Hi,
This is just a report I wanted to share. Maybe someone can put it on the wiki. I created a new DC for a new site using the samba internal dns option. Later, I decided to go with bind. So I ran the command, and got this error:
[root@theoden ~]# samba_upgradedns --dns-backend=BIND9_DLZ --verbose
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/E-TRUST.COM.BR.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-theoden account
Traceback (most recent call last):
  File "/sbin/samba_upgradedns", line 433, in <module>
    "DNSNAME" : dnsname }
  File "/usr/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)
_ldb.LdbError: (53, '../source4/dsdb/samdb/ldb_modules/ridalloc.c:556: No RID Set DN - Remote RID Set creation needed')
Since it mentions RID creation, I went to the RID master server and, looking into the logs, I found:
../source4/rpc_server/drsuapi/getncchanges.c:829: Failed extended allocation RID pool operation - ../source4/dsdb/samdb/ldb_modules/ridalloc.c:727: Failed to find serverReference in CN=THEODEN,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br - (null)
In this case, THEODEN is the new DC.
Then, running the following search:
ldbsearch -H /var/lib/samba/private/sam.ldb '(CN=THEODEN)' --cross-ncs
on both the new DC and the RID Master, I found out that the entry
CN=THEODEN,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br
lacks the attribute serverReference on the RID Master.
So I created the following ldif file:
[root@aragorn samba]# cat /root/theoden-fix.ldif
dn: CN=THEODEN,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br
changetype: modify
add: serverReference
serverReference: CN=THEODEN,OU=Domain Controllers,DC=e-trust,DC=com,DC=br
And added it to the RID Master's database:
[root@aragorn samba]# ldbmodify -H /var/lib/samba/private/sam.ldb /root/theoden-fix.ldif
Modified 1 records successfully
Then, I restarted the samba services on the RID master. After that, I was able to run the samba_upgradedns script successfully:
[root@theoden ~]# samba_upgradedns --dns-backend=BIND9_DLZ --verbose
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/E-TRUST.COM.BR.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-theoden account
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have the internal dns starting. Please make sure you add '-dns' to your server services line in your smb.conf.
Regards.
--
Vinicius Silva
SOC
BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
vbs at e-trust.com.br
skype: vinicius.bones.silva
www.e-trust.com.br
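As an added example (not part of Vinicius's post), a small POSIX shell script that automates the check and the fix described above: it parses the LDIF that ldbsearch prints, reports whether the DC's server object under CN=Sites lacks serverReference, and generates the same modify LDIF for any DC, site and domain base DN. The ldbsearch output embedded below is constructed; the sam.ldb path in the comment is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post: re-creates by script the check the
# post did by hand. Reads the LDIF ldbsearch prints for a DC, reports whether the
# server object under CN=Sites lacks serverReference, and emits the fix LDIF.

# Configuration-partition DN of a DC's server object.
server_dn() { # $1 = DC name, $2 = site name, $3 = domain base DN
  printf 'CN=%s,CN=Servers,CN=%s,CN=Sites,CN=Configuration,%s\n' "$1" "$2" "$3"
}

# Reads ldbsearch LDIF output on stdin; succeeds (exit 0) only when the record
# for the given server DN carries no serverReference attribute.
missing_serverreference() { # $1 = server DN
  awk -v dn="$1" '
    # LDIF folds long values onto lines starting with a space: join them first.
    function check() {
      if (line ~ /^dn: /) in_rec = (tolower(substr(line, 5)) == tolower(dn))
      else if (in_rec && line ~ /^serverReference: /) found = 1
    }
    /^ / { line = line substr($0, 2); next }
    { check(); line = $0 }
    END { check(); if (found) exit 1; exit 0 }'
}
# The modify LDIF the post applied on the RID master, for any DC/site/domain.
fix_ldif() { # $1 = DC name, $2 = site name, $3 = domain base DN
  printf 'dn: %s\nchangetype: modify\nadd: serverReference\nserverReference: CN=%s,OU=Domain Controllers,%s\n' \
    "$(server_dn "$1" "$2" "$3")" "$1" "$3"
}
# Constructed ldbsearch output: server object missing serverReference, plus the
# computer object, whose serverReferenceBL must not be mistaken for the attribute.
SAMPLE_BROKEN='dn: CN=THEODEN,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br
objectClass: server

dn: CN=THEODEN,OU=Domain Controllers,DC=e-trust,DC=com,DC=br
serverReferenceBL: CN=THEODEN,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br
'
# Constructed healthy output, with the attribute value folded across two lines.
SAMPLE_OK='dn: CN=THEODEN,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br
serverReference: CN=THEODEN,OU=Domain Controllers,DC=e-trust,DC=com,
 DC=br
'
# Live use on a DC (not run here; sam.ldb path as in the post):
#   ldbsearch -H /var/lib/samba/private/sam.ldb "(CN=$DC)" --cross-ncs \
#     | missing_serverreference "$(server_dn "$DC" "$SITE" "$BASE")" && fix_ldif "$DC" "$SITE" "$BASE"
DN=$(server_dn THEODEN AWS DC=e-trust,DC=com,DC=br)
if printf '%s' "$SAMPLE_BROKEN" | missing_serverreference "$DN"; then
  echo "serverReference missing on $DN; LDIF to apply on the RID master:"
  fix_ldif THEODEN AWS DC=e-trust,DC=com,DC=br
fi
```

Run the live pipeline from the comment on the RID master, where the attribute was missing in the post, and review the generated LDIF before passing it to ldbmodify.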