Rowland penny wrote on 3/18/16 1:19 PM:
> See inline comments
>
>
> On 18/03/16 20:11, Robert Moulton wrote:
>> Rowland penny wrote on 3/18/16 12:58 PM:
>>> On 18/03/16 19:27, Robert Moulton wrote:
>>>> Rowland penny wrote on 3/18/16 11:48 AM:
>>>>> On 18/03/16 18:19, Robert Moulton wrote:
>>>>>> Greetings - On our samba 4 (4.3.3) AD controller I just noticed
>>>>>> something odd. When I run 'samba-tool fsmo show' I get an error:
>>>>>>
>>>>>> # samba-tool fsmo show
>>>>>> ERROR(ldb): uncaught exception - No such Base DN: CN=Infrastructure,DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu
>>>>>>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>>>     return self.run(*args, **kwargs)
>>>>>>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 395, in run
>>>>>>     domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
>>>>>>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 40, in get_fsmo_roleowner
>>>>>>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
>>>>>>
>>>>>> And 'ldbsearch' verifies that DomainDnsZones is missing:
>>>>>>
>>>>>> # ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb '(fsmoroleowner=*)' | grep 'dn:'
>>>>>> dn: CN=Schema,CN=Configuration,DC=biostat,DC=washington,DC=edu
>>>>>> dn: CN=Partitions,CN=Configuration,DC=biostat,DC=washington,DC=edu
>>>>>> dn: DC=biostat,DC=washington,DC=edu
>>>>>> dn: CN=Infrastructure,DC=biostat,DC=washington,DC=edu
>>>>>> dn: CN=RID Manager$,CN=System,DC=biostat,DC=washington,DC=edu
>>>>>>
>>>>>> What might explain this anomaly, and more importantly, what should be
>>>>>> done to address it?
>>>>>>
>>>>>> thanks,
>>>>>> -r
>>>>>>
>>>>>
>>>>> OK, as for how you got here: how was the domain provisioned?
>>>>
>>>> Provisioning was a 'classicupgrade' of a samba 3 domain with LDAP
>>>> backend.
>>>
>>> I don't suppose you can remember the actual command you ran to upgrade?
>>
>> I remember:
>>
>> samba-tool domain classicupgrade --dbdir=/var/tmp/dbdir/
>> --use-xattrs=yes --realm=biostat.washington.edu
>> --dns-backend=BIND9_FLATFILE --option="interfaces=lo eth0"
>> --option="bind interfaces only=yes" /var/tmp/dbdir/smb.conf
>>
>
> And there is your problem, --dns-backend=BIND9_FLATFILE
>
> Flatfiles do not store their info in AD
>
> Please tell me that this domain is only a test domain and you can re-run
> the upgrade with '--dns-backend=BIND9_DLZ' or
> '--dns-backend=SAMBA_INTERNAL'
>
> Rowland
It's a production domain. We run our own DNS and tried BIND9_DLZ but our
DNS setup is complicated enough that we ended up resorting to flatfile,
manually updating our BIND zone files as needed. We know it isn't ideal
but we haven't encountered any problems until now.
Couldn't we simply add the missing DNs (along with corresponding DNS
records, if necessary)?
>> (output is appended below)
>>
>>>
>>>>
>>>>> You are actually missing two fsmo roleowners, your ldbsearch should
>>>>> return these as well as the other 5:
>>>>>
>>>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu
>>>>> dn: CN=Infrastructure,DC=ForestDnsZones,DC=biostat,DC=washington,DC=edu
>>>>>
>>>>> Do the 'DNs' exist ?
>>>>>
>>>>> try this:
>>>>>
>>>>> ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b 'DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu' -s sub '(cn=Infrastructure)'
>>>>>
>>>>> Does it return anything ?
>>>>>
>>>>
>>>> uh-oh, no such base dn ...
>>>>
>>>> # ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b 'DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu' -s sub '(cn=Infrastructure)'
>>>> search error - No such Base DN: DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu
>>>>
>>>>> Run it again, but replace 'DC=DomainDnsZones' with
>>>>> 'DC=ForestDnsZones',
>>>>> does this return anything ?
>>>>
>>>> ... and again:
>>>>
>>>> [root at porter ~]# ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b 'DC=ForestDnsZones,DC=biostat,DC=washington,DC=edu' -s sub '(cn=Infrastructure)'
>>>> search error - No such Base DN: DC=ForestDnsZones,DC=biostat,DC=washington,DC=edu
>>>>
>>>> should they be added with ldbadd?
>>>
>>> It is not as simple as that, you probably have a lot more missing.
>>>
>>> When you ran the upgrade command, did you cut and paste it from the wiki?
>>> If so, you may have missed half the command line. I have just looked
>>> at the wiki page and altered it so it shows all the command.
>>>
>>> I have never been in this position, so I am unsure if you can add the
>>> DNS objects to AD and if you can, I do not know how.
>>>
>>> Rowland
>>>>
>>>>> If the objects exist, then you need to add the fsmo roleowners with
>>>>> ldbmodify
>>>>>
>>>>> You need to create an ldif
>>>>>
>>>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=biostat,DC=washington,DC=edu
>>>>> changetype: modify
>>>>> add: fSMORoleOwner
>>>>> fSMORoleOwner: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=biostat,DC=washington,DC=edu
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Then use ldbmodify to add the ldif, repeat for the ForestDnsZones
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>
>>>
>>
>> # /usr/local/samba/bin/samba-tool domain classicupgrade
>> --dbdir=/var/tmp/dbdir/ --use-xattrs=yes
>> --realm=biostat.washington.edu --dns-backend=BIND9_FLATFILE
>> --option="interfaces=lo eth0" --option="bind interfaces only=yes"
>> /var/tmp/dbdir/smb.conf
>> Reading smb.conf
>> Provisioning
>> Exporting account policy
>> Exporting groups
>> Exporting users
>> Ignoring group memberships of 'root'
>> S-1-5-21-1900679799-3721262086-4005390970-1001: Unable to enumerate
>> group memberships, (-1073741596,This error indicates that the
>> requested operation cannot be completed due to a catastrophic media
>> failure or an on-disk data structure corruption.)
>> Skipping wellknown rid=500 (for username=Administrator)
>> Next rid = 23307
>> Exporting posix attributes
>> Reading WINS database
>> Cannot open wins database, Ignoring: [Errno 2] No such file or
>> directory: '/var/tmp/dbdir/wins.dat'
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up share.ldb
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> Adding DomainDN: DC=biostat,DC=washington,DC=edu
>> Adding configuration container
>> Setting up sam.ldb schema
>> Setting up sam.ldb configuration data
>> Setting up display specifiers
>> Modifying display specifiers
>> Adding users container
>> Modifying users container
>> Adding computers container
>> Modifying computers container
>> Setting up sam.ldb data
>> Setting up well known security principals
>> Setting up sam.ldb users and groups
>> Setting up self join
>> Setting acl on sysvol skipped
>> Adding DNS accounts
>> Creating CN=MicrosoftDNS,CN=System,DC=biostat,DC=washington,DC=edu
>> rndc: 'freeze' failed: not found
>> rndc: 'unfreeze' failed: not found
>> See /usr/local/samba/private/named.conf for an example configuration
>> include file for BIND
>> and /usr/local/samba/private/named.txt for further documentation
>> required for secure DNS updates
>> Setting up sam.ldb rootDSE marking as synchronized
>> Fixing provision GUIDs
>> A Kerberos configuration suitable for Samba 4 has been generated at
>> /usr/local/samba/private/krb5.conf
>> Setting up fake yp server settings
>> Once the above files are installed, your Samba4 server will be ready
>> to use
>> Server Role: active directory domain controller
>> Hostname: marzen
>> NetBIOS Domain: BIOSTAT
>> DNS Domain: biostat.washington.edu
>> DOMAIN SID: S-1-5-21-1900679799-3721262086-4005390970
>> Importing WINS database
>> Importing Account policy
>> Importing idmap database
>> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
>> Adding groups
>> Importing groups
>> Group already exists
>> sid=S-1-5-21-1900679799-3721262086-4005390970-512, groupname=Domain
>> Admins existing_groupname=Domain Admins, Ignoring.
>> Group already exists
>> sid=S-1-5-21-1900679799-3721262086-4005390970-515, groupname=Domain
>> Computers existing_groupname=Domain Computers, Ignoring.
>> Group already exists
>> sid=S-1-5-21-1900679799-3721262086-4005390970-514, groupname=Domain
>> Guests existing_groupname=Domain Guests, Ignoring.
>> Group already exists
>> sid=S-1-5-21-1900679799-3721262086-4005390970-513, groupname=Domain
>> Users existing_groupname=Domain Users, Ignoring.
>> Group already exists sid=S-1-5-32-544, groupname=Administrators
>> existing_groupname=Administrators, Ignoring.
>> Group already exists sid=S-1-5-32-545, groupname=Users
>> existing_groupname=Users, Ignoring.
>> Committing 'add groups' transaction to disk
>> Adding users
>> Importing users
>> User root has been kept in the directory, it should be removed in
>> favour of the Administrator user
>> Committing 'add users' transaction to disk
>> Adding users to groups
>> Committing 'add users to groups' transaction to disk
>> Setting password for administrator
>> Administrator password has been set to password of user 'root'
>
>
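The check Rowland describes above (seven fSMORoleOwner holders expected, five returned, the LDIF to add a missing owner once the object is confirmed to exist) as an added example; this is not code from the thread or from the Samba project. It parses the text output of the `ldbsearch --cross-ncs ... '(fsmoroleowner=*)'` command run without the trailing `grep`, lists which expected role-owner DNs are absent, and builds the LDIF for `ldbmodify` in the shape Rowland gave. The sample output is constructed from the five DNs quoted in the thread; `CN=DC` in the NTDS Settings DN is the placeholder from Rowland's LDIF and stands for the DC's own name.

```python
"""Check a Samba AD domain's fSMORoleOwner holders from ldbsearch output.

Added example (not from the thread or the Samba project). It reads the LDIF
that ldbsearch prints, reports which of the seven expected role-owner objects
are absent, and produces the ldbmodify LDIF for adding an fSMORoleOwner.
The LDIF is only meaningful where the object itself already exists; a
missing partition (the 'No such Base DN' case in the thread) needs more.
"""
import re

# Assumed values taken from the thread; CN=DC is Rowland's placeholder.
DOMAIN_DN = "DC=biostat,DC=washington,DC=edu"
NTDS_SETTINGS_DN = ("CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,"
                    "CN=Sites,CN=Configuration," + DOMAIN_DN)

# The seven objects that carry fSMORoleOwner once the DomainDnsZones and
# ForestDnsZones application partitions exist, relative to the domain DN.
FSMO_TEMPLATES = (
    "CN=Schema,CN=Configuration,{domain}",
    "CN=Partitions,CN=Configuration,{domain}",
    "{domain}",
    "CN=Infrastructure,{domain}",
    "CN=RID Manager$,CN=System,{domain}",
    "CN=Infrastructure,DC=DomainDnsZones,{domain}",
    "CN=Infrastructure,DC=ForestDnsZones,{domain}",
)


def expected_fsmo_dns(domain_dn):
    return [t.format(domain=domain_dn) for t in FSMO_TEMPLATES]


def parse_records(ldbsearch_output):
    """Parse ldbsearch LDIF output into a list of {attr: value} dicts.

    Continuation lines start with a single space (LDIF folding) and are
    joined back first; '#' lines such as '# record 1' are skipped. Base64
    ('::') values are not decoded, which is fine for DN-valued attributes.
    """
    unfolded = re.sub(r"\n ", "", ldbsearch_output)
    records, current = [], {}
    for line in unfolded.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def fsmo_owners(ldbsearch_output):
    """Map each returned DN to its fSMORoleOwner value (None if absent)."""
    return {r["dn"]: r.get("fsmoroleowner")
            for r in parse_records(ldbsearch_output) if "dn" in r}


def _norm(dn):
    # DNs compare case-insensitively; also drop whitespace after commas.
    return re.sub(r",\s+", ",", dn).lower()


def missing_fsmo_owners(ldbsearch_output, domain_dn):
    """Expected role-owner DNs that the ldbsearch output did not return."""
    present = {_norm(d) for d in fsmo_owners(ldbsearch_output)}
    return [d for d in expected_fsmo_dns(domain_dn) if _norm(d) not in present]


def fsmo_owner_ldif(object_dn, ntds_settings_dn):
    """LDIF for ldbmodify that adds fSMORoleOwner to an existing object."""
    return (f"dn: {object_dn}\n"
            "changetype: modify\n"
            "add: fSMORoleOwner\n"
            f"fSMORoleOwner: {ntds_settings_dn}\n")


# Constructed sample: the five DNs the thread's search returned, with one
# folded fSMORoleOwner value to exercise the unfolding.
SAMPLE_OUTPUT = """\
# record 1
dn: CN=Schema,CN=Configuration,DC=biostat,DC=washington,DC=edu
fSMORoleOwner: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=biostat,DC=washington,DC=edu

# record 2
dn: CN=Partitions,CN=Configuration,DC=biostat,DC=washington,DC=edu

# record 3
dn: DC=biostat,DC=washington,DC=edu

# record 4
dn: CN=Infrastructure,DC=biostat,DC=washington,DC=edu

# record 5
dn: CN=RID Manager$,CN=System,DC=biostat,DC=washington,DC=edu

# returned 5 records
"""

if __name__ == "__main__":
    for dn in missing_fsmo_owners(SAMPLE_OUTPUT, DOMAIN_DN):
        print("missing fSMORoleOwner on:", dn)
        print(fsmo_owner_ldif(dn, NTDS_SETTINGS_DN))
```

Run it against real output by replacing `SAMPLE_OUTPUT` with the captured text of the `ldbsearch` command; a DN listed as missing should first be checked with the base-scoped `ldbsearch -b ... -s sub '(cn=Infrastructure)'` from the thread, since the LDIF only repairs the attribute, not an absent partition.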