Hi,

After reading wiki documentation about join I have tested to join a second dc, but with problems.

I need to add a second controller to our AD, and then upgrade existing server (4.4.5) and I have tried to join a new DC 4.10.7 to 4.4.5 server but I receive join errors, attached output with and without debug:
I have executed samba-tool dbcheck --cross-ncs all seems OK

I have made a test upgrading actual 4.4.5 to 4.10.7 and then join 4.10.7 to update DC to 4.10.7 and then works, but first I need to add a second controller to ensure no downtime.

some questions:
1) Why I receive this error?
Replicating critical objects from the base DN of the domain
Partition[DC=DOMAIN-TEST,DC=com] objects[98/98] linked_values[762/0]
Missing parent while attempting to apply records: No parent with GUID cdee5b31-365 d-4c8f-9368-4115b6307a19 found for object remotely known as CN=Domain Users,OU=Gru ps,DC=DOMAIN-TEST,DC=com
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT

--> not sure if can be related with this issue:
https://bugzilla.samba.org/show_bug.cgi?id=13274

2) About join in wiki appears
"
If the other DCs are Samba DCs and were provisioned with --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 = yes' to the join command
"

But checking my command used to migrate from samba nt domain to our actual ADDC domain this command was not used, but checking smb.conf appears this:
idmap_ldb:use rfc2307 = yes

But I'm not sure if I have to use --option='idmap_ldb:use rfc2307 yes' on join command

smb.conf DC1
[global]

        bind interfaces only = Yes
        interfaces = lo eth0 eth0:0
        netbios name = DC1
        realm = DOMAIN-TEST.COM
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = DOMAIN-TEST
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        comment

        winbind enum users = yes
        winbind enum groups = yes

        tls enabled = yes
        tls keyfile = tls/dc1.pem.nopass.key
        tls certfile = tls/dc1.pem.crt
        tls cafile = tls/cert_ca.pem.crt

        tls verify peer = ca_and_name
        ldap server require strong auth = no

##############################
output join 4.10.7 to 4.4.5
# samba-tool domain join domain-test.com DC -U"domain-test.com\Administrador" --d ns-backend=BIND9_DLZ --option="interfaces=lo eth0 eth0:0" --option="bind interface s only=yes"
INFO 2019-09-09 10:05:35,198 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/join.py #104: Finding a writeable DC for domain 'domain-test.com'
INFO 2019-09-09 10:05:35,222 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/join.py #106: Found DC dc1.domain-test.com
Password for [domain-test.com\Administrador]:
INFO 2019-09-09 10:05:39,773 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/join.py #1528: workgroup is DOMAIN-TEST
INFO 2019-09-09 10:05:39,773 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/join.py #1531: realm is domain-test.com
Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN-TEST,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC DOMAIN-TEST,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN Configuration,DC=DOMAIN-TEST,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=DOMAIN-TEST,DC=com
Setting account password for DC2$
Enabling account
Adding DNS account CN=dns-DC2,CN=Users,DC=DOMAIN-TEST,DC=com with dns/ SPN
Setting account password for dns-DC2
Calling bare provision
INFO 2019-09-09 10:05:41,671 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2088: Looking up IPv4 addresses
WARNING 2019-09-09 10:05:41,672 pid:27665 /usr/local/samba/lib/python3.4/site-pack ages/samba/provision/__init__.py #2094: More than one IPv4 address found.
Using 19 4.0.100.60
INFO 2019-09-09 10:05:41,672 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2105: Looking up IPv6 addresses
WARNING 2019-09-09 10:05:41,673 pid:27665 /usr/local/samba/lib/python3.4/site-pack ages/samba/provision/__init__.py #2112: No IPv6 address will be assigned
INFO 2019-09-09 10:05:42,184 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2278: Setting up share.ldb
INFO 2019-09-09 10:05:42,219 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2282: Setting up secrets.ldb
INFO 2019-09-09 10:05:42,247 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2288: Setting up the registry
INFO 2019-09-09 10:05:42,325 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2291: Setting up the privileges database
INFO 2019-09-09 10:05:42,369 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2294: Setting up idmap db
INFO 2019-09-09 10:05:42,403 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2301: Setting up SAM db
INFO 2019-09-09 10:05:42,413 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #882: Setting up sam.ldb partitions and settings
INFO 2019-09-09 10:05:42,415 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #894: Setting up sam.ldb rootDSE
INFO 2019-09-09 10:05:42,422 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #1302: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2019-09-09 10:05:42,482 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2351: A Kerberos configuration suitable for Samba A D has been generated at /usr/local/samba/private/krb5.conf
INFO 2019-09-09 10:05:42,482 pid:27665 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2352: Merge the contents of this file with your sys tem krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=DOMAIN-TEST,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[402/1550] linked_va lues[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[804/1550] linked_va lues[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[1206/1550] linked_v alues[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[1550/1550] linked_v alues[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[402/1615] linked_values[0/0]
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[804/1615] linked_values[0/0]
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[1206/1615] linked_values[0/0]
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[1608/1615] linked_values[0/0]
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[1615/1615] linked_values[30/0 ]
Replicating critical objects from the base DN of the domain
Partition[DC=DOMAIN-TEST,DC=com] objects[98/98] linked_values[762/0]
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN-TEST,DC=com
Deleted CN=dns-DC2,CN=Users,DC=DOMAIN-TEST,DC=com
Deleted CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN =Configuration,DC=DOMAIN-TEST,DC=com
Deleted CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC =DOMAIN-TEST,DC=com
ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS repl icated objects: WERR_DS_DRA_MISSING_PARENT")
  File "/usr/local/samba/lib/python3.4/site-packages/samba/netcmd/__init__.py", li ne 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.4/site-packages/samba/netcmd/domain.py", line 700, in run
    backend_store=backend_store)
  File "/usr/local/samba/lib/python3.4/site-packages/samba/join.py", line 1544, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib/python3.4/site-packages/samba/join.py", line 1438, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib/python3.4/site-packages/samba/join.py", line 982, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/local/samba/lib/python3.4/site-packages/samba/drs_utils.py", line 356 , in replicate
    raise e
  File "/usr/local/samba/lib/python3.4/site-packages/samba/drs_utils.py", line 343 , in replicate
    self.process_chunk(level, ctr, schema, req_level, req, first_chunk)
  File "/usr/local/samba/lib/python3.4/site-packages/samba/drs_utils.py", line 237 , in process_chunk
    schema=schema, req_level=req_level, req=req)

with debug -d 3
root at DC2:~# samba-tool domain join domain-test.com DC -U"domain-test.com\Administrador" --d ns-backend=BIND9_DLZ --option="interfaces=lo eth0 eth0:0" --option="bind interface s only=yes" -d 3
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
INFO 2019-09-09 10:06:11,792 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/join.py #104: Finding a writeable DC for domain 'domain-test.com'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.domain-test.com<0x0>
INFO 2019-09-09 10:06:11,813 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/join.py #106: Found DC dc1.domain-test.com
resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain-test.com<0x20>
Password for [domain-test.com\Administrador]:
INFO 2019-09-09 10:06:15,655 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/join.py #1528: workgroup is DOMAIN-TEST
INFO 2019-09-09 10:06:15,656 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/join.py #1531: realm is domain-test.com
Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN-TEST,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC DOMAIN-TEST,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN Configuration,DC=DOMAIN-TEST,DC=com
Using binding ncacn_ip_tcp:dc1.domain-test.com[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain-test.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain-test.com<0x20>
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=DOMAIN-TEST,DC=com
Setting account password for DC2$
Enabling account
Adding DNS account CN=dns-DC2,CN=Users,DC=DOMAIN-TEST,DC=com with dns/ SPN
Setting account password for dns-DC2
Calling bare provision
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
INFO 2019-09-09 10:06:17,446 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2088: Looking up IPv4 addresses
WARNING 2019-09-09 10:06:17,447 pid:27673 /usr/local/samba/lib/python3.4/site-pack ages/samba/provision/__init__.py #2094: More than one IPv4 address found. Using 19 4.0.100.60
INFO 2019-09-09 10:06:17,447 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2105: Looking up IPv6 addresses
WARNING 2019-09-09 10:06:17,448 pid:27673 /usr/local/samba/lib/python3.4/site-pack ages/samba/provision/__init__.py #2112: No IPv6 address will be assigned
INFO 2019-09-09 10:06:18,001 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2282: Setting up secrets.ldb
INFO 2019-09-09 10:06:18,035 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2288: Setting up the registry
ldb_wrap open of hklm.ldb
INFO 2019-09-09 10:06:18,053 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2291: Setting up the privileges database
INFO 2019-09-09 10:06:18,096 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2294: Setting up idmap db
INFO 2019-09-09 10:06:18,129 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2301: Setting up SAM db
INFO 2019-09-09 10:06:18,139 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #882: Setting up sam.ldb partitions and settings
INFO 2019-09-09 10:06:18,141 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #894: Setting up sam.ldb rootDSE
INFO 2019-09-09 10:06:18,148 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #1302: Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb gave: (null )
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2019-09-09 10:06:18,205 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2351: A Kerberos configuration suitable for Samba A D has been generated at /usr/local/samba/private/krb5.conf
INFO 2019-09-09 10:06:18,206 pid:27673 /usr/local/samba/lib/python3.4/site-package s/samba/provision/__init__.py #2352: Merge the contents of this file with your sys tem krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=DOMAIN-TEST,DC=com
Starting replication
Using binding ncacn_ip_tcp:dc1.domain-test.com[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain-test.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain-test.com<0x20>
Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[402/1550] linked_va lues[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[804/1550] linked_va lues[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[1206/1550] linked_v alues[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[1550/1550] linked_v alues[0/0]
Analyze and apply schema objects
Replicated 1550 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=ho sppal,DC=com
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[402/1617] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN-TEST,DC=com
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[804/1617] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN-TEST,DC=com
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[1206/1617] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN-TEST,DC=com
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[1608/1617] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN-TEST,DC=com
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[1617/1617] linked_values[32/0 ]
Missing target while attempting to apply records: Deleted target CN=NTDS Settings\ 0ADEL:193acd86-264a-462a-87aa-a4948f35c908,CN=DC2\0ADEL:c6bef0f5-e4cb-42d4-baf2-a e344091d09b,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hos ppal,DC=com GUID 193acd86-264a-462a-87aa-a4948f35c908 linked from CN=7ac4d0d7-beb3- 4f47-b192-9b4e2547f787,CN=Partitions,CN=Configuration,DC=DOMAIN-TEST,DC=com
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[2019/1617] linked_values[32/0 ]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN-TEST,DC=com
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[2421/1617] linked_values[32/0 ]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN-TEST,DC=com
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[2823/1617] linked_values[32/0 ]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN-TEST,DC=com
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[3225/1617] linked_values[32/0 ]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN-TEST,DC=com
Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[3234/1617] linked_values[64/0 ]
Replicated 9 objects (32 linked attributes) for CN=Configuration,DC=DOMAIN-TEST,DC=com
Replicating critical objects from the base DN of the domain
Partition[DC=DOMAIN-TEST,DC=com] objects[98/98] linked_values[762/0]
Missing parent while attempting to apply records: No parent with GUID cdee5b31-365 d-4c8f-9368-4115b6307a19 found for object remotely known as CN=Domain Users,OU=Gru ps,DC=DOMAIN-TEST,DC=com
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine accoun t password for DOMAIN-TEST from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN-TEST)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:4712) and from /usr/l ocal/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN-TEST,DC=com
Deleted CN=dns-DC2,CN=Users,DC=DOMAIN-TEST,DC=com
Deleted CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN =Configuration,DC=DOMAIN-TEST,DC=com
Deleted CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC =DOMAIN-TEST,DC=com
ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS repl icated objects: WERR_DS_DRA_MISSING_PARENT")
  File "/usr/local/samba/lib/python3.4/site-packages/samba/netcmd/__init__.py", li ne 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.4/site-packages/samba/netcmd/domain.py", line 700, in run
    backend_store=backend_store)
  File "/usr/local/samba/lib/python3.4/site-packages/samba/join.py", line 1544, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib/python3.4/site-packages/samba/join.py", line 1438, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib/python3.4/site-packages/samba/join.py", line 982, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/local/samba/lib/python3.4/site-packages/samba/drs_utils.py", line 356 , in replicate
    raise e
  File "/usr/local/samba/lib/python3.4/site-packages/samba/drs_utils.py", line 343 , in replicate
    self.process_chunk(level, ctr, schema, req_level, req, first_chunk)
  File "/usr/local/samba/lib/python3.4/site-packages/samba/drs_utils.py", line 237 , in process_chunk
    schema=schema, req_level=req_level, req=req)

##############################

thanks
On 09/09/2019 09:33, Trenta sis via samba wrote:
> Hi,
>
> After reading wiki documentation about join I have tested to join a
> second dc, but with problems.
>
> I need to add a second controller to our AD, and then upgrade existing
> server (4.4.5) and I have tried to join a new DC 4.10.7 to 4.4.5
> server but I receive join errors, attached output with and without
> debug:
> I have executed samba-tool dbcheck --cross-ncs all seems OK
>

You seem to have two errors, the first:

Missing target while attempting to apply records: Deleted target CN=NTDS Settings\0ADEL:193acd86-264a-462a-87aa-a4948f35c908,CN=DC2\0ADEL:c6bef0f5-e4cb-42d4-baf2-ae344091d09b,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain-test,DC=com GUID 193acd86-264a-462a-87aa-a4948f35c908 linked from CN=7ac4d0d7-beb3-4f47-b192-9b4e2547f787,CN=Partitions,CN=Configuration,DC=DOMAIN-TEST,DC=com

Is referring to a deleted object and as such isn't really a problem, but cleaning up deleted objects would remove this.

The second is where it falls apart:

Missing parent while attempting to apply records: No parent with GUID cdee5b31-365d-4c8f-9368-4115b6307a19 found for object remotely known as CN=Domain Users,OU=Grups,DC=DOMAIN-TEST,DC=com
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT

First, is it actually 'OU=Grups' ? or is it 'OU=Groups' ? (I had to stitch your output together, but I am sure the 'o' wasn't there)

Second, does the GUID 'cdee5b31-365d-4c8f-9368-4115b6307a19' exist in AD or has it been deleted ?

Third, why move 'Domain Users' from 'CN=Users,DC=DOMAIN-TEST,DC=COM' ?

Rowland
Andrew Bartlett
2019-Sep-09 09:14 UTC
[Samba] Samba 4.4 AD DC and GET_ANC restriction from Samba 4.5 DC joining (was: Re: Error join samba 4.10.7 to samba 4.4.5)
On Mon, 2019-09-09 at 10:33 +0200, Trenta sis via samba wrote:
> Hi,
>
> After reading wiki documentation about join I have tested to join a
> second dc, but with problems.
>
> I need to add a second controller to our AD, and then upgrade existing
> server (4.4.5) and I have tried to join a new DC 4.10.7 to 4.4.5
> server but I receive join errors, attached output with and without
> debug:
> I have executed samba-tool dbcheck --cross-ncs all seems OK
>
> I have made a test upgrading actual 4.4.5 to 4.10.7 and then join
> 4.10.7 to update DC to 4.10.7 and then works, but first I need to add a
> second controller to ensure no downtime.
>
> some questions:
> 1) Why I receive this error?
> Replicating critical objects from the base DN of the domain
> Partition[DC=DOMAIN-TEST,DC=com] objects[98/98] linked_values[762/0]
> Missing parent while attempting to apply records: No parent with GUID
> cdee5b31-365
>
> d-4c8f-9368-4115b6307a19 found for object remotely known as CN=Domain
> Users,OU=Gru
>
> ps,DC=DOMAIN-TEST,DC=com
> Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
>
> --> not sure if can be related with this issue:
> https://bugzilla.samba.org/show_bug.cgi?id=13274

Not that issue, but a very well known one.

The trouble is, Samba 4.4 was happy to get a tree like this:

   X
 |   |
 Y   Z

in an order like this:

Step 1
 Y

Step 2
 Y   Z

Step 3
   X
 |   |
 Y   Z

As long as everything worked out in the end, it was fine.

But this had issues, so we patched it to instead demand the objects in tree order (GET_ANC), but of course the server needs to know what that means.

Samba 4.5 was, from memory, the first release we did that, but the server, even with 4.4, didn't really know what that flag meant. It wasn't until much later, Samba 4.6 or so, when we finally got the flag right, which of course gives problems upgrading from Samba 4.4. (We would sort the current 'page' of replication entries, but not the whole partition).

We have continued to improve this code since, but that is the core.

The next issue is a flag called GET_TGT but that hurts much less often, as we have a client-side workaround detecting that the server didn't understand us.

The workaround for you is to carefully touch each object such that the children are modified after the parents. Or upgrade in-place that DC and replicate from there.

Both suck, I know.

> 2) About join in wiki appears
> "
> If the other DCs are Samba DCs and were provisioned with
> --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 = yes'
> to the join command
> "
>
> But checking my command used to migrate from samba nt domain to our
> actual ADDC domain this command was not used, but checking smb.conf
> appears this:
> idmap_ldb:use rfc2307 = yes
>
> But I'm not sure if I have to use --option='idmap_ldb:use rfc2307
> yes' on join command

Probably. But that isn't the big deal at this point.

I hope this helps a little. We need to extend our wiki to explain this more I'm sure. I've CC'ed samba-technical for those there who might want to learn the history a bit more.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
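
The ordering problem described in the message above, as a small Python model added here (it is not Samba code and not from the thread). The names X, Y, Z follow the diagram in the mail; the change counters, the page size and the assumption that the server sends objects oldest change first are constructed for illustration.

```python
"""Toy model of replication ordering and the missing-parent failure.

Constructed example, not Samba code. Objects X, Y, Z follow the diagram in
the mail; the change counters (usn) and the page size are made up.
"""
from collections import namedtuple

# guid/parent are opaque ids; usn is the "last changed" counter on the server.
Obj = namedtuple("Obj", "guid parent usn")

BASE = "base-dn"  # the partition root already exists on the joining DC

# Y and Z were last changed before their parent X (Step 1..3 in the mail).
OBJECTS = [Obj("Y", "X", 10), Obj("Z", "X", 20), Obj("X", BASE, 30)]


def by_usn(objs):
    """Assumed send order of the server: oldest change first."""
    return sorted(objs, key=lambda o: o.usn)


def ancestors_first(objs):
    """Order objs so every parent that is in objs precedes its children."""
    by_guid = {o.guid: o for o in objs}
    out, seen = [], set()

    def emit(o):
        if o.guid in seen:
            return
        parent = by_guid.get(o.parent)
        if parent is not None:      # parent is in this batch: send it first
            emit(parent)
        seen.add(o.guid)
        out.append(o)

    for o in by_usn(objs):
        emit(o)
    return out


def page_sorted(objs, page_size):
    """Server that puts each page in tree order, but not the whole partition."""
    stream = by_usn(objs)
    out = []
    for i in range(0, len(stream), page_size):
        out.extend(ancestors_first(stream[i:i + page_size]))
    return out


def strict_apply(stream):
    """Strict client: commit in order, refuse an object whose parent is absent.

    Returns None on success, else the guid that hit the missing-parent case.
    """
    present = {BASE}
    for o in stream:
        if o.parent not in present:
            return o.guid
        present.add(o.guid)
    return None


def touch_parents_first(objs):
    """Workaround from the mail: modify parents before children, so each
    child ends up with a later change counter than its parent."""
    next_usn = max(o.usn for o in objs) + 1
    touched = []
    for o in ancestors_first(objs):
        touched.append(o._replace(usn=next_usn))
        next_usn += 1
    return touched


if __name__ == "__main__":
    print("change order       ->", strict_apply(by_usn(OBJECTS)))
    print("page-sorted (2)    ->", strict_apply(page_sorted(OBJECTS, 2)))
    print("whole tree order   ->", strict_apply(ancestors_first(OBJECTS)))
    touched = touch_parents_first(OBJECTS)
    print("after touch, paged ->", strict_apply(page_sorted(touched, 2)))
```

With a page size of 2 the parent X lands on the second page, so sorting inside each page does not help; only whole-partition ordering or re-touching the objects parents-first lets the strict client commit.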
Hi,

Thanks, I'll try to answer your questions:

You seem to have two errors, the first:

Missing target while attempting to apply records: Deleted target CN=NTDS Settings\0ADEL:193acd86-264a-462a-87aa-a4948f35c908,CN=DC2\0ADEL:c6bef0f5-e4cb-42d4-baf2-ae344091d09b,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain-test,DC=com GUID 193acd86-264a-462a-87aa-a4948f35c908 linked from CN=7ac4d0d7-beb3-4f47-b192-9b4e2547f787,CN=Partitions,CN=Configuration,DC=DOMAIN-TEST,DC=com
--> How can I know what object this is?

Is referring to a deleted object and as such isn't really a problem, but cleaning up deleted objects would remove this.

The second is where it falls apart:

Missing parent while attempting to apply records: No parent with GUID cdee5b31-365d-4c8f-9368-4115b6307a19 found for object remotely known as CN=Domain Users,OU=Grups,DC=DOMAIN-TEST,DC=com
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT

First, is it actually 'OU=Grups' ? or is it 'OU=Groups' ? (I had to stitch your output together, but I am sure the 'o' wasn't there)
--> It is an OU created to move our new groups and also the Domain Users group

Second, does the GUID 'cdee5b31-365d-4c8f-9368-4115b6307a19' exist in AD or has it been deleted ?
--> How can I know what this object is, where can I find this GUID and real name?

Third, why move 'Domain Users' from 'CN=Users,DC=DOMAIN-TEST,DC=COM' ?
--> It was moved to our new OU to organize; I'll try to test moving it to Users and I'll report the results

thanks!!!

Message from Trenta sis <trenta.sis at gmail.com> on Mon, 9 Sep 2019 at 10:33:
>
> Hi,
>
> After reading wiki documentation about join I have tested to join a
> second dc, but with problems.
Using 19 > > 4.0.100.60 > INFO 2019-09-09 10:06:17,447 pid:27673 > /usr/local/samba/lib/python3.4/site-package > > s/samba/provision/__init__.py #2105: Looking up IPv6 addresses > WARNING 2019-09-09 10:06:17,448 pid:27673 > /usr/local/samba/lib/python3.4/site-pack > > ages/samba/provision/__init__.py #2112: No IPv6 address will be assigned > INFO 2019-09-09 10:06:18,001 pid:27673 > /usr/local/samba/lib/python3.4/site-package > > s/samba/provision/__init__.py #2282: Setting up secrets.ldb > INFO 2019-09-09 10:06:18,035 pid:27673 > /usr/local/samba/lib/python3.4/site-package > > s/samba/provision/__init__.py #2288: Setting up the registry > ldb_wrap open of hklm.ldb > INFO 2019-09-09 10:06:18,053 pid:27673 > /usr/local/samba/lib/python3.4/site-package > > s/samba/provision/__init__.py #2291: Setting up the privileges database > INFO 2019-09-09 10:06:18,096 pid:27673 > /usr/local/samba/lib/python3.4/site-package > > s/samba/provision/__init__.py #2294: Setting up idmap db > INFO 2019-09-09 10:06:18,129 pid:27673 > /usr/local/samba/lib/python3.4/site-package > > s/samba/provision/__init__.py #2301: Setting up SAM db > INFO 2019-09-09 10:06:18,139 pid:27673 > /usr/local/samba/lib/python3.4/site-package > > s/samba/provision/__init__.py #882: Setting up sam.ldb partitions and settings > INFO 2019-09-09 10:06:18,141 pid:27673 > /usr/local/samba/lib/python3.4/site-package > > s/samba/provision/__init__.py #894: Setting up sam.ldb rootDSE > INFO 2019-09-09 10:06:18,148 pid:27673 > /usr/local/samba/lib/python3.4/site-package > > s/samba/provision/__init__.py #1302: Pre-loading the Samba 4 and AD schema > partition_metadata: Migrating partition metadata: open of metadata.tdb > gave: (null ) > Unable to determine the DomainSID, can not enforce uniqueness > constraint on local > > domainSIDs > > INFO 2019-09-09 10:06:18,205 pid:27673 > /usr/local/samba/lib/python3.4/site-package > > s/samba/provision/__init__.py #2351: A Kerberos configuration suitable > for Samba A D > > has 
been generated at /usr/local/samba/private/krb5.conf > INFO 2019-09-09 10:06:18,206 pid:27673 > /usr/local/samba/lib/python3.4/site-package > > s/samba/provision/__init__.py #2352: Merge the contents of this file > with your sys tem > > krb5.conf or replace it with this one. Do not create a symlink! > Provision OK for domain DN DC=DOMAIN-TEST,DC=com > Starting replication > Using binding ncacn_ip_tcp:dc1.domain-test.com[,seal] > resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain-test.com<0x20> > resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain-test.com<0x20> > Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN-TEST,DC=com] > objects[402/1550] linked_va > > lues[0/0] > Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN-TEST,DC=com] > objects[804/1550] linked_va > > lues[0/0] > Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN-TEST,DC=com] > objects[1206/1550] linked_v > > alues[0/0] > Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN-TEST,DC=com] > objects[1550/1550] linked_v > > alues[0/0] > Analyze and apply schema objects > Replicated 1550 objects (0 linked attributes) for > CN=Schema,CN=Configuration,DC=ho > > sppal,DC=com > Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[402/1617] > linked_values[0/0] > Replicated 402 objects (0 linked attributes) for > CN=Configuration,DC=DOMAIN-TEST,DC=com > Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[804/1617] > linked_values[0/0] > Replicated 402 objects (0 linked attributes) for > CN=Configuration,DC=DOMAIN-TEST,DC=com > Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[1206/1617] > linked_values[0/0] > Replicated 402 objects (0 linked attributes) for > CN=Configuration,DC=DOMAIN-TEST,DC=com > Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[1608/1617] > linked_values[0/0] > Replicated 402 objects (0 linked attributes) for > CN=Configuration,DC=DOMAIN-TEST,DC=com > Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[1617/1617] > linked_values[32/0 > > ] > Missing 
target while attempting to apply records: Deleted target > CN=NTDS Settings\ > > 0ADEL:193acd86-264a-462a-87aa-a4948f35c908,CN=DC2\0ADEL:c6bef0f5-e4cb-42d4-baf2-a > > e344091d09b,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hos > > ppal,DC=com GUID 193acd86-264a-462a-87aa-a4948f35c908 linked from > CN=7ac4d0d7-beb3- > > 4f47-b192-9b4e2547f787,CN=Partitions,CN=Configuration,DC=DOMAIN-TEST,DC=com > > Failed to commit objects: DOS code 0x000021bf > Missing target object - retrying with DRS_GET_TGT > Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[2019/1617] > linked_values[32/0 > > ] > Replicated 402 objects (0 linked attributes) for > CN=Configuration,DC=DOMAIN-TEST,DC=com > Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[2421/1617] > linked_values[32/0 > > ] > Replicated 402 objects (0 linked attributes) for > CN=Configuration,DC=DOMAIN-TEST,DC=com > Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[2823/1617] > linked_values[32/0 > > ] > Replicated 402 objects (0 linked attributes) for > CN=Configuration,DC=DOMAIN-TEST,DC=com > Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[3225/1617] > linked_values[32/0 > > ] > Replicated 402 objects (0 linked attributes) for > CN=Configuration,DC=DOMAIN-TEST,DC=com > Partition[CN=Configuration,DC=DOMAIN-TEST,DC=com] objects[3234/1617] > linked_values[64/0 > > ] > Replicated 9 objects (32 linked attributes) for > CN=Configuration,DC=DOMAIN-TEST,DC=com > Replicating critical objects from the base DN of the domain > Partition[DC=DOMAIN-TEST,DC=com] objects[98/98] linked_values[762/0] > Missing parent while attempting to apply records: No parent with GUID > cdee5b31-365 > > d-4c8f-9368-4115b6307a19 found for object remotely known as CN=Domain > Users,OU=Gru > > ps,DC=DOMAIN-TEST,DC=com > Failed to commit objects: WERR_DS_DRA_MISSING_PARENT > Join failed - cleaning up > ldb_wrap open of secrets.ldb > Could not find machine account in secrets database: Failed to fetch > 
machine accoun t > > password for DOMAIN-TEST from both secrets.ldb (Could not find entry > to match filter: > > '(&(flatname=DOMAIN-TEST)(objectclass=primaryDomain))' base: > 'cn=Primary Domains': No > > such object: dsdb_search at ../../source4/dsdb/common/util.c:4712) and > from /usr/l > > ocal/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO > Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN-TEST,DC=com > Deleted CN=dns-DC2,CN=Users,DC=DOMAIN-TEST,DC=com > Deleted CN=NTDS > Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN > > =Configuration,DC=DOMAIN-TEST,DC=com > Deleted CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC > > =DOMAIN-TEST,DC=com > ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' > of DRS repl > > icated objects: WERR_DS_DRA_MISSING_PARENT") > File "/usr/local/samba/lib/python3.4/site-packages/samba/netcmd/__init__.py", > li ne > > 185, in _run > return self.run(*args, **kwargs) > File "/usr/local/samba/lib/python3.4/site-packages/samba/netcmd/domain.py", > line > > 700, in run > backend_store=backend_store) > File "/usr/local/samba/lib/python3.4/site-packages/samba/join.py", > line 1544, in > > join_DC > ctx.do_join() > File "/usr/local/samba/lib/python3.4/site-packages/samba/join.py", > line 1438, in > > do_join > ctx.join_replicate() > File "/usr/local/samba/lib/python3.4/site-packages/samba/join.py", > line 982, in > > join_replicate > replica_flags=ctx.domain_replica_flags) > File "/usr/local/samba/lib/python3.4/site-packages/samba/drs_utils.py", > line 356 , > > in replicate > raise e > File "/usr/local/samba/lib/python3.4/site-packages/samba/drs_utils.py", > line 343 , > > in replicate > self.process_chunk(level, ctr, schema, req_level, req, first_chunk) > File "/usr/local/samba/lib/python3.4/site-packages/samba/drs_utils.py", > line 237 , > > in process_chunk > schema=schema, req_level=req_level, req=req) > > ############################## > thanks
Trenta sis
2019-Sep-09 13:53 UTC
[Samba] Samba 4.4 AD DC and GET_ANC restriction from Samba 4.5 DC joining (was: Re: Error join samba 4.10.7 to samba 4.4.5)
Hi Andrew,

thanks for your information, but I have some questions, I'm not a samba expert... Sorry!

> Not that issue, but a very well known one.
>
> The trouble is, Samba 4.4 was happy to get a tree like this:
>
>      X
>    |   |
>    Y   Z
>
> in an order like this:
>
> Step 1
>
>    Y
>
> Step 2
>
>    Y   Z
>
> Step 3
>      X
>    |   |
>    Y   Z
>
> As long as everything worked out in the end, it was fine. But this had
> issues, so we patched it to instead demand the objects in tree order
> (GET_ANC), but of course the server needs to know what that means.
>
> Samba 4.5 was, from memory, the first release we did that, but the
> server, even with 4.4, didn't really know what that flag meant.
>
> It wasn't until much later, Samba 4.6 or so, when we finally got the
> flag right, which of course gives problems upgrading from Samba 4.4.
> (We would sort the current 'page' of replication entries, but not the
> whole partition).
>
> We have continued to improve this code since, but that is the core.
> The next issue is a flag called GET_TGT but that hurts much less often,
> as we have a client-side workaround detecting that the server didn't
> understand us.
>
> The workaround for you is to carefully touch each object such that the
> children are modified after the parents. Or upgrade in-place that DC
> and replicate from there. Both suck, I know.

--> Not really sure where the issue is, but I moved Domain Users to CN=Users and now the join from 4.10.7 to 4.4.5 seems to work!! Great!! Thanks!!!

During the join there are some errors "duplicate value attribute CN=.." but I can find what is duplicated, and some values that appear as duplicated are not shown in the RSAT tools. Any suggestion how to solve these issues?

RFC2307: it seems that the join has not added it, I'll try to add it manually and also add some other config that is not added (cert config).

Thanks

Message from Andrew Bartlett <abartlet at samba.org> on Mon, 9 Sep 2019 at 11:14:
>
> On Mon, 2019-09-09 at 10:33 +0200, Trenta sis via samba wrote:
> > Hi,
> >
> > After reading wiki documentation about join I have tested to join a
> > second dc, but with problems.
> >
> > I need to add a second controller to our AD, and then upgrade existing
> > server (4.4.5) and I have tried to join a new DC 4.10.7 to 4.4.5
> > server but I receive join errors, attached output with and without
> > debug:
> > I have executed samba-tool dbcheck --cross-ncs all seems OK
> >
> > I have made a test upgrading actual 4.4.5 to 4.10.7 and then join
> > 4.10.7 to update DC to 4.10.7 and then works, but first I need to add a
> > second controller to ensure no downtime.
> >
> > some questions:
> > 1) Why I receive this error?
> > Replicating critical objects from the base DN of the domain
> > Partition[DC=DOMAIN-TEST,DC=com] objects[98/98] linked_values[762/0]
> > Missing parent while attempting to apply records: No parent with GUID
> > cdee5b31-365d-4c8f-9368-4115b6307a19 found for object remotely known as
> > CN=Domain Users,OU=Grups,DC=DOMAIN-TEST,DC=com
> > Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
> >
> > --> not sure if can be related with this issue:
> > https://bugzilla.samba.org/show_bug.cgi?id=13274
>
> Not that issue, but a very well known one.
>
> The trouble is, Samba 4.4 was happy to get a tree like this:
>
>      X
>    |   |
>    Y   Z
>
> in an order like this:
>
> Step 1
>
>    Y
>
> Step 2
>
>    Y   Z
>
> Step 3
>      X
>    |   |
>    Y   Z
>
> As long as everything worked out in the end, it was fine. But this had
> issues, so we patched it to instead demand the objects in tree order
> (GET_ANC), but of course the server needs to know what that means.
>
> Samba 4.5 was, from memory, the first release we did that, but the
> server, even with 4.4, didn't really know what that flag meant.
>
> It wasn't until much later, Samba 4.6 or so, when we finally got the
> flag right, which of course gives problems upgrading from Samba 4.4.
> (We would sort the current 'page' of replication entries, but not the
> whole partition).
>
> We have continued to improve this code since, but that is the core.
> The next issue is a flag called GET_TGT but that hurts much less often,
> as we have a client-side workaround detecting that the server didn't
> understand us.
>
> The workaround for you is to carefully touch each object such that the
> children are modified after the parents. Or upgrade in-place that DC
> and replicate from there. Both suck, I know.
>
> > 2) About join in wiki appears
> > "
> > If the other DCs are Samba DCs and were provisioned with
> > --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 = yes'
> > to the join command
> > "
> >
> > But checking my command used to migrate from samba nt domain to our
> > actual ADDC domain this command was not used, but checking smb.conf
> > appears this:
> > idmap_ldb:use rfc2307 = yes
> >
> > But I'm not sure if I have to use --option='idmap_ldb:use rfc2307
> > yes' on join command
>
> Probably. But that isn't the big deal at this point.
>
> I hope this helps a little. We need to extend our wiki to explain this
> more I'm sure.
>
> I've CC'ed samba-technical for those there who might want to learn the
> history a bit more.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
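
The ordering problem described in Andrew's reply, as an added Python sketch (not code from the thread or from Samba): a receiver that refuses children before their parents, fed first by a source that ignores the ancestors-first request and then by one that honours it, plus the "touch children after parents" workaround computed as a plan. The sequence numbers, the function names and the Administrator and Staff entries are constructed for illustration, and the model assumes the source sends objects in order of last change.

```python
import re

BASE = "DC=DOMAIN-TEST,DC=com"

# Constructed sample: DN -> change sequence number on the source DC.
# OU=Grups was changed after its child CN=Domain Users, so a stream ordered
# by sequence number delivers the group before the OU that contains it.
OBJECTS = {
    "CN=Users,DC=DOMAIN-TEST,DC=com": 10,
    "CN=Administrator,CN=Users,DC=DOMAIN-TEST,DC=com": 20,
    "CN=Domain Users,OU=Grups,DC=DOMAIN-TEST,DC=com": 30,
    "OU=Grups,DC=DOMAIN-TEST,DC=com": 90,
    "CN=Staff,OU=Grups,DC=DOMAIN-TEST,DC=com": 95,
}


def rdns(dn):
    """Split a DN into its components on unescaped commas."""
    return re.split(r"(?<!\\),", dn)


def parent_dn(dn):
    """DN of the containing object (everything after the first RDN)."""
    return ",".join(rdns(dn)[1:])


def first_orphan(stream, base=BASE):
    """Apply DNs in order. Return the first DN whose parent is not present
    yet (the MISSING_PARENT case), or None if the whole stream applies."""
    present = {base.lower()}
    for dn in stream:
        if parent_dn(dn).lower() not in present:
            return dn
        present.add(dn.lower())
    return None


def sequence_order(objects):
    """Stream from a source that ignores the ancestors-first request."""
    return sorted(objects, key=objects.get)


def ancestors_first(objects):
    """Stream from a source that honours it: shallower DNs are sent first."""
    return sorted(objects, key=lambda dn: (len(rdns(dn)), objects[dn]))


def touch_plan(objects):
    """Workaround from the reply: walk the tree top-down and re-save every
    object that is older than its parent. Returns (DNs to touch, in order,
    and the sequence numbers that result)."""
    seq = dict(objects)
    next_seq = max(seq.values()) + 1
    plan = []
    for dn in ancestors_first(objects):
        parent = parent_dn(dn)
        if parent in seq and seq[dn] < seq[parent]:
            seq[dn] = next_seq  # a modification gets a fresh, higher number
            next_seq += 1
            plan.append(dn)
    return plan, seq


if __name__ == "__main__":
    print("sequence order fails at:", first_orphan(sequence_order(OBJECTS)))
    print("ancestors first fails at:", first_orphan(ancestors_first(OBJECTS)))
    plan, new_seq = touch_plan(OBJECTS)
    print("touch in this order:", plan)
    print("after touching, fails at:", first_orphan(sequence_order(new_seq)))
```

Because the plan is built top-down, a touched parent is taken into account when its own children are checked, so deeper subtrees cascade correctly.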