On 23/07/15 16:23, mathias dufresne wrote:
> Hi all,
>
> I tried "samba-tool ldapcmp" several times to solve this issue, without
> success.
>
> On DC acting as full FSMO:
> dc20:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan ldap://dc20.ad.dgfip.lan domain
> ERROR(ldb): uncaught exception - ldb_wait: Time limit exceeded (3)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line 968, in run
>     outf=self.outf, errf=self.errf)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line 80, in __init__
>     self.server_names = self.find_servers()
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line 106, in find_servers
>     scope=SCOPE_SUBTREE, expression="(objectClass=computer)", attrs=["cn"])
>
> On the other one, which is the one with more groups than the other:
> dc00:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan ldap://dc20.ad.dgfip.lan domain
> ERROR(ldb): uncaught exception - ldb_wait: Time limit exceeded (3)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 968, in run
>     outf=self.outf, errf=self.errf)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 83, in __init__
>     self.get_sid_map()
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 257, in get_sid_map
>     expression="(objectSid=*)", scope=SCOPE_SUBTREE, attrs=["objectSid", "sAMAccountName"])
>
> After modifying the hostname configuration on the FSMO (which is a CentOS) so that
> the system does not reply with the FQDN when running "hostname" and does not reply
> with the short name when running "hostname --fqdn", the error changed a bit on the
> non-FSMO:
>
> dc00:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan ldap://dc20.ad.dgfip.lan domain
>
> * Comparing [DOMAIN] context...
> Failed search of base=DC=ad,DC=dgfip,DC=lan
> ERROR(ldb): uncaught exception - LDAP client internal error:
> NT_STATUS_UNEXPECTED_NETWORK_ERROR
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 979, in run
>     outf=self.outf, errf=self.errf)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 698, in __init__
>     self.dn_list = self.get_dn_list(context)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 841, in get_dn_list
>     res = self.con.ldb.search(base=self.search_base, scope=self.search_scope, attrs=["dn"])
>
> Finally I tried to demote the non-FSMO DC:
>
> dc00:~# samba-tool domain demote -Uadministrator
> Using dc20.ad.dgfip.lan as partner server for the demotion
> ERROR(<class 'samba.drs_utils.drsException'>): uncaught exception -
> drsException: DRS connection to dc20.ad.dgfip.lan failed: (-1073741643,
> '{Device Timeout} The specified I/O operation on %hs was not completed
> before the time-out period expired.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 693, in run
>     (drsuapiBind, drsuapi_handle, supportedExtensions) = drsuapi_connect(server, lp, creds)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
>     raise drsException("DRS connection to %s failed: %s" % (server, e))
>
> And now, before trying a MS Windows script to remove some broken DC from AD,
> I come back to see if anyone has any clue to help me solve that issue...
>
> Best regards,
>
> mathias
>
>
> 2015-07-16 17:31 GMT+02:00 Reindl Harald <h.reindl at thelounge.net>:
>
>> On 16.07.2015 at 17:18, Rowland Penny wrote:
>>
>>> On 16/07/15 13:27, Reindl Harald wrote:
>>>
>>>> On 16.07.2015 at 14:02, Rowland Penny wrote:
>>>>
>>>>> /etc/hosts should be:
>>>>>
>>>>> 127.0.0.1 localhost.localdomain localhost
>>>>>
>>>> uhm no - you want 127.0.0.1 normally resolved to localhost and hence
>>>> 127.0.0.1 localhost localhost.localdomain
>>>>
>>> Ah NO, only if you are using a brain dead OS like red-hat :-)
>>>
>>> From 'man hosts'
>>>
>>> For each host a single line should be present with the following
>>> information:
>>>
>>> IP_address canonical_hostname [aliases...]
>>>
>>> Optional aliases provide for name changes, alternate spellings, shorter
>>> hostnames, or generic hostnames (for example, localhost)
>>>
>> you quote exactly what i said
>> gethostbyaddr will answer the canonical_hostname and not a random alias
>>
>> the real name for 127.0.0.1 is always localhost and hence that should not
>> be the alias, frankly nobody needs the localhost.localdomain at all
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
This sounds more & more like a DNS problem. I tried CentOS and had a hard
time getting DNS to work properly, something that is easy on Debian.

You need to be able to ping each DC from the other, by short hostname and
by FQDN; you should also be able to run 'host -t A <short_hostname_of_other_DC>'
and 'host -t A <fqdn_hostname_of_other_DC>' and get a result.

/etc/resolv.conf needs to point first at the other DC, then to itself.
/etc/hosts should contain at a minimum '127.0.0.1 localhost'; you can
also have '127.0.0.1 localhost.localdomain localhost'.
You can add the IP addresses of the DCs to /etc/hosts, i.e.

192.168.0.2 dc1.example.com dc1
192.168.0.3 dc2.example.com dc2

Though you shouldn't have to, if the DNS servers are working correctly.

Running 'hostname' should return just the short hostname, running
'hostname -f' or 'hostname --fqdn' should return the FQDN hostname,
/etc/hostname should contain just the DC's short hostname. When I tried out
CentOS, I seem to remember finding that it contained
'localhost.localdomain', something it should never contain.

Rowland
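The layout Rowland describes above (short name from hostname, FQDN from hostname -f, localhost on 127.0.0.1, the other DC listed first in resolv.conf) turned into a check script. This is an added example, not code from the thread or from Samba: dc1/dc2, example.com, 192.168.0.x and the SAMPLE_HOSTS / SAMPLE_RESOLV contents are constructed placeholders, and the --live mode shells out to hostname and host exactly as the advice above does.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the hostname,
# /etc/hosts and /etc/resolv.conf layout a Samba AD DC needs, plus a --live
# mode that runs them on a real DC. dc1/dc2, example.com and 192.168.0.x
# are placeholders; SAMPLE_HOSTS and SAMPLE_RESOLV are constructed inputs.

# 'hostname' must give the short name, 'hostname -f' the FQDN, and the FQDN
# must be <short>.<ad_domain>. localhost[.localdomain] is never acceptable.
check_hostname_pair() {  # <short> <fqdn> <ad_domain>
    case $1 in ''|localhost|*.*) return 1 ;; esac
    [ "$2" = "$1.$3" ]
}

# 127.0.0.1 must map to localhost (canonical name or alias) and must NOT
# carry the DC's own FQDN, otherwise the DC's name resolves to loopback locally.
check_hosts_file() {  # <hosts_file_content> <own_fqdn>
    printf '%s\n' "$1" | awk -v fqdn="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) {
                if ($i == "localhost") ok = 1
                if ($i == fqdn)        bad = 1
            }
        }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# First nameserver must be the other DC, second must be this DC itself.
check_resolv_conf() {  # <resolv_conf_content> <other_dc_ip> <own_ip>
    ns=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }' | head -n 2 | tr '\n' ' ')
    [ "$ns" = "$2 $3 " ]
}

# Constructed sample files as seen from dc1 (192.168.0.2); dc2 is 192.168.0.3.
SAMPLE_HOSTS='127.0.0.1   localhost localhost.localdomain
192.168.0.2 dc1.example.com dc1
192.168.0.3 dc2.example.com dc2'
SAMPLE_RESOLV='search example.com
nameserver 192.168.0.3
nameserver 192.168.0.2'

# Live mode, run on a DC:
#   sh dc-name-check.sh --live <other_dc_short> <ad_domain> <other_dc_ip> <own_ip>
if [ "${1:-}" = "--live" ]; then
    me=$(hostname)
    check_hostname_pair "$me" "$(hostname -f)" "$3"        || echo "FAIL: hostname / hostname -f layout"
    check_hosts_file "$(cat /etc/hosts)" "$me.$3"          || echo "FAIL: 127.0.0.1 line in /etc/hosts"
    check_resolv_conf "$(cat /etc/resolv.conf)" "$4" "$5"  || echo "FAIL: nameserver order in /etc/resolv.conf"
    for n in "$2" "$2.$3"; do
        host -t A "$n" >/dev/null 2>&1                     || echo "FAIL: cannot resolve $n"
    done
fi
```

Each check is a function that takes file contents as a string, so the same logic can be exercised against sample data before it is trusted on a DC; the live mode simply feeds it the real files and the real hostname output.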
mathias dufresne
2015-Jul-24 12:53 UTC
[Samba] 4.2.2 as AD with 2 DCs: database incoherency
The following commands work on both DC:
host -t A <short_hostname_of_other_DC>
host -t A <fqdn_hostname_of_other_DC>

hostname and hostname --fqdn are working on both DC. The simplest way
is to not declare external IP in /etc/hosts.

SRV DNS entries which are working are:
host -t SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.domain.tld
host -t SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.domain.tld

host -t SRV _kerberos._tcp.ad.domain.tld
host -t SRV _ldap._tcp.ad.domain.tld

host -t SRV _kerberos._tcp.ad.domain.tld
host -t SRV _ldap._tcp.ad.domain.tld

host -t SRV _ldap._tcp.e34d77b4-ff44-49fc-b29c-5373ecb0538a.domains._msdcs.ad.domain.tld
No _kerberos defined there.

All of them return both DC FQDN.

In (kind of) DNS OU named _tcp in _sites.ad.domain.tld there are 4 kinds of entries:
_ldap
_kerberos
_kpasswd
_gc

While in other _tcp containers there are fewer entries (missing _kpasswd,
missing _kpasswd and _gc, or missing _kpasswd, _kerberos and _gc).

This was for direct search zone.

For conditional redir and inverted search zone (rough translation) I have
no entry at all.

2015-07-23 19:41 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 23/07/15 16:23, mathias dufresne wrote:
>> Hi all,
>>
>> I tried "samba-tool ldapcmp" several times to solve this issue, without
>> success.
>> [...]
>
> This sounds more & more like a DNS problem. I tried CentOS and had a hard
> time getting DNS to work properly, something that is easy on Debian.
>
> You need to be able to ping each DC from the other, by short hostname and
> by FQDN; you should also be able to run 'host -t A <short_hostname_of_other_DC>'
> and 'host -t A <fqdn_hostname_of_other_DC>' and get a result.
>
> /etc/resolv.conf needs to point first at the other DC, then to itself.
> /etc/hosts should contain at a minimum '127.0.0.1 localhost'; you can
> also have '127.0.0.1 localhost.localdomain localhost'.
> You can add the IP addresses of the DCs to /etc/hosts, i.e.
>
> 192.168.0.2 dc1.example.com dc1
> 192.168.0.3 dc2.example.com dc2
>
> Though you shouldn't have to, if the DNS servers are working correctly.
>
> Running 'hostname' should return just the short hostname, running
> 'hostname -f' or 'hostname --fqdn' should return the FQDN hostname,
> /etc/hostname should contain just the DC's short hostname. When I tried out
> CentOS, I seem to remember finding that it contained
> 'localhost.localdomain', something it should never contain.
>
> Rowland
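An added example (not from mathias's post or from Samba) that turns the "all of them return both DC FQDN" test into a script: it enumerates the core SRV names an AD domain publishes and reports every record that does not list every DC. example.com, Default-First-Site-Name, the domain GUID and dc1/dc2 are placeholders, a single-domain forest is assumed (so the forest-level _gc and _msdcs names sit under the same domain), and srv_targets is the only function that touches the network, so it can be swapped for a stub when running offline. It goes slightly beyond the names listed above by including the _udp and _gc records, and it deliberately leaves out _ldap._tcp.pdc._msdcs, which lists only the PDC emulator and would otherwise show up as a false gap.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate the core SRV records an AD
# domain must publish and verify that every one of them lists every DC.
# example.com, Default-First-Site-Name, the GUID and dc1/dc2 are placeholders;
# a single-domain forest is assumed.

# The domain GUID is the objectGUID of the domain NC, the same value that
# already appears in the _ldap._tcp.<guid>.domains._msdcs record.
# _ldap._tcp.pdc._msdcs.<domain> is left out on purpose: it lists only the
# PDC emulator, so "every DC must be in it" does not apply.
expected_srv_names() {  # <dns_domain> <site> <domain_guid>
    d=$1; s=$2; g=$3
    for svc in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp _kpasswd._udp _gc._tcp; do
        echo "$svc.$d"
    done
    for svc in _ldap._tcp _kerberos._tcp _gc._tcp; do
        echo "$svc.$s._sites.$d"
    done
    echo "_ldap._tcp.dc._msdcs.$d"
    echo "_kerberos._tcp.dc._msdcs.$d"
    echo "_ldap._tcp.gc._msdcs.$d"
    echo "_ldap._tcp.$s._sites.dc._msdcs.$d"
    echo "_kerberos._tcp.$s._sites.dc._msdcs.$d"
    echo "_ldap._tcp.$s._sites.gc._msdcs.$d"
    echo "_ldap._tcp.$g.domains._msdcs.$d"   # only _ldap exists here, no _kerberos
}

# Resolver: print the target host of every SRV answer, one per line.
# 'host -t SRV <name>' prints lines like
#   <name> has SRV record 0 100 389 dc1.example.com.
srv_targets() {  # <name>
    host -t SRV "$1" 2>/dev/null | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# Verify every expected record lists every DC; print each gap, return 1 if any.
check_srv_coverage() {  # <dns_domain> <site> <domain_guid> <dc_fqdn>...
    d=$1; s=$2; g=$3; shift 3
    rc=0
    for name in $(expected_srv_names "$d" "$s" "$g"); do
        answers=$(srv_targets "$name")
        for dc in "$@"; do
            printf '%s\n' "$answers" | grep -qxF "$dc" || { echo "MISSING: $name -> $dc"; rc=1; }
        done
    done
    return $rc
}

# Live use on a DC:
#   sh srv-check.sh --live ad.example.com Default-First-Site-Name <domain-guid> dc1.ad.example.com dc2.ad.example.com
if [ "${1:-}" = "--live" ]; then
    shift
    check_srv_coverage "$@" && echo "OK: all SRV records list all DCs"
fi
```

A DC missing from a record is exactly the kind of gap that makes clients and the other DC pick one server for LDAP but fail to find it for Kerberos or password changes, so the script prints one line per record/DC pair rather than a single pass/fail.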
On 24/07/15 13:53, mathias dufresne wrote:
> The following commands work on both DC:
> host -t A <short_hostname_of_other_DC>
> host -t A <fqdn_hostname_of_other_DC>
>
> hostname and hostname --fqdn are working on both DC. The simplest way
> is to not declare external IP in /etc/hosts.
>
> [...]
>
> This was for direct search zone.
>
> For conditional redir and inverted search zone (rough translation) I
> have no entry at all.
>
Not sure what you mean by 'conditional redir', but I think 'inverted search zone' is bad English for 'reverse zone' :-)

If so, you need to create this, it is not created automatically:

samba-tool dns zonecreate dc1.example.com 0.168.192.in-addr.arpa

Where 'dc1.example.com' is the FQDN of the first DC and the network is 192.168.0.0/24, from this you get the 0.168.192.

Rowland
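An added example (not from Rowland's reply or from Samba) that computes the in-addr.arpa zone name from a network prefix, the step Rowland does by hand for 192.168.0.0/24, and prints the samba-tool commands to create the zone and add one PTR record per DC. dc1/dc2, example.com and the addresses are placeholders; the samba-tool forms used are 'dns zonecreate <server> <zone>' and 'dns add <server> <zone> <name> PTR <data>', and nothing is executed, the commands are printed for review.

```shell
#!/bin/sh
# Added example (not from the thread): derive the in-addr.arpa reverse zone
# from a network prefix and emit the samba-tool commands that create it and
# register a PTR record for each DC. dc1/dc2, example.com and 192.168.0.0/24
# are placeholders; the commands are printed, not run.

# 192.168.0.0/24 -> 0.168.192.in-addr.arpa. Only /8, /16 and /24 are handled:
# in-addr.arpa delegation is per octet, other lengths need RFC 2317 tricks.
reverse_zone_for() {  # <cidr>
    net=${1%/*}; bits=${1#*/}
    set -- $(printf '%s\n' "$net" | tr '.' ' ')     # $1..$4 = octets
    [ $# -eq 4 ] || { echo "bad network: $net" >&2; return 1; }
    case $bits in
        8)  echo "$1.in-addr.arpa" ;;
        16) echo "$2.$1.in-addr.arpa" ;;
        24) echo "$3.$2.$1.in-addr.arpa" ;;
        *)  echo "unsupported prefix length /$bits (use 8, 16 or 24)" >&2; return 1 ;;
    esac
}

# Name of the PTR record relative to the zone:
# 192.168.0.2 in /24 -> 2 ; 10.1.2.3 in /8 -> 3.2.1
ptr_label_for() {  # <ip> <cidr>
    bits=${2#*/}
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    case $bits in
        8)  echo "$4.$3.$2" ;;
        16) echo "$4.$3" ;;
        24) echo "$4" ;;
        *)  return 1 ;;
    esac
}

# Print the zone creation against one DC, then one PTR per DC. The zone is
# stored in AD, so it replicates to the other DC without further steps.
reverse_zone_commands() {  # <dc_fqdn_to_talk_to> <cidr> <ip=fqdn>...
    dc=$1; cidr=$2; shift 2
    zone=$(reverse_zone_for "$cidr") || return 1
    echo "samba-tool dns zonecreate $dc $zone -U administrator"
    for pair in "$@"; do
        ip=${pair%%=*}; fqdn=${pair#*=}
        label=$(ptr_label_for "$ip" "$cidr") || return 1
        echo "samba-tool dns add $dc $zone $label PTR $fqdn -U administrator"
    done
}

# Usage (review the output, then pipe it into sh on a DC):
#   sh reverse-zone.sh --emit dc1.example.com 192.168.0.0/24 \
#       192.168.0.2=dc1.example.com 192.168.0.3=dc2.example.com
if [ "${1:-}" = "--emit" ]; then
    shift
    reverse_zone_commands "$@"
fi
```

Creating the zone alone is not enough for 'host <ip>' to work: each DC still needs its PTR, which is why the generator emits one 'dns add ... PTR' line per DC after the zonecreate.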