samba - Nov 2015 - Domain join failure - error during DRS repl ADD: No objectClass found in replPropertyMetaData

On 2015.11.16, at 2:53 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sun, 2015-11-15 at 20:36 -0600, Matthew Delfino wrote:
>> Hello Colleagues and Mentors,
>> 
>> I'm attempting to join a Samba AD DC that I compiled with samba
4.3.1
>> on Ubuntu 14.04.3 to a group of three AD DCs, also running Samba on
>> Ubuntu 14.04.3, but each of them is running Canonical's
pre-compiled
>> Samba package, v4.1.6.
> 
>> It appears to me that this initial replication is choking here:
>> 
>>  No objectClass found in replPropertyMetaData for
>> CN=kerio_emailgroup,OU=Services,OU=Groups,OU=knock,DC=mydomain,DC=lan
>> !
>> 
>> This makes me think something about my addition of specialized schema
>> has triggered, or tripped on, a bug somewhere downstream. I searched
>> for strings on the internet with similar warnings and found this
>> conversation between Rowland Penny and Luke Bigum:
>> 
>>  https://lists.samba.org/archive/samba/2015-June/192516.html
>> 
>> I'm wondering if I'm in a similar pickle. Could this be the bug
I'm
>> hitting?
>> 
>>  https://bugzilla.samba.org/show_bug.cgi?id=10973#c8
>> 
>> Any advice on how to get myself out of this, via work-arounds or
>> whatever, would be greatly appreciated. Thank you in advance!
> 
> Yes, this is the same issue.  You need to upgrade to Samba 4.3 on the
> source DC, run dbcheck, fix the issues, and then you can join another
> DC to the domain.
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
I’m breathing a sigh of relief this morning in rainy Minneapolis because this is
very encouraging to hear. Thank you!

HOWEVER… this opens a door to another room I’ve never been in because I know the
Debian/Ubuntu version of Samba 4.1.6 has been configured with some tweaks to
install it differently (sbin and bin binaries installed into existing
directories, conf file installed under /etc/samba/, etc.).

How would an expert do this? Just apt-get remove samba and install the latest
version from source? Any configure tweaks? Where would I move the existing
databases and other files? What do I need to keep? What can I leave behind? I’m
not expecting you to answer all of these questions, but perhaps you know of a
helpful tutorial online? I can’t seem to find a good one…

Matthew

©2015 KNOCK, inc.  All rights reserved. KNOCK is a registered trademark of
KNOCK, inc. This message and any attachments contain information, which is
confidential and/or privileged.  If you are not the intended recipient, please
refrain from any disclosure, copying, distribution or use of this information.
 Please be aware that such actions are prohibited.  If you have received this
transmission in error, kindly notify the sender by e-mail.  Your cooperation is
appreciated.

On Mon, 2015-11-16 at 07:12 -0600, Matthew Delfino
wrote:
> On 2015.11.16, at 2:53 AM, Andrew Bartlett <abartlet at samba.org>
> wrote:
> 
> > On Sun, 2015-11-15 at 20:36 -0600, Matthew Delfino wrote:
> > > Hello Colleagues and Mentors,
> > > 
> > > I'm attempting to join a Samba AD DC that I compiled with
samba
> > > 4.3.1
> > > on Ubuntu 14.04.3 to a group of three AD DCs, also running Samba
> > > on
> > > Ubuntu 14.04.3, but each of them is running Canonical's pre
> > > -compiled
> > > Samba package, v4.1.6.
> > 
> > > It appears to me that this initial replication is choking here:
> > > 
> > >  No objectClass found in replPropertyMetaData for
> > > CN=kerio_emailgroup,OU=Services,OU=Groups,OU=knock,DC=mydomain,DC
> > > =lan
> > > !
> > > 
> > > This makes me think something about my addition of specialized
> > > schema
> > > has triggered, or tripped on, a bug somewhere downstream. I
> > > searched
> > > for strings on the internet with similar warnings and found this
> > > conversation between Rowland Penny and Luke Bigum:
> > > 
> > >  https://lists.samba.org/archive/samba/2015-June/192516.html
> > > 
> > > I'm wondering if I'm in a similar pickle. Could this be
the bug
> > > I'm
> > > hitting?
> > > 
> > >  https://bugzilla.samba.org/show_bug.cgi?id=10973#c8
> > > 
> > > Any advice on how to get myself out of this, via work-arounds or
> > > whatever, would be greatly appreciated. Thank you in advance!
> > 
> > Yes, this is the same issue.  You need to upgrade to Samba 4.3 on
> > the
> > source DC, run dbcheck, fix the issues, and then you can join
> > another
> > DC to the domain.
> > 
> > Andrew Bartlett
> > 
> > -- 
> > Andrew Bartlett                       http://samba.org/~abartlet/
> > Authentication Developer, Samba Team  http://samba.org
> > Samba Developer, Catalyst IT          
> > http://catalyst.net.nz/services/samba
> 
> I’m breathing a sigh of relief this morning in rainy Minneapolis
> because this is very encouraging to hear. Thank you!
> 
> HOWEVER… this opens a door to another room I’ve never been in because
> I know the Debian/Ubuntu version of Samba 4.1.6 has been configured
> with some tweaks to install it differently (sbin and bin binaries
> installed into existing directories, conf file installed under
> /etc/samba/, etc.).
> 
> How would an expert do this? Just apt-get remove samba and install
> the latest version from source? Any configure tweaks? Where would I
> move the existing databases and other files? What do I need to keep?
> What can I leave behind? I’m not expecting you to answer all of these
> questions, but perhaps you know of a helpful tutorial online? I can’t
> seem to find a good one…
Do you intend to keep the 4.1 server after fixing it?

If not, then you can install Samba from source, then run dbcheck from
the 4.3 install pointed at the 4.1 sam.ldb file with samba-tool dbcheck
-H /var/lib/samba/private/sam.ldb

That will fix the DB, and allow you to join the domain.  The DB will
only corrupt again when modifications are made to objects using
additional schema - so just don't change those until you remove the 4.1
server finally.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

If you plan to keep 4.3.x you can use --enable-fhs from configure script's
options (and the two others proposed by configure --help associated to
--enable-fhs). Doing that you should have most of your directories reused
(/etc/samba, /var/lib/samba...)

That worked for me as I don't care polluting /usr and others (I use VMs and
destroy them without a tear) on Centos 7 when I switched from Sernet
version to compiled version. No idea regarding Debian 'cause I'm not
allowed to used that system here :/

Cheers


2015-11-18 11:25 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:
> On Mon, 2015-11-16 at 07:12 -0600, Matthew Delfino wrote:
> > On 2015.11.16, at 2:53 AM, Andrew Bartlett <abartlet at
samba.org>
> > wrote:
> >
> > > On Sun, 2015-11-15 at 20:36 -0600, Matthew Delfino wrote:
> > > > Hello Colleagues and Mentors,
> > > >
> > > > I'm attempting to join a Samba AD DC that I compiled
with samba
> > > > 4.3.1
> > > > on Ubuntu 14.04.3 to a group of three AD DCs, also running
Samba
> > > > on
> > > > Ubuntu 14.04.3, but each of them is running Canonical's
pre
> > > > -compiled
> > > > Samba package, v4.1.6.
> > >
> > > > It appears to me that this initial replication is choking
here:
> > > >
> > > >  No objectClass found in replPropertyMetaData for
> > > >
CN=kerio_emailgroup,OU=Services,OU=Groups,OU=knock,DC=mydomain,DC
> > > > =lan
> > > > !
> > > >
> > > > This makes me think something about my addition of
specialized
> > > > schema
> > > > has triggered, or tripped on, a bug somewhere downstream. I
> > > > searched
> > > > for strings on the internet with similar warnings and found
this
> > > > conversation between Rowland Penny and Luke Bigum:
> > > >
> > > >  https://lists.samba.org/archive/samba/2015-June/192516.html
> > > >
> > > > I'm wondering if I'm in a similar pickle. Could this
be the bug
> > > > I'm
> > > > hitting?
> > > >
> > > >  https://bugzilla.samba.org/show_bug.cgi?id=10973#c8
> > > >
> > > > Any advice on how to get myself out of this, via
work-arounds or
> > > > whatever, would be greatly appreciated. Thank you in
advance!
> > >
> > > Yes, this is the same issue.  You need to upgrade to Samba 4.3 on
> > > the
> > > source DC, run dbcheck, fix the issues, and then you can join
> > > another
> > > DC to the domain.
> > >
> > > Andrew Bartlett
> > >
> > > --
> > > Andrew Bartlett                       http://samba.org/~abartlet/
> > > Authentication Developer, Samba Team  http://samba.org
> > > Samba Developer, Catalyst IT
> > > http://catalyst.net.nz/services/samba
> >
> > I’m breathing a sigh of relief this morning in rainy Minneapolis
> > because this is very encouraging to hear. Thank you!
> >
> > HOWEVER… this opens a door to another room I’ve never been in because
> > I know the Debian/Ubuntu version of Samba 4.1.6 has been configured
> > with some tweaks to install it differently (sbin and bin binaries
> > installed into existing directories, conf file installed under
> > /etc/samba/, etc.).
> >
> > How would an expert do this? Just apt-get remove samba and install
> > the latest version from source? Any configure tweaks? Where would I
> > move the existing databases and other files? What do I need to keep?
> > What can I leave behind? I’m not expecting you to answer all of these
> > questions, but perhaps you know of a helpful tutorial online? I can’t
> > seem to find a good one…
>
> Do you intend to keep the 4.1 server after fixing it?
>
> If not, then you can install Samba from source, then run dbcheck from
> the 4.3 install pointed at the 4.1 sam.ldb file with samba-tool dbcheck
> -H /var/lib/samba/private/sam.ldb
>
> That will fix the DB, and allow you to join the domain.  The DB will
> only corrupt again when modifications are made to objects using
> additional schema - so just don't change those until you remove the 4.1
> server finally.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>