Made a join with a netbios name, which already existed, now replication errors


Samba - General mailing list
Hi there,
I made a big mistake !
We have 3 domain controllers, samba1, samba2 and samba3, all of them running samba "Version 4.3.11 (SerNet)"
samba1 owns all fsmo-roles.
I installed a 4th one, samba4 (Version 4.6.6 - SerNet), copied the smb.conf from samba3, but forgot to adapt the parameters.
 
[global]
        workgroup = DOMAIN
        realm = DOMAIN.UNIVERSITY.DE
        netbios name = SAMBA3
        interfaces = 127.0.0.1, ip_from_samba3                                                                            
        bind interfaces only = Yes
        server role = active directory domain controller
        dns forwarder = ip
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        time server = yes
       
[netlogon]
        path = /var/lib/samba/sysvol/domain.university.de/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
 
I joined samba4 with the smb.conf from the samba3, means same netbios-name and interface-ip-address.
Then I checked the replication of samba4, but it didn't work. (at that time I didn't know why yet)

Later I discovered my wrong smb.conf, corrected the entries and started samba4 again.
Now samba4 seems to replicate, but still as samba3.

The replication of samba3 doesn't work anymore, there is the following error:


Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:111.222.333.3[1024,seal,target_hostname=samba3.domain.university.de,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=111.222.333.3] NT_STATUS_LOGON_FAILURE
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to samba3.domain.university.de failed - drsException: DRS connection to samba3.domain.university.de failed: (-1073741715, 'Logon failure')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
 
It looks like samba4 overlaps samba3 because of the same netbios-name I gave.

The system knows 3 domain controller, samba1, samba2 and samba3. But for replication it takes samba4 as samba3.

How can I correct that ? I tried to demote samba4 (which knows the system as samba3). But this didn't work, there was an error like "out of index".
samba1 and samba2 work correct as far as I can see - can the system become unstable ?
 
 
 
Thanks in advance

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Fri, 28 Jul 2017 17:26:39 +0200
gizmo via samba <[hidden email]> wrote:

> Hi there,
> I made a big mistake !
> We have 3 domain controllers, samba1, samba2 and samba3, all of them
> running samba "Version 4.3.11 (SerNet)" samba1 owns all fsmo-roles.
> I installed a 4th one, samba4 (Version 4.6.6 - SerNet), copied the
> smb.conf from samba3, but forgot to adapt the parameters.
> [global]
>         workgroup = DOMAIN
>         realm = DOMAIN.UNIVERSITY.DE
>         netbios name = SAMBA3
>         interfaces = 127.0.0.1, ip_from_samba3
>         bind interfaces only = Yes
>         server role = active directory domain controller
>         dns forwarder = ip
>         idmap_ldb:use rfc2307 = yes
>         ldap server require strong auth = no
>         time server = yes
>        
> [netlogon]
>         path = /var/lib/samba/sysvol/domain.university.de/scripts
>         read only = No
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>  
> I joined samba4 with the smb.conf from the samba3, means same
> netbios-name and interface-ip-address.

What do you mean, 'I joined samba4 with the smb.conf' ?

You don't create the smb.conf, the join as a DC should create it for
you.

Rowland


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
>> Hi there,
>> I made a big mistake !
>> We have 3 domain controllers, samba1, samba2 and samba3, all of them
>> running samba "Version 4.3.11 (SerNet)" samba1 owns all fsmo-roles.
>> I installed a 4th one, samba4 (Version 4.6.6 - SerNet), copied the
>> smb.conf from samba3, but forgot to adapt the parameters.
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.UNIVERSITY.DE
>> netbios name = SAMBA3
>> interfaces = 127.0.0.1, ip_from_samba3
>> bind interfaces only = Yes
>> server role = active directory domain controller
>> dns forwarder = ip
>> idmap_ldb:use rfc2307 = yes
>> ldap server require strong auth = no
>> time server = yes
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/domain.university.de/scripts
>> read only = No
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> I joined samba4 with the smb.conf from the samba3, means same
>> netbios-name and interface-ip-address.


>
> What do you mean, 'I joined samba4 with the smb.conf' ?
>
> You don't create the smb.conf, the join as a DC should create it for
> you.
>
> Rowland


I copied the smb.conf from an existing domain controller, because the first join ended with
an error "smb.conf missing"
 
gizmo


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Fri, 28 Jul 2017 19:57:24 +0200
gizmo via samba <[hidden email]> wrote:

> >
> > What do you mean, 'I joined samba4 with the smb.conf' ?
> >
> > You don't create the smb.conf, the join as a DC should create it for
> > you.
> >
> > Rowland
>
>
> I copied the smb.conf from an existing domain controller, because the
> first join ended with an error "smb.conf missing"
>  
> gizmo
>

Well, if anything, this proves that German Universities are as bad as
English ones LOL

When you didn't get a smb.conf, that is when you should have asked for
help.

I think you should first try to fix the database with 'samba-tool
dbcheck --fix --yes'

If this doesn't work, you may need to demote the two DCs in question,
but you may have to upgrade one of the others to at least 4.4.0, this
will get you the '--remove-other-dead-server' option.

Rowland


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
>>
>> I copied the smb.conf from an existing domain controller, because the
>> first join ended with an error "smb.conf missing"
>>
>> gizmo
>>

> Well, if anything, this proves that German Universities are as bad as
> English ones LOL
>
> When you didn't get a smb.conf, that is when you should have asked for
> help.

Now I feel free to ask anything ! ;-)

Now I'm really afraid to make another mistake and ruin the whole domain (maybe I did already).
Would it be safer to install a 5th domain controller first and do all operations from there ?

And when I upgrade the 2 existing working domain controllers, I also want to upgrade the OS (SLES 11 -> SLES12)
and then samba (4.3.11 -> 4.6.6).
So I intend to upgrade the OS first, which means, that the server with SLES 12 will be working in the beginning
with the samba software which came from the sernet repository for SLES 11 ?

gizmo




Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Fri, 28 Jul 2017 21:09:07 +0200
gizmo via samba <[hidden email]> wrote:

> >>
> >> I copied the smb.conf from an existing domain controller, because
> >> the first join ended with an error "smb.conf missing"
> >>
> >> gizmo
> >>
>
> > Well, if anything, this proves that German Universities are as bad
> > as English ones LOL
> >
> > When you didn't get a smb.conf, that is when you should have asked
> > for help.
>
> Now I feel free to ask anything ! ;-)
>
> Now I'm really afraid to make another mistake and ruin the whole
> domain (maybe I did already). Would it be safer to install a 5th
> domain controller first and do all operations from there ?

If you can join another DC (and it works) then yes this would be one
way to try.

>
> And when I upgrade the 2 existing working domain controllers, I also
> want to upgrade the OS (SLES 11 -> SLES12) and then samba (4.3.11 ->
> 4.6.6). So I intend to upgrade the OS first, which means, that the
> server with SLES 12 will be working in the beginning with the samba
> software which came from the sernet repository for SLES 11 ?
>

Yes, this is probably what will happen and as long as Sernet says the
Sernet version of 4.3.11 will work with SLES 12, this shouldn't be a
problem.

Rowland
 


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Fri, 2017-07-28 at 17:26 +0200, gizmo via samba wrote:
> How can I correct that ? I tried to demote samba4 (which knows the system as samba3). But this didn't work, there was an error like "out of index".
> samba1 and samba2 work correct as far as I can see - can the system become unstable ?

When you joined samba4 named as samba3, you removed the account for
samba3.  So the server that thought of itself as samba3 can't operate
any more, essentially it has been force-demoted. 

I guess you need to remove them both and start again from samba1 and
samba2.

Take care, and take good backups!

Thanks,

Andrew Bartlett 

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
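
Added example, not part of the thread and not Samba code: a preflight check for the mistake explained above, where an smb.conf copied from an existing DC carries that DC's netbios name and address into the join. The function names, the sample smb.conf, the 192.0.2.x addresses and the domain.example names are constructed for illustration.

```python
"""Preflight check for an smb.conf found on a host that is about to join as a DC."""
import ipaddress
import re


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    Names are normalized as smb.conf(5) describes: not case sensitive,
    whitespace inside names is irrelevant, a trailing backslash continues a line.
    """
    def norm(name):
        return "".join(name.split()).lower()

    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm(key)] = value.strip()
    return conf


def preflight(conf_text, hostname, local_addrs, existing_dcs):
    """Return a list of (code, detail) findings; an empty list means no objection."""
    glob = parse_smb_conf(conf_text).get("global", {})
    own = hostname.split(".")[0].upper()[:15]
    # Without an explicit setting the name is derived from the hostname.
    name = glob.get("netbiosname", own).upper()
    taken = {dc.split(".")[0].upper() for dc in existing_dcs}

    findings = []
    if name != own:
        findings.append(("NAME_NOT_THIS_HOST", f"{name} configured on {own}"))
    if name in taken:
        # Joining under this name would replace the existing DC's account.
        findings.append(("NAME_COLLIDES_WITH_DC", name))
    for token in re.split(r"[,\s]+", glob.get("interfaces", "")):
        try:
            addr = ipaddress.ip_address(token.split("/")[0])
        except ValueError:
            continue  # interface names such as eth0 are not checked here
        if not addr.is_loopback and str(addr) not in local_addrs:
            findings.append(("FOREIGN_ADDRESS", str(addr)))
    # "no" allows simple and SASL binds over unencrypted transports.
    if glob.get("ldapserverrequirestrongauth", "yes").lower() == "no":
        findings.append(("WEAK_LDAP_AUTH", "ldap server require strong auth = no"))
    return findings


# Constructed sample: the kind of file copied from samba3 onto the new host.
COPIED_CONF = """
[global]
        workgroup = DOMAIN
        realm = DOMAIN.EXAMPLE
        netbios name = SAMBA3
        interfaces = 127.0.0.1, 192.0.2.13
        bind interfaces only = Yes
        server role = active directory domain controller
        ldap server require strong auth = no
"""
CORRECTED_CONF = (COPIED_CONF.replace("SAMBA3", "SAMBA4")
                  .replace("192.0.2.13", "192.0.2.14")
                  .replace("strong auth = no", "strong auth = yes"))

if __name__ == "__main__":
    dcs = ["samba1", "samba2", "samba3"]
    for label, conf in (("copied", COPIED_CONF), ("corrected", CORRECTED_CONF)):
        print(label, preflight(conf, "samba4.domain.example", {"192.0.2.14"}, dcs))
```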



Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
> When you joined samba4 named as samba3, you removed the account for
> samba3. So the server that thought of itself as samba3 can't operate
> any more, essentially it has been force-demoted. 
>
> I guess you need to remove them both and start again from samba1 and
> samba2.


hello,

I left samba1 and samba2 untouched. They are still working with SLES 11 and samba 4.3.11 from sernet.
Since I broke samba3 with the installation of samba4, I installed a samba5 with SLES 12 and samba 4.6.6 (sernet),
so that I could demote samba3/samba4 with "samba-tool domain demote --remove-other-dead-server=" executed on samba5.
The first try with the name "samba3" or "samba4" didn't work, but with the GUID I could successfully demote.

samba1, samba2 and samba5 seem to work perfectly. Then I made a new installation of samba3 (SLES 12 and samba 4.6.6)
and also joined that one. Now there are replication errors on samba3.

While samba1, samba2 and samba5 seem to replicate with each other, and even with samba3,
samba3 has the following error with samba2:

  Default-First-Site-Name\SAMBA2 via RPC
                DSA object GUID: 9455b34f-a395-449e-b7bb-9a900d59fdfe
                Last attempt @ Mon Jul 31 19:24:03 2017 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                58 consecutive failure(s).
                Last success @ Mon Jul 31 19:24:03 2017 CEST

On samba3 all entries under "INBOUND NEIGHBORS" have this error (WERR_DS_DRA_ACCESS_DENIED) with samba2.
The entries under "OUTBOUND NEIGHBORS" are all with success.
Under "KCC CONNECTION OBJECTS" samba1 is missing.

samba2 has a lot of entries in the "log.samba" like that:

  [2017/07/31 19:59:02.987782,  0] ../source4/rpc_server/drsuapi/updaterefs.c:276(dcesrv_drsuapi_DsReplicaUpdateRefs)
    ../source4/rpc_server/drsuapi/updaterefs.c:276: Refusing DsReplicaUpdateRefs for sid S-1-5-21-492433167-3996512854-4160196905-8869 with GUID 8eea9ec6-3610-477b-8770-93b467508e57

This is the GUID from samba3.

Regards


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Mon, 31 Jul 2017 20:06:34 +0200
gizmo via samba <[hidden email]> wrote:

> > When you joined samba4 named as samba3, you removed the account for
> > samba3. So the server that thought of itself as samba3 can't operate
> > any more, essentially it has been force-demoted. 
> >
> > I guess you need to remove them both and start again from samba1 and
> > samba2.
>
>
> hello,
>
> I left samba1 and samba2 untouched. They are still working with
> SLES 11 and samba 4.3.11 from sernet. Since I broke samba3 with the
> installation of samba4, I installed a samba5 with SLES 12 and samba
> 4.6.6 (sernet), so that I could demote samba3/samba4 with "samba-tool
> domain demote --remove-other-dead-server=" executed on samba5. The
> first try with the name "samba3" or "samba4" didn't work, but with the
> GUID I could successfully demote.
>
> samba1, samba2 and samba5 seem to work perfectly. Then I made a new
> installation of samba3 (SLES 12 and samba 4.6.6) and also joined that
> one. Now there are replication errors on samba3.
>
> While samba1, samba2 and samba5 seem to replicate with each other,
> and even with samba3, samba3 has the following error with samba2:
>
>   Default-First-Site-Name\SAMBA2 via RPC
>                 DSA object GUID: 9455b34f-a395-449e-b7bb-9a900d59fdfe
>                 Last attempt @ Mon Jul 31 19:24:03 2017 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
>                 58 consecutive failure(s).
>                 Last success @ Mon Jul 31 19:24:03 2017 CEST
>
> On samba3 all entries under "INBOUND NEIGHBORS" have this error
> (WERR_DS_DRA_ACCESS_DENIED) with samba2. The entries under "OUTBOUND
> NEIGHBORS" are all with success. Under "KCC CONNECTION OBJECTS"
> samba1 is missing.
>
> samba2 has a lot of entries in the "log.samba" like that:
>
>   [2017/07/31 19:59:02.987782,  0] ../source4/rpc_server/drsuapi/updaterefs.c:276(dcesrv_drsuapi_DsReplicaUpdateRefs)
>     ../source4/rpc_server/drsuapi/updaterefs.c:276: Refusing DsReplicaUpdateRefs for sid S-1-5-21-492433167-3996512854-4160196905-8869 with GUID 8eea9ec6-3610-477b-8770-93b467508e57
>
> This is the GUID from samba3.
>
> Regards
>

Get rid of samba3 by demoting it again as you did last time, search
through sam.ldb for any mention of samba3 and samba4 (you will
probably have to use '--cross-ncs' with ldbsearch or ldbedit), then
remove them.
Now start again with a new DC, but this time, call it anything but
samba3 or samba4.

Rowland
 


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
> Get rid of samba3 by demoting it again as you did last time, search
> through sam.ldb for any mention of samba3 and samba4 (you will
> probably have to use '--cross-ncs' with ldbsearch or ldbedit), then
> remove them.
> Now start again with a new DC, but this time, call it anything but
> samba3 or samba4.

Indeed after demotion there is one entry "samba3" under "Computers" left.
I want to delete with the Windows-Tool RSAT and it says, that this object
contains other objects and I can choose "delete substructures".

Should I choose that ? I don't really know what effect (or side effect) it has.

Regards


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Mon, 31 Jul 2017 20:57:55 +0200
gizmo via samba <[hidden email]> wrote:

> > Get rid of samba3 by demoting it again as you did last time, search
> > through sam.ldb for any mention of samba3 and samba4 (you will
> > probably have to use '--cross-ncs' with ldbsearch or ldbedit), then
> > remove them.
> > Now start again with a new DC, but this time, call it anything but
> > samba3 or samba4.
>
> Indeed after demotion there is one entry "samba3" under "Computers"
> left. I want to delete with the Windows-Tool RSAT and it says, that
> this object contains other objects and I can choose "delete
> substructures".
>
> Should I choose that ? I don't really know what effect (or side effect)
> it has.

Anything under 'samba3' should only refer to 'samba3', so yes, you
probably can remove it. I would search through sam.ldb with ldbsearch
or ldbedit on the DC to make sure though.

Rowland



Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
> Get rid of samba3 by demoting it again as you did last time, search
> through sam.ldb for any mention of samba3 and samba4 (you will
> probably have to use '--cross-ncs' with ldbsearch or ldbedit), then
> remove them.
> Now start again with a new DC, but this time, call it anything but
> samba3 or samba4.

Getting worse and worse ....
I demoted samba3 and then also samba5, because samba5 reported successful replication
with samba3, although samba3 was already demoted.

So I thought I can start with working samba1 and samba2.

I made a new clean installation of samba5 beginning with the OS ...
But the join failed with

  Unxpectedly got mismatching RDN values when checking RDN against name of CN=NTDS Settings,CN=ISAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain
  Failed to convert object CN=NTDS Settings,CN=ISAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain: WERR_GEN_FAILURE

SAMBA3 again ??!! I thought I deleted everything !!

A check on samba2 "ldbsearch --cross-ncs ... | egrep -i samba3"

  dn: CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain
  cn: SAMBA3
  name: SAMBA3
  dNSHostName: samba3.domain
  distinguishedName: CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites
  dn: DC=samba3,DC=domain,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain
  name: samba3
  dc: samba3
  distinguishedName: DC=samba3,DC=domain.de,CN=MicrosoftD

I'm sure I checked already in the morning and didn't find any entries about samba3, except the ones I deleted.
I'm already confused and getting nervous, not far from panic.
I'm thinking about starting a completely new domain controller with a backup from before I started all this, hopefully
my backup works.
Or should I delete the mentioned entries now ? (ldbdel ... CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration)
They seem to be deep inside the DNS database. I really have the feeling that with each step it's getting worse.

 


Re: Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
Hello,
Now with "ldbsearch --cross-ncs ..." I don't find entries of domain controllers anymore except samba1 and samba2.
sam.ldb seems to be clean now.
But with the DNS-Tool from Windows I can see a lot of entries for samba3, all of them for services like _gc, _kerberos, _ldap, _kpasswd.
Can this be the reason for the error I get when I join samba5 ? Do I have to delete these entries ?

Because when I want to join samba5, I still get the following error. From where comes that info about samba3 ?

samba-tool domain join domain.university.de DC -U"domain\administrator" --dns-backend=SAMBA_INTERNAL

Finding a writeable DC for domain 'domain.university.de'
Found DC samba1.domain.university.de
Password for [domain\administrator]:
workgroup is domain
realm is domain.university.de
Adding CN=SAMBA5,OU=Domain Controllers,DC=domain,DC=university,DC=de
Adding CN=SAMBA5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
Adding CN=NTDS Settings,CN=SAMBA5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
Adding SPNs to CN=SAMBA5,OU=Domain Controllers,DC=domain,DC=university,DC=de
Setting account password for SAMBA5$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=domain,DC=university,DC=de
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=university,DC=de] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=university,DC=de] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=university,DC=de] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=university,DC=de] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=domain,DC=university,DC=de] objects[402/1655] linked_values[0/0]
Partition[CN=Configuration,DC=domain,DC=university,DC=de] objects[804/1655] linked_values[0/0]
Partition[CN=Configuration,DC=domain,DC=university,DC=de] objects[1206/1655] linked_values[0/0]
Partition[CN=Configuration,DC=domain,DC=university,DC=de] objects[1608/1655] linked_values[0/0]
Partition[CN=Configuration,DC=domain,DC=university,DC=de] objects[1655/1655] linked_values[52/0]
Unxpectedly got mismatching RDN values when checking RDN against name of CN=NTDS Settings,CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
Failed to convert object CN=NTDS Settings,CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de: WERR_GEN_FAILURE
Failed to convert objects: WERR_GEN_FAILURE
Join failed - cleaning up
Deleted CN=SAMBA5,OU=Domain Controllers,DC=domain,DC=university,DC=de
Deleted CN=NTDS Settings,CN=SAMBA5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
Deleted CN=SAMBA5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
ERROR(runtime): uncaught exception - (31, "Failed to process 'chunk' of DRS replicated objects: WERR_GEN_FAILURE")
                  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
                    return self.run(*args, **kwargs)
                  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
                    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
                  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1269, in join_DC
                    ctx.do_join()
                  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1177, in do_join
                    ctx.join_replicate()
                  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 895, in join_replicate
                    replica_flags=ctx.replica_flags)
                  File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 258, in replicate
                    schema=schema, req_level=req_level, req=req)


Regards


>> Get rid of samba3 by demoting it again as you did last time, search
>> through sam.ldb for any mention of samba3 and samba4 (you will
>> probably have to use '--cross-ncs' with ldbsearch or ldbedit), then
>> remove them.
>> Now start again with a new DC, but this time, call it anything but
>> samba3 or samba4.

> Getting worse and worse ....
> I demoted samba3 and then also samba5, because samba5 reported successful replication
> with samba3, although samba3 was already demoted.
>
> So I thought I can start with working samba1 and samba2.
>
> I made a new clean installation of samba5 beginning with the OS ...
> But the join failed with
>
> Unxpectedly got mismatching RDN values when checking RDN against name of CN=NTDS Settings,CN=ISAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain
> Failed to convert object CN=NTDS Settings,CN=ISAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain: WERR_GEN_FAILURE
>
> SAMBA3 again ??!! I thought I deleted everything !!
>
> A check on samba2 "ldbsearch --cross-ncs ... | egrep -i samba3"
>
> dn: CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain
> cn: SAMBA3
> name: SAMBA3
> dNSHostName: samba3.domain
> distinguishedName: CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites
> dn: DC=samba3,DC=domain,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain
> name: samba3
> dc: samba3
> distinguishedName: DC=samba3,DC=domain.de,CN=MicrosoftD
>
> I'm sure I checked already in the morning and didn't find any entries about samba3, except the ones I deleted.
> I'm already confused and getting nervous, not far from panic.
> I'm thinking about starting a completely new domain controller with a backup from before I started all this, hopefully
> my backup works.
> Or should I delete the mentioned entries now ? (ldbdel ... CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration)
> They seem to be deep inside the DNS database. I really have the feeling that with each step it's getting worse.


Re: Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list

> But with the DNS-Tool from Windows I can see a lot of entries for samba3, all of them for services like _gc, _kerberos, _ldap, _kpasswd.

Cleaned the DNS manually with the DNS application, but still I can't join. Same error.



Re: Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
> Cleaned the DNS manually with the DNS application, but still I can't join. Same error.

I thought it was the same error, but now I saw there is a small difference.
It seems like a deleted object causes the problem.
With "ldbsearch --cross-ncs --show-deleted .." I can see now that entry for "samba3" (beside all other demoted servers),
which appears in the error message.

Can I delete that already deleted object with ldbdel just like a "normal" object ?

Regards



samba-tool domain join domain.university.de DC -U"administrator" --dns-backend=SAMBA_INTERNAL

...
Unxpectedly got mismatching RDN values when checking RDN against name of CN=NTDS Settings,CN=SAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
Failed to convert object CN=NTDS Settings,CN=SAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de: WERR_GEN_FAILURE
Failed to convert objects: WERR_GEN_FAILURE
Join failed - cleaning up
Deleted CN=SAMBA6,OU=Domain Controllers,DC=domain,DC=university,DC=de
Deleted CN=NTDS Settings,CN=SAMBA6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
Deleted CN=SAMBA6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
ERROR(runtime): uncaught exception - (31, "Failed to process 'chunk' of DRS replicated objects: WERR_GEN_FAILURE")
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1269, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1177, in do_join
    ctx.join_replicate()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 895, in join_replicate
    replica_flags=ctx.replica_flags)
  File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 258, in replicate
    schema=schema, req_level=req_level, req=req)



ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb "distinguishedName=CN=SAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de"

# record 1
dn: CN=SAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
objectClass: top
objectClass: server
instanceType: 4
whenCreated: 20170731105400.0Z
uSNCreated: 529616
objectGUID: e4ee9112-7457-47e9-a603-13a1c762cecf
systemFlags: 1375731712
dNSHostName: samba3.domain.university.de
isDeleted: TRUE
lastKnownParent: CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de
isRecycled: TRUE
cn:: ISAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf
name:: ISAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf
whenChanged: 20170801122422.0Z
uSNChanged: 529940
distinguishedName: CN=SAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de

# returned 1 records
# 1 entries
# 0 referrals







Re: Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Wed, 2 Aug 2017 08:50:38 +0200
gizmo via samba <[hidden email]> wrote:

> > Cleaned the DNS manually with the DNS application, but still I
> > can't join. Same error.
>
> I thought it was the same error, but now I saw there is a small
> difference. It seems like a deleted object causes the problem.
> With "ldbsearch --cross-ncs --show-deleted .." I can see now that
> entry for "samba3" (beside all other demoted servers), which appears
> in the error message.
>
> Can I delete that already deleted object with ldbdel just like a
> "normal" object ?
>
> ...
> Unxpectedly got mismatching RDN values when checking RDN against name
> of CN=NTDS
> Settings,CN=SAMBA3\0ADEL:e4ee9112-7457-47e9-a603-13a1c762cecf,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=university,DC=deFailed

No you cannot delete something that is already deleted, but then
deleted objects should be ignored and I think this is fixed in later
versions.

Does your Samba version have 'samba-tool domain tombstones expunge' ?
if it does, you can set the '--tombstone-lifetime' to 1 day and then
wait, all the 'OADEL' objects should disappear.

Rowland


Re: Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
> No you cannot delete something that is already deleted, but then
> deleted objects should be ignored and I think this is fixed in later
> versions.
>
> Does your Samba version have 'samba-tool domain tombstones expunge' ?
> if it does, you can set the '--tombstone-lifetime' to 1 day and then
> wait, all the 'OADEL' objects should disappear.

No, 4.3.11 (SerNet) doesn't have this option yet. I have to wait then.
Because I won't risk an upgrade before I can join a new DC.
What's the default time for keeping deleted objects?


Re: Fw: Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Wed, 2 Aug 2017 10:48:50 +0200
gizmo via samba <[hidden email]> wrote:

> > No you cannot delete something that is already deleted, but then
> > deleted objects should be ignored and I think this is fixed in later
> > versions.
> >
> > Does your Samba version have 'samba-tool domain tombstones
> > expunge' ? if it does, you can set the '--tombstone-lifetime' to 1
> > day and then wait, all the 'OADEL' objects should disappear.
>
> No, 4.3.11 (SerNet) doesn't have this option yet. I have to wait then.
> Because I won't risk an upgrade before I can join a new DC.
> What's the default time for keeping deleted objects?
>

You are possibly going to have a long wait, it is 180 days

Rowland


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list

> On 2017.08.02, at 4:22 AM, Rowland Penny via samba <[hidden email]> wrote:
>
> On Wed, 2 Aug 2017 10:48:50 +0200
> gizmo via samba <[hidden email]> wrote:
>
>>> No you cannot delete something that is already deleted, but then
>>> deleted objects should be ignored and I think this is fixed in later
>>> versions.
>>>
>>> Does your Samba version have 'samba-tool domain tombstones
>>> expunge' ? if it does, you can set the '--tombstone-lifetime' to 1
>>> day and then wait, all the 'OADEL' objects should disappear.
>>
>> No, 4.3.11 (SerNet) doesn't have this option yet. I have to wait then.
>> Because I won't risk an upgrade before I can join a new DC.
>> What's the default time for keeping deleted objects?
>>
>
> You are possibly going to have a long wait, it is 180 days
>
> Rowland

I’m having a similar problem. I just fixed a bad member of my samba domain - a samba AD DC that wasn’t working. I demoted it, uninstalled Samba and reinstalled, then rejoined the domain.

Everything's replicating nicely. All my users can authenticate. But my samba AD DCs are all on 4.4.16, and I want to be on 4.7.

So, I set up a new server to act as my 4.7. My plan: Join it to the domain, move the FSMO role to this new server, then one-by-one replace my old DCs with new ones running Samba 4.7.

I go to get the new 4.7 samba machine joined and here’s what happens:

-----

samba-tool domain join mydomain.net DC -Uadministrator --realm=mydomain.net --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'mydomain.net'
Found DC rhea.mydomain.net
Password for [mydomain\administrator]:
workgroup is mydomain
realm is mydomain.net
Adding CN=UMBRIEL,OU=Domain Controllers,DC=mydomain,DC=net
Adding CN=UMBRIEL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Adding CN=NTDS Settings,CN=UMBRIEL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Adding SPNs to CN=UMBRIEL,OU=Domain Controllers,DC=mydomain,DC=net
Setting account password for UMBRIEL$
Enabling account
Adding DNS account CN=dns-UMBRIEL,CN=Users,DC=mydomain,DC=net with dns/ SPN
Setting account password for dns-UMBRIEL
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=mydomain,DC=net
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=net] objects[402/1578] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=net] objects[804/1578] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=net] objects[1206/1578] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=net] objects[1578/1578] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=mydomain,DC=net] objects[402/1636] linked_values[0/0]
Partition[CN=Configuration,DC=mydomain,DC=net] objects[804/1636] linked_values[0/0]
Partition[CN=Configuration,DC=mydomain,DC=net] objects[1206/1636] linked_values[0/0]
Partition[CN=Configuration,DC=mydomain,DC=net] objects[1608/1636] linked_values[0/0]
Partition[CN=Configuration,DC=mydomain,DC=net] objects[1636/1636] linked_values[47/0]
Unxpectedly got mismatching RDN values when checking RDN against name of CN=NTDS Settings,CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=netFailed to convert object CN=NTDS Settings,CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net: WERR_GEN_FAILURE
Failed to convert objects: WERR_GEN_FAILURE
Join failed - cleaning up
Deleted CN=UMBRIEL,OU=Domain Controllers,DC=mydomain,DC=net
Deleted CN=dns-UMBRIEL,CN=Users,DC=mydomain,DC=net
Deleted CN=NTDS Settings,CN=UMBRIEL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Deleted CN=UMBRIEL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
ERROR(runtime): uncaught exception - (31, "Failed to process 'chunk' of DRS replicated objects: WERR_GEN_FAILURE")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 924, in join_replicate
    replica_flags=ctx.replica_flags)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 295, in replicate
    schema=schema, req_level=req_level, req=req)

-----

("Ganymede" is the server I just demoted and re-promoted.)

By your thread with gizmo, I take it that my new samba AD DC doesn’t like this deleted record:

-----

sudo ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb "distinguishedName=CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net"
[sudo] password for svr.matthew.delfino:
# record 1
dn: CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
objectClass: top
objectClass: server
instanceType: 4
whenCreated: 20151103020735.0Z
uSNCreated: 20599
objectGUID: 9646252c-8e4d-447f-90fa-3a51355276ac
systemFlags: 1375731712
dNSHostName: GANYMEDE.mydomain.net
isDeleted: TRUE
lastKnownParent: CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
 on,DC=mydomain,DC=net
isRecycled: TRUE
cn:: R0FOWU1FREUKREVMOjk2NDYyNTJjLThlNGQtNDQ3Zi05MGZhLTNhNTEzNTUyNzZhYw==
name:: R0FOWU1FREUKREVMOjk2NDYyNTJjLThlNGQtNDQ3Zi05MGZhLTNhNTEzNTUyNzZhYw==
whenChanged: 20171030231808.0Z
uSNChanged: 17728815
distinguishedName: CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=S
 ervers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lo
 c

# returned 1 records
# 1 entries
# 0 referrals

-----

If I understand your correspondence above, this "tombstone" record needs to be expunged. But, since my version, (4.4.16), has a samba-tool that appears to not be able to do "samba-tool domain tombstones…." I have to wait 180 days for that record to automatically go away and the mismatch to go away in kind? Do I have this right?

Do I have any options other than waiting 179 more days? I mean, besides a DeLorean with a Flux Capacitor, or cryogenic stasis… or (gulp) patience?

Thanks,
Matthew


Re: Made a join with a netbios name, which already existed, now replication errors

Samba - General mailing list
On Tue, 2017-10-31 at 17:37 -0500, Matthew Delfino via samba wrote:

> >
>
> I’m having a similar problem. I just fixed a bad member of my samba
> domain - a samba AD DC that wasn’t working. I demoted it,
> uninstalled Samba and reinstalled, then rejoined the domain.
>
> Everything's replicating nicely. All my users can authenticate. But
> my samba AD DCs are all on 4.4.16, and I want to be on 4.7.
>
> So, I set up a new server to act as my 4.7. My plan: Join it to the
> domain, move the FSMO role to this new server, then one-by-one
> replace my old DCs with new ones running Samba 4.7.
>
> I go to get the new 4.7 samba machine joined and here’s what happens:
>
> -----

> Partition[CN=Configuration,DC=mydomain,DC=net] objects[402/1636] linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=net] objects[804/1636] linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=net] objects[1206/1636] linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=net] objects[1608/1636] linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=net] objects[1636/1636] linked_values[47/0]
> Unxpectedly got mismatching RDN values when checking RDN against name of CN=NTDS Settings,CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=netFailed to convert object CN=NTDS Settings,CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net: WERR_GEN_FAILURE
> Failed to convert objects: WERR_GEN_FAILURE
> Join failed - cleaning up

This is interesting.  Sadly the code checking this doesn't print the
RDN value and name that it dislikes for comparison, this really wasn't
expected to be seen in the field.

What does dbcheck say?  Once you back it up and fix it on 4.4, if you
copy the DB to a 4.7 host, does it give any more errors regarding this
object?

> -----
>
> ("Ganymede" is the server I just demoted and re-promoted.)
>
> By your thread with gizmo, I take it that my new samba AD DC doesn’t like this deleted record:
>
> -----
>
> sudo ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb "distinguishedName=CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net"
> [sudo] password for svr.matthew.delfino:
> # record 1
> dn: CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
>

> lastKnownParent: CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
>  on,DC=mydomain,DC=net
> isRecycled: TRUE
> cn:: R0FOWU1FREUKREVMOjk2NDYyNTJjLThlNGQtNDQ3Zi05MGZhLTNhNTEzNTUyNzZhYw==
> name:: R0FOWU1FREUKREVMOjk2NDYyNTJjLThlNGQtNDQ3Zi05MGZhLTNhNTEzNTUyNzZhYw==
> whenChanged: 20171030231808.0Z
> uSNChanged: 17728815
> distinguishedName: CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=S
>  ervers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lo
>  c

Yes and no.  This looks normal enough, it actually doesn't like the
CN=NTDS Settings child of this object.  Can you show that?

> If I understand your correspondence above, this "tombstone" record
> needs to be expunged. But, since my version, (4.4.16), has a samba-
> tool that appears to not be able to do "samba-tool domain
> tombstones…." I have to wait 180 days for that record to
> automatically go away and the mismatch to go away in kind? Do I have
> this right?

You could upgrade the domain in-place and use the modern tools, or on a
new host that you will give the same name as the old one (we are not
fussy about the surrounding OS, just the hostname and to a lesser
extent the IP).

> Do I have any options other than waiting 179 more days? I mean, besides a DeLorean with a Flux Capacitor, or cryogenic stasis… or (gulp) patience?

You can change the tombstoneLifetime, but please turn it back up once
you are done.

Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba
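
Added example (not part of the original thread, and not Samba's own code): a small Python check that reads one record of ldbsearch output, unfolds wrapped lines, decodes base64 ("::") values and compares the leftmost RDN of the DN with the name attribute, which is the comparison the "mismatching RDN values" message refers to. The first sample is the deleted server record quoted above; the second record, its placeholder GUID, the function names and the exact-match comparison are assumptions made for illustration.

```python
import base64
import re

# The deleted server record quoted in the thread, trimmed to the relevant attributes.
SAMPLE_LDIF = r"""dn: CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
objectGUID: 9646252c-8e4d-447f-90fa-3a51355276ac
isDeleted: TRUE
lastKnownParent: CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
 on,DC=mydomain,DC=net
name:: R0FOWU1FREUKREVMOjk2NDYyNTJjLThlNGQtNDQ3Zi05MGZhLTNhNTEzNTUyNzZhYw==
"""

# Constructed record (placeholder GUID): a child whose name lacks the DEL suffix.
CONSTRUCTED_MISMATCH = r"""dn: CN=NTDS Settings\0ADEL:00000000-0000-0000-0000-000000000000,CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
isDeleted: TRUE
name: NTDS Settings
"""

def parse_record(ldif):
    """Parse one LDIF record: unfold continuation lines, decode '::' base64 values."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # folded line: drop the one leading space
        elif line and not line.startswith("#"):
            unfolded.append(line)
    record = {}
    for line in unfolded:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):              # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        record.setdefault(attr, []).append(value)
    return record

def first_rdn_value(dn):
    """Return the unescaped value of the leftmost RDN of a DN string."""
    out, i = bytearray(), dn.index("=") + 1
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\":
            pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                out.append(int(pair, 16))     # '\0A' is the newline before 'DEL:<guid>'
                i += 3
                continue
            i += 1                            # '\,' style escape: keep next char literally
        out += dn[i:i + 1].encode("utf-8")
        i += 1
    return out.decode("utf-8")

def rdn_matches_name(record):
    """True when the DN's leftmost RDN value equals the 'name' attribute (exact match)."""
    return first_rdn_value(record["dn"][0]) == record["name"][0]
```

The quoted server record passes this check, which agrees with the reply that it "looks normal enough"; the same function can be pointed at the ldbsearch --show-deleted output for the CN=NTDS Settings child, one record at a time.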




