Hi guys,

My samba4 PDC (we have only one in our LAN) has crashed. I did a backup yesterday, following the instructions described here: https://wiki.samba.org/index.php/Backup_and_Recovery.

Now I'm trying to restore the backup to a new server. I've performed the restore procedures, but I'm getting the following errors when I try to start samba4 on the new server:

    Calling DNS name update script
    Failed to find object (null) for attribute fsmoRoleOwner - Cannot find DN (null) to get attribute fsmoRoleOwner for reference dn: Unsupported critical extension 1.2.840.113556.1.4.529
    Failed to find if we are the PDC for this ldb: Searching for fSMORoleOwner in (null) failed: Cannot find DN (null) to get attribute fsmoRoleOwner for reference dn: Unsupported critical extension 1.2.840.113556.1.4.529
    Searching for dsServiceName in rootDSE failed: NULL Base DN invalid for a base search
    Failed to find our own NTDS Settings DN in the ldb!
    Failed to find our own NTDS Settings objectGUID in the ldb!
    task_server_terminate: [dreplsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE
    ]
    samba_terminate: dreplsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE
    Calling SPN name update script
    Searching for dsServiceName in rootDSE failed: NULL Base DN invalid for a base search
    Failed to find our own NTDS Settings DN in the ldb!
    Failed to find our own NTDS Settings options in the ldb!

I've attached the error.log file.

What do I have to do now? Could someone help me, please?

Thanks

Hello,

On 16.07.2013 15:45, TI wrote:
> Calling DNS name update script
> Failed to find object (null) for attribute fsmoRoleOwner - Cannot find DN (null) to get attribute fsmoRoleOwner for reference dn: Unsupported critical extension 1.2.840.113556.1.4.529
> Failed to find if we are the PDC for this ldb: Searching for fSMORoleOwner in (null) failed: Cannot find DN (null) to get attribute fsmoRoleOwner for reference dn: Unsupported critical extension 1.2.840.113556.1.4.529
> Searching for dsServiceName in rootDSE failed: NULL Base DN invalid for a base search
> Failed to find our own NTDS Settings DN in the ldb!
> Failed to find our own NTDS Settings objectGUID in the ldb!
> task_server_terminate: [dreplsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE
> ]
> samba_terminate: dreplsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE
>
> Calling SPN name update script
>
>
> Searching for dsServiceName in rootDSE failed: NULL Base DN invalid for a base search
> Failed to find our own NTDS Settings DN in the ldb!
> Failed to find our own NTDS Settings options in the ldb!

Did you use the backup script that is shipped with Samba, or a modified or other version?

Have you renamed all *.bak files back to their original names?

Have you started Samba before you unpacked the .tar.bz2 files from your installation directory? If yes, Samba has already created some new files. Then remove your /usr/local/samba and run 'make install' again to have a virgin installation. Then unpack your backed-up files as described in the wiki.

Regards,
Marc

Hello,

On 16.07.2013 21:31, TI wrote:
> /usr/local/samba/lib/private/libntvfs.so: version `SAMBA_4.0.7'
> not found (required by /usr/local/samba/sbin/samba)
>
> Ok, my bad. I have compiled the version 4.0.7 for the
> new server and the crashed one was probably 4.0.1.

This was what I meant with "Never do a restore and a version change at once!", which I put in bold in the wiki when I wrote this HowTo ;-)

I suggest you start over, but with 4.0.1, and restore again. If everything works as expected, upgrade to 4.0.7 (but read all the different release notes from the later versions. Some early 4.0 version release notes said to run samba-tool dbcheck... and samba-tool ntacl ...).

> Is it ./lib/private directory from backup so important to restore
> process? Should I run something to restore the admins power?

You can remove this from the backup. The backup script is very basic and includes a bit more than necessary. That's another reason why a restore with a release change at once isn't a good idea.

Can you retry with 4.0.1 and say if your admin accounts are working as expected then (without upgrading to 4.0.7)?

Regards
Marc

Hello Edison,

On 16.07.2013 22:53, TI wrote:
> Through the strings command (on the library from backup files),
> I saw that correct version is 4.0.3. So I've compiled and
> installed samba 4.0.3.
>
> I've restored all backup files and renamed the .bak ones. The samba
> has started without error, but the admin users don't have the same
> rights. I can't run dsa.msc in a Windows Machine anymore.
>
> Do you know how to fix that?

Do any errors appear in the Samba logs on startup or when you try to use ADUC or other administrative programs? If not, maybe something interesting comes up if you increase the debug level (I guess 3 should be enough).

Regards
Marc

Hello,

On 17.07.2013 07:25, TI wrote:
> Hi Marc,
>
> In the samba logs, I saw these errors:
>
> /usr/local/samba/sbin/samba_dnsupdate: Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.1.1.12
> /usr/local/samba/sbin/samba_dnsupdate: Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.1.1.200
> /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
> /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 509, in <module>
> /usr/local/samba/sbin/samba_dnsupdate: get_credentials(lp)
> /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 122, in get_credentials
> /usr/local/samba/sbin/samba_dnsupdate: creds.get_named_ccache(lp, ccachename)
> /usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for L01SAPP01$@INTRANET.ENXUTO.COM.BR failed (Cannot contact any KDC for requested realm)
> /usr/local/samba/sbin/samba_dnsupdate:
> Child /usr/local/samba/sbin/samba_dnsupdate exited with status 1 - Operation not permitted
> ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_ACCESS_DENIED
>
> I think it happened because the new server has a different ip address. So, I ran /usr/local/samba/sbin/samba_dnsupdate and it has added the new ip address (10.1.1.150) to the list.

100%. I'll add this to the Wiki page, too. Make sure you restore on a machine that is 100% like the old one in the important things (IP, hostname, Samba version, etc.).

> host l01sapp01.intranet.enxuto.com.br.
> l01sapp01.intranet.enxuto.com.br has address 10.1.1.12
> l01sapp01.intranet.enxuto.com.br has address 10.1.1.200
> l01sapp01.intranet.enxuto.com.br has address 10.1.1.150
>
> After that, the error has disappeared and I could login again (it seems that the admin rights are back). However I couldn't run dsa.msc. I'll try to translate the message I'm receiving:
>
> There is no User and Computer data available from Active Directory [l01sapp01.intranet.enxuto.com.br] in Domain Controller l01sapp01.intranet.enxuto.com.br. The server is reluctant in process your request.
>
> I think that the Windows Machine is trying to connect to 10.1.1.12 (which is the first response received from the internal dns server) instead of 10.1.1.150 (the last and the correct one)
>
> What do you think?
>
> Could we remove the old records from dns server? I'm using the internal server.

I wrote a HowTo (http://wiki.samba.org/index.php/Change_IP_address_of_the_DC) about changing the IP on a DC a while ago. But I would not combine this with a restore. I think the highest priority should be to get your system restored, so that it is like the one you backed up. Later you can make changes.

Regards,
Marc
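
The checks this thread arrives at (same Samba version, hostname and IP before restoring) can be scripted. The following is an added example, not part of the original messages and not Samba project code; the function names and sample values are hypothetical, and it assumes the library carries a `SAMBA_x.y.z` tag as in the error quoted above.

```shell
#!/bin/sh
# Added example: pre-restore check for a Samba AD DC backup.
# Function names are hypothetical; sample data is constructed.

# Print the highest SAMBA_x.y.z symbol-version tag found in a library
# file (the same information "strings" revealed in the thread).
lib_samba_version() {
    grep -a -o 'SAMBA_[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' "$1" |
        sed 's/^SAMBA_//' | sort -u -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# Compare what the backup expects with what the restore target has.
# Args: backup_ver target_ver backup_host target_host backup_ip target_ip
# Prints one line per mismatch; returns the number of mismatches.
restore_preflight() {
    bad=0
    [ "$1" = "$2" ] || { echo "version: backup=$1 target=$2"; bad=$((bad + 1)); }
    [ "$3" = "$4" ] || { echo "hostname: backup=$3 target=$4"; bad=$((bad + 1)); }
    [ "$5" = "$6" ] || { echo "ip: backup=$5 target=$6"; bad=$((bad + 1)); }
    return "$bad"
}

# Constructed stand-in for a library taken from the backup tarball.
sample_lib=$(mktemp)
printf 'ELF\001\002junk\000SAMBA_4.0.3\000ntvfs_init\000' > "$sample_lib"
backup_ver=$(lib_samba_version "$sample_lib")
rm -f "$sample_lib"

# Target values mirror the thread: 4.0.7 was compiled on the new server,
# which came up on 10.1.1.150 while DNS still listed 10.1.1.12.
restore_preflight "$backup_ver" 4.0.7 l01sapp01 l01sapp01 10.1.1.12 10.1.1.150 ||
    echo "restore target differs from the backed-up DC; fix before restoring"
```

On a real system the target-side arguments would come from the installed Samba version, `hostname` and the host's configured address.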