other, and even with samba3,
samba3 has the following error with samba2:

  Default-First-Site-Name\SAMBA2 via RPC
                DSA object GUID: 9455b34f-a395-449e-b7bb-9a900d59fdfe
                Last attempt @ Mon Jul 31 19:24:03 2017 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                58 consecutive failure(s).
                Last success @ Mon Jul 31 19:24:03 2017 CEST

On samba3 all entries under "INBOUND NEIGHBORS" have this error (WERR_DS_DRA_ACCESS_DENIED) with samba2.
The entries under "OUTBOUND NEIGHBORS" are all with success.
Under "KCC CONNECTION OBJECTS" samba1 is missing.

samba2 has a lot of entries in the "log.samba" like that:

  [2017/07/31 19:59:02.987782,  0] ../source4/rpc_server/drsuapi/updaterefs.c:276(dcesrv_drsuapi_DsReplicaUpdateRefs)
    ../source4/rpc_server/drsuapi/updaterefs.c:276: Refusing DsReplicaUpdateRefs for sid S-1-5-21-492433167-3996512854-4160196905-8869 with GUID 8eea9ec6-3610-477b-8770-93b467508e57

This is the GUID from samba3.

Regards


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Mon, 31 Jul 2017 20:06:34 +0200
gizmo via samba <[hidden email]> wrote:

> > When you joined samba4 named as samba3, you removed the account for
> > samba3. So the server that thought of itself as samba3 can't operate
> > any more, essentially it has been force-demoted. 
> >
> > I guess you need to remove them both and start again from samba1 and
> > samba2.
>
>
> hello,
>
> I left samba1 and samba2 untouched. They are still working with
> SLES 11 and samba 4.3.11 from sernet. Since I broke samba3 with the
> installation of samba4, I installed a samba5 with SLES 12 and samba
> 4.6.6 (sernet), so that I could demote samba3/samba4 with "samba-tool
> domain demote --remove-other-dead-server=" executed on samba5. The
> first try with the name "samba3" or "samba4" didn't work, but with the
> GUID I could successfully demote.
>
> samba1, samba2 and samba5 seem to work perfectly. Then I made a new
> installation of samba3 (SLES 12 and samba 4.6.6) and also joined that
> one. Now there are replication-errors on samba3.
>
> While samba1, samba2 and samba5 seem to replicate with each other,
> and even with samba3, samba3 has the following error with samba2:
>
>   Default-First-Site-Name\SAMBA2 via RPC
>                 DSA object GUID: 9455b34f-a395-449e-b7bb-9a900d59fdfe
>                 Last attempt @ Mon Jul 31 19:24:03 2017 CEST failed,
> result 8453 (WERR_DS_DRA_ACCESS_DENIED) 58 consecutive failure(s).
>                 Last success @ Mon Jul 31 19:24:03 2017 CEST
>
> On samba3 all entries under "INBOUND NEIGHBORS" have this error
> (WERR_DS_DRA_ACCESS_DENIED) with samba2. The entries under "OUTBOUND
> NEIGHBORS" are all with success. Under "KCC CONNECTION OBJECTS"
> samba1 is missing.
>
> samba2 has a lot of entries in the "log.samba" like that:
>
>   [2017/07/31 19:59:02.987782,
> 0] ../source4/rpc_server/drsuapi/updaterefs.c:276(dcesrv_drsuapi_DsReplicaUpdateRefs) ../source4/rpc_server/drsuapi/updaterefs.c:276:
> Refusing DsReplicaUpdateRefs for sid
> S-1-5-21-492433167-3996512854-4160196905-8869 with GUID
> 8eea9ec6-3610-477b-8770-93b467508e57
>
> This is the GUID from samba3.
>
> Regards
>

Get rid of samba3 by demoting it again as you did last time, search
through sam.ldb for any mention of samba3 and samba4 (you will
probably have to use '--cross-ncs' with ldbsearch or ldbedit), then
remove them.
Now start again with a new DC, but this time, call it anything but
samba3 or samba4.

Rowland
 


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
> Get rid of samba3 by demoting it again as you did last time, search
> through sam.ldb for any mention of samba3 and samba4 (you will
> probably have to use '--cross-ncs' with ldbsearch or ldbedit), then
> remove them.
> Now start again with a new DC, but this time, call it anything but
> samba3 or samba4.

Indeed after demotion there is one entry "samba3" under "Computers" left.
I want to delete with the Windows-Tool RSAT and it says, that this object
contains other objects and I can choose "delete substructures".

Should I choose that ? I don't really know what effect (or side effect) it has.

Regards


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Mon, 31 Jul 2017 20:57:55 +0200
gizmo via samba <[hidden email]> wrote:

> > Get rid of samba3 by demoting it again as you did last time, search
> > through sam.ldb for any mention of samba3 and samba4 (you will
> > probably have to use '--cross-ncs' with ldbsearch or ldbedit), then
> > remove them.
> > Now start again with a new DC, but this time, call it anything but
> > samba3 or samba4.
>
> Indeed after demotion there is one entry "samba3" under "Computers"
> left. I want to delete with the Windows-Tool RSAT and it says, that
> this object contains other objects and I can choose "delete
> substructures".
>
> Should I choose that ? I don't really know what effect (or side effect)
> it has.

Anything under 'samba3' should only refer to 'samba3', so yes, you
probably can remove it. I would search through sam.ldb with ldbsearch
or ldbedit on the DC to make sure though.

Rowland



Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
> Get rid of samba3 by demoting it again as you did last time, search
> through sam.ldb for any mention of samba3 and samba4 (you will
> probably have to use '--cross-ncs' with ldbsearch or ldbedit), then
> remove them.
> Now start again with a new DC, but this time, call it anything but
> samba3 or samba4.

Getting worse and worse ....
I demoted samba3 and then also samba5, because samba5 reported successful replication
with samba3, although samba3 was already demoted.

So I thought I can start with working samba1 and samba2.

I made a new clean installation of samba5 beginning with the OS ...
But the join failed with

  Unxpectedly got mismatching RDN values when checking RDN against name of CN=NTDS Settings,CN=ISAMBA3,CN=Servers,CN=Default-First-  Site-Name,CN=Sites,CN=Configuration,DC=domain Failed to convert object CN=NTDS Settings,CN=ISAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain: WERR_GEN_FAILURE

SAMBA3 again ??!! I thought I deleted everything !!

A check on samba2 "ldbsearch --cross-ncs ... | egrep -i samba3"

  dn: CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain
  cn: SAMBA3
  name: SAMBA3
  dNSHostName: samba3.domain
  distinguishedName: CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites
  dn: DC=samba3,DC=domain,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain
  name: samba3
  dc: samba3
  distinguishedName: DC=samba3,DC=domain.de,CN=MicrosoftD

I'm sure I checked already in the morning and didn't find any entries about samba3, except the ones I deleted.
I'm already confused and getting nervous, not far from panic.
I'm thinking about starting a completely new domain controller with a backup from before I started all this, hopefully
my backup works.
Or should I delete now the mentioned entries ? (ldbdel ... CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration)
They seem to be deep inside the DNS database. I really have the feeling, with each step it's getting worse.

 


Re: Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
Hello,
now with "ldbsearch --cross-ncs ..." I don't find entries of domain controllers anymore except samba1 and samba2.
sam.ldb seems to be clean now.
But with the DNS-Tool from Windows I can see a lot of entries for samba3, all of them for services like _gc, _kerberos, _ldap, _kpasswd.
Can this be the reason for the error I get when I join samba5 ? Do I have to delete these entries ?

Because when I want to join samba5, I still get the following error. Where does that info about samba3 come from ?

samba-tool domain join domain.university.de DC -U"domain\administrator" --dns-backend=SAMBA_INTERNAL

Finding a writeable DC for domain 'domain.university.de'
Found DC samba1.domain.university.de
Password for [domain\administrator]:
workgroup is domain
realm is domain.university.de
Adding CN=SAMBA5,OU=Domain Controllers,DC=domain,DC=university,DC=de
Adding CN=SAMBA5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
Adding CN=NTDS Settings,CN=SAMBA5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
Adding SPNs to CN=SAMBA5,OU=Domain Controllers,DC=domain,DC=university,DC=de
Setting account password for SAMBA5$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=domain,DC=university,DC=de
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=university,DC=de] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=university,DC=de] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=university,DC=de] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=university,DC=de] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=domain,DC=university,DC=de] objects[402/1655] linked_values[0/0]
Partition[CN=Configuration,DC=domain,DC=university,DC=de] objects[804/1655] linked_values[0/0]
Partition[CN=Configuration,DC=domain,DC=university,DC=de] objects[1206/1655] linked_values[0/0]
Partition[CN=Configuration,DC=domain,DC=university,DC=de] objects[1608/1655] linked_values[0/0]
Partition[CN=Configuration,DC=domain,DC=university,DC=de] objects[1655/1655] linked_values[52/0]
Unxpectedly got mismatching RDN values when checking RDN against name of CN=NTDS
Settings,CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=deFailed to convert object CN=NTDS
Settings,CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de: WERR_GEN_FAILURE
Failed to convert objects: WERR_GEN_FAILURE
Join failed - cleaning up
Deleted CN=SAMBA5,OU=Domain Controllers,DC=domain,DC=university,DC=de
Deleted CN=NTDS Settings,CN=SAMBA5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
Deleted CN=SAMBA5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
ERROR(runtime): uncaught exception - (31, "Failed to process 'chunk' of DRS replicated objects: WERR_GEN_FAILURE")
                  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
                    return self.run(*args, **kwargs)
                  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
                    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
                  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1269, in join_DC
                    ctx.do_join()
                  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1177, in do_join
                    ctx.join_replicate()
                  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 895, in join_replicate
                    replica_flags=ctx.replica_flags)
                  File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 258, in replicate
                    schema=schema, req_level=req_level, req=req)


Regards


>> Get rid of samba3 by demoting it again as you did last time, search
>> through sam.ldb for any mention of samba3 and samba4 (you will
>> probably have to use '--cross-ncs' with ldbsearch or ldbedit), then
>> remove them.
>> Now start again with a new DC, but this time, call it anything but
>> samba3 or samba4.

> Getting worse and worse ....
> I demoted samba3 and then also samba5, because samba5 reported successful replication
> with samba3, although samba3 was already demoted.
>
> So I thought I can start with working samba1 and samba2.
>
> I made a new clean installation of samba5 beginning with the OS ...
> But the join failed with
>
> Unxpectedly got mismatching RDN values when checking RDN against name of CN=NTDS Settings,CN=ISAMBA3,CN=Servers,CN=Default-First- Site-Name,CN=Sites,CN=Configuration,DC=domain Failed to convert object CN=NTDS Settings,CN=ISAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain: WERR_GEN_FAILURE
>
> SAMBA3 again ??!! I thought I deleted everything !!
>
> A check on samba2 "ldbsearch --cross-ncs ... | egrep -i samba3"
>
> dn: CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain
> cn: SAMBA3
> name: SAMBA3
> dNSHostName: samba3.domain
> distinguishedName: CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites
> dn: DC=samba3,DC=domain,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain
> name: samba3
> dc: samba3
> distinguishedName: DC=samba3,DC=domain.de,CN=MicrosoftD
>
> I'm sure I checked already in the morning and didn't find any entries about samba3, except the ones I deleted.
> I'm already confused and getting nervous, not far from panic.
> I'm thinking about starting a completely new domain controller with a backup from before I started all this, hopefully
> my backup works.
> Or should I delete now the mentioned entries ? (ldbdel ... CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration)
> They seem to be deep inside the DNS database. I really have the feeling, with each step it's getting worse.


Re: Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list

> But with the DNS-Tool from Windows I can see a lot of entries for samba3, all of them for services like _gc, _kerberos, _ldap, _kpasswd.

Cleaned the DNS manually with the DNS application, but still I can't join. Same error.



Re: Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
> Cleaned the DNS manually with the DNS application, but still I can't join. Same error.

I thought it was the same error, but now I saw there is a small difference.
It seems like a deleted object causes the problem.
With "ldbsearch --cross-ncs --show-deleted .." I can see now that entry for "samba3" (beside all other demoted servers),
which appears in the error message.

Can I delete that already deleted object with ldbdel just like a "normal" object ?

Regards



samba-tool domain join domain.university.de DC -U"administrator" --dns-backend=SAMBA_INTERNAL

...
Unxpectedly got mismatching RDN values when checking RDN against name of CN=NTDS
Settings,CN=SAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=deFailed
to convert object CN=NTDS
Settings,CN=SAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de:
WERR_GEN_FAILURE
Failed to convert objects: WERR_GEN_FAILURE
Join failed - cleaning up
Deleted CN=SAMBA6,OU=Domain Controllers,DC=domain,DC=university,DC=de
Deleted CN=NTDS Settings,CN=SAMBA6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
Deleted CN=SAMBA6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
ERROR(runtime): uncaught exception - (31, "Failed to process 'chunk' of DRS replicated objects: WERR_GEN_FAILURE")
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1269, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1177, in do_join
    ctx.join_replicate()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 895, in join_replicate
    replica_flags=ctx.replica_flags)
  File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 258, in replicate
    schema=schema, req_level=req_level, req=req)



ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb "distinguishedName=CN=SAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de"

# record 1
dn: CN=SAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
objectClass: top
objectClass: server
instanceType: 4
whenCreated: 20170731105400.0Z
uSNCreated: 529616
objectGUID: e4ee9112-7457-47e9-a603-13a1c762cecf
systemFlags: 1375731712
dNSHostName: samba3.domain.university.de
isDeleted: TRUE
lastKnownParent: CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
isRecycled: TRUE
cn:: ISAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf
name:: ISAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf
whenChanged: 20170801122422.0Z
uSNChanged: 529940
distinguishedName: CN=SAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de

# returned 1 records
# 1 entries
# 0 referrals







Re: Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Wed, 2 Aug 2017 08:50:38 +0200
gizmo via samba <[hidden email]> wrote:

> > Cleaned the DNS manually with the DNS application, but still I
> > can't join. Same error.
>
> I thought it was the same error, but now I saw there is a small
> difference. It seems like a deleted object causes the problem.
> With "ldbsearch --cross-ncs --show-deleted .." I can see now that
> entry for "samba3" (beside all other demoted servers), which appears
> in the error message.
>
> Can I delete that already deleted object with ldbdel just like a
> "normal" object ?
>
> ...
> Unxpectedly got mismatching RDN values when checking RDN against name
> of CN=NTDS
> Settings,CN=SAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=deFailed

No you cannot delete something that is already deleted, but then
deleted objects should be ignored and I think this is fixed in later
versions.

Does your Samba version have 'samba-tool domain tombstones expunge' ?
if it does, you can set the '--tombstone-lifetime' to 1 day and then
wait, all the 'OADEL' objects should disappear.

Rowland


Re: Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
> No you cannot delete something that is already deleted, but then
> deleted objects should be ignored and I think this is fixed in later
> versions.
>
> Does your Samba version have 'samba-tool domain tombstones expunge' ?
> if it does, you can set the '--tombstone-lifetime' to 1 day and then
> wait, all the 'OADEL' objects should disappear.

no, 4.3.11 (SerNet) doesn't have this option yet. I have to wait then.
Because I won't risk an upgrade before I can join a new DC.
What's the default time for keeping deleted objects ?


Re: Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Wed, 2 Aug 2017 10:48:50 +0200
gizmo via samba <[hidden email]> wrote:

> > No you cannot delete something that is already deleted, but then
> > deleted objects should be ignored and I think this is fixed in later
> > versions.
> >
> > Does your Samba version have 'samba-tool domain tombstones
> > expunge' ? if it does, you can set the '--tombstone-lifetime' to 1
> > day and then wait, all the 'OADEL' objects should disappear.
>
> no, 4.3.11 (SerNet) doesn't have this option yet. I have to wait then.
> Because I won't risk an upgrade before I can join a new DC.
> What's the default time for keeping deleted objects ?
>

You are possibly going to have a long wait, it is 180 days

Rowland
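
An added example, not from the thread or the Samba project, for auditing what is left of a demoted DC: it parses LDIF as printed by `ldbsearch --cross-ncs --show-deleted`, unfolds wrapped lines and decodes base64 values (both of which a line-based `egrep` over the output cannot do), and estimates when each tombstone becomes eligible for removal. The sample LDIF is constructed from the record shown earlier in the thread, the function names are hypothetical, and counting the 180-day lifetime from whenChanged is an assumption.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

TOMBSTONE_LIFETIME_DAYS = 180  # default quoted in the thread

# A deleted object's RDN gets "\nDEL:<objectGUID>" appended; ldbsearch
# prints that newline as \0A inside DNs.
DEL_MARK = re.compile(r"\\0ADEL:([0-9a-fA-F-]{36})")


def parse_ldif(text):
    """Parse ldbsearch LDIF output into a list of {attr: [values]} dicts."""
    # Unfold first: a physical line starting with one space continues the
    # previous line, so a line-based grep only sees the first fragment.
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)

    records, cur = [], {}
    for line in logical:
        if not line.strip():          # blank line ends a record
            if cur:
                records.append(cur)
                cur = {}
            continue
        if line.startswith("#"):      # "# record 1", "# returned ..."
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        cur.setdefault(attr.lower(), []).append(value)
    if cur:
        records.append(cur)
    return records


def find_host_objects(records, host, lifetime_days=TOMBSTONE_LIFETIME_DAYS):
    """Report every object whose dn, cn, name or dNSHostName mentions host."""
    needle = host.lower()
    findings = []
    for rec in records:
        dn = rec.get("dn", [""])[0]
        haystack = [dn] + rec.get("cn", []) + rec.get("name", []) + rec.get("dnshostname", [])
        if not any(needle in value.lower() for value in haystack):
            continue
        deleted = rec.get("isdeleted", ["FALSE"])[0].upper() == "TRUE"
        mark = DEL_MARK.search(dn)
        expunge = None
        if deleted and "whenchanged" in rec:
            # Assumption: the lifetime is counted from whenChanged.
            changed = datetime.strptime(rec["whenchanged"][0], "%Y%m%d%H%M%S.0Z")
            expunge = changed.replace(tzinfo=timezone.utc) + timedelta(days=lifetime_days)
        findings.append({"dn": dn, "deleted": deleted,
                         "guid": mark.group(1) if mark else None,
                         "earliest_expunge": expunge})
    return findings


def fold(line, width=76):
    """Wrap one logical LDIF line into folded physical lines (sample helper)."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


# Constructed sample modelled on the tombstone record posted in the thread.
GUID = "e4ee9112-7457-47e9-a603-13a1c762cecf"
BASE_DN = ("CN=Servers,CN=Default-First-Site-Name,CN=Sites,"
           "CN=Configuration,DC=domain,DC=university,DC=de")
SAMPLE_LDIF = "\n".join([
    "# record 1",
    fold("dn: CN=SAMBA3\\0ADEL:" + GUID + "," + BASE_DN),
    "objectClass: server",
    "dNSHostName: samba3.domain.university.de",
    "isDeleted: TRUE",
    "isRecycled: TRUE",
    "cn:: " + base64.b64encode(("SAMBA3\nDEL:" + GUID).encode()).decode(),
    "whenChanged: 20170801122422.0Z",
    "",
    "# record 2",
    fold("dn: CN=SAMBA1," + BASE_DN),
    "objectClass: server",
    "dNSHostName: samba1.domain.university.de",
    "cn: SAMBA1",
    "whenChanged: 20170101000000.0Z",
    "",
])

if __name__ == "__main__":
    for f in find_host_objects(parse_ldif(SAMPLE_LDIF), "samba3"):
        state = "tombstone" if f["deleted"] else "live"
        print(state, f["guid"], f["earliest_expunge"], f["dn"])
```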
