Trenta sis
2019-Sep-09 13:53 UTC
[Samba] Samba 4.4 AD DC and GET_ANC restriction from Samba 4.5 DC joining (was: Re: Error join samba 4.10.7 to samba 4.4.5)
Hi Andrew,

thanks for your information, but I have some questions, I'm not a samba expert... Sorry!

Not that issue, but a very well known one.

The trouble is, Samba 4.4 was happy to get a tree like this:

   X
 |   |
 Y   Z

in an order like this:

Step 1

 Y

Step 2

 Y   Z

Step 3
   X
 |   |
 Y   Z

As long as everything worked out in the end, it was fine. But this had
issues, so we patched it to instead demand the objects in tree order
(GET_ANC), but of course the server needs to know what that means.

Samba 4.5 was, from memory, the first release we did that, but the
server, even with 4.4, didn't really know what that flag meant.

It wasn't until much later, Samba 4.6 or so, when we finally got the
flag right, which of course gives problems upgrading from Samba 4.4.
(We would sort the current 'page' of replication entries, but not the
whole partition).

We have continued to improve this code since, but that is the core.
The next issue is a flag called GET_TGT but that hurts much less often,
as we have a client-side workaround detecting that the server didn't
understand us.

The workaround for you is to carefully touch each object such that the
children are modified after the parents. Or upgrade in-place that DC
and replicate from there. Both suck, I know.

--> Not really sure where the issue is, but moved domain users to
CN=Users and now join from 4.10.7 to 4.4.5 and seems to work!! Great!!
Thanks!!!
During join some errors "duplciate value attribute CN=.." but I can
find what is duplicated, and some values that appear as duplicated
are not shown on RSAT tools, any suggestion how to solve these
issues?

RFC2307, it seems that join has not added, I'll try to add manually
and also add some other config that are not added cert config

Thanks

Message from Andrew Bartlett <abartlet at samba.org> on Mon, 9 Sep 2019 at 11:14:
>
> On Mon, 2019-09-09 at 10:33 +0200, Trenta sis via samba wrote:
> > Hi,
> >
> > After reading wiki documentation about join I have tested to join a
> > second dc, but with problems.
> >
> > I need to add a second controller to our AD, and then upgrade existing
> > server (4.4.5) and I have tried to join a new DC 4.10.7 to 4.4.5
> > server but I receive join errors, attached output with and without
> > debug:
> > I have executed samba-tool dbcheck --cross-ncs all seems OK
> >
> > I have made a test upgrading actual 4.4.5 to 4.10.7 and then join
> > 4.10.7 to update DC to 4.10.7 and then works, but first I need to add a
> > second controller to ensure no downtime.
> >
> > some questions:
> > 1) Why I receive this error?
> > Replicating critical objects from the base DN of the domain
> > Partition[DC=DOMAIN-TEST,DC=com] objects[98/98] linked_values[762/0]
> > Missing parent while attempting to apply records: No parent with GUID cdee5b31-365d-4c8f-9368-4115b6307a19 found for object remotely known as CN=Domain Users,OU=Groups,DC=DOMAIN-TEST,DC=com
> > Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
> >
> > --> not sure if can be related with this issue:
> > https://bugzilla.samba.org/show_bug.cgi?id=13274
>
> Not that issue, but a very well known one.
>
> The trouble is, Samba 4.4 was happy to get a tree like this:
>
>    X
>  |   |
>  Y   Z
>
> in an order like this:
>
> Step 1
>
>  Y
>
> Step 2
>
>  Y   Z
>
> Step 3
>    X
>  |   |
>  Y   Z
>
> As long as everything worked out in the end, it was fine. But this had
> issues, so we patched it to instead demand the objects in tree order
> (GET_ANC), but of course the server needs to know what that means.
>
> Samba 4.5 was, from memory, the first release we did that, but the
> server, even with 4.4, didn't really know what that flag meant.
>
> It wasn't until much later, Samba 4.6 or so, when we finally got the
> flag right, which of course gives problems upgrading from Samba 4.4.
> (We would sort the current 'page' of replication entries, but not the
> whole partition).
>
> We have continued to improve this code since, but that is the core.
> The next issue is a flag called GET_TGT but that hurts much less often,
> as we have a client-side workaround detecting that the server didn't
> understand us.
>
> The workaround for you is to carefully touch each object such that the
> children are modified after the parents. Or upgrade in-place that DC
> and replicate from there. Both suck, I know.
>
> > 2) About join in wiki appears
> > "
> > If the other DCs are Samba DCs and were provisioned with
> > --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 = yes'
> > to the join command
> > "
> >
> > But checking my command used to migrate from samba nt domain to our
> > actual ADDC domain this command was not used, but checking smb.conf
> > appears this:
> > idmap_ldb:use rfc2307 = yes
> >
> > But I'm not sure if I have to use --option='idmap_ldb:use rfc2307
> > yes' on join command
>
> Probably. But that isn't the big deal at this point.
>
> I hope this helps a little. We need to extend our wiki to explain this
> more I'm sure.
>
> I've CC'ed samba-technical for those there who might want to learn the
> history a bit more.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
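
Added example, not part of the original thread and not Samba code: a simplified Python model of the ordering problem Andrew describes in the message above, showing why sorting only the current page still produces a missing-parent failure and which objects the "touch children after parents" workaround would re-modify. The object names, USN (update sequence number) values, page sizes and the depth-based page sort are all constructed assumptions of this model.

```python
# Added illustration: a simplified model of replication ordering, not Samba code.
# name -> (parent name or None, USN of last change). All values are constructed.
OBJECTS = {
    "DC=example": (None, 1),
    "CN=Users": ("DC=example", 5),
    "CN=Domain Users": ("OU=Groups", 10),   # child last changed before ...
    "CN=Administrator": ("CN=Users", 20),
    "OU=Groups": ("DC=example", 40),        # ... its parent was
}

def depth(objs, name):
    """Number of ancestors above an object."""
    d = 0
    while objs[name][0] is not None:
        name, d = objs[name][0], d + 1
    return d

def usn_order(objs):
    """Server sends objects purely in change (USN) order."""
    return sorted(objs, key=lambda n: objs[n][1])

def page_sorted_order(objs, page_size):
    """USN order, with parents put first only inside each page."""
    names, out = usn_order(objs), []
    for i in range(0, len(names), page_size):
        out += sorted(names[i:i + page_size], key=lambda n: depth(objs, n))
    return out

def first_missing_parent(objs, order):
    """Strict client: (child, parent) for the first orphan, or None."""
    have = set()
    for n in order:
        parent = objs[n][0]
        if parent is not None and parent not in have:
            return (n, parent)
        have.add(n)
    return None

def touch_plan(objs):
    """Objects to re-modify, parents first, so each child ends above its parent."""
    usn = {n: u for n, (_, u) in objs.items()}
    plan = []
    for n in sorted(objs, key=lambda n: (depth(objs, n), usn[n])):
        parent = objs[n][0]
        if parent is not None and usn[n] < usn[parent]:
            usn[n] = max(usn.values()) + 1   # a touch gives the newest USN
            plan.append(n)
    return plan, {n: (objs[n][0], usn[n]) for n in objs}
```

With a page size of 2 the child and its parent land in different pages, so the page-local sort cannot help; only when the whole sample fits in one page does the strict client succeed.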
Trenta sis
2019-Sep-10 09:14 UTC
[Samba] Samba 4.4 AD DC and GET_ANC restriction from Samba 4.5 DC joining (was: Re: Error join samba 4.10.7 to samba 4.4.5)
Hi,

About duplicate issues warning during join, what can I do to find and solve these errors?

Thanks
Trenta sis
2019-Sep-17 10:52 UTC
[Samba] Samba 4.4 AD DC and GET_ANC restriction from Samba 4.5 DC joining (was: Re: Error join samba 4.10.7 to samba 4.4.5)
Hi,

About duplicate issues warning during join, what can I do to find and solve these errors?
I'd like to investigate the source of this issue and solve these errors before the join.

Thanks