join samba 4.5.12 to samba 4.1.13 failed

Samba - General mailing list
Hi there,

I have 2 DC servers(samba 4.1.13) working for more than 1 year.
When I join samba 4.5.12 to the domain, it fails on this error:
....
Replicating critical objects from the base DN of the domain
Partition[DC=mydomain,DC=htft] objects[98/98] linked_values[33/0]
Join failed - cleaning up
Deleted CN=DC3,OU=Domain Controllers,DC=mydomain,DC=htft
...

Environment:
2 existing DCs: DC1 and DC2, CentOS 6.2 32bit, compiled Samba 4.1.13
1 new DC: DC3, Centos 6.8 64bit, compiled Samba 4.5.12
DNS settings: samba 4 internal DNS.
     Windows clients use company DNS servers which forward AD zone to AD
servers


What I did on the new DC DC3:
# tar xvf samba-4.5.12.tar
# cd samba-4.5.12
# ./configure --prefix=/usr/local/samba
# make
# make install

# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4
localhost4.localdomain4
::1         localhost localhost.localdomain localhost6
localhost6.localdomain6
192.168.1.42 dc3.mydomain.htft dc3

# cat /etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
[libdefaults]
  default_realm = MYDOMAIN.HTFT
  dns_lookup_realm = false
  dns_lookup_kdc = true

#kinit administrator
Password for [hidden email]:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [hidden email]

Valid starting     Expires            Service principal
07/25/17 11:37:41  07/25/17 21:37:41 krbtgt/[hidden email]
         renew until 07/26/17 11:37:32


# /usr/local/samba/bin/samba-tool domain join mydomain.htft DC
-U"MYDOMAIN.HTFT\administrator" --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'mydomain.htft'
Found DC dc2.mydomain.htft
Password for [MYDOMAIN.HTFT\administrator]:
workgroup is MYDOMAIN
realm is mydomain.htft
Adding CN=DC3,OU=Domain Controllers,DC=mydomain,DC=htft
Adding
CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hftne
t,DC=htft
Adding CN=NTDS
Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=mydomain,DC=htft
Adding SPNs to CN=DC3,OU=Domain Controllers,DC=mydomain,DC=htft
Setting account password for DC3$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at
/usr/local/samba/private/krb5.conf
Provision OK for domain DN DC=mydomain,DC=htft
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=htft]
objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=htft]
objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=htft]
objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=htft]
objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=mydomain,DC=htft] objects[402/1633]
linked_values[0/0]
Partition[CN=Configuration,DC=mydomain,DC=htft] objects[804/1633]
linked_values[0/0]
Partition[CN=Configuration,DC=mydomain,DC=htft] objects[1206/1633]
linked_values[0/0]
Partition[CN=Configuration,DC=mydomain,DC=htft] objects[1608/1633]
linked_values[0/0]
Partition[CN=Configuration,DC=mydomain,DC=htft] objects[1633/1633]
linked_values[50/0]
Replicating critical objects from the base DN of the domain
Partition[DC=mydomain,DC=htft] objects[98/98] linked_values[33/0]
Join failed - cleaning up
Deleted CN=DC3,OU=Domain Controllers,DC=mydomain,DC=htft
Deleted CN=NTDS
Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=htft
Deleted
CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=htft
ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The
specified I/O operation on %hs was not completed before the time-out
period expired.')
   File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 176, in _run
     return self.run(*args, **kwargs)
   File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 652, in run
     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
   File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py",
line 1253, in join_DC
     ctx.do_join()
   File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py",
line 1153, in do_join
     ctx.join_replicate()
   File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py",
line 896, in join_replicate
     replica_flags=ctx.domain_replica_flags)
   File
"/usr/local/samba/lib64/python2.6/site-packages/samba/drs_utils.py",
line 254, in replicate
     (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)

It looks like it almost finished the join.
any idea?

Thanks
Allen
 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
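
A triage helper for a `samba-tool domain join` transcript like the one in the post above, added here as an example and not part of the original post or of Samba. It reports which DC the join picked as its source, how far each naming context got, whether the failure came after the "critical objects" step, and the NTSTATUS in unsigned hex; the function name `triage_join_log`, the report keys and the condensed sample log are assumptions.

```python
import re

# Constructed sample, condensed from the transcript in the post above; two
# entries are left hard-wrapped the way the mail client wrapped them.
SAMPLE_LOG = """\
Finding a writeable DC for domain 'mydomain.htft'
Found DC dc2.mydomain.htft
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=htft]
objects[1550/1550] linked_values[0/0]
Partition[CN=Configuration,DC=mydomain,DC=htft] objects[1633/1633] linked_values[50/0]
Replicating critical objects from the base DN of the domain
Partition[DC=mydomain,DC=htft] objects[98/98] linked_values[33/0]
Join failed - cleaning up
ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The
specified I/O operation on %hs was not completed before the time-out
period expired.')
"""

# \s+ also matches a newline, so wrapped progress lines still parse.
PROGRESS = re.compile(
    r"^(?:Schema-DN|Partition)\[([^\]]+)\]\s+objects\[(\d+)/(\d+)\]", re.M)
FOUND_DC = re.compile(r"^Found DC (\S+)", re.M)
EXCEPTION = re.compile(r"uncaught exception - \((-?\d+),")
CRITICAL = "Replicating critical objects"

# Only the status seen in this thread is named here.
KNOWN_STATUS = {0xC00000B5: "NT_STATUS_IO_TIMEOUT"}


def triage_join_log(text):
    """Summarise which DC was used, how far replication got, and the error."""
    report = {"source_dc": None, "progress": {}, "last_nc": None,
              "failed": "Join failed" in text,
              "in_critical_phase": False, "ntstatus": None, "status_name": None}
    m = FOUND_DC.search(text)
    if m:
        report["source_dc"] = m.group(1)
    crit_at = text.find(CRITICAL)
    for m in PROGRESS.finditer(text):
        nc, done, total = m.group(1), int(m.group(2)), int(m.group(3))
        report["progress"][nc] = (done, total)
        report["last_nc"] = nc
        # True when the last progress entry follows the critical-objects step.
        report["in_critical_phase"] = crit_at != -1 and m.start() > crit_at
    m = EXCEPTION.search(text)
    if m:
        # samba-tool prints NTSTATUS as a signed 32-bit int; mask to unsigned.
        code = int(m.group(1)) & 0xFFFFFFFF
        report["ntstatus"] = "0x%08X" % code
        report["status_name"] = KNOWN_STATUS.get(code)
    return report


if __name__ == "__main__":
    for key, value in triage_join_log(SAMPLE_LOG).items():
        print(key, "=", value)
```
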
Re: join samba 4.5.12 to samba 4.1.13 failed

Samba - General mailing list
Hai,

I must ask first, did you check the "before and after the update" steps,
found here https://wiki.samba.org/index.php/Updating_Samba

Your error looks like it might have to do with samba 4.1.x and ntvfs:
https://wiki.samba.org/index.php/Migrating_the_ntvfs_File_Server_Back_End_to_s3fs 

Last, if the join keeps failing, upgrade the DC with FSMO roles.
Change ntvfs to s3fs and the join of DC3.

That's only what I can suggest, maybe Rowland has a better option but these are old bugs you're hitting.
It might have to do with the ntvfs, or can be corrupted DB, or slow network connection, or AD DB size. (total number of objects)
And that in combination with samba 4.1. upgrade to 4.5 is a big step.

The config shown looks ok, so I don't think it is a config/setup error.


Greetz,

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Allen Chen via samba
> Sent: Tuesday 25 July 2017 20:05
> To: [hidden email]
> Subject: [Samba] join samba 4.5.12 to samba 4.1.13 failed
>
> Hi there,
>
> I have 2 DC servers(samba 4.1.13) working for more than 1 year.
> When I join samba 4.5.12 to the domain, it fails on this error:
> ....
> Replicating critical objects from the base DN of the domain
> Partition[DC=mydomain,DC=htft] objects[98/98]
> linked_values[33/0] Join failed - cleaning up Deleted
> CN=DC3,OU=Domain Controllers,DC=mydomain,DC=htft ...
>
> Environment:
> 2 existing DCs: DC1 and DC2, CentOS 6.2 32bit, compiled Samba 4.1.13
> 1 new DC: DC3, Centos 6.8 64bit, compiled Samba 4.5.12 DNS
> settings: samba 4 internal DNS.
>      Windows clients use company DNS servers which forward AD
> zone to AD servers
>
>
> What I did on the new DC DC3:
> # tar xvf samba-4.5.12.tar
> # cd samba-4.5.12
> # ./configure --prefix=/usr/local/samba
> # make
> # make install
>
> # cat /etc/hosts
> 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6
> localhost6.localdomain6
> 192.168.1.42 dc3.mydomain.htft dc3
>
> # cat /etc/krb5.conf
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
>   default_realm = MYDOMAIN.HTFT
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
>
> #kinit administrator
> Password for [hidden email]:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [hidden email]
>
> Valid starting     Expires            Service principal
> 07/25/17 11:37:41  07/25/17 21:37:41
> krbtgt/[hidden email]
>          renew until 07/26/17 11:37:32
>
>
> # /usr/local/samba/bin/samba-tool domain join mydomain.htft DC
> -U"MYDOMAIN.HTFT\administrator" --dns-backend=SAMBA_INTERNAL
> Finding a writeable DC for domain 'mydomain.htft'
> Found DC dc2.mydomain.htft
> Password for [MYDOMAIN.HTFT\administrator]:
> workgroup is MYDOMAIN
> realm is mydomain.htft
> Adding CN=DC3,OU=Domain Controllers,DC=mydomain,DC=htft
> Adding
> CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
> guration,DC=hftne
> t,DC=htft
> Adding CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites
> ,CN=Confi
> guration,DC=mydomain,DC=htft
> Adding SPNs to CN=DC3,OU=Domain Controllers,DC=mydomain,DC=htft
> Setting account password for DC3$
> Enabling account
> Calling bare provision
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> A Kerberos configuration suitable for Samba 4 has been generated at
> /usr/local/samba/private/krb5.conf
> Provision OK for domain DN DC=mydomain,DC=htft
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=htft]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=htft]
> objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=htft]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=htft]
> objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=mydomain,DC=htft] objects[402/1633]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=htft] objects[804/1633]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=htft] objects[1206/1633]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=htft] objects[1608/1633]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=htft] objects[1633/1633]
> linked_values[50/0]
> Replicating critical objects from the base DN of the domain
> Partition[DC=mydomain,DC=htft] objects[98/98] linked_values[33/0]
> Join failed - cleaning up
> Deleted CN=DC3,OU=Domain Controllers,DC=mydomain,DC=htft
> Deleted CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites
> ,CN=Configuration,DC=mydomain,DC=htft
> Deleted
> CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
> guration,DC=mydomain,DC=htft
> ERROR(runtime): uncaught exception - (-1073741643, '{Device
> Timeout} The
> specified I/O operation on %hs was not completed before the time-out
> period expired.')
>    File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/_
> _init__.py",
> line 176, in _run
>      return self.run(*args, **kwargs)
>    File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/d
> omain.py",
> line 652, in run
>      machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend)
>    File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py",
> line 1253, in join_DC
>      ctx.do_join()
>    File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py",
> line 1153, in do_join
>      ctx.join_replicate()
>    File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py",
> line 896, in join_replicate
>      replica_flags=ctx.domain_replica_flags)
>    File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/drs_utils.py",
> line 254, in replicate
>      (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle,
> req_level, req)
>
> It looks like it almost finished the join.
> any idea?
>
> Thanks
> Allen
>  
>


Re: join samba 4.5.12 to samba 4.1.13 failed

Samba - General mailing list
On Wed, 26 Jul 2017 09:05:40 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Hai,
>
> I must ask first, did you check the "before and after the update"
> steps, found here https://wiki.samba.org/index.php/Updating_Samba
>
> Your error looks like it might have to do with samba 4.1.x and
> ntvfs:
> https://wiki.samba.org/index.php/Migrating_the_ntvfs_File_Server_Back_End_to_s3fs 
>
> Last, if the join keeps failing, upgrade the DC with FSMO roles.
> Change ntvfs to s3fs and the join of DC3.
>
> That's only what I can suggest, maybe Rowland has a better option but
> these are old bugs you're hitting. It might have to do with the ntvfs,
> or can be corrupted DB, or slow network connection, or AD DB size.
> (total number of objects) And that in combination with samba 4.1.
> upgrade to 4.5 is a big step.
>
> The config shown looks ok, so I don't think it is a config/setup error.
>

What I cannot understand is why the OP is still using CentOS 6 and why
did they compile an EOL version of Samba initially?

The configs shown have nothing wrong with them, but the one we need to
see, smb.conf, isn't provided, this may help in deciding the next step.

I think what Louis is suggesting is probably the way to go, upgrade
Samba on the original DC, but only after showing us the smb.conf.

He should also consider moving to Centos 7 as well.

Rowland

Re: join samba 4.5.12 to samba 4.1.13 failed

Samba - General mailing list
On Tue, 2017-07-25 at 14:04 -0400, Allen Chen via samba wrote:

> Hi there,
>
> I have 2 DC servers(samba 4.1.13) working for more than 1 year.
> When I join samba 4.5.12 to the domain, it fails on this error:
> ....
> Replicating critical objects from the base DN of the domain
> Partition[DC=mydomain,DC=htft] objects[98/98] linked_values[33/0]
> Join failed - cleaning up
> Deleted CN=DC3,OU=Domain Controllers,DC=mydomain,DC=htft
> ...

Can you share a bit more of the error you see here?

I suspect the issue is a well known issue with the join command
interacting with the older DC.  With Samba 4.5 we started to require
that we get the parent of every object before the object itself, and we
correctly implemented that in 4.6 as a server.

The issue is that when joining the older domain, we set the flags for
'give me the parent as well', GET_ANC, but the server doesn't know to
honour it.

We really should detect that and remove the DOMAIN_CRITICAL_ONLY flag,
which is what causes the trouble here (if we do a full replication we
generally get all the objects in the right order). 

One fix is to upgrade the 4.1.13 servers to 4.6 or above.  I understand
you would prefer to do that on the new DCs you join, but that may not
be possible in this case.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
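
A toy model of the ordering problem described in the message above, added here as an illustration and not taken from Samba or from the original post. The directory contents, the per-object `critical` flag, the function names and the `honours_get_anc` switch are all assumptions; the model only shows why a client that insists on parent-before-child fails against a server that ignores GET_ANC when critical objects alone are requested, but not on a full replication.

```python
# Toy model (an assumption for illustration, not Samba's replication code).
# Constructed directory: (dn, parent_dn, critical). List order stands in for the
# order in which a full replication would send the objects (parents first).
DIRECTORY = [
    ("DC=mydomain,DC=htft", None, True),
    ("CN=Users,DC=mydomain,DC=htft", "DC=mydomain,DC=htft", True),
    ("OU=Branch,DC=mydomain,DC=htft", "DC=mydomain,DC=htft", False),
    ("OU=Servers,OU=Branch,DC=mydomain,DC=htft",
     "OU=Branch,DC=mydomain,DC=htft", False),
    ("CN=svc,OU=Servers,OU=Branch,DC=mydomain,DC=htft",
     "OU=Servers,OU=Branch,DC=mydomain,DC=htft", True),
]
PARENT = {dn: parent for dn, parent, _ in DIRECTORY}


def server_reply(critical_only, get_anc, honours_get_anc):
    """Return the DNs a server sends for one request, in send order."""
    sent, stream = set(), []

    def send(dn):
        if dn not in sent:
            sent.add(dn)
            stream.append(dn)

    for dn, parent, critical in DIRECTORY:
        if critical_only and not critical:
            continue
        if get_anc and honours_get_anc:
            # Walk up to the nearest ancestor already sent, then send the
            # missing ancestors top-down before the object itself.
            missing = []
            while parent is not None and parent not in sent:
                missing.append(parent)
                parent = PARENT[parent]
            for ancestor in reversed(missing):
                send(ancestor)
        send(dn)
    return stream


def client_apply(stream):
    """Client that requires each object's parent first; returns (ok, failed_dn)."""
    stored = set()
    for dn in stream:
        parent = PARENT[dn]
        if parent is not None and parent not in stored:
            return (False, dn)
        stored.add(dn)
    return (True, None)


def join_outcomes():
    """Run the three cases discussed in the message above."""
    return {
        "old server, critical only": client_apply(server_reply(True, True, False)),
        "new server, critical only": client_apply(server_reply(True, True, True)),
        "old server, full replication": client_apply(server_reply(False, True, False)),
    }


if __name__ == "__main__":
    for case, result in join_outcomes().items():
        print(case, "->", result)
```
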


Re: join samba 4.5.12 to samba 4.1.13 failed(resolved)

Samba - General mailing list
On 7/26/2017 4:30 AM, Andrew Bartlett wrote:

> On Tue, 2017-07-25 at 14:04 -0400, Allen Chen via samba wrote:
>> Hi there,
>>
>> I have 2 DC servers(samba 4.1.13) working for more than 1 year.
>> When I join samba 4.5.12 to the domain, it fails on this error:
>> ....
>> Replicating critical objects from the base DN of the domain
>> Partition[DC=mydomain,DC=htft] objects[98/98] linked_values[33/0]
>> Join failed - cleaning up
>> Deleted CN=DC3,OU=Domain Controllers,DC=mydomain,DC=htft
>> ...
> Can you share a bit more of the error you see here?
>
> I suspect the issue is a well known issue with the join command
> interacting with the older DC.  With Samba 4.5 we started to require
> that we get the parent of every object before the object itself, and we
> correctly implemented that in 4.6 as a server.
>
> The issue is that when joining the older domain, we set the flags for
> 'give me the parent as well', GET_ANC, but the server doesn't know to
> honour it.
>
> We really should detect that and remove the DOMAIN_CRITICAL_ONLY flag,
> which is what causes the trouble here (if we do a full replication we
> generally get all the objects in the right order).
>
> One fix is to upgrade the 4.1.13 servers to 4.6 or above.  I understand
> you would prefer to do that on the new DCs you join, but that may not
> be possible in this case.
>
> I hope this helps,
>
> Andrew Bartlett
>
Thanks to all of you: Andrew, Louis and Rowland.
Your suggestions are very helpful.

I think the problem is the speed between DCs:
DC1 and the new DC3 are on the same subnet, no speed issue,
DC2 is on another subnet which has a very slow connection(20-50KB/s) to
DC1 and the new DC3.

The join command found DC2:
# /usr/local/samba/bin/samba-tool domain join mydomain.htft DC
-U"MYDOMAIN.HTFT\administrator" --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'mydomain.htft'
Found DC dc2.mydomain.htft
Password for [MYDOMAIN.HTFT\administrator]:
.....
I don't know why it found DC2. Maybe DC1 has all FSMO!
So I join DC3 to the domain like this:
1. upgrade to samba 4.6.6 on DC2 and DC1 one by one, no problem
2. join DC3(samba 4.6.6) to the domain, "Join failed....."(the same err
message, but one step further)
3. stop samba on DC2(it has a slow connection)
4. join DC3(samba 4.6.6) to the domain, successfully, finished very
fast. (no speed issue between DC3 and DC1)
5. start samba on DC2
6. manually add the missing A record and  the objectGUID CNAME Record
7. copy idmap and sysvol over to the new DC3, and reset permissions
8. all the following commands on 3 DCs return normal results:
# samba-tool drs showrepl
# samba-tool fsmo show       (now show me 7 FSMO)
# samba-tool dbcheck --cross-nc
    samba-tool dbcheck --cross-nc --fix --yes
9. the good thing I noticed is when a PC moved to another subnet(ip
changed), the DNS A record gets updated once the computer started.

Allen


 

Re: join samba 4.5.12 to samba 4.1.13 failed(resolved)

Samba - General mailing list
27.07.2017 3:49, Allen Chen via samba wrote:

> 6. manually add the missing A record and  the objectGUID CNAME Record
> 7. copy idmap and sysvol over to the new DC3, and reset permissions

How do you add records? Can you post your commands and where you
found the needed data for the records?

Maybe these records and idmap data will replicate and there is no need to add them
by hand?

(Maybe I will need to do operations like this too - upgrade and add DCs
soon)

--
Administrator

Re: join samba 4.5.12 to samba 4.1.13 failed(resolved)

Samba - General mailing list


On 7/27/2017 12:44 AM, Mike Lykov via samba wrote:

> 27.07.2017 3:49, Allen Chen via samba wrote:
>
>> 6. manually add the missing A record and the objectGUID CNAME Record
>> 7. copy idmap and sysvol over to the new DC3, and reset permissions
>
> How do you add records? Can you post your commands and where you
> found the needed data for the records?
>
> Maybe these records and idmap data will replicate and there is no need to add them
> by hand?
>
> (Maybe I will need to do operations like this too - upgrade and add
> DCs soon)
>
I have read the document from this link:
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
 
