L.P.H. van Belle
2015-Apr-24 15:16 UTC
[Samba] samba 4.1.17 upgrade 4.2.x ( sernet) upgrades.. fail...
Hai..

Just tested an upgrade of 4.1.17 to 4.2.1
result... Fail..

setup,
Debian wheezy, sernet samba packages.
2 clean installed DC's and 1 windows 7 pc joined.
resolv.conf setup
DC1 : nameserver DC2 then DC1.
DC2: nameserver DC1 then DC2.

stopped samba on both servers.
upgraded the packages on both servers.

started samba on DC1 ( the one with fsmo roles )
waited 5 min.
started samba on DC2

from error free logs to

[2015/04/24 17:06:29.274803,  0] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.0.2[1024,seal,krb5,
  target_hostname=2835d359-ff8e-4146-acaa-e2b5f8c82be9._msdcs.internal.domain.tld,
  target_principal=GC/dc2.internal.domain.tld/internal.domain.tld,
  abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,
  localaddress=192.168.0.1] NT_STATUS_INVALID_PARAMETER

i didn't change anything in smb.conf ( wanted to keep the OLD winbind behavior )

anyone else who did this already with 100% success?
tried now about 4 times, all fail.. ( imo samba 4.2.1 is not production ready ! )
....

this is the smb.conf used.

# Global parameters
[global]
        workgroup = INTERNAL
        realm = INTERNAL.DOMAIN.TLD
        netbios name = DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

        ## Dont forget to set the idmap_ldb on ALL DC's if you use it
        idmap_ldb:use rfc2307 = yes

        interfaces = 127.0.0.1 192.168.0.1
        bind interfaces only = yes
        time server = yes
        wins support = yes

        ## KEEP THIS OFF !! Only used for modify-ing the AD Schema
        ## ONLY DONE ONES ON THE DC WITH THE FSMO Roles
        sdb:schema update allowed = no

        ## map id's outside to domain to tdb files.
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999

        ## map ids from the domain and (*) the range may not overlap !
        idmap config INTERNAL: backend = ad
        idmap config INTERNAL: schema_mode = rfc2307
        idmap config INTERNAL: range = 10000-3999999

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind expand groups = 3

        #template shell = /bin/bash
        #template homedir = /home/users/%ACCOUNTNAME%

        ## Disable printing completely
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[netlogon]
        path = /home/samba/sysvol/internal.domain.tld/scripts
        read only = No

[sysvol]
        path = /home/samba/sysvol
        read only = No
Achim Gottinger
2015-Apr-24 16:02 UTC
[Samba] samba 4.1.17 upgrade 4.2.x ( sernet) upgrades.. fail...
Hello Louis,

On 24.04.2015 at 17:16, L.P.H. van Belle wrote:
> stopped samba on both servers.
> upgraded the packages on both servers.
>
> started samba on DC1 ( the one with fsmo roles )
> waited 5 min.
> started samba on DC2
Have you tried it with DC2 running while upgrading DC1?
L.P.H. van Belle
2015-Apr-28 13:37 UTC
[Samba] samba 4.1.17 upgrade 4.2.x ( sernet) upgrades.. fail...( bug(s) found )
Hai,

Ok, i found the problem of first post below.
I did a clean install of 4.1.17 (sernet samba) and installed 2 DC's.

The sernet package 4.1.17 for debian wheezy has a bug.. maybe others also, beware.
When joining as an extra DC, we are (still) missing the rights on
/var/lib/samba/private/dns.keytab

after joining the domain.
/var/lib/samba/private/dns.keytab is set to
root:root 600
and not, as it should be.

user:group root:bind and rights 640

so now i upgraded 4.1.17 to 4.2.1
first DC1, upgraded the packages, restarted bind, restarted samba.
No errors seen.
next DC2, upgraded the packages, restarted bind, restarted samba.
no errors in the logs seen, so far so good.

after about 3-5 min i did the following,

running :
/usr/bin/samba-tool ldapcmp --filter='whenChanged' ldap://dc1 ldap://dc2
result 0 errors.

samba-tool drs showrepl , in the first check an error, all others after this one are success..
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 1d67e5e5-905e-46af-9dcf-56c7bd316519
DSA invocationId: cfbce936-e94c-480e-9ead-89c2ea43a9ba

==== INBOUND NEIGHBORS ===

DC=DomainDnsZones,DC=internal,DC=domain,DC=tld
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 6da7e695-5a96-4e32-b1c7-d2457963b96e
                Last attempt @ Tue Apr 28 14:26:18 2015 CEST failed, result 64 (WERR_NETNAME_DELETED)
                1 consecutive failure(s).
                Last success @ Tue Apr 28 14:24:54 2015 CEST

got phone.. so 5 min later again i did run : samba-tool drs showrepl
and now 0 errors.. ..

So i can confirm the previous errors with upgrading were because of the incorrect
rights on : /var/lib/samba/private/dns.keytab

Now i did a complete install just by sernet samba 4.2.1 and same here.
DC1, all ok, no errors at all, i used the same script as the 4.1.17 version..
But when joining a domain as DC, incorrect rights on : /var/lib/samba/private/dns.keytab

at the point of joining the domain for dc2, i saw the following in daemon.log :
Apr 28 15:01:36 rtd-dc1 named[8751]: received control channel command 'reload'
Apr 28 15:01:36 rtd-dc1 named[8751]: loading configuration from '/etc/bind/named.conf'
Apr 28 15:01:36 rtd-dc1 named[8751]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Apr 28 15:01:36 rtd-dc1 named[8751]: using default UDP/IPv4 port range: [1024, 65535]
Apr 28 15:01:36 rtd-dc1 named[8751]: using default UDP/IPv6 port range: [1024, 65535]
Apr 28 15:01:36 rtd-dc1 named[8751]: no IPv6 interfaces found
Apr 28 15:01:36 rtd-dc1 named[8751]: sizing zone task pool based on 5 zones
Apr 28 15:01:36 rtd-dc1 named[8751]: Loading 'AD DNS Zone' using driver dlopen
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: starting configure
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: Ignoring duplicate zone 'internal.domain.tld' from 'DC=@,DC=internal.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=internal,DC=domain,DC=tld'
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: Ignoring duplicate zone '_msdcs.internal.domain.tld' from 'DC=@,DC=_msdcs.internal.domain.tld,CN=MicrosoftDNS,DC=ForestDnsZones,DC=internal,DC=domain,DC=tld'
Apr 28 15:01:36 rtd-dc1 named[8751]: using built-in root key for view _default
Apr 28 15:01:36 rtd-dc1 named[8751]: reloading configuration succeeded
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: shutting down
Apr 28 15:01:36 rtd-dc1 named[8751]: reloading zones succeeded

again a scripted install, which installed successfully on 4.1.17..
i saw also :
testing of : host -t A rtd-dc2.rotterdam.bazuin.nl. : FAILED
trying to fix it now: Record added successfully

after a restart of samba on DC2. (log.samba)
Apr 28 15:11:05 rtd-dc2 samba[10159]: [2015/04/28 15:11:05.691758,  0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
Apr 28 15:11:05 rtd-dc2 samba[10159]:   /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
26x this message.

from DC1:
ping dc2 .. host not found.

on DC2:
samba_dnsupdate --verbose --all-names
update failed: NOTAUTH
Failed nsupdate: 2
Failed update of 26 entries

so im totally lost what is wrong in samba 4.2.1 compared to samba 4.1.17

the config used on the servers: (this one is DC2's config, they are the same. )
# Global parameters
[global]
        workgroup = INTERNAL
        realm = internal.domain.tld   <==== by default lowercased on DC2 at domain join.. ONLY DC2 !
        netbios name = DC2
        server role = active directory domain controller
        server services = -dns
        idmap_ldb:use rfc2307 = yes

        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config INTERNAL : backend = ad
        idmap config INTERNAL : range = 10000-3999999

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes

        interfaces = 127.0.0.1 192.168.0.2
        bind interfaces only = yes
        time server = yes
        wins support = yes

        ## Disable printing completely
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[netlogon]
        path = /var/lib/samba/sysvol/internal.domain.tld/scripts
        read only = No
        acl_xattr:ignore system acl = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        acl_xattr:ignore system acl = yes

so beware of upgrading to 4.2.1..
I'll keep these VM's if anyone of samba/sernet wants to debug with me.

Greetz,

Louis
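A post-join / post-upgrade check for the keytab permissions the message above identifies, plus the replication and DNS checks it runs, as an added example that is not Samba's, SerNet's or the poster's own code. It assumes GNU coreutils `stat` (Debian) and that named runs as the `bind` user named in the thread; the function names are mine.

```shell
#!/bin/sh
# Added example (not Samba's, SerNet's or the poster's code): sanity checks for a
# freshly joined or upgraded Samba AD DC that uses the BIND9_DLZ backend.
# The thread found /var/lib/samba/private/dns.keytab left as root:root 0600 after
# the join; named runs as user 'bind', cannot read the keytab, and every
# samba_dnsupdate then fails with NOTAUTH.  Expected state: root:bind 0640.
# Assumes GNU coreutils stat (as on Debian wheezy).

# check_keytab_perms <path> <owner> <group> <octal mode, e.g. 640 or 0640>
# Reports every mismatch on stdout; returns 0 only when owner, group and mode
# match and no permission bit is set for 'other'.
check_keytab_perms() {
    ck_path=$1; ck_owner=$2; ck_group=$3; ck_mode=${4#0}
    if [ ! -f "$ck_path" ]; then
        echo "MISSING: $ck_path"
        return 1
    fi
    have_owner=$(stat -c %U "$ck_path")
    have_group=$(stat -c %G "$ck_path")
    have_mode=$(stat -c %a "$ck_path")
    rc=0
    [ "$have_owner" = "$ck_owner" ] || { echo "OWNER: $ck_path is $have_owner, want $ck_owner"; rc=1; }
    [ "$have_group" = "$ck_group" ] || { echo "GROUP: $ck_path is $have_group, want $ck_group"; rc=1; }
    [ "$have_mode" = "$ck_mode" ]   || { echo "MODE:  $ck_path is $have_mode, want $ck_mode"; rc=1; }
    # A keytab holds Kerberos keys: any permission bit for 'other' is a credential leak.
    case "$have_mode" in
        *[1-7]) echo "WORLD-ACCESSIBLE: $ck_path mode $have_mode"; rc=1 ;;
    esac
    return $rc
}

# fix_keytab_perms <path> <group>: the remedy the thread arrived at (needs root).
fix_keytab_perms() {
    chown "root:$2" "$1" && chmod 0640 "$1"
}

# post_upgrade_checks <peer-dc-hostname>: the checks the poster ran, in order.
# Stops at the first failure so the output points at the broken layer
# (directory replication before DNS).
post_upgrade_checks() {
    peer=$1
    samba-tool ldapcmp --filter='whenChanged' "ldap://$(hostname -s)" "ldap://$peer" || return 1
    # showrepl prints "N consecutive failure(s)" per inbound neighbour; 0 is healthy.
    if samba-tool drs showrepl | grep -E '[1-9][0-9]* consecutive failure'; then
        echo "REPL: inbound neighbour(s) with failures, see 'samba-tool drs showrepl'"
        return 1
    fi
    samba_dnsupdate --verbose --all-names || return 1
    # The join script's own test from the thread: our A record must resolve via AD DNS.
    host -t A "$(hostname -f)." || return 1
}

# Only touch the live system when a peer DC name is given on the command line.
if [ -n "${1:-}" ]; then
    check_keytab_perms /var/lib/samba/private/dns.keytab root bind 640 || exit 1
    post_upgrade_checks "$1"
fi
```

Run it on the newly joined DC as `sh dc-check.sh dc1` (peer DC name as argument); a non-zero exit with an OWNER/GROUP/MODE line is the state the thread describes.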
L.P.H. van Belle
2015-Apr-28 13:45 UTC
[Samba] samba 4.1.17 upgrade 4.2.x ( sernet) upgrades.. fail...( bug(s) found )
in addition..

i rebooted the servers now, checked logs, and...

Apr 28 15:36:57 dc1 named[2029]: samba_dlz: allowing update of signer=RTD-DC2..... etc..
which didn't work before the reboot..

i did run :
/usr/bin/samba-tool ldapcmp --filter='whenChanged' ldap://dc1 ldap://dc2
0 errors on both servers

samba-tool drs showrepl
0 errors on both servers

checked all my logs, 0 errors now..

running :
samba_dnsupdate --verbose --all-names
again no errors..

so now it all looks ok..

but the big question now is, is it?

so what happened here and what's going wrong when upgrading from 4.1.17 to 4.2.1
and not counting the few bugs i saw..

Greetz,

Louis
L.P.H. van Belle
2015-Apr-28 13:55 UTC
[Samba] samba 4.1.17 upgrade 4.2.x ( sernet) upgrades.. fail...( bug(s) found )
.. forgot to mention..

I did change the lowercase realm in smb.conf to UPPER CAPS.. on DC2 before the reboot, and tested that also, but it did not work.
so very strange imo..