On 02/03/2015 12:58, Rowland Penny wrote:
> On 02/03/15 11:02, Jean-François Morcillo wrote:
>> On 06/02/2015 17:49, Marc Muehlfeld wrote:
>>> Hello Jean-François,
>>>
>>> On 04.02.2015 at 17:51 Jean-François Morcillo wrote:
>>>> Troubles come into the place when I try to create a user on the 2nd DC,
>>>> I get the following error message:
>>>> samba-tool user create usr1 usr1
>>>> ERROR(ldb): Failed to add user 'usr1': -
>>>> ../source4/dsdb/samdb/ldb_modules/ridalloc.c:547: No RID Set DN - Remote
>>>> RID Set creation needed
>>> This sounds like your DC didn't get an RID pool assigned from the RID
>>> master. See
>>> https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_%28FSMO%29_roles#RID_Master
>>> for details.
>>>
>>> If you just have two DCs in your domain, then the first one has this
>>> role, if you haven't transferred it.
>>>
>>> Did you have more DCs in the past and maybe didn't demote them correctly, and
>>> the AD still thinks one of the missing DCs is RID master?
>>>
>>> Please check which DC owns the RID master role:
>>> # samba-tool fsmo show
>>>
>>>> Moreover, new users created on the first DC are never synced to the
>>>> second one.
>>> Does your replication work in both directions? Check with
>>> # samba-tool drs showrepl
>>>
>>> Regards,
>>> Marc
>>>
>> Hello,
>>
>> Just for information, if someone faces the same issue, the problem was
>> due to the way we manage the DNS (manually).
>> As far as I understand, for the purpose of synchronization, samba
>> contacts the first DC using an alias (which looks like a UUID, this can
>> be seen in samba.log) and we were lacking this alias in our DNS.
>>
>> Anyway, thank you for your reply.
>>
> Hi, can you share with us just how you were managing DNS and what you
> are doing now.
>
> Rowland
>
Hello,

DNS is not managed in any way by samba.
The DNS on both DCs is BIND; its configuration is managed by an in-house
tool (which also does the synchronization of the DNS database).
This tool reads the samba database and fetches information about the DCs
(the filter is '(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer))').
In the servicePrincipalName attribute, it gets the value that starts with
'ldap/' and ends with '_msdcs.<realm>', then it adds an alias with this
"UUID" to the DNS database.
That's basically how I solved my issue. It's a little bit "hacky" but it
works, and it is supposed to be simplified in the near future.

-- 
Jean-François
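The approach Jean-François describes above (select the DC computer objects with the filter he gives, take the `ldap/<GUID>._msdcs.<realm>` SPN, and publish that GUID as a DNS alias) can also be run as a consistency check: derive the CNAME record every DC needs and report the ones the zone lacks, which is exactly the gap that broke replication in this thread. The Python below is an added example written for this page; it is not code from the poster's in-house tool or from Samba. The directory entries and zone contents are constructed sample data, and the `objectCategory=computer` clause of the filter is approximated by a prefix match on the category DN.

```python
import re

# Values used in the poster's LDAP filter (AD constants):
SAM_MACHINE_ACCOUNT = 805306369   # samAccountType of computer accounts
DOMAIN_CONTROLLERS_RID = 516      # primaryGroupID of the "Domain Controllers" group

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample entries standing in for an LDAP search result (not real data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC1$", "samAccountType": 805306369, "primaryGroupID": 516,
     "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com",
     "dNSHostName": "dc1.example.com",
     "servicePrincipalName": [
         "HOST/dc1.example.com",
         "ldap/dc1.example.com",
         "ldap/11111111-2222-3333-4444-555555555555._msdcs.example.com"]},
    {"sAMAccountName": "DC2$", "samAccountType": 805306369, "primaryGroupID": 516,
     "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com",
     "dNSHostName": "dc2.example.com",
     "servicePrincipalName": [
         "ldap/dc2.example.com",
         "ldap/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee._msdcs.example.com"]},
    # An ordinary workstation (primaryGroupID 515, "Domain Computers"): must be ignored.
    {"sAMAccountName": "WS1$", "samAccountType": 805306369, "primaryGroupID": 515,
     "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com",
     "dNSHostName": "ws1.example.com",
     "servicePrincipalName": ["HOST/ws1.example.com"]},
]

# Constructed zone contents: only DC1's alias was published, DC2's is missing.
SAMPLE_ZONE_CNAMES = {
    "11111111-2222-3333-4444-555555555555._msdcs.example.com": "dc1.example.com",
}


def is_domain_controller(entry):
    """Mirror the thread's filter:
    (&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)).
    objectCategory=computer is approximated by a prefix match on the category DN."""
    return (entry.get("samAccountType") == SAM_MACHINE_ACCOUNT
            and entry.get("primaryGroupID") == DOMAIN_CONTROLLERS_RID
            and entry.get("objectCategory", "").lower().startswith("cn=computer,"))


def dsa_guid_from_spns(spns, realm):
    """Return the DSA GUID embedded in the 'ldap/<guid>._msdcs.<realm>' SPN, or None."""
    suffix = "._msdcs." + realm.lower()
    for spn in spns:
        s = spn.lower()
        if s.startswith("ldap/") and s.endswith(suffix):
            guid = s[len("ldap/"):-len(suffix)]
            if GUID_RE.match(guid):
                return guid
    return None


def expected_msdcs_cnames(entries, realm):
    """Map '<guid>._msdcs.<realm>' -> DC host name for every DC among the entries."""
    expected = {}
    for entry in entries:
        if not is_domain_controller(entry):
            continue
        guid = dsa_guid_from_spns(entry.get("servicePrincipalName", []), realm)
        if guid is None:
            continue  # a DC without this SPN is itself worth investigating
        expected[f"{guid}._msdcs.{realm.lower()}"] = entry["dNSHostName"].lower()
    return expected


def missing_cnames(expected, zone_cnames):
    """Alias names that are absent from the zone or point at the wrong host."""
    return sorted(name for name, target in expected.items()
                  if zone_cnames.get(name, "").lower() != target)


if __name__ == "__main__":
    exp = expected_msdcs_cnames(SAMPLE_ENTRIES, "example.com")
    for name in missing_cnames(exp, SAMPLE_ZONE_CNAMES):
        print(f"missing: {name}. CNAME {exp[name]}.")
```

In a real deployment the entries would come from an LDAP search against the DC and the zone contents from the DNS server; the comparison is the useful part, since a DC whose GUID alias does not resolve fails replication in exactly the way the thread's first message shows.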
On 02/03/15 18:12, Jean-François Morcillo wrote:
> On 02/03/2015 12:58, Rowland Penny wrote:
>> On 02/03/15 11:02, Jean-François Morcillo wrote:
>>> On 06/02/2015 17:49, Marc Muehlfeld wrote:
>>>> Hello Jean-François,
>>>>
>>>> On 04.02.2015 at 17:51 Jean-François Morcillo wrote:
>>>>> Troubles come into the place when I try to create a user on the 2nd DC,
>>>>> I get the following error message:
>>>>> samba-tool user create usr1 usr1
>>>>> ERROR(ldb): Failed to add user 'usr1': -
>>>>> ../source4/dsdb/samdb/ldb_modules/ridalloc.c:547: No RID Set DN - Remote
>>>>> RID Set creation needed
>>>> This sounds like your DC didn't get an RID pool assigned from the RID
>>>> master. See
>>>> https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_%28FSMO%29_roles#RID_Master
>>>> for details.
>>>>
>>>> If you just have two DCs in your domain, then the first one has this
>>>> role, if you haven't transferred it.
>>>>
>>>> Did you have more DCs in the past and maybe didn't demote them correctly, and
>>>> the AD still thinks one of the missing DCs is RID master?
>>>>
>>>> Please check which DC owns the RID master role:
>>>> # samba-tool fsmo show
>>>>
>>>>> Moreover, new users created on the first DC are never synced to the
>>>>> second one.
>>>> Does your replication work in both directions? Check with
>>>> # samba-tool drs showrepl
>>>>
>>>> Regards,
>>>> Marc
>>>>
>>> Hello,
>>>
>>> Just for information, if someone faces the same issue, the problem was
>>> due to the way we manage the DNS (manually).
>>> As far as I understand, for the purpose of synchronization, samba
>>> contacts the first DC using an alias (which looks like a UUID, this can
>>> be seen in samba.log) and we were lacking this alias in our DNS.
>>>
>>> Anyway, thank you for your reply.
>>>
>> Hi, can you share with us just how you were managing DNS and what you
>> are doing now.
>>
>> Rowland
>>
> Hello,
>
> DNS is not managed in any way by samba.
> The DNS on both DCs is BIND; its configuration is managed by an in-house
> tool (which also does the synchronization of the DNS database).
> This tool reads the samba database and fetches information about the DCs
> (the filter is
> '(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer))').
> In the servicePrincipalName attribute, it gets the value that starts with
> 'ldap/' and ends with '_msdcs.<realm>',
> then it adds an alias with this "UUID" to the DNS database.
> That's basically how I solved my issue. It's a little bit "hacky" but it
> works, and it is supposed to be simplified in the near future.
>

If you are running samba4 in AD DC mode, you need to use either the
internal DNS server or a bind9 DNS server running on the server, why are
you jumping through hoops to get something that is clearly not working ????

That will only get records for DCs and it sounds like incorrect records
at that.

You need records in AD like this (this is a computer) :

dn: DC=ThinkPad,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20140812120544.0Z
uSNCreated: 3780
showInAdvancedViewOnly: TRUE
name: ThinkPad
objectGUID: 66cce7bf-5d9c-445d-bb44-73caac0d7966
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=example,DC=com
dc: ThinkPad
whenChanged: 20150302182424.0Z
dnsRecord:: BAABAAXwAABIAAAAAAAOEAAAAACiZTcAwKgA1w=
uSNChanged: 28272
distinguishedName: DC=ThinkPad,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com

Rowland
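To make sense of the `dnsRecord::` value in Rowland's LDIF above, here is an added Python decoder for the MS-DNSP DNS_RPC_RECORD structure that Samba stores under the `MicrosoftDNS` container (example code written for this page; it is not part of Samba or of the poster's tools). It unpacks the fixed header (data length, type, version, rank, flags, serial, big-endian TTL, reserved word, timestamp in hours since 1601) and then the type-specific data for A, AAAA, NS and CNAME records. The base64 string is the one quoted in the post; as copied onto this page it is 39 characters long, which is not valid base64, so the decoder assumes one trailing `=` pad character was lost and re-pads before decoding.

```python
import base64
import struct
import ipaddress
from datetime import datetime, timedelta, timezone

# Record type numbers (MS-DNSP); only these get type-specific decoding below.
DNS_TYPES = {1: "A", 2: "NS", 5: "CNAME", 28: "AAAA", 33: "SRV"}

# The dnsRecord value quoted in the post above. The copy on this page appears
# to have lost one trailing '=' pad character (assumption), so it is re-padded.
RECORD_BLOB_B64 = "BAABAAXwAABIAAAAAAAOEAAAAACiZTcAwKgA1w="


def decode_b64_lenient(text):
    """base64-decode after restoring any missing '=' padding."""
    text = text.strip()
    return base64.b64decode(text + "=" * (-len(text) % 4))


def counted_name(data):
    """MS-DNSP counted name: total length, label count, then length-prefixed labels."""
    if len(data) < 2:
        return ""
    count, pos, labels = data[1], 2, []
    for _ in range(count):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels) + "."


def decode_dns_record(blob):
    """Parse one dnsRecord value (DNS_RPC_RECORD, Samba's dnsp_DnssrvRpcRecord).

    Header layout: wDataLength, wType (LE u16); version, rank (u8); flags (LE u16);
    dwSerial (LE u32); dwTtlSeconds (BIG-endian u32); dwReserved, dwTimeStamp (LE u32).
    The type-specific data follows and is wDataLength bytes long.
    """
    if len(blob) < 24:
        raise ValueError("dnsRecord too short for a DNS_RPC_RECORD header")
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)
    reserved, timestamp = struct.unpack_from("<II", blob, 16)
    data = blob[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("dnsRecord data truncated")
    rec = {
        "type": DNS_TYPES.get(rtype, f"TYPE{rtype}"),
        "version": version, "rank": rank, "flags": flags,
        "serial": serial, "ttl": ttl, "reserved": reserved,
        # dwTimeStamp counts hours since 1601-01-01 UTC; 0 marks a static record.
        "timestamp": (datetime(1601, 1, 1, tzinfo=timezone.utc)
                      + timedelta(hours=timestamp)) if timestamp else None,
    }
    if rtype == 1 and data_len == 4:
        rec["data"] = str(ipaddress.IPv4Address(data))
    elif rtype == 28 and data_len == 16:
        rec["data"] = str(ipaddress.IPv6Address(data))
    elif rtype in (2, 5):
        rec["data"] = counted_name(data)
    else:
        rec["data"] = data.hex()   # other types are left as raw bytes
    return rec


if __name__ == "__main__":
    r = decode_dns_record(decode_b64_lenient(RECORD_BLOB_B64))
    print(f"{r['type']} {r['data']} ttl={r['ttl']} serial={r['serial']} "
          f"rank=0x{r['rank']:02x} ts={r['timestamp']}")
```

Run on the quoted value, this yields an A record for 192.168.0.215 with a 3600 s TTL, serial 72, rank 0xf0 and a timestamp of 2015-03-02 18:00 UTC, which lines up with the record's whenChanged attribute; that agreement is a cheap sanity check that the header layout, in particular the big-endian TTL, has been read correctly.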
On 02/03/2015 19:44, Rowland Penny wrote:
> On 02/03/15 18:12, Jean-François Morcillo wrote:
>> On 02/03/2015 12:58, Rowland Penny wrote:
>>> On 02/03/15 11:02, Jean-François Morcillo wrote:
>>>> On 06/02/2015 17:49, Marc Muehlfeld wrote:
>>>>> Hello Jean-François,
>>>>>
>>>>> On 04.02.2015 at 17:51 Jean-François Morcillo wrote:
>>>>>> Troubles come into the place when I try to create a user on the 2nd DC,
>>>>>> I get the following error message:
>>>>>> samba-tool user create usr1 usr1
>>>>>> ERROR(ldb): Failed to add user 'usr1': -
>>>>>> ../source4/dsdb/samdb/ldb_modules/ridalloc.c:547: No RID Set DN - Remote
>>>>>> RID Set creation needed
>>>>> This sounds like your DC didn't get an RID pool assigned from the RID
>>>>> master. See
>>>>> https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_%28FSMO%29_roles#RID_Master
>>>>> for details.
>>>>>
>>>>> If you just have two DCs in your domain, then the first one has this
>>>>> role, if you haven't transferred it.
>>>>>
>>>>> Did you have more DCs in the past and maybe didn't demote them correctly, and
>>>>> the AD still thinks one of the missing DCs is RID master?
>>>>>
>>>>> Please check which DC owns the RID master role:
>>>>> # samba-tool fsmo show
>>>>>
>>>>>> Moreover, new users created on the first DC are never synced to the
>>>>>> second one.
>>>>> Does your replication work in both directions? Check with
>>>>> # samba-tool drs showrepl
>>>>>
>>>>> Regards,
>>>>> Marc
>>>>>
>>>> Hello,
>>>>
>>>> Just for information, if someone faces the same issue, the problem was
>>>> due to the way we manage the DNS (manually).
>>>> As far as I understand, for the purpose of synchronization, samba
>>>> contacts the first DC using an alias (which looks like a UUID, this can
>>>> be seen in samba.log) and we were lacking this alias in our DNS.
>>>>
>>>> Anyway, thank you for your reply.
>>>>
>>> Hi, can you share with us just how you were managing DNS and what you
>>> are doing now.
>>>
>>> Rowland
>>>
>> Hello,
>>
>> DNS is not managed in any way by samba.
>> The DNS on both DCs is BIND; its configuration is managed by an in-house
>> tool (which also does the synchronization of the DNS database).
>> This tool reads the samba database and fetches information about the DCs
>> (the filter is
>> '(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer))').
>> In the servicePrincipalName attribute, it gets the value that starts with
>> 'ldap/' and ends with '_msdcs.<realm>',
>> then it adds an alias with this "UUID" to the DNS database.
>> That's basically how I solved my issue. It's a little bit "hacky" but it
>> works, and it is supposed to be simplified in the near future.
>>
>
> If you are running samba4 in AD DC mode, you need to use either the
> internal DNS server or a bind9 DNS server running on the server, why
> are you jumping through hoops to get something that is clearly not
> working ????
>
> That will only get records for DCs and it sounds like incorrect
> records at that.
>
> You need records in AD like this (this is a computer) :
>
> dn: DC=ThinkPad,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20140812120544.0Z
> uSNCreated: 3780
> showInAdvancedViewOnly: TRUE
> name: ThinkPad
> objectGUID: 66cce7bf-5d9c-445d-bb44-73caac0d7966
> objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=example,DC=com
> dc: ThinkPad
> whenChanged: 20150302182424.0Z
> dnsRecord:: BAABAAXwAABIAAAAAAAOEAAAAACiZTcAwKgA1w=
> uSNChanged: 28272
> distinguishedName: DC=ThinkPad,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
>
> Rowland
>
Hello,

Thank you for that advice. Please consider that this is a work in progress.

*For the moment*, bind9 is installed on the same server as samba but not
managed by samba, and I'm asked to make them work together even if that
does not sound like the best choice.
I hope to switch to the BIND9_DLZ backend soon.

Regards,
-- 
Jean-François