Anantha Raghava
2017-Oct-29  03:41 UTC
[Samba] Make Samba 4 as Additional DC to Windows Server 2003R2
Hi,

I did upgrade the server to Windows Server 2008 R2 along with AD. However, when I attempt to add Samba-4 as an additional domain controller, it is able to provision the Domain and starts to replicate the data. However, while replicating, it throws up an error as shown below and stops. Samba-4 will remove itself as additional domain controller.

I tried this migration using Samba Version 4.7 and BIND9_DLZ as DNS backend.

Error message:
-------------------------------------------------------------------------------------------
/lib/ldb/ldb_tdb/ldb_index.c:1189: unique index violation on objectSid in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com, conficts with CN=SUDIKSHA VILAS MHATRE\0ADEL:0b07eb12-99bd-4688-956f-55003920aa8f,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com in @INDEX:OBJECTSID::AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5k7cDAA=
../lib/ldb/ldb_tdb/ldb_index.c:1189: unique index violation on objectSid in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897\0ACNF:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com, conficts with CN=SUDIKSHA VILAS MHATRE\0ADEL:0b07eb12-99bd-4688-956f-55003920aa8f,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com in @INDEX:OBJECTSID::AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5k7cDAA=
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4824: Failed to rename conflict dn 'CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com' to 'CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897\0ACNF:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com' - ../lib/ldb/ldb_tdb/ldb_index.c:1272: Failed to re-index objectSid in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897\0ACNF:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com - ../lib/ldb/ldb_tdb/ldb_index.c:1196: unique index violation on objectSid in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897\0ACNF:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com
Failed to commit objects: WERR_GEN_FAILURE
Join failed - cleaning up
Deleted CN=DC3,OU=Domain Controllers,DC=corp,DC=dtdc,DC=com
Deleted CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=dtdc,DC=com
Deleted CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=dtdc,DC=com
ERROR(runtime): uncaught exception - (31, "Failed to process 'chunk' of DRS replicated objects: WERR_GEN_FAILURE")
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1377, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 936, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 295, in replicate
    schema=schema, req_level=req_level, req=req)
--------------------------------------------------------------------------------------------------------------

Is this error something to do with the Windows Domain Controller?

-- 
Thanks & Regards,

Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

On 28/10/17 4:45 PM, Andrew Bartlett wrote:
> On Sat, 2017-10-28 at 16:11 +0530, Anantha Raghava via samba wrote:
>> Hi,
>>
>> I am trying to make Samba 4 as additional DC to a Domain Hosted in
>> Windows Server 2003 R2. Is it possible? Or do we have to first migrate
>> to Windows Server 2008 R2 and then to Samba?
>>
>> samba-tool domain join command comes up to Domain Provision and it
>> reports OK. However when the replication starts it fails. Error thrown is:
>>
>> "Failed to bind to uuid e35*****-****-****-****-************/00000****
>> ...........NT_STATUS_LOGON_FAILURE"
> That is interesting. It should work, but an upgrade to 2008R2 first
> would be advised for the migration, as that will allow you to get a
> 2008R2 schema and functional level, which you want.
>
> Andrew Bartlett
>
Andrew Bartlett
2017-Oct-29  06:27 UTC
[Samba] Make Samba 4 as Additional DC to Windows Server 2003R2
On Sun, 2017-10-29 at 09:11 +0530, Anantha Raghava wrote:
> Hi,
>
> I did upgrade the server to Windows Server 2008 R2 along with AD.
> However, when I attempt to add Samba-4 as an additional domain controller, it is able to provision the Domain and starts to replicate the data. However, while replicating, it throws up an error as shown below and stops. Samba-4 will remove itself as additional domain controller.
> I tried this migration using Samba Version 4.7 and BIND9_DLZ as DNS backend.
> Error message:
> -------------------------------------------------------------------------------------------
> /lib/ldb/ldb_tdb/ldb_index.c:1189: unique index violation on objectSid in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com, conficts with CN=SUDIKSHA VILAS MHATRE\0ADEL:0b07eb12-99bd-4688-956f-55003920aa8f,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com in @INDEX:OBJECTSID::AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5k7cDAA=
>
> Is this error something to do with the Windows Domain Controller?

I have a patch for this, developed for a customer who hit the same thing, remind me if you don't get it from me tomorrow, and given the additional interest I'll figure a way to get it upstream.

Samba is just stricter than Windows in this area, not allowing a SID to be deleted or be a conflict object and also exist normally.

Until your mail, I didn't think this could happen other than as a foreignSecurityPrincipal however, and I don't think the source domain is entirely healthy if an objectSid can be allocated to two different users, even if they are now deleted.

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
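Both messages above turn on one condition: ldb keeps a unique index on objectSid, so a SID that two objects hold (here two tombstones under CN=Deleted Objects) cannot be replicated in, and the join aborts. As an added example, not from this thread and not Samba's own code, here is a small Python check a practitioner could run over an export of the source domain, tombstones included, before attempting the join again, to find every SID held by more than one object and whether a live object is involved or only deleted ones. The sample objects are constructed from the DNs and @INDEX key quoted in the error; the third object, its SID (RID 243604), and the field names (dn, objectSid, isDeleted) are my assumptions about what such an export would carry.

```python
"""Find objectSid values shared by more than one directory object.

Added example, not part of the Samba mailing-list thread or of Samba's code.
Input is assumed to be a list of dicts with keys dn, objectSid (base64 of
the binary SID, as in ldb's @INDEX keys) and isDeleted; constructed inline.
"""
import base64
import struct
from collections import defaultdict

# Constructed sample, modelled on the DNs and index key quoted in the error.
# The third object and its SID (RID 243604) are invented for contrast.
SAMPLE_OBJECTS = [
    {"dn": "CN=TDS COMMON\\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897,"
           "CN=Deleted Objects,DC=corp,DC=dtdc,DC=com",
     "objectSid": "AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5k7cDAA=", "isDeleted": True},
    {"dn": "CN=SUDIKSHA VILAS MHATRE\\0ADEL:0b07eb12-99bd-4688-956f-55003920aa8f,"
           "CN=Deleted Objects,DC=corp,DC=dtdc,DC=com",
     "objectSid": "AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5k7cDAA=", "isDeleted": True},
    {"dn": "CN=Healthy User,CN=Users,DC=corp,DC=dtdc,DC=com",
     "objectSid": "AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5lLcDAA==", "isDeleted": False},
]


def decode_sid(b64):
    """Decode a base64 binary SID into S-R-A-S1-...-Sn form.

    The key quoted in the thread ends in a single '=', so the base64 is
    re-padded to a multiple of four characters before decoding.
    """
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    expected = 8 + 4 * sub_count
    if len(raw) != expected:
        raise ValueError("SID has %d bytes, expected %d" % (len(raw), expected))
    subs = struct.unpack("<%dI" % sub_count, raw[8:])  # sub-authorities are little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def find_duplicate_sids(objects):
    """Return {sid_string: [dn, ...]} for every SID held by more than one object."""
    holders = defaultdict(list)
    for obj in objects:
        holders[decode_sid(obj["objectSid"])].append(obj["dn"])
    return {sid: dns for sid, dns in holders.items() if len(dns) > 1}


def report(objects):
    """One summary line per duplicated SID, followed by its holders.

    Distinguishes the case where every holder is a tombstone (cleanup of
    deleted objects on the source is enough) from a live object sharing a SID.
    """
    deleted = {o["dn"] for o in objects if o["isDeleted"]}
    lines = []
    for sid, dns in sorted(find_duplicate_sids(objects).items()):
        live = [dn for dn in dns if dn not in deleted]
        status = ("all holders are tombstones" if not live
                  else "%d live object(s) involved" % len(live))
        lines.append("%s held by %d objects (%s)" % (sid, len(dns), status))
        lines.extend("    " + dn for dn in dns)
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_OBJECTS) or ["no duplicate objectSid values"]:
        print(line)
```

Run against a real export, the script would report the SID from the thread as held by two tombstones, which matches the "unique index violation" the join produced; an empty report is the state the source domain needs to be in before the join is retried.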
Anantha Raghava
2017-Oct-29  08:52 UTC
[Samba] Make Samba 4 as Additional DC to Windows Server 2003R2
Hi,

Thanks for your quick help. I await the patch.

I know the source DC is all that clean. I am trying to clean the source DC using "ntdsutil". I am not sure how far this exercise will be successful.

-- 
Thanks & Regards,

Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

On 29/10/17 11:57 AM, Andrew Bartlett wrote:
> On Sun, 2017-10-29 at 09:11 +0530, Anantha Raghava wrote:
>> Hi,
>>
>> I did upgrade the server to Windows Server 2008 R2 along with AD.
>> However, when I attempt to add Samba-4 as an additional domain controller, it is able to provision the Domain and starts to replicate the data. However, while replicating, it throws up an error as shown below and stops. Samba-4 will remove itself as additional domain controller.
>> I tried this migration using Samba Version 4.7 and BIND9_DLZ as DNS backend.
>> Error message:
>> -------------------------------------------------------------------------------------------
>> /lib/ldb/ldb_tdb/ldb_index.c:1189: unique index violation on objectSid in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com, conficts with CN=SUDIKSHA VILAS MHATRE\0ADEL:0b07eb12-99bd-4688-956f-55003920aa8f,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com in @INDEX:OBJECTSID::AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5k7cDAA=
>>
>> Is this error something to do with the Windows Domain Controller?
> I have a patch for this, developed for a customer who hit the same
> thing, remind me if you don't get it from me tomorrow, and given the
> additional interest I'll figure a way to get it upstream.
>
> Samba is just stricter than Windows in this area, not allowing a SID to
> be deleted or be a conflict object and also exist normally.
>
> Until your mail, I didn't think this could happen other than as a
> foreignSecurityPrincipal however, and I don't think the source domain
> is entirely healthy if an objectSid can be allocated to two different
> users, even if they are now deleted.
>
> I hope this helps,
>
> Andrew Bartlett
>
Anantha Raghava
2017-Oct-30  07:41 UTC
[Samba] Make Samba 4 as Additional DC to Windows Server 2003R2
Hello Andrew,

A gentle reminder for the patch. Can you share the patch as you mentioned?

-- 
Thanks & Regards,

Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

On 29/10/17 11:57 AM, Andrew Bartlett wrote:
> On Sun, 2017-10-29 at 09:11 +0530, Anantha Raghava wrote:
>> Hi,
>>
>> I did upgrade the server to Windows Server 2008 R2 along with AD.
>> However, when I attempt to add Samba-4 as an additional domain controller, it is able to provision the Domain and starts to replicate the data. However, while replicating, it throws up an error as shown below and stops. Samba-4 will remove itself as additional domain controller.
>> I tried this migration using Samba Version 4.7 and BIND9_DLZ as DNS backend.
>> Error message:
>> -------------------------------------------------------------------------------------------
>> /lib/ldb/ldb_tdb/ldb_index.c:1189: unique index violation on objectSid in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com, conficts with CN=SUDIKSHA VILAS MHATRE\0ADEL:0b07eb12-99bd-4688-956f-55003920aa8f,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com in @INDEX:OBJECTSID::AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5k7cDAA=
>>
>> Is this error something to do with the Windows Domain Controller?
> I have a patch for this, developed for a customer who hit the same
> thing, remind me if you don't get it from me tomorrow, and given the
> additional interest I'll figure a way to get it upstream.
>
> Samba is just stricter than Windows in this area, not allowing a SID to
> be deleted or be a conflict object and also exist normally.
>
> Until your mail, I didn't think this could happen other than as a
> foreignSecurityPrincipal however, and I don't think the source domain
> is entirely healthy if an objectSid can be allocated to two different
> users, even if they are now deleted.
>
> I hope this helps,
>
> Andrew Bartlett
>