Hi,

After a recent hardware failure where I did not have a working backup,
I am trying to re-create one of my DCs (DC1). This is a Samba 4.9.0
environment throughout. I have DC1 (the one that is hopefully being
re-joined), but also DC2, DC3 and DC4 which are still present, and
these have not experienced issues.

After running the following:

$ sudo samba-tool domain join mydomain.org DC -U myadmin --site=mysite --server=dc3

all seems well, until:

[...]
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
[... and also ...]
Replicating critical objects from the base DN of the domain
Partition[DC=mydomain,DC=org] objects[99/99] linked_values[28/28]
Partition[DC=mydomain,DC=org] objects[501/886] linked_values[0/61]
Partition[DC=mydomain,DC=org] objects[903/886] linked_values[0/718]
../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for index on servicePrincipalName, duplicate of objectGUID 00000000-1111-2222-3333-444444444444 in @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC
[lots of these]

Should I be worried by either of these two messages? (unable to
determine DomainSID, and the multiple duplicate attribute values)?

The domain has been in existence for a while, and has been upgraded
from 4.0.0 right up to 4.9.0 where it is today, so there might be
something in the database that isn't quite right.. I have tried
targeting a couple of different DCs for the domain join, with the
same result so far.

Samba does seem to run on DC1 after it is joined to the domain, but
I'm not sure it's working properly.. my test script for freeradius
(which I run on each DC) fails on DC1.

Any pointers/advice would be appreciated, as always!

Thanks :)

Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein

On Tue, 13 Nov 2018 20:55:08 +0000
Jonathan Hunter via samba <samba at lists.samba.org> wrote:

> Hi,
>
> After a recent hardware failure where I did not have a working backup,
> I am trying to re-create one of my DCs (DC1). This is a Samba 4.9.0
> environment throughout. I have DC1 (the one that is hopefully being
> re-joined), but also DC2, DC3 and DC4 which are still present, and
> these have not experienced issues.
>
> After running the following:
> $ sudo samba-tool domain join mydomain.org DC -U myadmin --site=mysite
> --server=dc3
> all seems well, until:
> [...]
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness
> constraint on local domainSIDs
> [... and also ...]
> Replicating critical objects from the base DN of the domain
> Partition[DC=mydomain,DC=org] objects[99/99] linked_values[28/28]
> Partition[DC=mydomain,DC=org] objects[501/886] linked_values[0/61]
> Partition[DC=mydomain,DC=org] objects[903/886] linked_values[0/718]
> ../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in
> CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for
> index on servicePrincipalName, duplicate of objectGUID
> 00000000-1111-2222-3333-444444444444 in
> @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC
> [lots of these]
>
> Should I be worried by either of these two messages? (unable to
> determine DomainSID, and the multiple duplicate attribute values)?
>
> The domain has been in existence for a while, and has been upgraded
> from 4.0.0 right up to 4.9.0 where it is today, so there might be
> something in the database that isn't quite right.. I have tried
> targeting a couple of different DCs for the domain join, with the
> same result so far.
>
> Samba does seem to run on DC1 after it is joined to the domain, but
> I'm not sure it's working properly.. my test script for freeradius
> (which I run on each DC) fails on DC1.
>
> Any pointers/advice would be appreciated, as always!
>
> Thanks :)
>
> Jonathan
>

I think you may be running into this bug:

https://bugzilla.samba.org/show_bug.cgi?id=8929

You may have duplicate SPN's e.g. one 'HOST/somePC' and another
'host/somepc'

Also there were several problems with 4.9.0, so I would rapidly upgrade
to 4.9.2

Rowland
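
Added example, not part of the original thread and not Samba's own code: one way to look for the case-variant duplicate SPNs suggested in the reply above, by scanning LDIF exported from sam.ldb (for instance with ldbsearch). It assumes SPN values collide when they match case-insensitively, as the upper-cased @INDEX key in the join error indicates; the LDIF below is constructed and the function names are hypothetical.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF; names follow the thread's placeholders, not a real directory.
B64 = base64.b64encode(b"RESTRICTEDKRBHOST/somepc").decode()
SAMPLE_LDIF = f"""\
dn: CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org
servicePrincipalName: HOST/somePC
servicePrincipalName: host/somepc
servicePrincipalName: RestrictedKrbHost/SOMEPC
servicePrincipalName:: {B64}

dn: CN=otherPC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org
servicePrincipalName: HOST/otherPC.mydo
 main.org
"""

def parse_spns(ldif_text):
    """Return {dn: [spn, ...]}, unfolding continuation lines and decoding base64 values."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF folds long lines with one leading space
        else:
            unfolded.append(line)
    entries, dn = defaultdict(list), None
    for line in unfolded:
        if not line or line.startswith("#"):  # skip blank separators and comment lines
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname" and dn is not None:
            entries[dn].append(value)
    return dict(entries)

def find_case_duplicates(entries):
    """Map upper-cased SPN -> [(dn, value), ...] for every key held more than once."""
    holders = defaultdict(list)
    for dn, spns in entries.items():
        for spn in spns:
            holders[spn.upper()].append((dn, spn))
    return {key: found for key, found in holders.items() if len(found) > 1}

if __name__ == "__main__":
    for key, found in sorted(find_case_duplicates(parse_spns(SAMPLE_LDIF)).items()):
        print(key, "<-", found)
```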

On Tue, 13 Nov 2018 at 21:26, Rowland Penny via samba
<samba at lists.samba.org> wrote:

>
> On Tue, 13 Nov 2018 20:55:08 +0000
> Jonathan Hunter via samba <samba at lists.samba.org> wrote:
>
> > After running the following:
> > $ sudo samba-tool domain join mydomain.org DC -U myadmin --site=mysite
> > --server=dc3
> > all seems well, until:
> > [...]
> > Setting up secrets.ldb
> > Setting up the registry
> > Setting up the privileges database
> > Setting up idmap db
> > Setting up SAM db
> > Setting up sam.ldb partitions and settings
> > Setting up sam.ldb rootDSE
> > Pre-loading the Samba 4 and AD schema
> > Unable to determine the DomainSID, can not enforce uniqueness
> > constraint on local domainSIDs
> > [... and also ...]
> > Replicating critical objects from the base DN of the domain
> > Partition[DC=mydomain,DC=org] objects[99/99] linked_values[28/28]
> > Partition[DC=mydomain,DC=org] objects[501/886] linked_values[0/61]
> > Partition[DC=mydomain,DC=org] objects[903/886] linked_values[0/718]
> > ../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in
> > CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for
> > index on servicePrincipalName, duplicate of objectGUID
> > 00000000-1111-2222-3333-444444444444 in
> > @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC
> > [lots of these]
>
> I think you may be running into this bug:
>
> https://bugzilla.samba.org/show_bug.cgi?id=8929
>
> You may have duplicate SPN's e.g. one 'HOST/somePC' and another
> 'host/somepc'

You could well be right, thank you. It's entirely possible - my domain
has been upgraded through various samba versions so that might be the
case.

Looks like this is an old bug, so I am guessing that a) it isn't likely
to be fixed imminently, and b) until I can get rid of the duplicate
entries somehow, I won't be able to join any DCs back into my domain...

> Also there were several problems with 4.9.0, so I would rapidly upgrade
> to 4.9.2

I did check the release notes and couldn't see anything critical for my
environment at the time, but I may well have missed something - so am
upgrading now and will try again.

The other message that worried me was the one about "Unable to determine
the DomainSID", I don't know what is causing that... (or if indeed it
would be a problem)

Many thanks as always,

Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein