On 24/07/15 13:53, mathias dufresne wrote:
> The following commands work on both DCs:
> host -t A <short_hostname_of_other_DC>
> host -t A <fqdn_hostname_of_other_DC>
>
> hostname and hostname --fqdn are working on both DCs. The simplest way
> is to not declare the external IP in /etc/hosts
>
>
> SRV DNS entries which are working are:
> host -t SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.domain.tld
> host -t SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.domain.tld
>
> host -t SRV _kerberos._tcp.ad.domain.tld
> host -t SRV _ldap._tcp.ad.domain.tld
>
> host -t SRV _kerberos._tcp.ad.domain.tld
> host -t SRV _ldap._tcp.ad.domain.tld
>
> host -t SRV _ldap._tcp.e34d77b4-ff44-49fc-b29c-5373ecb0538a.domains._msdcs.ad.domain.tld
> No _kerberos defined there.
>
> All of them return both DC FQDNs.
>
> In the (kind of) DNS OU named _tcp in _sites.ad.domain.tld there are 4
> kinds of entries:
> _ldap
> _kerberos
> _kpasswd
> _gc
>
> While in other _tcp containers there are fewer entries (missing
> _kpasswd, missing _kpasswd and _gc, or missing _kpasswd, _kerberos and
> _gc).
>
> This was for the direct search zone.
>
> For condiftional redir and inverted search zone (rough translation) I
> have no entry at all.
>

Not sure what you mean by 'condiftional redir' but I think 'inverted search zone' is bad English for 'reverse zone' :-)

If so, you need to create this, it is not created automatically:

samba-tool dns zonecreate dc1.example.com 0.168.192.in-addr.arpa

Where 'dc1.example.com' is the FQDN of the first DC and the network is 192.168.0.0/24, from this you get the 0.168.192.

Rowland
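The two checks discussed in this exchange, as an added Python example that is not code from the thread or from Samba: Rowland's rule for deriving the reverse zone name from the network, and a check of the SRV names mathias queried with host -t SRV, fed by a resolver callback so it can run against a real resolver or, as here, against constructed answers. The SRV list is only the subset the thread mentions plus the domain-wide _kpasswd and _gc names, not the full set a DC registers.

```python
import ipaddress
from typing import Callable, Dict, List

# Added example, not code from the thread or from Samba: Rowland's reverse-zone
# rule (192.168.0.0/24 -> 0.168.192.in-addr.arpa) as a function, plus a check of
# the SRV names the thread queries, driven by a pluggable resolver callback.

def reverse_zone(cidr: str) -> str:
    """in-addr.arpa zone for an IPv4 network; only /8, /16 and /24 map to one zone.
    strict=False lets a DC address such as 10.0.0.221/24 stand in for its network."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("need an IPv4 network with a /8, /16 or /24 prefix")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def zonecreate_command(dc_fqdn: str, cidr: str) -> str:
    """The samba-tool invocation Rowland gave, built from the network."""
    return f"samba-tool dns zonecreate {dc_fqdn} {reverse_zone(cidr)}"

def expected_srv_records(realm: str, site: str, domain_guid: str) -> List[str]:
    """SRV names from the thread plus the domain-wide _kpasswd and _gc; the full
    set a DC registers is larger (e.g. _ldap._tcp.pdc._msdcs.<realm>)."""
    names = [f"{s}._tcp.{realm}" for s in ("_ldap", "_kerberos", "_kpasswd", "_gc")]
    names += [f"{s}._tcp.{site}._sites.{realm}" for s in ("_ldap", "_kerberos", "_gc")]
    names += [f"{s}._tcp.{site}._sites.dc._msdcs.{realm}" for s in ("_ldap", "_kerberos")]
    names.append(f"_ldap._tcp.{domain_guid}.domains._msdcs.{realm}")
    return names

def missing_srv_records(names: List[str],
                        resolve: Callable[[str], List[str]]) -> List[str]:
    """resolve(name) returns the SRV target hosts, or [] when nothing answers;
    a name with no DC behind it is what makes clients fail to locate a DC."""
    return [name for name in names if not resolve(name)]

# Constructed answers (not captured output) modelled on the thread's domain:
# every name returns both DCs except the site-specific _gc entry, mirroring
# mathias' observation that some _tcp containers hold fewer entries.
REALM, SITE = "ad.domain.tld", "Default-First-Site-Name"
GUID = "e34d77b4-ff44-49fc-b29c-5373ecb0538a"   # domain GUID from the thread
DCS = ["dc00.ad.domain.tld", "dc20.ad.domain.tld"]
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    n: DCS for n in expected_srv_records(REALM, SITE, GUID)
    if n != f"_gc._tcp.{SITE}._sites.{REALM}"}

def demo() -> List[str]:
    """Names a client would fail to resolve, under the constructed answers."""
    expected = expected_srv_records(REALM, SITE, GUID)
    return missing_srv_records(expected, lambda n: SAMPLE_ANSWERS.get(n, []))
```

To run it against a live domain, replace the lambda with a function that queries each name (for example by parsing host -t SRV output) and returns the target hosts it finds.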
mathias dufresne
2015-Jul-27 12:45 UTC
[Samba] 4.2.2 as AD with 2 DCs: database incoherency
Thank you Rowland for this.

I tried using Sernet's Samba 4.2.2 and failed:

All the following commands were run on DC20:

samba-tool dns zonecreate dc20.ad.domain.tld 0.0.10.in-addr.arpa
Password for [administrator at AD.DOMAIN.TLD]:
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:10.0.0.221[1024,sign,target_hostname=dc20.ad.domain.tld,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=10.0.0.221] NT_STATUS_IO_TIMEOUT
ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 850, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 40, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

samba-tool dns zonelist dc20
Password for [administrator at AD.DOMAIN.TLD]:
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:10.0.0.221[1024,sign,target_hostname=dc20,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fdlocaladdress=10.0.0.221] NT_STATUS_IO_TIMEOUT
ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 809, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 40, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

After upgrading to 4.2.3:

kinit administrator
Password for administrator at AD.DOMAIN.TLD:
Warning: Your password will expire in 38 days on Thu Sep 3 15:16:54 2015

samba-tool dns zonecreate dc20.ad.domain.tld 0.0.10.in-addr.arpa
Zone 0.0.10.in-addr.arpa created successfully

------------------------------------
On the second DC, namely DC00:

samba-tool dns zonecreate dc00.ad.domain.tld 0.0.10.in-addr.arpa -Uadministrator
ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 850, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 40, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

----------------------------------------------------------------

So zone creation worked after upgrading to Samba4 4.2.3. I have not yet filled that zone but I ran:

samba-tool ldapcmp ldap://DC00.ad.domain.tld ldap://DC20.ad.domain.tld -Uadministrator

on DC00, just to see if the previous errors were also solved after the upgrade.

Regarding the initial issue, which was database incoherency, I copied /var/lib/samba/private/sam.ldb.d/DC=AD,DC=DOMAIN,DC=TLD from DC20 to DC00 (with both Samba services stopped) to see if this could be achieved and used as a quick answer to the incoherency issue. The idea was that all DCs should have the same database, so let's push the database (piggy work, often efficient...)

Then I ran some ldapcmp before leaving for the weekend:

samba-tool ldapcmp ldap://dc00.ad.domain.tld ldap://dc20.ad.domain.tld domain

* Comparing [DOMAIN] context...
Failed search of base=DC=ad,DC=domain,DC=tld
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_UNEXPECTED_NETWORK_ERROR
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line 979, in run
    outf=self.outf, errf=self.errf)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line 698, in __init__
    self.dn_list = self.get_dn_list(context)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/ldapcmp.py", line 841, in get_dn_list
    res = self.con.ldb.search(base=self.search_base, scope=self.search_scope, attrs=["dn"])

Followed by samba-tool dbcheck, run 2 hours after I left using "sleep" to give time to the ldapcmp process.

This dbcheck was run on both servers and both were counting the same number of objects before both processes hung. On DC00 the ssh connection was lost, the VM still running but broken; on DC20 (the FSMO owner) the message should have been "process stopped" (some "top" command removed this message :/).

I'll continue to play with these two DCs and be back later to tell how things went.
Cheers,

mathias

2015-07-24 17:39 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
mathias dufresne
2015-Jul-30 09:29 UTC
[Samba] 4.2.2 as AD with 2 DCs: database incoherency
Hi all,

So I copied the $sambadir/private/sam.ldb.d/DC=SAMBA,DC=DOMAIN,DC=TLD.ldb file from one DC (the FSMO owner) to the other one a few days ago and there has been no issue after restarting both Samba services.

Then I started deleting objects from one DC (the FSMO owner) to check if these changes would be replicated: they were. Now both databases are coherent.

I was told (somewhere else than here) that databases differ between DCs and so we just can't copy the database from one DC to another. I'm glad this was not true :)

I expect it is not possible to do that with all DB files, at least not all files in $sambadir/private. Is there an *official* point of view regarding that manoeuvre?

Regarding ldapcmp which was not working, it is still not working but I have not yet clearly checked the whole DNS configuration. I'll be back later once, I hope, that is solved.

Cheers,

mathias

2015-07-27 14:45 GMT+02:00 mathias dufresne <infractory at gmail.com>: