Make Samba 4 as Additional DC to Windows Server 2003R2

Samba - General mailing list
Hi,

I am trying to make Samba 4 as additional DC to a Domain Hosted in
Windows Server 2003 R2. Is it possible? Or do we have to first migrate
to Windows Server 2008 R2 and then to Samba?

samba-tool domain join command comes up to Domain Provision and it
reports OK. However when the replication starts it fails. Error thrown is:

"Failed to bind to uuid e35*****-****-****-****-************/00000****
...........NT_STATUS_LOGON_FAILURE"

--

Thanks & Regards,


Anantha Raghava


Do not print this e-mail unless required. Save Paper & trees.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Make Samba 4 as Additional DC to Windows Server 2003R2

Samba - General mailing list


On 28.10.2017 at 12:41, Anantha Raghava via samba wrote:
> I am trying to make Samba 4 as additional DC to a Domain Hosted in
> Windows Server 2003 R2. Is it possible? Or do we have to first migrate
> to Windows Server 2008 R2 and then to Samba?

Windows Server 2003 R2 went EOL on 2015-07-14 and frankly you should
first do your homework and then consider additional servers - it's
technically the same base as Windows XP and nobody should run that these
days.


Re: Make Samba 4 as Additional DC to Windows Server 2003R2

Samba - General mailing list
On Sat, 2017-10-28 at 16:11 +0530, Anantha Raghava via samba wrote:

> Hi,
>
> I am trying to make Samba 4 as additional DC to a Domain Hosted in
> Windows Server 2003 R2. Is it possible? Or do we have to first migrate
> to Windows Server 2008 R2 and then to Samba?
>
> samba-tool domain join command comes up to Domain Provision and it
> reports OK. However when the replication starts it fails. Error thrown is:
>
> "Failed to bind to uuid e35*****-****-****-****-************/00000****
> ...........NT_STATUS_LOGON_FAILURE"

That is interesting.  It should work, but an upgrade to 2008R2 first
would be advised for the migration, as that will allow you to get a
2008R2 schema and functional level, which you want.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Make Samba 4 as Additional DC to Windows Server 2003R2

Samba - General mailing list
Hi,

I did upgrade the server to Windows Server 2008 R2 along with AD.

However, when I attempt to add Samba-4 as additional domain controller,
it is able to provision the Domain and starts to replicate the data.
However, while replicating, it throws up an error as shown below and
stops. Samba-4 will remove itself as an additional domain controller.

I tried this migration using Samba Version 4.7 and BIND9_DLZ as dns backend.

Error message:

-------------------------------------------------------------------------------------------

/lib/ldb/ldb_tdb/ldb_index.c:1189: unique index violation on objectSid in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com, conficts with CN=SUDIKSHA VILAS MHATRE\0ADEL:0b07eb12-99bd-4688-956f-55003920aa8f,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com in @INDEX:OBJECTSID::AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5k7cDAA==
../lib/ldb/ldb_tdb/ldb_index.c:1189: unique index violation on objectSid in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897\0ACNF:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com, conficts with CN=SUDIKSHA VILAS MHATRE\0ADEL:0b07eb12-99bd-4688-956f-55003920aa8f,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com in @INDEX:OBJECTSID::AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5k7cDAA==
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4824: Failed to rename conflict dn 'CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com' to 'CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897\0ACNF:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com' - ../lib/ldb/ldb_tdb/ldb_index.c:1272: Failed to re-index objectSid in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897\0ACNF:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com - ../lib/ldb/ldb_tdb/ldb_index.c:1196: unique index violation on objectSid in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897\0ACNF:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com
Failed to commit objects: WERR_GEN_FAILURE
Join failed - cleaning up
Deleted CN=DC3,OU=Domain Controllers,DC=corp,DC=dtdc,DC=com
Deleted CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=dtdc,DC=com
Deleted CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=dtdc,DC=com
ERROR(runtime): uncaught exception - (31, "Failed to process 'chunk' of DRS replicated objects: WERR_GEN_FAILURE")
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1474, in join_DC
     ctx.do_join()
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1377, in do_join
     ctx.join_replicate()
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 936, in join_replicate
     replica_flags=ctx.domain_replica_flags)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 295, in replicate
     schema=schema, req_level=req_level, req=req)
--------------------------------------------------------------------------------------------------------------

Is this error something to do with Windows Domain Controller?

--

Thanks & Regards,


Anantha Raghava



Re: Make Samba 4 as Additional DC to Windows Server 2003R2

Samba - General mailing list
On Sun, 2017-10-29 at 09:11 +0530, Anantha Raghava wrote:

> Hi,
>
> I did upgrade the server to Windows Server 2008 R2 along with AD.
> However, when I attempt to add Samba-4 as additional domain controller, it is able to provision the Domain and starts to replicate the data. However, while replicating, it throws up an error as shown below and stops. Samba-4 will remove itself as an additional domain controller.
> I tried this migration using Samba Version 4.7 and BIND9_DLZ as dns backend.
> Error message:
> -------------------------------------------------------------------------------------------
> /lib/ldb/ldb_tdb/ldb_index.c:1189: unique index violation on objectSid in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com, conficts with CN=SUDIKSHA VILAS MHATRE\0ADEL:0b07eb12-99bd-4688-956f-55003920aa8f,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com in @INDEX:OBJECTSID::AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5k7cDAA==
>
> Is this error something to do with Windows Domain Controller?

I have a patch for this, developed for a customer who hit the same
thing, remind me if you don't get it from me tomorrow, and given the
additional interest I'll figure a way to get it upstream.

Samba is just stricter than windows in this area, not allowing a SID to
be deleted or be a conflict object and also exist normally.

Until your mail, I didn't think this could happen other than as a
foreignSecurityPrincipal however, and I don't think the source domain
is entirely healthy if an objectSid can be allocated to two different
users, even if they are now deleted.

I hope this helps,

Andrew Bartlett
 
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
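
The objectSid collision discussed in the message above can be pulled out of a failed join log and decoded before any cleanup is attempted. This is an added example, not code from the thread or from Samba: it parses the ldb "unique index violation on objectSid" lines (one message per line, not mail-wrapped), decodes the base64 index key into a SID string, and lists every DN that claims it with its deleted/conflict state. The DNs and GUIDs in SAMPLE_LOG are constructed placeholders, the index key is the one quoted in the thread, and all function names are hypothetical.

```python
import base64
import re

# One ldb message per line, as Samba prints it (mail clients wrap these lines).
# "conficts" is the spelling in the output quoted above; "conflicts" also matches.
VIOLATION = re.compile(
    r"unique index violation on objectSid in (?P<a>.+?), confl?icts with "
    r"(?P<b>.+?) in @INDEX:OBJECTSID::(?P<key>[A-Za-z0-9+/]+=*)"
)


def sid_to_str(raw: bytes) -> str:
    """Binary SID: revision, count, 48-bit BE authority, 32-bit LE sub-authorities."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID (%d bytes)" % len(raw))
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[i:i + 4], "little") for i in range(8, len(raw), 4)]
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])


def dn_state(dn: str) -> str:
    """Classify a DN by the RDN markers seen in the log: 0ACNF = conflict, 0ADEL = deleted."""
    if "\\0ACNF:" in dn:
        return "conflict"
    return "deleted" if "\\0ADEL:" in dn else "live"


def find_sid_collisions(log_text: str) -> dict:
    """Return {sid: {dn: state}} for every objectSid index violation in log_text."""
    collisions = {}
    for m in VIOLATION.finditer(log_text):
        sid = sid_to_str(base64.b64decode(m.group("key"), validate=True))
        for dn in (m.group("a"), m.group("b")):
            collisions.setdefault(sid, {})[dn] = dn_state(dn)
    return collisions


# Constructed sample: placeholder DNs and GUIDs in the format of the log above;
# only the index key is the value quoted in the thread.
_DEL = "CN=Deleted Objects,DC=example,DC=com"
_A = r"CN=USER A\0ADEL:11111111-1111-1111-1111-111111111111"
_B = r"CN=USER B\0ADEL:22222222-2222-2222-2222-222222222222"
_KEY = "AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5k7cDAA=="
SAMPLE_LOG = "\n".join([
    "../lib/ldb/ldb_tdb/ldb_index.c:1189: unique index violation on objectSid in "
    f"{_A},{_DEL}, conficts with {_B},{_DEL} in @INDEX:OBJECTSID::{_KEY}",
    "../lib/ldb/ldb_tdb/ldb_index.c:1189: unique index violation on objectSid in "
    f"{_A}\\0ACNF:11111111-1111-1111-1111-111111111111,{_DEL}, "
    f"conficts with {_B},{_DEL} in @INDEX:OBJECTSID::{_KEY}",
    "Failed to commit objects: WERR_GEN_FAILURE",
])

if __name__ == "__main__":
    for sid, dns in find_sid_collisions(SAMPLE_LOG).items():
        print(sid)
        for dn, state in sorted(dns.items()):
            print("  [%-8s] %s" % (state, dn))
```

A SID that maps to more than one distinct object GUID in the output is the condition the reply describes as a sign the source domain is not entirely healthy.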



Re: Make Samba 4 as Additional DC to Windows Server 2003R2

Samba - General mailing list
Hi,

Thanks for your quick help. I await the patch.

I know the source DC is all that clean. I am trying to clean the source
DC using "ntdsutil". I am not sure how far this exercise will be successful.

--

Thanks & Regards,


Anantha Raghava



Re: Make Samba 4 as Additional DC to Windows Server 2003R2

Samba - General mailing list
On Sun, 2017-10-29 at 14:22 +0530, Anantha Raghava via samba wrote:
> Hi,
>
> Thanks for your quick help. I await the patch.
>
> I know the source DC is all that clean. I am trying to clean the source
> DC using "ntdsutil". I am not sure how far this exercise will be successful.

Deleted objects stay in the directory for 180 days (the
tombstoneLifetime) no matter what other cleaning, so this won't help.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Make Samba 4 as Additional DC to Windows Server 2003R2

Samba - General mailing list
Hello Andrew,

A gentle reminder for the patch.

Can you share the patch as you mentioned?

--

Thanks & Regards,


Anantha Raghava




Re: Make Samba 4 as Additional DC to Windows Server 2003R2

Samba - General mailing list
On Mon, 2017-10-30 at 13:11 +0530, Anantha Raghava wrote:
> Hello Andrew,
>
> A gentle reminder for the patch.
>
> Can you share the patch as you mentioned?
> --

Sorry about that.  This is the patch.

To get this into master however we need to add some configuration
around it, and docs for that configuration, so that it can be set at
runtime.

Andrew Bartlett
--
Andrew Bartlett                               https://samba.org/~abartlet/
Authentication Developer, Samba Team          https://samba.org
Samba Development and Support, Catalyst IT    https://catalyst.net.nz/services/samba





objectsid-not-unique.patch (782 bytes)

Re: Make Samba 4 as Additional DC to Windows Server 2003R2

Samba - General mailing list
Hello Andrew,

Thank you very much.

I will apply the patch, and reinstall samba. Will revert back to you
with results.

--

Thanks & Regards,


Anantha Raghava


Re: Make Samba 4 as Additional DC to Windows Server 2003R2

Samba - General mailing list
Hello Andrew,

Thank you very much for the patch.

Now Samba-4 is an additional domain controller along with Windows
Server. Initial replication completed without any error.

However, while testing, I noticed that, when a new object is created in
Windows, it is immediately getting replicated to Samba but not vice
versa. Connection to Windows Server is getting refused.

Barring this all other functions are working fine.

--

Thanks & Regards,


Anantha Raghava

