samba - Jan 2015 - Many errors after adding SAMBA 4.1 as 2nd AD in Win 2008 domain

Not even sure where to begin. I've attempted to setup a Ubuntu 14.04 box as
a 2nd AD controler in a Windows 2008 domain. The main domain controller is an
actual windows machine. Unfortunaly it is an older domain and is a
".local" which I know gives y'all heartburn.

After installign samba, I did not provsion it but ran this: "sudo
samba-tool domain join MYDOMAIN.LOCAL DC -U administrator"


It ran, I saw all teh info get copied over from the domain and it seemed to
work. I can go inot Windowsm and use it to open the Samba Domain controller. Th
eproblem is all the errors on both the Ubuntu box and the Windows domain
controller.

If I run " sudo samba-tool domain level show"

ldb_wrap open of secrets.ldb
Domain and forest function level for domain 'DC=MYDOMAIN,DC=local'

Forest function level: (Windows) 2008
Domain function level: (Windows) 2008
Lowest function level of a DC: (Windows) 2008



If I issue "smbclient -L localhost -U%", I get this:


Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        fileshare       Disk
        IPC$            IPC       IPC Service (Samba 4.1.6-Ubuntu)
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            VMWARE_UEB







Typical errors in /var/log/samba/log.samba

[2015/01/18 18:30:26.551835,  0] ../source4/smbd/server.c:492(binary_smbd_main)
  samba: using 'standard' process model
samba: setproctitle not initialized, please either call setproctitle_init() or
link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or
link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or
link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or
link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or
link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or
link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or
link against libbsd-ctor.
[2015/01/18 18:30:26.614689,  3]
../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'rpcecho' registered
samba: setproctitle not initialized, please either call setproctitle_init() or
link against libbsd-ctor.
[2015/01/18 18:30:26.631091,  3]
../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'epmapper' registered

2015/01/18 17:37:15.239428,  0]
../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
e3514235-4b06-11d1-ab04-00c04fc2dcd2 at
ncacn_ip_tcp:fa2f509c-accf-442f-b7f2-9497bb286180._msdcs.MYDOMAIN.local[1029,seal,krb5]
NT_STATUS_NO_LOGON_SERVERS
[2015/01/18 17:37:25.439073,  3]
../source4/auth/gensec/gensec_gssapi.c:309(gensec_gssapi_client_creds)
  Cannot reach a KDC we require to contact
GC/WINDOWSDC.MYDOMAIN.local/MYDOMAIN.local : kinit for LINUXDC$@MYDOMAIN.local
failed (Cannot contact any KDC for requested realm)

Typical errors in Windows event log (Domain controller)

Error

Active Directory Domain Services could not use DNS to resolve the IP address of
the source domain controller listed below. To maintain the consistency of
Security groups, group policy, users and computers and their passwords, Active
Directory Domain Services successfully replicated using the NetBIOS or fully
qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on member
computers, domain controllers or application servers in this Active Directory
Domain Services forest, including logon authentication or access to network
resources.

You should immediately resolve this DNS configuration error so that this domain
controller can resolve the IP address of the source domain controller using DNS.

Alternate server name:
 LINUXDC
Failing DNS host name:
 b952c564-4c5a-4f7d-854b-18e309f6e969._msdcs.MYDOMAIN.local


Error

Replication of application directory partition DC=MYDOMAIN,DC=local from source
b952c564-4c5a-4f7d-854b-18e309f6e969 has been aborted. Replication requires
consistent schema but last attempt to synchornize the schema had failed. It is
crucial that schema replication functions properly. See previous errors for more
diagnostics. If this issue persists, please contact Microsoft Product Support
Services for assistance. Error 8418: The replication operation failed because of
a schema mismatch between the servers involved..


Error

Replication of application directory partition
CN=Configuration,DC=MYDOMAIN,DC=local from source
b952c564-4c5a-4f7d-854b-18e309f6e969 has been aborted. Replication requires
consistent schema but last attempt to synchornize the schema had failed. It is
crucial that schema replication functions properly. See previous errors for more
diagnostics. If this issue persists, please contact Microsoft Product Support
Services for assistance. Error 8418: The replication operation failed because of
a schema mismatch between the servers involved.


Error

Active Directory Domain Services could not use DNS to resolve the IP address of
the source domain controller listed below. To maintain the consistency of
Security groups, group policy, users and computers and their passwords, Active
Directory Domain Services successfully replicated using the NetBIOS or fully
qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on member
computers, domain controllers or application servers in this Active Directory
Domain Services forest, including logon authentication or access to network
resources.

You should immediately resolve this DNS configuration error so that this domain
controller can resolve the IP address of the source domain controller using DNS.

Alternate server name:
 LINUXDC.MYDOMAIN.local
Failing DNS host name:
 b952c564-4c5a-4f7d-854b-18e309f6e969._msdcs.MYDOMAIN.local


Error

This server is the owner of the following FSMO role, but does not consider it
valid. For the partition which contains the FSMO, this server has not replicated
successfully with any of its partners since this server has been restarted.
Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this
condition is corrected.

FSMO Role: CN=Partitions,CN=Configuration,DC=MYDOMAIN,DC=local

User Action:

1. Initial synchronization is the first early replications done by a system as
it is starting. A failure to initially synchronize may explain why a FSMO role
cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing
for all of these partners. Use the command repadmin /showrepl to display the
replication errors.  Correct the error in question. For example there maybe
problems with IP connectivity, DNS name resolution, or security authentication
that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected
occurance, perhaps because of maintenance or a disaster recovery, you can force
the role to be validated. This can be done by using NTDSUTIL.EXE to seize the
role to the same server. This may be done using the steps provided in KB
articles 255504 and 324801 on http://support.microsoft.com.

The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this
forest.
PDC: You will no longer be able to perform primary domain controller operations,
such as Group Policy updates and password resets for non-Active Directory Domain
Services accounts.
RID: You will not be able to allocation new security identifiers for new user
accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group
memberships, will not be updated properly if their target object is moved or
renamed.



Error


This server is the owner of the following FSMO role, but does not consider it
valid. For the partition which contains the FSMO, this server has not replicated
successfully with any of its partners since this server has been restarted.
Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this
condition is corrected.

FSMO Role: CN=RID Manager$,CN=System,DC=MYDOMAIN,DC=local

Error

This server is the owner of the following FSMO role, but does not consider it
valid. For the partition which contains the FSMO, this server has not replicated
successfully with any of its partners since this server has been restarted.
Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this
condition is corrected.

FSMO Role: CN=Infrastructure,DC=MYDOMAIN,DC=local


Error


This server is the owner of the following FSMO role, but does not consider it
valid. For the partition which contains the FSMO, this server has not replicated
successfully with any of its partners since this server has been restarted.
Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this
condition is corrected.

FSMO Role: DC=MYDOMAIN,DC=local





---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Samba configuration file /etc/samba/smb.conf

# Global parameters
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.local
    netbios name = LINUXDC
    server role = active directory domain controller
    allow dns updates = nonsecure and secure
    dns forwarder = 10.10.10.23
        log level = 3
      # this fix stops the syslog
      # being spammed by the lack of a CUPS server.
    printing = CUPS
    printcap name = /dev/nul

[netlogon]
    path = /var/lib/samba/sysvol/MYDOMAIN.local/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[fileshare]
    writeable = yes
    path = /mnt/datastorage/sambastuff



/etc/resolv.conf:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.0.0.233
search mydomain.local


/etc/krb5.conf:

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = MYDOMAIN.LOCAL

[realms]
MYDOMAIN.LOCAL = {
kdc = WAREHOUSE.MYDOMAIN.LOCAL
admin_server = LINUXDC.MYDOMAIN.LOCAL
}

[domain_realm]
        .mydomain.local = MYDOMAIN.LOCAL
        mydomain.local = MYDOMAIN.LOCAL

Hi Arch,

> If I issue "smbclient -L localhost -U%", I get this:
This line does not test the whole thing. In order to test the thing 
properly, you'd better use a kinit to get a kerberos ticket, then a 
smbclient -k -L youservername to validate your environment.
>
> 2015/01/18 17:37:15.239428,  0]
../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>    Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
e3514235-4b06-11d1-ab04-00c04fc2dcd2 at
ncacn_ip_tcp:fa2f509c-accf-442f-b7f2-9497bb286180._msdcs.MYDOMAIN.local[1029,seal,krb5]
NT_STATUS_NO_LOGON_SERVERS
> [2015/01/18 17:37:25.439073,  3]
../source4/auth/gensec/gensec_gssapi.c:309(gensec_gssapi_client_creds)
>    Cannot reach a KDC we require to contact
GC/WINDOWSDC.MYDOMAIN.local/MYDOMAIN.local : kinit for LINUXDC$@MYDOMAIN.local
failed (Cannot contact any KDC for requested realm)
e3514235-4b06-11d1-ab04-00c04fc2dcd2 is a guid related to replication. 
But the real issue is that the server cannot contact a valid dc server. 
Your DNS entries have probably not been properly created at your server 
startup
> /etc/resolv.conf:
>
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 10.0.0.233
> search mydomain.local
I assume 10.0.0.233 is the ip of your LINUXDC.
> /etc/krb5.conf:
>
> [libdefaults]
>      dns_lookup_realm = true
>      dns_lookup_kdc = true
>      default_realm = MYDOMAIN.LOCAL
>
> [realms]
> MYDOMAIN.LOCAL = {
> kdc = WAREHOUSE.MYDOMAIN.LOCAL
> admin_server = LINUXDC.MYDOMAIN.LOCAL
> }
>
> [domain_realm]
>          .mydomain.local = MYDOMAIN.LOCAL
>          mydomain.local = MYDOMAIN.LOCAL
>
In your krb5.conf file, if everything is going well, you should only 
need the first 4 lines.

You can try a samba_dnsupdate to see if it works properly. If everything 
is fine, it just exits without saying anything. Could you also try to 
see if the following entry do exists in your DNS, it should point to 
your linuxdc server (and since you have replication issue, check on both 
servers):

b952c564-4c5a-4f7d-854b-18e309f6e969._msdcs.MYDOMAIN.local

check also the _kerberos._tcp.MYDOMAIN.local, _ldap._tcp.MYDOMAIN.local 
and _gc._tcp.MYDOMAIN.local DNS entries, you should have entries for 
both your LINUXDC and your WINDOWS DC servers.

One last thing, since you are using the .local suffix, please check the 
/etc/nsswitch.conf file and delete all the mdns and avahi related stuff, 
and turn off avahi daemon.

Hope this helps,

Denis


-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, b?timent A
12 avenue Jules Verne
44230 Saint S?bastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr