Aleksey Vladimirov
2018-Jun-28 08:28 UTC
[Samba] DRS and DNS sync are not working after update from 4.8.2 to 4.8.3
After update I have got this:
samba-tool drs kcc -Uadm2 -d 9
INFO: Current debug levels:
all: 9
tdb: 9
printdrivers: 9
lanman: 9
smb: 9
rpc_parse: 9
rpc_srv: 9
rpc_cli: 9
passdb: 9
sam: 9
auth: 9
winbind: 9
vfs: 9
idmap: 9
quota: 9
acls: 9
locking: 9
msdfs: 9
dmapi: 9
registry: 9
scavenger: 9
dns: 9
ldb: 9
tevent: 9
auth_audit: 9
auth_json_audit: 9
kerberos: 9
drs_repl: 9
smb2: 9
smb2_credits: 9
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[Scan]"
Processing section "[print$]"
Processing section "[printers]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:sklad-dc.almi-russia.local[,seal,print]
Mapped to DCERPC endpoint 135
added interface enp2s0 ip=192.168.32.12 bcast=192.168.32.255
netmask=255.255.255.0
added interface enp2s0 ip=192.168.32.12 bcast=192.168.32.255
netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name
sklad-dc.almi-russia.local<0x20>
getlmhostsent: lmhost entry: 192.168.32.12 SKLAD-DC
getlmhostsent: lmhost entry: 192.168.31.12 DCSRV
getlmhostsent: lmhost entry: 192.168.32.12 ALMI-RUSSIA
Mapped to DCERPC endpoint 49152
added interface enp2s0 ip=192.168.32.12 bcast=192.168.32.255
netmask=255.255.255.0
added interface enp2s0 ip=192.168.32.12 bcast=192.168.32.255
netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name
sklad-dc.almi-russia.local<0x20>
getlmhostsent: lmhost entry: 192.168.32.12 SKLAD-DC
getlmhostsent: lmhost entry: 192.168.31.12 DCSRV
getlmhostsent: lmhost entry: 192.168.32.12 ALMI-RUSSIA
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [ALMI-RUSSIA\adm2]:
Received smb_krb5 packet of length 199
Received smb_krb5 packet of length 106
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
dcerpc: alter_resp - rpc fault: DCERPC_FAULT_SEC_PKG_ERROR
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 199
Received smb_krb5 packet of length 106
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
dcerpc: alter_resp - rpc fault: DCERPC_FAULT_SEC_PKG_ERROR
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:192.168.32.12[49152,seal,print,target_hostname=sklad-dc.almi-russia.local,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.32.12]
NT_STATUS_LOGON_FAILURE
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
sklad-dc.almi-russia.local failed - drsException: DRS connection to
sklad-dc.almi-russia.local failed: (3221225581, 'The attempted logon is
invalid. This is either due to a bad username or authentication
information.')
File "/usr/lib/python2.7/site-packages/samba/netcmd/drs.py", line
44, in drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File "/usr/lib/python2.7/site-packages/samba/drs_utils.py", line 58,
in drsuapi_connect
raise drsException("DRS connection to %s failed: %s" % (server,
e))
and in the log:
Jun 28 11:27:05 sklad-dc.almi-russia.local samba[1130]: task[dnsupdate][1130]:
ldb: Failed to lock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110
in process 1130
Jun 28 11:27:05 sklad-dc.almi-russia.local samba[1130]: task[dnsupdate][1130]:
/ Protocol error for DC=almi-russia,DC=local
Jun 28 11:27:05 sklad-dc.almi-russia.local samba[1130]: task[dnsupdate][1130]:
[2018/06/28 11:27:05.026829, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
Jun 28 11:27:05 sklad-dc.almi-russia.local samba[1130]: task[dnsupdate][1130]:
ldb: Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid
1110 in process 1130
Jun 28 11:27:05 sklad-dc.almi-russia.local samba[1130]: task[dnsupdate][1130]:
/ Protocol error for metadata partition
Jun 28 11:27:05 sklad-dc.almi-russia.local samba[1130]: task[dnsupdate][1130]:
[2018/06/28 11:27:05.027064, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
Jun 28 11:27:05 sklad-dc.almi-russia.local samba[1130]: task[dnsupdate][1130]:
ldb: Failed to unlock db: Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing
ldb opend by pid 1110 in process 1130
Jun 28 11:27:05 sklad-dc.almi-russia.local samba[1130]: task[dnsupdate][1130]:
/ Protocol error for metadata partition / Protocol error
Jun 28 11:27:05 sklad-dc.almi-russia.local samba[1130]: task[dnsupdate][1130]:
[2018/06/28 11:27:05.027346, 0]
../source4/dsdb/dns/dns_update.c:127(dnsupdate_rebuild)
Jun 28 11:27:05 sklad-dc.almi-russia.local samba[1130]: task[dnsupdate][1130]:
../source4/dsdb/dns/dns_update.c:127: Unable to find DCs list - Failed to unlock
db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1130
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
[2018/06/28 11:27:30.881556, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
ldb: Failed to lock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110
in process 1112
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]: /
Success for CN=Schema,CN=Configuration,DC=almi-russia,DC=local
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
[2018/06/28 11:27:30.881642, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
ldb: Failed to lock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110
in process 1112
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]: /
Protocol error for CN=Configuration,DC=almi-russia,DC=local
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
[2018/06/28 11:27:30.881682, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
ldb: Failed to lock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110
in process 1112
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]: /
Protocol error for DC=DomainDnsZones,DC=almi-russia,DC=local
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
[2018/06/28 11:27:30.881718, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
ldb: Failed to lock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110
in process 1112
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]: /
Protocol error for DC=ForestDnsZones,DC=almi-russia,DC=local
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
[2018/06/28 11:27:30.881755, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
ldb: Failed to lock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110
in process 1112
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]: /
Protocol error for DC=almi-russia,DC=local
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
[2018/06/28 11:27:30.881790, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
ldb: Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid
1110 in process 1112
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]: /
Protocol error for metadata partition
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
[2018/06/28 11:27:30.881825, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
Jun 28 11:27:30 sklad-dc.almi-russia.local samba[1112]: task[dcesrv][1112]:
ldb: Failed to unlock db: Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing
ldb opend by pid 1110 in process 1112
marcel at linux-ng.de
2018-Jul-10 14:48 UTC
[Samba] DRS and DNS sync are not working after update from 4.8.2 to 4.8.3
Hi Aleksey,
did you find any solution for this?
I just updated from 4.8.2 to 4.8.3 and had very similar
effects:
Login was no longer possible with 4.8.3 - log file was full of
"ldb: Failed to unlock db"
messages.
I had to downgrade to 4.8.2 in order to make samba work again.
Bye,
Marcel
Andrew Bartlett
2018-Jul-10 18:58 UTC
[Samba] DRS and DNS sync are not working after update from 4.8.2 to 4.8.3
On Tue, 2018-07-10 at 14:48 +0000, Marcel via samba wrote:
> Hi Aleksey,
>
> did you find any solution for this?
>
> I just updated from 4.8.2 to 4.8.3 and had very similar
> effects:
>
> Login was no longer possible with 4.8.3 - log file was full of
> "ldb: Failed to unlock db"
> messages.
>
> I had to downgrade to 4.8.2 in order to make samba work again.
Very interesting. Did you somehow install ldb 1.4.0 and build against that?
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
marcel at linux-ng.de
2018-Jul-11 05:56 UTC
[Samba] DRS and DNS sync are not working after update from 4.8.2 to 4.8.3
Hi Andrew,
yes, I was compiling/running samba 4.8.3 against ldb 1.4.0.
Just a side note:
I had trouble running some tests with ldb 1.3.4, that's why I switched to 1.4.0.
(Those tests however failed only within our build environment, which made it hard to debug).
Bye,
Marcel
July 10, 2018 8:58 PM, "Andrew Bartlett" <abartlet at samba.org> wrote:
> On Tue, 2018-07-10 at 14:48 +0000, Marcel via samba wrote:
>
>> Hi Aleksey,
>>
>> did you find any solution for this?
>>
>> I just updated from 4.8.2 to 4.8.3 and had very similar
>> effects:
>>
>> Login was no longer possible with 4.8.3 - log file was full of
>> "ldb: Failed to unlock db"
>> messages.
>>
>> I had to downgrade to 4.8.2 in order to make samba work again.
>
> Very interesting. Did you somehow install ldb 1.4.0 and build against
> that?
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
marcel at linux-ng.de
2018-Jul-11 08:13 UTC
[Samba] DRS and DNS sync are not working after update from 4.8.2 to 4.8.3
Hi there,
I had some off list conversation with Aleksey and wanted
to give an update on our findings (s. below).
I'm currently preparing a test stack with
ldb 1.4.0 (without lmdb support)
and
samba 4.8.3
built on top of it, to check whether lmdb support causes
the mentioned trouble.
And on a side note:
When compiling ldb 1.4.0 with "--without-ldb-lmdb" a general
error occurs during "make test":
"make test called, but ldb was built --without-ldb-lmdb"
Is this behavior intended?
Bye,
Marcel
July 11, 2018 9:39 AM, marcel at linux-ng.de wrote:
> Hi Aleksey,
>
> according to the PKGBUILD lmdb was a build requirement, so I guess
> your version of ldb was built with lmdb support.
>
> I'll try to re-compile my whole samba stack without lmdb support
> in ldb 1.4.0 and give it a try.
> Maybe that's the reason for all the troubles.
>
> I'll keep you informed about my findings.
>
> Should we post the conversation to the samba mailing list, so Andrew
> is up to date on our discussion?
>
> Bye,
> Marcel
>
> July 11, 2018 9:32 AM, "Aleksey Vladimirov" <A.Vladimirov at almi-russia.ru> wrote:
>
>> Hi!
>> ./configure --prefix=/usr \
>> --disable-rpath \
>> --disable-rpath-install \
>> --bundled-libraries=NONE \
>> --builtin-libraries=replace \
>> --with-modulesdir=/usr/lib/ldb/modules \
>> --with-privatelibdir=/usr/lib/ldb
>>
>> So, I use a default package and rebuild it on-place with original PKGBUILD
>> https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/ldb
>> I have troubles with sync because services can't authorize in PDC...
>>
>> smbd[9579]: [2018/07/11 10:18:32.365265, 0] ../source4/auth/unix_token.c:78(security_token_to_unix_token)
>> Jul 11 10:18:32 sec-dc.domain.local smbd[9579]: Unable to convert first SID (S-1-5-21-3696438273-4232299451-4172622461-1886) in user token to a UID. Conversion was returned as type 0, full token:
>>
>> I can't find a cause of these troubles and still waiting maybe someone can do it :)
>>
>> Best regards/
>>
>> -----Original Message-----
>> From: marcel at linux-ng.de [mailto:marcel at linux-ng.de]
>> Sent: Wednesday, July 11, 2018 10:18 AM
>> To: Aleksey Vladimirov <A.Vladimirov at almi-russia.ru>
>> Subject: Re: [Samba] DRS and DNS sync are not working after update from 4.8.2 to 4.8.3
>>
>> Hi Aleksey,
>>
>> ok - so looks like these are just hints/warnings in the log, not the real cause of my trouble. So
>> I'll keep looking ...
>>
>> BTW:
>> There was a commit just yesterday to samba git, mentioning that the lmdb backend (that seems to be
>> used by default with ldb 1.4.0) is experimental:
>>
>> WHATSNEW.txt:
>>
>> New Experimental LMDB LDB backend
>> ---------------------------------
>>
>> A new experimental LDB backend using LMBD is now available. This allows
>> databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
>> increased in a future release). To enable lmdb, provision or join a domain using
>> the --backend-store=mdb option.
>>
>> This requires that a version of lmdb greater than 0.9.16 is installed and that
>> samba has not been built with the --without-ldb-lmdb option.
>>
>> Please note this is an experimental feature and is not recommended for
>> production deployments.
>>
>> Can you tell whether your version of ldb was built with or without lmdb support?
>>
>> Bye,
>> Marcel
>>
>> July 11, 2018 8:52 AM, "Aleksey Vladimirov" <A.Vladimirov at almi-russia.ru> wrote:
>>
>>> Hi Marcel
>>>
>>> Yes, I have messages about lock database.
>>> task[cldapd][1122]: / Protocol error for DC=ForestDnsZones,DC=domain,DC=local
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: [2018/07/11 09:50:19.349794, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: ldb: Failed to lock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1122
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: / Protocol error for DC=domain,DC=local
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: [2018/07/11 09:50:19.349950, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: ldb: Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1122
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: / Protocol error for metadata partition
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: [2018/07/11 09:50:19.350105, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: ldb: Failed to unlock db: Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1122
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: / Protocol error for metadata partition / Protocol error
>>>
>>> -----Original Message-----
>>> From: marcel at linux-ng.de [mailto:marcel at linux-ng.de]
>>> Sent: Wednesday, July 11, 2018 9:48 AM
>>> To: Aleksey Vladimirov <A.Vladimirov at almi-russia.ru>
>>> Subject: Re: [Samba] DRS and DNS sync are not working after update
>>> from 4.8.2 to 4.8.3
>>>
>>> Hi Aleksey,
>>>
>>> I already had a [realms] section in my krb5.conf.
>>>
>>> And my problem is not limited to using DRS and DNS:
>>> Several services connecting to samba LDAP (using plain text auth) failed after the upgrade.
>>>
>>> Did the error messages concerning database locks disappear with your
>>> changes to krb5.conf or are they still there?
>>>
>>> Bye,
>>> Marcel
>>>
>>> July 11, 2018 8:22 AM, "Aleksey Vladimirov" <A.Vladimirov at almi-russia.ru> wrote:
>>
>> I had this problem too.
>> After update secondary DC from 4.8.2 to 4.8.3 DRS and DNS sync are not working.
>> Archlinux, ldb 1.4.0-1, samba 4.3.8-1, krb5 1.16.1-1, AD Win 1012R2.
>> user at domain.local is resolved, but domain\user is not.
>>
>> /etc/krb5.conf
>> [libdefaults]
>> default_realm = DOMAIN.LOCAL
>> dns_lookup_kdc = true
>> forwardable = true
>> dns_lookup_realm = false
>>
>> [domain_realm]
>> .domain.local = DOMAIN.LOCAL
>> domain.local = DOMAIN.LOCAL
>>
>> [realms]
>> domain={
>> kdc = sec-dc.domain.local
>> kdc = dcsrv.domain.local
>> admin_server = sklad-domain.local
>> default_domain=domain.local
>> }
>>
>> The section realms was added after upgrade. 4.8.2 was fine without it
>>
Andrew Bartlett
2018-Jul-11 09:31 UTC
[Samba] DRS and DNS sync are not working after update from 4.8.2 to 4.8.3
On Wed, 2018-07-11 at 08:13 +0000, marcel at linux-ng.de wrote:
> Hi there,
>
> I had some off list conversation with Aleksey and wanted
> to give an update on our findings (s. below).
>
> I'm currently preparing a test stack with
> ldb 1.4.0 (without lmdb support)
> and
> samba 4.8.3
> built on top of it, to check whether lmdb support causes
> the mentioned trouble.
I can assure you this is an intended and deliberate feature of ldb 1.4.0 on top of versions of Samba < 4.8. I'm sorry for not putting in a blocker against the compilation.
There really isn't any need to test --without-ldb-lmdb, this pid check was specifically requested to be generic, not limited to the lmdb backend.
> And on a side note:
>
> When compiling ldb 1.4.0 with "--without-ldb-lmdb" a general
> error occurs during "make test":
>
> "make test called, but ldb was built --without-ldb-lmdb"
>
> Is this behavior intended?
Yes. We have a history where patches to make part of tests optional have on multiple occasions caused tests not to run at all, so we lock down the selftest to operating with the full feature set.
I hope this clarifies things,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
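Added here as an example, not part of the thread or of Samba's code: a log triage script that finds the pid-check failures discussed above ("Reusing ldb opend by pid X in process Y"), pairs each with the partition status line that follows it, and groups them per task. The sample log is constructed, with a placeholder host name and DNs; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: host name and DNs are placeholders; the message text has
# the shape of the journal lines quoted in the thread, with wraps rejoined.
SAMPLE_LOG = """\
Jun 28 11:27:05 dc2.example.test samba[1130]: task[dnsupdate][1130]: [2018/06/28 11:27:05.026829, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
Jun 28 11:27:05 dc2.example.test samba[1130]: task[dnsupdate][1130]: ldb: Failed to lock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1130
Jun 28 11:27:05 dc2.example.test samba[1130]: task[dnsupdate][1130]: / Protocol error for DC=example,DC=test
Jun 28 11:27:05 dc2.example.test samba[1130]: task[dnsupdate][1130]: ldb: Failed to unlock db: Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1130
Jun 28 11:27:05 dc2.example.test samba[1130]: task[dnsupdate][1130]: / Protocol error for metadata partition / Protocol error
Jun 28 11:27:30 dc2.example.test samba[1112]: task[dcesrv][1112]: ldb: Failed to lock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1112
Jun 28 11:27:30 dc2.example.test samba[1112]: task[dcesrv][1112]: / Success for CN=Schema,CN=Configuration,DC=example,DC=test
Jun 28 11:27:30 dc2.example.test samba[1112]: task[dcesrv][1112]: ldb: Failed to lock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1112
Jun 28 11:27:30 dc2.example.test samba[1112]: task[dcesrv][1112]: / Protocol error for DC=DomainDnsZones,DC=example,DC=test
"""

# syslog prefix, daemon pid, samba task name, then the message itself
LINE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) samba\[(?P<pid>\d+)\]: "
    r"task\[(?P<task>\w+)\]\[\d+\]: (?P<msg>.*)$"
)
# the pid-check message: which operation failed, who opened the handle, who used it
REUSE = re.compile(
    r"ldb: Failed to (?P<op>lock|unlock) db: .*?"
    r"Reusing ldb opend by pid (?P<opener>\d+) in process (?P<current>\d+)"
)
# continuation line: "/ <status> for <partition>", optionally "/ <status>" again
STATUS = re.compile(r"^/ (?P<status>.+?) for (?P<partition>.+?)(?: / .*)?$")


def parse_events(text):
    """Return one dict per pid-check failure, with the status line that follows it."""
    events, pending = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"].strip()
        reuse = REUSE.search(msg)
        if reuse:
            ev = {
                "host": m["host"], "task": m["task"], "pid": pid,
                "op": reuse["op"],
                "opener": int(reuse["opener"]),
                "current": int(reuse["current"]),
                "status": None, "partition": None,
            }
            events.append(ev)
            pending[pid] = ev          # wait for this process's continuation line
            continue
        status = STATUS.match(msg)
        if status and pid in pending:
            ev = pending.pop(pid)
            ev["status"] = status["status"]
            ev["partition"] = status["partition"]
    return events


def summarize(events):
    """Group failures by (task, pid): counts, opener pids, affected partitions."""
    out = defaultdict(lambda: {"lock": 0, "unlock": 0, "openers": set(),
                               "partitions": set(), "pid_mismatch": True})
    for ev in events:
        s = out[(ev["task"], ev["pid"])]
        s[ev["op"]] += 1
        s["openers"].add(ev["opener"])
        if ev["partition"]:
            s["partitions"].add(ev["partition"])
        # the handle was opened by one pid and used by another
        s["pid_mismatch"] = s["pid_mismatch"] and ev["opener"] != ev["current"]
    return dict(out)


if __name__ == "__main__":
    for (task, pid), s in sorted(summarize(parse_events(SAMPLE_LOG)).items()):
        print(f"{task}[{pid}]: lock={s['lock']} unlock={s['unlock']} "
              f"opened_by={sorted(s['openers'])} mismatch={s['pid_mismatch']}")
        for part in sorted(s["partitions"]):
            print(f"    {part}")
```
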