Fabrizio Rompani
2023-Mar-08 17:09 UTC
[Samba] Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)
----- Messaggio originale ----- Da: "Rowland Penny via samba" <samba at lists.samba.org> A: "samba" <samba at lists.samba.org> Cc: "Rowland Penny" <rpenny at samba.org> Inviato: Mercoled?, 8 marzo 2023 17:01:34 Oggetto: Re: [Samba] Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND) Please do not 'cc' me or reply to 'all', just reply to the list sure, sorry ! On 08/03/2023 15:20, Fabrizio Rompani wrote:> > > ----- Messaggio originale ----- > Da: "Rowland Penny via samba" <samba at lists.samba.org> > A: "samba" <samba at lists.samba.org> > Cc: "Rowland Penny" <rpenny at samba.org> > Inviato: Mercoled?, 8 marzo 2023 16:05:30 > Oggetto: Re: [Samba] Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND) > > On 08/03/2023 14:38, Fabrizio Rompani via samba wrote: >> hi , >> thank's for your reply . >> no , current DC doesn't have that GUID: >> >> samba-tool spn list zimbra$ >> zimbra$ >> ... >> ldap/3ecb2a51-b21d-4bef-84ed-700db7963ff4._msdcs.domain.lan >> >> >> samba-tool spn list landc$ >> landc$ >> ... >> ldap/5bf8cf1f-1e35-40c6-a20d-0abc88238d92._msdcs.domain.lan >> >> >> that GUID is of the machine we are trying to join to: >> samba-tool spn list nextcloud$ >> nextcloud$ >> ... >> ldap/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347._msdcs.domain.lan >> >> is there some other we can look at? >> thank's >> > > I might be misunderstanding something here, but it sounds like you are > trying to join a running DC to a running domain > > Forget you have three 'potential' DC's for a moment, the way to join a > new DC goes like this: > > You have a fully working DC, lets call it DC1 > You now want to add another DC, lets call this DC2 > > You go to DC2 (which it this point isn't a DC), you configure it to use > DC1 as its name server, you remove the smb.conf and stop any running > Samba daemons. You then run the command to join as a DC: > samba-tool domain join domain.lan DC ................... > > This should then replicate most of the AD records from an existing AD DC > to what is becoming your new DC (the rest are created when the new DC is > started or shortly after) > > Is this basically what you are doing ? > > > Yes, that's exactly what we 're doing. > more precisly: > previously we have dc2 joined as DC and all fully functioning . > we have demoted and removed samba . > than upgraded from 4.14 to samba 4.17 > and finally triyng to re-join as you described : remove smb.conf , stop samba , samba-tool domain join domain.lan DC . > at this stage , on the new dc node seems everything ok: ALL GOOD > but the remote ones are in error with WERR_FILE_NOT_FOUND.So, these errors are occurring after the join has completed, what, if anything, are you doing to trigger them ? yes , after join completed . error is trigged with the command : root at landc:~# samba-tool drs showrepl --summary There are failing connections Failing outbound connections: CN=Configuration,DC=domain,DC=lan Default-First-Site-Name\NEXTCLOUD via RPC DSA object GUID: 3fa4ff9a-7fdc-4912-ad73-08b98f6bf347 Last attempt @ Wed Mar 8 17:30:23 2023 CET failed, result 2 (WERR_FILE_NOT_FOUND) 4 consecutive failure(s). Last success @ NTTIME(0) DC=ForestDnsZones,DC=domain,DC=lan Default-First-Site-Name\NEXTCLOUD via RPC DSA object GUID: 3fa4ff9a-7fdc-4912-ad73-08b98f6bf347 Last attempt @ Wed Mar 8 17:30:23 2023 CET failed, result 2 (WERR_FILE_NOT_FOUND) 4 consecutive failure(s). Last success @ NTTIME(0) Can you ping the other two DC's from each DC ? yes Please define 'remote'. there is one DC in lan , and 2 "remote" DC's in cloud connected via VPN . Is each DC using its own ipaddress as its first nameserver in /etc/resolv.conf ? yes but one of them has 127.0.0.1 can make any difference ? Have you checked replication with: samba-tool drs relication yes, OK Have you checked each DC's database with: samba-tool dbcheck yes, OK have you tried to replicate from the DC that holds the PDC_Emulator FSMO role to the other two yes Have you checked replication with: samba-tool ldapcmp there' s error: samba-tool ldapcmp ldap://landc ldap://nextcloud domain -U administrator * Comparing [DOMAIN] context... * Objects to be compared: 309 Comparing: 'CN=NEXTCLOUD,OU=DOMAIN CONTROLLERS,DC=DOMAIN,DC=LAN' [ldap://landc] 'CN=NEXTCLOUD,OU=DOMAIN CONTROLLERS,DC=DOMAIN,DC=LAN' [ldap://nextcloud] Difference in attribute values: servicePrincipalName => [b'E3514235-4B06-11D1-AB04-00C04FC2DCD2/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347/domain.lan', b'GC/nextcloud.domain.lan/domain.lan', b'HOST/NEXTCLOUD', b'HOST/nextcloud.domain.lan'] [b'E3514235-4B06-11D1-AB04-00C04FC2DCD2/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347/domain.lan', b'GC/nextcloud.domain.lan/domain.lan', b'HOST/NEXTCLOUD', b'HOST/nextcloud.domain.lan', b'HOST/nextcloud.domain.lan/WORKGROUP', b'HOST/nextcloud.domain.lan/domain.lan', b'RestrictedKrbHost/NEXTCLOUD', b'RestrictedKrbHost/nextcloud.domain.lan', b'ldap/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347._msdcs.domain.lan', b'ldap/NEXTCLOUD', b'ldap/nextcloud.domain.lan', b'ldap/nextcloud.domain.lan/DomainDnsZones.domain.lan', b'ldap/nextcloud.domain.lan/WORKGROUP', b'ldap/nextcloud.domain.lan/ForestDnsZones.domain.lan', b'ldap/nextcloud.domain.lan/domain.lan'] FAILED * Result for [DOMAIN]: FAILURE SUMMARY --------- Attributes with different values: servicePrincipalName ERROR: Compare failed: -1 thank's rf Corso Martiri della Liberazione 114 - 23900 Lecco - ITALY - | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA - Tel +39 0341 220 205 - info.it at yetopen.com | Phone +1 919-817-8106 - info.us at yetopen.com Think green - Non stampare questa e-mail se non necessario / Don't print this email unless necessary -------- D.Lgs. 196/2003 e GDPR 679/2016 -------- Tutte le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario. Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da ritenere confidenziali e riservate secondo i termini del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non autorizzata. Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci non appena possibile. Grazie. Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information; pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recepient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible. Thank you.
Michael Tokarev
2023-Mar-08 17:20 UTC
[Samba] Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)
08.03.2023 20:09, Fabrizio Rompani via samba ?????: ...> root at landc:~# samba-tool drs showrepl --summary > There are failing connections > Failing outbound connections: > CN=Configuration,DC=domain,DC=lan > Default-First-Site-Name\NEXTCLOUD via RPC > DSA object GUID: 3fa4ff9a-7fdc-4912-ad73-08b98f6bf347 > Last attempt @ Wed Mar 8 17:30:23 2023 CET failed, result 2 (WERR_FILE_NOT_FOUND) > 4 consecutive failure(s). > Last success @ NTTIME(0)That all smells quite similar to what I were seeing here before, and what someone else were seeing too, all with 4.17[.4]. This famouse WERR_FILE_NOT_FOUND error too. FWIW. /mjt
Rowland Penny
2023-Mar-08 17:39 UTC
[Samba] Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)
On 08/03/2023 17:09, Fabrizio Rompani via samba wrote:> > yes , after join completed . > error is trigged with the command : > > root at landc:~# samba-tool drs showrepl --summary > There are failing connections > Failing outbound connections: > CN=Configuration,DC=domain,DC=lan > Default-First-Site-Name\NEXTCLOUD via RPC > DSA object GUID: 3fa4ff9a-7fdc-4912-ad73-08b98f6bf347 > Last attempt @ Wed Mar 8 17:30:23 2023 CET failed, result 2 (WERR_FILE_NOT_FOUND) > 4 consecutive failure(s). > Last success @ NTTIME(0) > > DC=ForestDnsZones,DC=domain,DC=lan > Default-First-Site-Name\NEXTCLOUD via RPC > DSA object GUID: 3fa4ff9a-7fdc-4912-ad73-08b98f6bf347 > Last attempt @ Wed Mar 8 17:30:23 2023 CET failed, result 2 (WERR_FILE_NOT_FOUND) > 4 consecutive failure(s). > Last success @ NTTIME(0) > > >> Is each DC using its own ipaddress as its first nameserver in > /etc/resolv.conf ? > > yes but one of them has 127.0.0.1 can make any difference ?There have been problems in the past when '127.0.0.1' has been used, I don't think it will help much, but I would change it to the DC's ipaddress, you never know your luck.> > > Have you checked replication with: > samba-tool drs relication > yes, OK > > Have you checked each DC's database with: > samba-tool dbcheck > yes, OK > > > have you tried to replicate from the DC that holds the PDC_Emulator FSMO > role to the other two > yes > > Have you checked replication with: > samba-tool ldapcmp > > there' s error: > > samba-tool ldapcmp ldap://landc ldap://nextcloud domain -U administrator > > * Comparing [DOMAIN] context... > > * Objects to be compared: 309 > > Comparing: > 'CN=NEXTCLOUD,OU=DOMAIN CONTROLLERS,DC=DOMAIN,DC=LAN' [ldap://landc] > 'CN=NEXTCLOUD,OU=DOMAIN CONTROLLERS,DC=DOMAIN,DC=LAN' [ldap://nextcloud] > Difference in attribute values: > servicePrincipalName => > [b'E3514235-4B06-11D1-AB04-00C04FC2DCD2/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347/domain.lan', b'GC/nextcloud.domain.lan/domain.lan', b'HOST/NEXTCLOUD', b'HOST/nextcloud.domain.lan'] > [b'E3514235-4B06-11D1-AB04-00C04FC2DCD2/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347/domain.lan', b'GC/nextcloud.domain.lan/domain.lan', b'HOST/NEXTCLOUD', b'HOST/nextcloud.domain.lan', b'HOST/nextcloud.domain.lan/WORKGROUP', b'HOST/nextcloud.domain.lan/domain.lan', b'RestrictedKrbHost/NEXTCLOUD', b'RestrictedKrbHost/nextcloud.domain.lan', b'ldap/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347._msdcs.domain.lan', b'ldap/NEXTCLOUD', b'ldap/nextcloud.domain.lan', b'ldap/nextcloud.domain.lan/DomainDnsZones.domain.lan', b'ldap/nextcloud.domain.lan/WORKGROUP', b'ldap/nextcloud.domain.lan/ForestDnsZones.domain.lan', b'ldap/nextcloud.domain.lan/domain.lan'] > > FAILED > > * Result for [DOMAIN]: FAILURE > > SUMMARY > --------- > > Attributes with different values: > > servicePrincipalName > ERROR: Compare failed: -1You have a serious problem there, there are 4 SPN's on landc and 15 on the other, there seems to something going wrong and, at the moment, it is escaping me. You could try a forced sync from nextcloud with 'samba-tool drs replicate' using the '--sync-forced' switch Rowland
Possibly Parallel Threads
- Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)
- Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)
- Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)
- Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)
- Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)