Hello Samba-ers,
I tried to continue my Samba setup after a long pause doing other stuff.
To recall, I want to run two Samba DCs for one domain as virtual machines on
two Windows systems (I switched from VirtualBox to Hyper-V, which helps to
run them automatically at system startup, but I don't think that really
matters). Both DCs shall use themselves as DNS server as the VPN in between
is unreliable, but I tried the following with the DNS resolver on DC2
pointing to either DC1 or DC2.
DC1 is running fine, I can edit users, and actually the changes are
replicated to DC2.
DC2 appears to be readonly. In the log file I noticed:
[2016/11/17 18:51:28.847526, 0]
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable and
[2016/11/17 18:51:29.145815, 0]
../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:294: Failed DNS update -
NT_STATUS_UNSUCCESSFUL
I tried to resolve this via
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
including the workaround described in
https://bugzilla.samba.org/show_bug.cgi?id=10882, but I keep getting
samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/samba.lindenberg.one.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-dc2 account
Traceback (most recent call last):
  File "/usr/sbin/samba_upgradedns", line 438, in <module>
    "DNSNAME" : dnsname }
  File "/usr/lib/python2.7/dist-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)
_ldb.LdbError: (68, '../ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=dns-dc2,CN=Users,DC=samba,DC=lindenberg,DC=one - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=dns-dc2,CN=Users,DC=samba,DC=lindenberg,D\xe0')
with plenty of error messages that I don't like to see, and after that
"klist -k /var/lib/samba/private/dns.keytab"
still reports "klist: Key table file '/var/lib/samba/private/dns.keytab' not found while starting keytab scan".
host -t A dc2.samba.lindenberg.one @..samba.lindenberg.one works fine on DC1
but reports NXDOMAIN on DC2.
What's wrong? How can I get DC2 to be writable? What other information should I
check?
Or should I delete all DC2 information from DC1 and try a rejoin,
temporarily setting DNS to DC1?
Thanks & Best Regards, Joachim
On Thu, 2016-11-17 at 18:31 +0000, Jo L via samba wrote:
> [...]

Somehow the RID Set has been allocated incorrectly, or a duplicate RID
pool allocated, perhaps due to a steal of the RID Manager role during
a replication failure.

The dbcheck code in master attempts to address some of this by looking
for this situation and bumping the ridNextRid value. It should also
look for duplicate rid pools, but doesn't currently.

If you don't need DC2, and don't have any data that is only on that
server, blow it away (samba-tool domain demote --remove-other-dead-server=DC2
on DC1) and start again.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
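The duplicate-RID-pool situation Andrew describes, as an added example that is not part of this thread and not Samba's dbcheck code: each DC keeps a rIDSet object whose rIDAllocationPool and rIDPreviousAllocationPool attributes pack a RID range into a 64-bit integer (low 32 bits = first RID, high 32 bits = last RID), so two DCs whose decoded ranges overlap will eventually mint the same objectSid, which is exactly the unique-index violation seen above. The rIDSet entries below are constructed, not taken from the thread (DNs, pool values and rIDNextRID are assumptions); the LDIF reader is deliberately minimal, and treating rIDNextRID as the last RID issued from rIDPreviousAllocationPool is an assumption for the sake of the check, not a statement of Samba's exact allocation rules. It is a reading aid for output from ldbsearch, not a replacement for samba-tool dbcheck.

```python
"""Decode rIDSet pools from an LDIF dump and flag overlapping pools or an
out-of-range rIDNextRID. Example code, not Samba's dbcheck implementation."""
from typing import Dict, List, Tuple

Entry = Dict[str, str]


def encode_pool(lo: int, hi: int) -> int:
    """Pack a RID range the way AD stores it: low 32 bits = first RID,
    high 32 bits = last RID."""
    if not (0 <= lo <= hi < 2 ** 32):
        raise ValueError("pool bounds must fit in 32 bits and satisfy lo <= hi")
    return (hi << 32) | lo


def decode_pool(value: int) -> Tuple[int, int]:
    """Inverse of encode_pool: return (first RID, last RID)."""
    return value & 0xFFFFFFFF, value >> 32


# Constructed sample, not real output. It mimics
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=rIDSet)' \
#       rIDAllocationPool rIDPreviousAllocationPool rIDNextRID
# for a domain where DC1 and DC2 were handed the same pool (the failure mode
# Andrew describes) and DC2 has already walked past the end of it.
SAMPLE_LDIF = f"""\
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samba,DC=lindenberg,DC=one
rIDAllocationPool: {encode_pool(1100, 1599)}
rIDPreviousAllocationPool: {encode_pool(1100, 1599)}
rIDNextRID: 1105

dn: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=samba,DC=lindenberg,DC=one
rIDAllocationPool: {encode_pool(1100, 1599)}
rIDPreviousAllocationPool: {encode_pool(1100, 1599)}
rIDNextRID: 1700
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, one
    'attr: value' per line (no base64 or continuation lines)."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def dc_name(dn: str) -> str:
    """'CN=RID Set,CN=DC2,OU=Domain Controllers,...' -> 'DC2'."""
    parts = dn.split(",")
    return parts[1].split("=", 1)[1] if len(parts) > 1 else dn


def check_rid_sets(entries: List[Entry]) -> List[str]:
    """Return one finding per problem: a rIDNextRID outside the pool it is
    supposed to draw from, and every pair of DCs whose pools overlap."""
    findings: List[str] = []
    pools: List[Tuple[str, int, int]] = []
    for e in entries:
        name = dc_name(e["dn"])
        lo, hi = decode_pool(int(e["rIDAllocationPool"]))
        pools.append((name, lo, hi))
        # Assumption: RIDs are issued from the previous pool until exhausted;
        # rIDNextRID == 0 means nothing has been issued from this set yet.
        prev = e.get("rIDPreviousAllocationPool", e["rIDAllocationPool"])
        plo, phi = decode_pool(int(prev))
        next_rid = int(e.get("rIDNextRID", "0"))
        if next_rid and not (plo <= next_rid <= phi):
            findings.append(
                f"{name}: rIDNextRID {next_rid} outside "
                f"rIDPreviousAllocationPool {plo}-{phi}")
    # Two pools overlap when each starts no later than the other ends.
    for i in range(len(pools)):
        for j in range(i + 1, len(pools)):
            a, b = pools[i], pools[j]
            if a[1] <= b[2] and b[1] <= a[2]:
                findings.append(
                    f"overlap: {a[0]} {a[1]}-{a[2]} and {b[0]} {b[1]}-{b[2]}")
    return findings


if __name__ == "__main__":
    for finding in check_rid_sets(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Run against a real dump, an empty result means the pools at least do not collide; an "overlap" line means the RID Manager handed out the same range twice and one DC has to be demoted or re-pooled before it creates another duplicate objectSid.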
On Fri, 18 Nov 2016 07:50:03 +1300 Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> [...]
> If you don't need DC2, and don't have any data that is only on that
> server, blow it away (samba-tool domain demote --remove-other-dead-server=DC2
> on DC1) and start again.

Hang on, could this be bug 10928?

Before you blow the second DC away, have a look here:
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

Rowland