Rich Webb
2020-May-25  14:26 UTC
[Samba] Failed to commit objects: DOS code 0x000021bf attempting to add DC to Zentyal 3.2 domain (samba 4.1.7)
----- On May 24, 2020, at 11:30 PM, samba samba at lists.samba.org wrote:

> On Sun, 2020-05-24 at 23:01 -0400, Rich Webb via samba wrote:
>> Hello,
>>
>> I'm attempting to join a new samba 4 server version 4.12.3 to an
>> existing samba 4 domain running on Zentyal 3.2 (samba version
>> 4.1.7).
>>
>> I'm getting the error in the subject line: Failed to commit objects:
>> DOS code 0x000021bf
>
> If you turn up the log level is there more information? (eg -d4)?
>
> But yes, Samba 4.1.7 is before we fixed a number of issues in the
> replication protocol, and I'm not surprised you have issues.
>
> Andrew Bartlett
>
> --

Also I am currently using 4.10.15 as I tried to backrev to a version that would join properly. The -d4 produced a ton of output... Let me know if you need more but here are the final pieces that would likely give a clue. I have no idea what mail-fs1 is.. that may have been an old host name possibly left hanging around in DNS? The DC's name is fs1:

Missing parent while attempting to apply records: No parent with GUID fe34e0f7-7c0d-415d-af6e-d564e2b1cdb4 found for object remotely known as CN=mail-fs1,OU=Kerberos,DC=tca,DC=local
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for TCA from both secrets.ldb (Could not find entry to match filter: '(&(flatname=TCA)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:4733) and from /opt/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC1,OU=Domain Controllers,DC=tca,DC=local
Deleted CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tca,DC=local
Deleted CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tca,DC=local
ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
  File "/opt/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/opt/samba/lib64/python3.6/site-packages/samba/netcmd/domain.py", line 700, in run
    backend_store=backend_store)
  File "/opt/samba/lib64/python3.6/site-packages/samba/join.py", line 1544, in join_DC
    ctx.do_join()
  File "/opt/samba/lib64/python3.6/site-packages/samba/join.py", line 1438, in do_join
    ctx.join_replicate()
  File "/opt/samba/lib64/python3.6/site-packages/samba/join.py", line 982, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/opt/samba/lib64/python3.6/site-packages/samba/drs_utils.py", line 356, in replicate
    raise e
  File "/opt/samba/lib64/python3.6/site-packages/samba/drs_utils.py", line 343, in replicate
    self.process_chunk(level, ctr, schema, req_level, req, first_chunk)
  File "/opt/samba/lib64/python3.6/site-packages/samba/drs_utils.py", line 237, in process_chunk
    schema=schema, req_level=req_level, req=req)

Rowland penny
2020-May-25  14:52 UTC
[Samba] Failed to commit objects: DOS code 0x000021bf attempting to add DC to Zentyal 3.2 domain (samba 4.1.7)
On 25/05/2020 15:26, Rich Webb via samba wrote:

>
> Also I am currently using 4.10.15 as I tried to backrev to a version that would join properly. The -d4 produced a ton of output... Let me know if you need more but here is the final pieces that would likely give a clue. I have no idea what mail-fs1 is.. that may have been an old host name possibly left hanging around in DNS? The DC's name is fs1:
>
> Missing parent while attempting to apply records: No parent with GUID fe34e0f7-7c0d-415d-af6e-d564e2b1cdb4 found for object remotely known as CN=mail-fs1,OU=Kerberos,DC=tca,DC=local
> Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
> Join failed - cleaning up

I think you might not get anywhere here, I don't think Zentyal 3.2 actually was a pure AD DC, I think it ran openldap as well, possibly on a different port.

Rowland

Rich Webb
2020-May-25  15:14 UTC
[Samba] Failed to commit objects: DOS code 0x000021bf attempting to add DC to Zentyal 3.2 domain (samba 4.1.7)
So there is no migration path? I really don't want to rebuild my domain if I can help it. I wouldn't mind so much having to recreate users as much as having users' desktop profiles be orphaned.

How would I tell if it was openldap vs pure samba ad-dc?

Rich

----- On May 25, 2020, at 10:52 AM, samba samba at lists.samba.org wrote:

> On 25/05/2020 15:26, Rich Webb via samba wrote:
>>
>> Also I am currently using 4.10.15 as I tried to backrev to a version that would
>> join properly. The -d4 produced a ton of output... Let me know if you need more
>> but here is the final pieces that would likely give a clue. I have no idea
>> what mail-fs1 is.. that may have been an old host name possibly left hanging
>> around in DNS? The DC's name is fs1:
>>
>> Missing parent while attempting to apply records: No parent with GUID
>> fe34e0f7-7c0d-415d-af6e-d564e2b1cdb4 found for object remotely known as
>> CN=mail-fs1,OU=Kerberos,DC=tca,DC=local
>> Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
>> Join failed - cleaning up
>
> I think you might not get anywhere here, I don't think Zentyal 3.2
> actually was a pure AD DC, I think it ran openldap as well, possibly on
> a different port.
>
> Rowland

Andrew Bartlett
2020-May-25  21:22 UTC
[Samba] Failed to commit objects: DOS code 0x000021bf attempting to add DC to Zentyal 3.2 domain (samba 4.1.7)
On Mon, 2020-05-25 at 10:26 -0400, Rich Webb via samba wrote:

> ----- On May 24, 2020, at 11:30 PM, samba samba at lists.samba.org
> wrote:
>
> > On Sun, 2020-05-24 at 23:01 -0400, Rich Webb via samba wrote:
> > > Hello,
> > >
> > > I'm attempting to join a new samba 4 server version 4.12.3 to an
> > > existing samba 4 domain running on Zentyal 3.2 (samba version
> > > 4.1.7).
> > >
> > > I'm getting the error in the subject line: Failed to commit
> > > objects:
> > > DOS code 0x000021bf
> >
> > If you turn up the log level is there more information? (eg -d4)?
> >
> > But yes, Samba 4.1.7 is before we fixed a number of issues in the
> > replication protocol, and I'm not surprised you have issues.
> >
> > Andrew Bartlett
> >
> > --
>
> Also I am currently using 4.10.15 as I tried to backrev to a version
> that would join properly. The -d4 produced a ton of output... Let me
> know if you need more but here is the final pieces that would likely
> give a clue. I have no idea what mail-fs1 is.. that may have been an
> old host name possibly left hanging around in DNS? The DC's name is
> fs1:
>
> Missing parent while attempting to apply records: No parent with GUID
> fe34e0f7-7c0d-415d-af6e-d564e2b1cdb4 found for object remotely known
> as CN=mail-fs1,OU=Kerberos,DC=tca,DC=local
>
> ERROR(runtime): uncaught exception - (8460, "Failed to process
> 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")

Thanks, this gives us the information we need.

What has happened here is that Samba 4.1, indeed all Samba versions, sort the returned results by the order of last change. However, versions before 4.4 did not know about the GET_ANC flag, to sort the results tree-wise, which we need in this situation, so we can find the parent objects before we replicate the children.

This means that, to replicate from Samba 4.1, you need to carefully change an unimportant attribute in all the child objects of OU=Kerberos 'later' than the last change of OU=Kerberos itself.

The only other alternative is an in-place upgrade, so the sending Samba version gains this capability.

If this makes sense, then have a go. Otherwise (or if this is a large or critical network) this might be a job for a commercial support provider who will probably write a script to assist.

How big is your domain?

(Dreaming, with unlimited development time I would love to have Samba cope with this natively, by sorting the results on the new DC and using REPL_SINGLE_OBJECT to fill in the gaps, but this is a much bigger task).

I hope this gives you a way forward.

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba

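Added example, not part of the message above and not Samba code: a small offline model of the ordering problem described there. It assumes "order of last change" is represented by each object's uSNChanged value, works on a constructed list of (DN, uSNChanged) pairs rather than a live directory, and generalises the OU=Kerberos case to any subtree; CN=svc-example and all USN numbers are invented.

```python
import re

# Constructed sample: (DN, uSNChanged) pairs as an LDAP search against the
# old DC might return them. OU=Kerberos and CN=mail-fs1 are from the thread;
# CN=svc-example and every USN value are invented for illustration.
SAMPLE = [
    ("DC=tca,DC=local", 100),
    ("OU=Kerberos,DC=tca,DC=local", 5200),
    ("CN=mail-fs1,OU=Kerberos,DC=tca,DC=local", 3100),
    ("CN=svc-example,OU=Kerberos,DC=tca,DC=local", 6000),
]

def rdns(dn):
    """Split a DN into RDNs at unescaped commas."""
    return re.split(r"(?<!\\),", dn)

def parent_dn(dn):
    """Lower-cased parent DN, or None for a single-RDN name."""
    parts = rdns(dn)
    return ",".join(parts[1:]).lower() if len(parts) > 1 else None

def first_missing_parent(objects):
    """Walk objects in last-change order, as a sender without GET_ANC would
    send them, and return the first DN whose parent has not been sent yet."""
    known = {dn.lower() for dn, _ in objects}
    sent = set()
    for dn, _ in sorted(objects, key=lambda o: o[1]):
        parent = parent_dn(dn)
        if parent in known and parent not in sent:
            return dn
        sent.add(dn.lower())
    return None

def touch_plan(objects, next_usn):
    """Return (DNs to modify, parents first) and the resulting object list,
    such that every object ends up changed later than its parent."""
    usn = {dn.lower(): n for dn, n in objects}
    plan = []
    # Shallowest first, so a parent's new USN is known before its children.
    for dn, _ in sorted(objects, key=lambda o: len(rdns(o[0]))):
        parent = parent_dn(dn)
        if parent in usn and usn[dn.lower()] < usn[parent]:
            usn[dn.lower()] = next_usn  # assumption: a modify takes the next USN
            next_usn += 1
            plan.append(dn)
    return plan, [(dn, usn[dn.lower()]) for dn, _ in objects]

if __name__ == "__main__":
    print("fails on:", first_missing_parent(SAMPLE))
    plan, after = touch_plan(SAMPLE, next_usn=7000)
    print("modify, in this order:", plan)
    print("fails after:", first_missing_parent(after))
```
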
Rich Webb
2020-May-25  21:45 UTC
[Samba] Failed to commit objects: DOS code 0x000021bf attempting to add DC to Zentyal 3.2 domain (samba 4.1.7)
----- On May 25, 2020, at 5:22 PM, Andrew Bartlett abartlet at samba.org wrote:

> On Mon, 2020-05-25 at 10:26 -0400, Rich Webb via samba wrote:
>> ----- On May 24, 2020, at 11:30 PM, samba samba at lists.samba.org
>> wrote:
>>
>> > On Sun, 2020-05-24 at 23:01 -0400, Rich Webb via samba wrote:
>> > > Hello,
>> > >
>> > > I'm attempting to join a new samba 4 server version 4.12.3 to an
>> > > existing samba 4 domain running on Zentyal 3.2 (samba version
>> > > 4.1.7).
>> > >
>> > > I'm getting the error in the subject line: Failed to commit
>> > > objects:
>> > > DOS code 0x000021bf
>> >
>> > If you turn up the log level is there more information? (eg -d4)?
>> >
>> > But yes, Samba 4.1.7 is before we fixed a number of issues in the
>> > replication protocol, and I'm not surprised you have issues.
>> >
>> > Andrew Bartlett
>> >
>> > --
>>
>> Also I am currently using 4.10.15 as I tried to backrev to a version
>> that would join properly. The -d4 produced a ton of output... Let me
>> know if you need more but here is the final pieces that would likely
>> give a clue. I have no idea what mail-fs1 is.. that may have been an
>> old host name possibly left hanging around in DNS? The DC's name is
>> fs1:
>>
>> Missing parent while attempting to apply records: No parent with GUID
>> fe34e0f7-7c0d-415d-af6e-d564e2b1cdb4 found for object remotely known
>> as CN=mail-fs1,OU=Kerberos,DC=tca,DC=local
>>
>
>> ERROR(runtime): uncaught exception - (8460, "Failed to process
>> 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
>
> Thanks, this gives us the information we need.
>
> What has happened here is that Samba 4.1, indeed all Samba versions
> sort the returned results by the order of last change. However, before
> 4.4 did not know about the GET_ANC flag, to sort the results tree-wise,
> which we need in this situation, so we can find the parent objects
> before we replicate the children.
>
> This means that, to replicate from Samba 4.1, you need to carefully
> change a unimportant attribute in all the child objects of OU=Kerberos
> 'later' than the last change of OU=Kerberos itself.
>
> The only other alternative is an in-place upgrade, so the sending Samba
> version gains this capability.
>
> If this makes sense, then have a go. Otherwise (or if this is a large
> or critical network) this might be a job for a commercial support
> provider who will probably write a script to assist.
>
> How big is your domain?
>
> (Dreaming, with unlimited development time I would love to have Samba
> cope with this natively, by sorting the results on the new DC and using
> REPL_SINGLE_OBJECT to fill in the gaps, but this is a much bigger
> task).
>
> I hope this gives you a way forward.
>
> Andrew Bartlett

Not a huge domain - maybe 8 users or so. When you say in place upgrade are you talking about upgrading Zentyal so that Samba gets upgraded to at least 4.5 or above?

Rich