samba - Oct 2017 - Make Samba 4 as Additional DC to Windows Server 2003R2

Hello Andrew,

A gentle reminder for the patch.

Can you share the patch as you mentioned?

-- 

Thanks & Regards,


Anantha Raghava



Do not print this e-mail unless required. Save Paper & trees.

On 29/10/17 11:57 AM, Andrew Bartlett wrote:
> On Sun, 2017-10-29 at 09:11 +0530, Anantha Raghava wrote:
>> Hi,
>>
>> I did upgrade the server to Windows Server 2008 R2 along with AD.
>> However, when I attempt to add Samba-4 as additional domain controller,
it is able to provision the Domain and starts to replicate the data. However,
while replicating, it throws up an error as shown below and stops. Samba-4 will
remove itself being additional domain controller.
>> I tried this migration using Samba Version 4.7 and BIND9_DLZ as dns
backend.
>> Error message:
>>
-------------------------------------------------------------------------------------------
>> /lib/ldb/ldb_tdb/ldb_index.c:1189: unique index violation on objectSid
in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted
Objects,DC=corp,DC=dtdc,DC=com, conficts with CN=SUDIKSHA VILAS
MHATRE\0ADEL:0b07eb12-99bd-4688-956f-55003920aa8f,CN=Deleted
Objects,DC=corp,DC=dtdc,DC=com in
@INDEX:OBJECTSID::AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5k7cDAA=>>
>> Is this error something to do with Windows Domain Controller?
> I have a patch for this, developed for a customer who hit the same
> thing, remind me if you don't get it from me tomorrow, and given the
> additional interest I'll figure a way to get it upstream.
>
> Samba is just stricter than windows in this area, not allowing a SID to
> be deleted or be a conflict object and also exist normally.
>
> Until your mail, I didn't think this could happen other than as a
> foreignSecurityPrincipal however, and I don't think the source domain
> is entirely healthy if an objectSid can be allocated to two different
> users, even if they are now deleted.
>
> I hope this helps,
>
> Andrew Bartlett
>

On Mon, 2017-10-30 at 13:11 +0530, Anantha Raghava
wrote:
> Hello Andrew,
> 
> A gentle reminder for the patch.
> 
> Can you share the patch as you mentioned?
> --
Sorry about that.  This is the patch.

To get this into master however we need to add some configuration
around it, and docs for that configuration, so that it can be set at
runtime.

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: objectsid-not-unique.patch
Type: text/x-patch
Size: 569 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba/attachments/20171031/f81f422e/objectsid-not-unique.bin>

Hello Andrew,

Thank you very much.

I will apply the patch, and reinstall samba. Will revert back to you 
with results.

-- 

Thanks & Regards,


Anantha Raghava

eXzaTech Consulting And Services Pvt. Ltd.

Ph: +91-9538849179, E-mail: raghav at exzatechconsulting.com 
<mailto:raghav at exzatechconsulting.com>

URL: http://www.exzatechconsulting.com
<http://www.exzatechconsulting.com/>



Dell Technology Partner, 3CX - Open Software IP PBX Partner, RedHat 
Solutions Partner
Open Source Software Solutions - oVirt, SMARTDesktop, Apache Metron, 
OpenVPN, OPNSense......

DISCLAIMER:
This e-mail communication and any attachments may be privileged and 
confidential to eXza Technology Consulting & Services, and are intended 
only for the use of the recipients named above If you are not the 
addressee you may not copy, forward, disclose or use any part of it. If 
you have received this message in error, please delete it and all copies 
from your system and notify the sender immediately by return e-mail. 
Internet communications cannot be guaranteed to be timely, secure, error 
or virus-free. The sender does not accept liability for any errors or 
omissions.


Do not print this e-mail unless required. Save Paper & trees.

On 31/10/17 1:41 AM, Andrew Bartlett wrote:
> On Mon, 2017-10-30 at 13:11 +0530, Anantha Raghava wrote:
>> Hello Andrew,
>>
>> A gentle reminder for the patch.
>>
>> Can you share the patch as you mentioned?
>> --
> Sorry about that.  This is the patch.
>
> To get this into master however we need to add some configuration
> around it, and docs for that configuration, so that it can be set at
> runtime.
>
> Andrew Bartlett

Hello Andrew,

Thank you very much for the patch.

Now Samba-4 is an additional domain controller along with Windows 
Server. Initial replication completed without any error.

However, while testing, I noticed that, when a new object is created in 
Windows, it is immediately getting replicated to Samba but not vice 
versa. Connection to Windows Server is getting refused.

Barring this all other functions are working fine.

-- 

Thanks & Regards,


Anantha Raghava


Do not print this e-mail unless required. Save Paper & trees.
On 31/10/17 1:41 AM, Andrew Bartlett wrote:
> On Mon, 2017-10-30 at 13:11 +0530, Anantha Raghava wrote:
>> Hello Andrew,
>>
>> A gentle reminder for the patch.
>>
>> Can you share the patch as you mentioned?
>> --
> Sorry about that.  This is the patch.
>
> To get this into master however we need to add some configuration
> around it, and docs for that configuration, so that it can be set at
> runtime.
>
> Andrew Bartlett