On 07/07/16 17:14, Jason Waters wrote:
> I'm going to keep going and see if I can get Samba joined and then
> migrated over. Maybe I'm still focusing on the wrong thing! Ugh....
>
> On Thu, Jul 7, 2016 at 12:12 PM, Jason Waters <jason at geeknocity.com> wrote:
>
>> So I wanted to test if something was broken in my DC, so I set up a
>> "new" 2003 DC with a different domain, example.com. I do the ldbsearch
>> against that and I get the same error instead of it listing the DNS
>> entries.... So maybe it is a 2003 thing?
>>
>> On Thu, Jul 7, 2016 at 11:55 AM, Rowland penny <rpenny at samba.org> wrote:
>>
>>> On 07/07/16 16:19, Jason Waters wrote:
>>>> search error - LDAP error 10 LDAP_REFERRAL - <0000202B:
>>>> RefErr: DSID-0310063C, data 0, 1 access points
>>>> ref 1: 'DomainDnsZones.fisherthompson.local'
>>>> <ldap://DomainDnsZones.fisherthompson.local/DC=DomainDnsZones,DC=fisherthompson,DC=local>
>>>
>>> If you look here: https://www.ldap.com/ldap-result-code-reference
>>>
>>> You will find this:
>>>
>>>     10: Referral
>>>
>>>     This indicates that the server could not process the requested
>>>     operation, but that it may succeed if attempted in another
>>>     location, as specified by the referral URIs included in the
>>>     response.
>>>
>>> Never having seen this before, all I can suggest is trying
>>> what it is telling you to do; the only problem is, I don't really
>>> recognise the LDAP URL.
>>>
>>> Rowland
>>>
>>>> On Thu, Jul 7, 2016 at 11:04 AM, Rowland penny <rpenny at samba.org> wrote:
>>>>
>>>>> On 07/07/16 13:56, Jason Waters wrote:
>>>>>
>>>>>> So I continue to struggle getting this moved away from Windows 2003 to
>>>>>> Samba. I've been working in VMs to test before doing it on production. I
>>>>>> think something is just wrong/broken with my Windows 2003 AD. These are a
>>>>>> couple of the things I have tried.
>>>>>>
>>>>>> - Going from Windows 2003 to Windows 2008 to Samba
>>>>>> - Seizing the roles and then joining another Samba domain controller. But
>>>>>>   I'm unable to move the DomainDnsZones and ForestDnsZones FSMOs to the new
>>>>>>   Samba box. Like it is copying bad data.
>>>>>> - Set up a new domain with Samba, joined Windows 2008 and migrated
>>>>>>   everything around fine! Another reason why I think something is wrong in
>>>>>>   my data.
>>>>>>
>>>>>> So the last thing I've been trying to figure out is why the command
>>>>>>
>>>>>>     ldbsearch --cross-ncs -H ldap://pdc -b "DC=DomainDnsZones,DC=fisherthompson,DC=local" -s sub -Uadministrator
>>>>>>
>>>>>> returns a referral instead of the records. On my purely stock Samba domain
>>>>>> it works fine, so something about the Windows 2003 AD?
>>>>>
>>>>> I think it must be, on my DC it dumps all the domain DNS
>>>>> records. What does it actually return?
>>>>>
>>>>> Rowland
>>>>>
>>>>>> But if I open ADSIEDIT and connect to
>>>>>> DC=DomainDnsZones,DC=fisherthompson,DC=local on the Windows 2003 DC I see
>>>>>> everything like I should.....
>>>>>>
>>>>>> It seems like Samba and the ldb tools aren't following the referrals. Or they
>>>>>> shouldn't be referrals? Or something else that I have no idea about!
>>>>>>
>>>>>> Any other suggestions? Thanks!
>>>>>>
>>>>>> Jason
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba

Try reading this: https://support.microsoft.com/en-us/kb/304489

I have also had another thought: join the samba4 DC using the internal DNS
server, then use samba_upgradedns to upgrade to Bind9; this should create
the DNS partitions etc. Not really sure if this will work, I have never had
this problem, but it is worth trying in a test environment.

Rowland
So I joined with Samba's internal DNS, then converted to BIND, then tested.
Seems like it was working. I forced the 2003 machine out, cleaned up the
metadata and everything seemed to be working OK. So I raised the domain
level like this:

    samba-tool domain level raise
    samba-tool domain level raise --domain-level=2008_R2
    samba-tool domain level raise --forest-level=2008_R2

everything shows as 2008_R2

so now I think I'm making progress. I spin up another Linux box, get it
ready to join, starts to join, then fails

says LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <0000200A: objectclass_attrs:
attribute 'msDS-SupportedEncryptionTypes' on entry 'CN=DC04,OU=Domain
Controllers,DC=example,DC=local' was not found in the schema

so I thought well I'm going to try having a Windows 2008 R2 server join as
a DC, run dcpromo and it says I need to run /forestprep on the AD. Well I
can't do that now that it is on Linux, right?

On Thu, Jul 7, 2016 at 12:29 PM, Rowland penny <rpenny at samba.org> wrote:
> [...]
>
> Try reading this: https://support.microsoft.com/en-us/kb/304489
>
> I have also had another thought: join the samba4 DC using the internal DNS
> server, then use samba_upgradedns to upgrade to Bind9; this should create
> the DNS partitions etc. Not really sure if this will work, I have never had
> this problem, but it is worth trying in a test environment.
>
> Rowland
On 07/07/16 21:13, Jason Waters wrote:
> [...]
>
> so now I think I'm making progress. I spin up another Linux box, get
> it ready to join, starts to join, then fails
>
> says LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <0000200A:
> objectclass_attrs: attribute 'msDS-SupportedEncryptionTypes' on entry
> 'CN=DC04,OU=Domain Controllers,DC=example,DC=local' was not found in
> the schema
>
> so I thought well I'm going to try having a Windows 2008 R2 server
> join as a DC, run dcpromo and it says I need to run /forestprep on the
> AD. Well I can't do that now that it is on Linux, right?

It should be there; it sounds like you have an incomplete schema. You could
try running 'samba-tool dbcheck --fix'.

Rowland
On Thu, 2016-07-07 at 16:13 -0400, Jason Waters wrote:
> [...]
>
> So I raised the domain level like this
>
>     samba-tool domain level raise
>     samba-tool domain level raise --domain-level=2008_R2
>     samba-tool domain level raise --forest-level=2008_R2
>
> everything shows as 2008_R2
>
> so now I think I'm making progress. I spin up another Linux box, get it
> ready to join, starts to join, then fails
>
> says LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <0000200A: objectclass_attrs:
> attribute 'msDS-SupportedEncryptionTypes' on entry 'CN=DC04,OU=Domain
> Controllers,DC=example,DC=local' was not found in the schema
>
> so I thought well I'm going to try having a Windows 2008 R2 server join as
> a DC, run dcpromo and it says I need to run /forestprep on the AD. Well I
> can't do that now that it is on Linux, right?

Correct. Currently nobody has coded the magic to allow us to upgrade a
schema in Samba, and dbcheck can't help with that at the moment either.

The cleanest option would be to do it before joining Samba to the 2003
domain, with the MS tools.

We really should have a minimum schema level check on the FL raise code
(bugs welcome).

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
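The check Andrew says samba-tool should have had is straightforward to do by hand before raising the functional level. The script below is an added example written for this page; it is not code from the thread or from the Samba project. It parses ldbsearch LDIF output for the schema partition's objectVersion and for the lDAPDisplayName of the 2008-era attribute the join failed on, and refuses the raise when either is missing. The schema objectVersion values per Windows release are the well-known ones (2003 = 30, 2008 = 44, 2008 R2 = 47, 2012 = 56, 2012 R2 = 69); the sam.ldb path, the DC=example,DC=local base and the sample LDIF are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: pre-flight
# check to run *before* 'samba-tool domain level raise'. Samba cannot
# upgrade an existing schema (Andrew's point above), so the schema must
# already be at the target level. We read the schema NC's objectVersion
# and confirm a 2008-era attribute is actually present in the schema.
set -eu

# Well-known schema objectVersion for each Windows release, keyed by the
# level names samba-tool accepts. This is the minimum the raise should need.
min_schema_for_level() {
    case "$1" in
        2003)    echo 30 ;;
        2008)    echo 44 ;;
        2008_R2) echo 47 ;;
        2012)    echo 56 ;;
        2012_R2) echo 69 ;;
        *) echo "unknown functional level: $1" >&2; return 1 ;;
    esac
}

# Read LDIF (ldbsearch output) on stdin and print the objectVersion value.
# Fails if the attribute is absent.
schema_version() {
    awk -F': ' '$1 == "objectVersion" { print $2; found = 1 }
                END { exit !found }'
}

# Read LDIF on stdin; succeed iff some entry has lDAPDisplayName equal to $1.
has_schema_attribute() {
    awk -F': ' -v want="$1" \
        '$1 == "lDAPDisplayName" && $2 == want { found = 1 }
         END { exit !found }'
}

# Decide whether raising to level $1 is safe given schema version $2.
schema_ok_for_level() {
    min=$(min_schema_for_level "$1") || return 2
    [ "$2" -ge "$min" ]
}

# Live use against a Samba DC (assumed paths and base DN; not run here):
#   SAM=/var/lib/samba/private/sam.ldb
#   SCHEMA='CN=Schema,CN=Configuration,DC=example,DC=local'
#   ver=$(ldbsearch -H "$SAM" -b "$SCHEMA" -s base objectVersion | schema_version)
#   ldbsearch -H "$SAM" -b "$SCHEMA" -s one \
#       '(lDAPDisplayName=msDS-SupportedEncryptionTypes)' lDAPDisplayName \
#       | has_schema_attribute msDS-SupportedEncryptionTypes
#   schema_ok_for_level 2008_R2 "$ver" \
#       && samba-tool domain level raise --forest-level=2008_R2

# Constructed LDIF resembling the thread's situation: a 2003-level schema
# (objectVersion 30) that lacks msDS-SupportedEncryptionTypes ...
SAMPLE_2003='dn: CN=Schema,CN=Configuration,DC=example,DC=local
objectVersion: 30

dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=example,DC=local
lDAPDisplayName: sAMAccountName
'

# ... and a 2008 R2 schema that has it.
SAMPLE_2008R2='dn: CN=Schema,CN=Configuration,DC=example,DC=local
objectVersion: 47

dn: CN=ms-DS-Supported-Encryption-Types,CN=Schema,CN=Configuration,DC=example,DC=local
lDAPDisplayName: msDS-SupportedEncryptionTypes
'

# Demo: the 2003 sample must be refused, the 2008 R2 sample accepted.
for sample in "$SAMPLE_2003" "$SAMPLE_2008R2"; do
    ver=$(printf '%s\n' "$sample" | schema_version)
    if schema_ok_for_level 2008_R2 "$ver" \
       && printf '%s\n' "$sample" | has_schema_attribute msDS-SupportedEncryptionTypes; then
        echo "schema objectVersion $ver: OK to raise to 2008_R2"
    else
        echo "schema objectVersion $ver: refuse to raise to 2008_R2" \
             "(need $(min_schema_for_level 2008_R2) and msDS-SupportedEncryptionTypes)"
    fi
done
```

Two caveats for live use: the awk parsing handles only simple `attr: value` lines, not base64 (`::`) or folded continuation lines, which is fine for objectVersion and lDAPDisplayName but not for LDIF in general; and passing the version check is necessary, not sufficient, since a partially applied forestprep can leave objectVersion raised while individual attributes are missing, which is why the attribute check is done as well.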