Heinz Hölzl
2016-Sep-28 17:12 UTC
[Samba] samba-tool domain join DC hang
Hi,

the only thing I did was to assign every user to another group. After this I changed the primary group to these new groups and the samba-server itself assigned the users to the group "domain users" automatically (attribute: member). Now I try to revert this and to change the primary group back to 513, so I can again have a Domain Users object with a small number of members.

Thanx
heinz

On Wednesday, 28 September 2016 18:41 CEST, Denis Cardon <dcardon at tranquil.it> wrote:
> Hi Heinz,
> 
> > yes, the problem initiated after changing the primary group of all my 11034 users.
> > 
> > I changed the primary group to different groups. This caused that now every user is a member of the LDAP object "Domain users"
> > 
> > ldapsearch -LLL -x -h dc1 -x -b "cn=domain users,cn=users,dc=example,dc=net" member | grep ^member: | wc -l
> > 11034
> > 
> > After this action the replication isn't working anymore.
> > 
> > Now I try to change the primary group to "Domain users" again ...
> 
> each user entry has a default primary group (primaryGroupId attribute), which is "domain users" by default (513). Every user is already part of that group when you create one! You don't need to add them afterward. So now you have to remove all the users from the group, it will probably take the night, as committing the transaction after changing the group membership takes a while on large groups. It is doable, I had to do that cleanup last year on a similarly sized network.
> 
> Cheers,
> 
> Denis
> 
> > regards,
> > heinz
> > 
> >> you have quite a few objects (>12000) in your main partition. Do you have a large group with all those objects inside? The commit of large groups used to result in very very long commit time. There should have been some improvement in 4.5 though.
> >> 
> >> One way to join faster is to add the --domain-critical-only. It will sync only the necessary objects during the join, then after first samba startup it will start replicating objects. Actually it is not a solution to the problem, it just moves the problem a little bit downstream, so you can have more debug options.
> >> 
> >>> Is my AD too large????
> >> 
> >> no
> >> 
> >> Cheers,
> >> 
> >> Denis
> >> 
> >>> root at dc2:# samba-tool drs showrepl
> >>> Default-First-Site-Name\DC2
> >>> DSA Options: 0x00000001
> >>> DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
> >>> DSA invocationId: 49a80da8-975f-49ef-834b-224b2bbf0805
> >>> 
> >>> ==== INBOUND NEIGHBORS ====
> >>> 
> >>> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610699, 'The operation cannot be performed.')
> >>> 
> >>> 
> >>> root at dc1:~# samba-tool drs showrepl
> >>> Default-First-Site-Name\DC1
> >>> DSA Options: 0x00000001
> >>> DSA object GUID: 3b97b772-7006-4e18-b572-e05932f63986
> >>> DSA invocationId: 84cac16c-79dd-4949-8a0f-e0638b251483
> >>> 
> >>> ==== INBOUND NEIGHBORS ====
> >>> 
> >>> DC=ForestDnsZones,DC=example,DC=net
> >>> Default-First-Site-Name\DC2 via RPC
> >>> DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
> >>> Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
> >>> 30 consecutive failure(s).
> >>> Last success @ NTTIME(0)
> >>> 
> >>> DC=DomainDnsZones,DC=example,DC=net
> >>> Default-First-Site-Name\DC2 via RPC
> >>> DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
> >>> Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
> >>> 30 consecutive failure(s).
> >>> Last success @ NTTIME(0)
> >>> 
> >>> DC=example,DC=net
> >>> Default-First-Site-Name\DC2 via RPC
> >>> DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
> >>> Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
> >>> 30 consecutive failure(s).
> >>> Last success @ NTTIME(0)
> >>> 
> >>> CN=Schema,CN=Configuration,DC=example,DC=net
> >>> Default-First-Site-Name\DC2 via RPC
> >>> DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
> >>> Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
> >>> 30 consecutive failure(s).
> >>> Last success @ NTTIME(0)
> >>> 
> >>> CN=Configuration,DC=example,DC=net
> >>> Default-First-Site-Name\DC2 via RPC
> >>> DSA object GUID: e9d31c7e-acb3-4473-823a-39b06ab9fa95
> >>> Last attempt @ Wed Sep 28 16:15:13 2016 CEST failed, result 2 (WERR_BADFILE)
> >>> 30 consecutive failure(s).
> >>> Last success @ NTTIME(0)
> >>> 
> >>> ==== OUTBOUND NEIGHBORS ====
> >>> 
> >>> ==== KCC CONNECTION OBJECTS ====
> >>> 
> >>> Connection --
> >>> Connection name: 3005b361-e2ec-465c-92f1-620c8d0b0bec
> >>> Enabled : TRUE
> >>> Server DNS name : dc2.example.net
> >>> Server DN name : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
> >>> TransportType: RPC
> >>> options: 0x00000001
> >>> Warning: No NC replicated for Connection!
> >>> 
> >>> regards,
> >>> heinz
> >>> 
> >>>> Hi list,
> >>>> 
> >>>> I removed my second DC from the domain, and now the re-join as DC hangs.
> >>>> 
> >>>> The join has now been hanging for ca. 2 hours at the step "Committing SAM database"
> >>>> 
> >>>> version: samba 4.5.0 on ubuntu 14.04
> >>>> 
> >>>> with a "strace -p " I see this:
> >>>> 
> >>>> strace -p 1793
> >>>> Process 1793 attached
> >>>> brk(0x35e18000) = 0x35e18000
> >>>> brk(0x35e39000) = 0x35e39000
> >>>> brk(0x35e5a000) = 0x35e5a000
> >>>> brk(0x35e7b000) = 0x35e7b000
> >>>> brk(0x35e9c000) = 0x35e9c000
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
> >>>> 
> >>>> my smb.conf:
> >>>> 
> >>>> # Global parameters
> >>>> [global]
> >>>> bind interfaces only = Yes
> >>>> interfaces = lo eth0 eth2
> >>>> netbios name = DC1
> >>>> realm = EXAMPLE.NET
> >>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >>>> workgroup = EXAMPLE
> >>>> server role = active directory domain controller
> >>>> idmap_ldb:use rfc2307 = yes
> >>>> comment
> >>>> template homedir = /home/%U
> >>>> template shell = /bin/bash
> >>>> ldap server require strong auth = No
> >>>> 
> >>>> [netlogon]
> >>>> path = /srv/samba/var/locks/sysvol/example.net/scripts
> >>>> read only = No
> >>>> 
> >>>> [sysvol]
> >>>> path = /srv/samba/var/locks/sysvol
> >>>> read only = No
> >>>> 
> >>>> samba-tool domain join example.net DC --option="interfaces=lo eth0" --option="bind interfaces only"=yes --realm=example.net --dns-backend=BIND9_DLZ -Uadministrator
> >>>> Finding a writeable DC for domain 'example.net'
> >>>> Found DC dc1.example.net
> >>>> Password for [EXAMPLE\administrator]:
> >>>> workgroup is EXAMPLE
> >>>> realm is example.net
> >>>> Adding CN=DC2,OU=Domain Controllers,DC=example,DC=net
> >>>> Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
> >>>> Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
> >>>> Adding SPNs to CN=DC2,OU=Domain Controllers,DC=example,DC=net
> >>>> Setting account password for DC2$
> >>>> Enabling account
> >>>> Adding DNS account CN=dns-DC2,CN=Users,DC=example,DC=net with dns/ SPN
> >>>> Setting account password for dns-DC2
> >>>> Calling bare provision
> >>>> Looking up IPv4 addresses
> >>>> Looking up IPv6 addresses
> >>>> No IPv6 address will be assigned
> >>>> Setting up share.ldb
> >>>> Setting up secrets.ldb
> >>>> Setting up the registry
> >>>> Setting up the privileges database
> >>>> Setting up idmap db
> >>>> Setting up SAM db
> >>>> Setting up sam.ldb partitions and settings
> >>>> Setting up sam.ldb rootDSE
> >>>> Pre-loading the Samba 4 and AD schema
> >>>> A Kerberos configuration suitable for Samba 4 has been generated at /srv/samba/private/krb5.conf
> >>>> Provision OK for domain DN DC=example,DC=net
> >>>> Starting replication
> >>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=net] objects[402/1550] linked_values[0/0]
> >>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=net] objects[804/1550] linked_values[0/0]
> >>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=net] objects[1206/1550] linked_values[0/0]
> >>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=net] objects[1550/1550] linked_values[0/0]
> >>>> Analyze and apply schema objects
> >>>> Partition[CN=Configuration,DC=example,DC=net] objects[402/1628] linked_values[0/0]
> >>>> Partition[CN=Configuration,DC=example,DC=net] objects[804/1628] linked_values[0/0]
> >>>> Partition[CN=Configuration,DC=example,DC=net] objects[1206/1628] linked_values[0/0]
> >>>> Partition[CN=Configuration,DC=example,DC=net] objects[1608/1628] linked_values[0/0]
> >>>> Partition[CN=Configuration,DC=example,DC=net] objects[1628/1628] linked_values[30/0]
> >>>> Replicating critical objects from the base DN of the domain
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1402/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[98/98] linked_values[679/0]
> >>>> 
> >>>> Partition[DC=example,DC=net] objects[500/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[902/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[1304/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[1706/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[2108/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[2510/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[2912/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[3314/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[3716/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[4118/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[4520/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[4922/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[5324/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[5726/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[6128/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[6530/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[6932/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[7334/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[7736/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[8138/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[8540/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[8942/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[9344/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[9746/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[10148/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[10550/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[10952/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[11354/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[11756/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[12158/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[12560/12791] linked_values[0/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1171/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[1500/0]
> >>>> Partition[DC=example,DC=net] objects[12889/12791] linked_values[405/0]
> >>>> Done with always replicated NC (base, config, schema)
> >>>> Replicating DC=DomainDnsZones,DC=example,DC=net
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[402/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[804/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[1206/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[1608/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[2010/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[2412/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[2814/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[3216/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[3618/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[4020/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[4422/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[4824/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[5226/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[5628/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[6030/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[6432/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[6834/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[7236/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[7638/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[8040/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[8442/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[8844/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[9246/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[9648/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[10050/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[10452/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[10854/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[11256/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[11658/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[12060/12122] linked_values[0/0]
> >>>> Partition[DC=DomainDnsZones,DC=example,DC=net] objects[12122/12122] linked_values[0/0]
> >>>> Replicating DC=ForestDnsZones,DC=example,DC=net
> >>>> Partition[DC=ForestDnsZones,DC=example,DC=net] objects[22/22] linked_values[0/0]
> >>>> Committing SAM database
> >>>> 
> >>>> can someone help me please?
> >>>> 
> >>>> regards,
> >>>> heinz
> >> 
> >> -- 
> >> Denis Cardon
> >> Tranquil IT Systems
> >> Les Espaces Jules Verne, bâtiment A
> >> 12 avenue Jules Verne
> >> 44230 Saint Sébastien sur Loire
> >> tel : +33 (0) 2.40.97.57.55
> >> http://www.tranquil-it-systems.fr
> 
> -- 
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
Rowland Penny
2016-Sep-28 17:22 UTC
[Samba] samba-tool domain join DC hang
On Wed, 28 Sep 2016 19:12:09 +0200
Heinz Hölzl via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> the only thing I did was to assign every user to another group. After this I changed the primary group to these new groups and the samba-server itself assigned the users to the group "domain users" automatically (attribute: member). Now I try to revert this and to change the primary group back to 513, so I can again have a Domain Users object with a small number of members.

Domain Users should seemingly have no members, but all users will be members.

Rowland
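Denis's explanation and Rowland's one-liner rest on the same AD rule: a user's primary group is carried by the user's primaryGroupID, not by the group's member attribute, so once primaryGroupID is back at 513 the explicit member links on "Domain Users" are redundant and are what has to be removed. The following Python is an added example, not code from the thread or from Samba: it reads a constructed LDIF export of the group and its users, keeps only the member values whose user already has primaryGroupID 513, and emits the LDIF modify that deletes just those. A user whose primary group is still another RID keeps the explicit link, because deleting it would actually drop that user out of Domain Users.

```python
# Added example (not from the thread): decide which explicit `member`
# values on "Domain Users" are redundant because the user's primaryGroupID
# already points at RID 513, and emit the LDIF modify that removes only
# those. All records below are constructed sample data.
import re

DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=net"
DOMAIN_USERS_RID = 513
# Constructed LDIF: alice and bob already have primaryGroupID 513,
# carol's primary group is still another group (RID 1105).
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=net
member: CN=alice,CN=Users,DC=example,DC=net
member: CN=bob,CN=Users,DC=example,DC=net
member: CN=carol,CN=Users,DC=example,DC=net

dn: CN=alice,CN=Users,DC=example,DC=net
primaryGroupID: 513

dn: CN=bob,CN=Users,DC=example,DC=net
primaryGroupID: 513

dn: CN=carol,CN=Users,DC=example,DC=net
primaryGroupID: 1105
"""

def parse_ldif(text):
    """Minimal LDIF reader: dn -> {attr: [values]} (no base64, no folding)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key, []).append(val)
        entries[attrs["dn"][0]] = attrs
    return entries

def redundant_members(entries, group_dn=DOMAIN_USERS_DN, rid=DOMAIN_USERS_RID):
    """Split the group's member DNs into (redundant, kept): redundant ones
    already have primaryGroupID == rid; kept ones still need the link."""
    redundant, kept = [], []
    for dn in entries[group_dn].get("member", []):
        pgid = entries.get(dn, {}).get("primaryGroupID", [""])[0]
        (redundant if pgid == str(rid) else kept).append(dn)
    return redundant, kept

def ldif_remove_members(group_dn, dns):
    """Build a changetype: modify record deleting exactly the given values."""
    if not dns:
        return ""
    lines = [f"dn: {group_dn}", "changetype: modify", "delete: member"]
    lines += [f"member: {dn}" for dn in dns]
    return "\n".join(lines) + "\n-\n"

if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    red, keep = redundant_members(ents)
    print(f"explicit members: {len(red) + len(keep)}, redundant: {len(red)}, keep: {len(keep)}")
    print(ldif_remove_members(DOMAIN_USERS_DN, red), end="")
```

On a real directory the input would come from an export of the group and the user objects, and the generated modify would be applied in batches, since the thread notes that committing a change to a group this size takes a long time.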