Matthew Delfino
2015-Nov-16  02:36 UTC
[Samba] Domain join failure - error during DRS repl ADD: No objectClass found in replPropertyMetaData
Hello Colleagues and Mentors,
I'm attempting to join a Samba AD DC that I compiled with samba 4.3.1 on
Ubuntu 14.04.3 to a group of three AD DCs, also running Samba on Ubuntu 14.04.3,
but each of them is running Canonical's pre-compiled Samba package, v4.1.6.
This already-existing domain has had its schema updated to include Kerio
Connect-specific schema (to support our mail server).
When I run the following command as root:
  samba-tool domain join mydomain.lan DC -Uadministrator --realm=mydomain.lan --dns-backend=SAMBA_INTERNAL
I see the following output:
  Finding a writeable DC for domain 'mydomain.lan'
  Found DC AC-DC10.mydomain.lan
  Password for [WORKGROUP\administrator]:
  workgroup is MYDOMAIN
  realm is mydomain.lan
  checking sAMAccountName
  Adding CN=AD-DC00,OU=Domain Controllers,DC=mydomain,DC=lan
  Adding
CN=AD-DC00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  Adding CN=NTDS
Settings,CN=AD-DC00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  Adding SPNs to CN=AD-DC00,OU=Domain Controllers,DC=mydomain,DC=lan
  Setting account password for AD-DC00$
  Enabling account
  Calling bare provision
  Looking up IPv4 addresses
  Looking up IPv6 addresses
  No IPv6 address will be assigned
  Setting up share.ldb
  Setting up secrets.ldb
  Setting up the registry
  Setting up the privileges database
  Setting up idmap db
  Setting up SAM db
  Setting up sam.ldb partitions and settings
  Setting up sam.ldb rootDSE
  Pre-loading the Samba 4 and AD schema
  A Kerberos configuration suitable for Samba 4 has been generated at
/usr/local/samba/private/krb5.conf
  Provision OK for domain DN DC=mydomain,DC=lan
  Starting replication
  Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=lan] objects[402/1578]
linked_values[0/0]
  Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=lan] objects[804/1578]
linked_values[0/0]
  Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=lan] objects[1206/1578]
linked_values[0/0]
  Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=lan] objects[1578/1578]
linked_values[0/0]
  Analyze and apply schema objects
  Partition[CN=Configuration,DC=mydomain,DC=lan] objects[402/1688]
linked_values[0/0]
  Partition[CN=Configuration,DC=mydomain,DC=lan] objects[804/1688]
linked_values[0/0]
  Partition[CN=Configuration,DC=mydomain,DC=lan] objects[1206/1688]
linked_values[0/0]
  Partition[CN=Configuration,DC=mydomain,DC=lan] objects[1608/1688]
linked_values[0/0]
  Partition[CN=Configuration,DC=mydomain,DC=lan] objects[1688/1688]
linked_values[45/0]
  Replicating critical objects from the base DN of the domain
  Partition[DC=mydomain,DC=lan] objects[100/100] linked_values[34/0]
  Partition[DC=mydomain,DC=lan] objects[502/755] linked_values[0/0]
  No objectClass found in replPropertyMetaData for
CN=kerio_emailgroup,OU=Services,OU=Groups,OU=knock,DC=mydomain,DC=lan!
  
  Failed to apply records: replmd_replicated_apply_add: error during DRS repl
ADD: No objectClass found in replPropertyMetaData for
CN=kerio_emailgroup,OU=Services,OU=Groups,OU=knock,DC=mydomain,DC=lan!
  : Object class violation
  Failed to commit objects: WERR_GENERAL_FAILURE
  Join failed - cleaning up
  checking sAMAccountName
  Deleted CN=AD-DC00,OU=Domain Controllers,DC=mydomain,DC=lan
  Deleted CN=NTDS
Settings,CN=AD-DC00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  Deleted
CN=AD-DC00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  ERROR(<type 'exceptions.TypeError'>): uncaught exception -
Failed to process chunk: NT_STATUS_UNSUCCESSFUL
    File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
      return self.run(*args, **kwargs)
    File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
line 621, in run
      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
    File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
line 1183, in join_DC
      ctx.do_join()
    File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
line 1088, in do_join
      ctx.join_replicate()
    File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
line 828, in join_replicate
      replica_flags=ctx.domain_replica_flags)
    File
"/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py",
line 257, in replicate
      schema=schema, req_level=req_level, req=req)
It appears to me that this initial replication is choking here:
  No objectClass found in replPropertyMetaData for
CN=kerio_emailgroup,OU=Services,OU=Groups,OU=knock,DC=mydomain,DC=lan!
This makes me think something about my addition of specialized schema has
triggered, or tripped on, a bug somewhere downstream. I searched for strings on
the internet with similar warnings and found this conversation between Rowland
Penny and Luke Bigum:
  https://lists.samba.org/archive/samba/2015-June/192516.html
I'm wondering if I'm in a similar pickle. Could this be the bug I'm
hitting?
  https://bugzilla.samba.org/show_bug.cgi?id=10973#c8
Any advice on how to get myself out of this, via work-arounds or whatever, would
be greatly appreciated. Thank you in advance!
Matthew
©2015 KNOCK, inc.  All rights reserved. KNOCK is a registered trademark of
KNOCK, inc. This message and any attachments contain information, which is
confidential and/or privileged.  If you are not the intended recipient, please
refrain from any disclosure, copying, distribution or use of this information.
 Please be aware that such actions are prohibited.  If you have received this
transmission in error, kindly notify the sender by e-mail.  Your cooperation is
appreciated.
Andrew Bartlett
2015-Nov-16  08:53 UTC
[Samba] Domain join failure - error during DRS repl ADD: No objectClass found in replPropertyMetaData
On Sun, 2015-11-15 at 20:36 -0600, Matthew Delfino wrote:
> Hello Colleagues and Mentors,
>
> I'm attempting to join a Samba AD DC that I compiled with samba 4.3.1
> on Ubuntu 14.04.3 to a group of three AD DCs, also running Samba on
> Ubuntu 14.04.3, but each of them is running Canonical's pre-compiled
> Samba package, v4.1.6.

> It appears to me that this initial replication is choking here:
>
>   No objectClass found in replPropertyMetaData for
> CN=kerio_emailgroup,OU=Services,OU=Groups,OU=knock,DC=mydomain,DC=lan!
>
> This makes me think something about my addition of specialized schema
> has triggered, or tripped on, a bug somewhere downstream. I searched
> for strings on the internet with similar warnings and found this
> conversation between Rowland Penny and Luke Bigum:
>
>   https://lists.samba.org/archive/samba/2015-June/192516.html
>
> I'm wondering if I'm in a similar pickle. Could this be the bug I'm
> hitting?
>
>   https://bugzilla.samba.org/show_bug.cgi?id=10973#c8
>
> Any advice on how to get myself out of this, via work-arounds or
> whatever, would be greatly appreciated. Thank you in advance!

Yes, this is the same issue. You need to upgrade to Samba 4.3 on the
source DC, run dbcheck, fix the issues, and then you can join another
DC to the domain.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
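The sequence from the reply above, as an added example that is not part of the thread: pull the DN(s) the failed join complained about out of the saved join output, then run dbcheck on the upgraded source DC, report-only first and then with `--fix`. The function names and the embedded sample log are constructed for illustration, and `--cross-ncs` is an added choice so that every partition is checked.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample: the failure lines from the join output quoted in the
# thread, with the same mail-style wrapping.
SAMPLE_LOG='  Partition[DC=mydomain,DC=lan] objects[502/755] linked_values[0/0]
  No objectClass found in replPropertyMetaData for
CN=kerio_emailgroup,OU=Services,OU=Groups,OU=knock,DC=mydomain,DC=lan!
  Failed to apply records: replmd_replicated_apply_add: error during DRS repl
ADD: No objectClass found in replPropertyMetaData for
CN=kerio_emailgroup,OU=Services,OU=Groups,OU=knock,DC=mydomain,DC=lan!
  : Object class violation'

# failing_dns: read a join log on stdin and print each affected DN once.
# The DN may follow the message on the same line or on the next line.
failing_dns() {
  awk '
    function emit(dn) {
      sub(/^[ \t]+/, "", dn); sub(/[ \t]+$/, "", dn); sub(/!$/, "", dn)
      if (dn != "" && !(dn in seen)) { seen[dn] = 1; print dn }
    }
    pending { emit($0); pending = 0; next }
    /No objectClass found in replPropertyMetaData for/ {
      rest = $0
      sub(/.*No objectClass found in replPropertyMetaData for/, "", rest)
      if (rest ~ /[^ \t]/) emit(rest); else pending = 1
    }
  '
}

# check_source_dc: run on the source DC once it is on Samba 4.3.
# Without arguments it only reports; "fix" applies repairs, so back up
# the AD database before using it.
check_source_dc() {
  if [ "${1:-}" = "fix" ]; then
    samba-tool dbcheck --cross-ncs --fix
  else
    samba-tool dbcheck --cross-ncs
  fi
}

# Usage: script.sh join.log   (no argument: run on the constructed sample)
if [ -n "${1:-}" ] && [ -r "$1" ]; then
  failing_dns < "$1"
else
  printf '%s\n' "$SAMPLE_LOG" | failing_dns
fi
```

The DNs printed by `failing_dns` are the objects to look for in the dbcheck report before retrying the join.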
Matthew Delfino
2015-Nov-16  13:12 UTC
[Samba] Domain join failure - error during DRS repl ADD: No objectClass found in replPropertyMetaData
On 2015.11.16, at 2:53 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sun, 2015-11-15 at 20:36 -0600, Matthew Delfino wrote:
>> Hello Colleagues and Mentors,
>>
>> I'm attempting to join a Samba AD DC that I compiled with samba 4.3.1
>> on Ubuntu 14.04.3 to a group of three AD DCs, also running Samba on
>> Ubuntu 14.04.3, but each of them is running Canonical's pre-compiled
>> Samba package, v4.1.6.
>
>> It appears to me that this initial replication is choking here:
>>
>>   No objectClass found in replPropertyMetaData for
>> CN=kerio_emailgroup,OU=Services,OU=Groups,OU=knock,DC=mydomain,DC=lan!
>>
>> This makes me think something about my addition of specialized schema
>> has triggered, or tripped on, a bug somewhere downstream. I searched
>> for strings on the internet with similar warnings and found this
>> conversation between Rowland Penny and Luke Bigum:
>>
>>   https://lists.samba.org/archive/samba/2015-June/192516.html
>>
>> I'm wondering if I'm in a similar pickle. Could this be the bug I'm
>> hitting?
>>
>>   https://bugzilla.samba.org/show_bug.cgi?id=10973#c8
>>
>> Any advice on how to get myself out of this, via work-arounds or
>> whatever, would be greatly appreciated. Thank you in advance!
>
> Yes, this is the same issue. You need to upgrade to Samba 4.3 on the
> source DC, run dbcheck, fix the issues, and then you can join another
> DC to the domain.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

I’m breathing a sigh of relief this morning in rainy Minneapolis because
this is very encouraging to hear. Thank you! HOWEVER… this opens a door to
another room I’ve never been in because I know the Debian/Ubuntu version of
Samba 4.1.6 has been configured with some tweaks to install it differently
(sbin and bin binaries installed into existing directories, conf file
installed under /etc/samba/, etc.).

How would an expert do this? Just apt-get remove samba and install the
latest version from source? Any configure tweaks? Where would I move the
existing databases and other files? What do I need to keep? What can I
leave behind? I’m not expecting you to answer all of these questions, but
perhaps you know of a helpful tutorial online? I can’t seem to find a good
one…

Matthew