me at tdiehl.org
2018-Jun-22 03:28 UTC
[Samba] Problem joining a samba DC to a windows domain
Hi Tim, Andrew and Rowland,

Thanks for taking the time to look into this.

On Fri, 22 Jun 2018, Tim Beale via samba wrote:

> Hi Tom,
>
> The problem here is due to fundamental implementation differences in the
> way Windows and Samba store linked attributes. Your DB is likely fine
> (no corruptions).

That is great to hear!

> During replication (i.e. the join), Windows can sometimes send linked
> attributes before Samba knows about the source/target objects involved.
> As Andrew said, historically Samba has handled this by silently dropping
> these links, which isn't ideal. So on Samba 4.7, after the join
> succeeds, it's probably worth running 'samba-tool drs replicate
> --full-sync' to make sure the new DC has all the linked attributes.

I ran "samba-tool drs replicate PHT-VDC1 PHT1 dc=example,dc=com --full-sync"
and it returned "Replicate from PHT1 to PHT-VDC1 was successful".

> In Samba 4.8, instead of dropping the link, we added code that used the
> GET_TGT flag in the DRS message to force the Windows DC to send all the
> link target objects. This meant Samba could successfully process all the
> links. The problem is that the GET_TGT flag is a reasonably new addition
> to the Windows protocol, and the code in this case thinks it's not
> supported. GET_TGT (GETCHGREQ_V10) should be supported in Windows Server
> 2008 R2 onwards - what version of Windows are you running?

Well based on your explanation above this problem makes perfect sense.
The existing DC is sbs2008 which is running 2008 SP2. I guess I need to
remember that anything older than 2008 R2 needs to start with 4.7 until
there is a better solution.

> Rowland's idea of joining a 4.7 DC (and then doing a 'drs replicate
> --full-sync'), then joining a 4.8 DC to the 4.7 DC should work. I'll
> have a think what else we could do to handle this situation better.

Would it make sense to add a warning to the wiki until there is a better
solution?

Is this something that can be done while the 2008 SP2 DC is still online
or should I wait until after it is retired?

Regards and Thanks again!!

-- 
Tom me at tdiehl.org

>
> Thanks,
> Tim
>
> On 22/06/18 08:22, Andrew Bartlett via samba wrote:
>> On Thu, 2018-06-21 at 18:46 +0100, Rowland Penny via samba wrote:
>>> On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
>>> Tom Diehl via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to join a self compiled samba 4.8.2 DC to an existing
>>>> Windows domain using
>>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>>>> as instructions.
>>>>
>>>> The smb.conf looks like the following:
>>>>
>>>> [global]
>>>>         netbios name = PHT-VDC1
>>>>         realm = EXAMPLE.COM
>>>>         server role = active directory domain controller
>>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>         workgroup = EXAMPLE
>>>>
>>>> [netlogon]
>>>>         path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>>         read only = No
>>>>
>>>> [sysvol]
>>>>         path = /usr/local/samba/var/locks/sysvol
>>>>         read only = No
>>>>
>>>> The above was generated by the following samba-tool command line:
>>>> samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
>>>>
>>>> When I run samba-tool I get the following output:
>>>> (pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
>>>> Finding a writeable DC for domain 'example.com'
>>>> Found DC PHT1.example.com
>>>> Password for [EXAMPLE\admin]:
>> ....
>>
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] linked_values[0/355]
>>>> ...
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] linked_values[0/355]
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
>>>> Replicating critical objects from the base DN of the domain
>>>> Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
>>>> Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
>>>> Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
>>>> Failed to commit objects: DOS code 0x000021bf
>>>> Join failed - cleaning up
>>> This is where it seems to fail and 0x000021bf is this:
>>>
>>> The replication operation failed because the target object referenced
>>> by a link value is recycled.
>>>
>>> So it might be an idea to check the DC you are trying to join to.
>> Thanks Rowland,
>>
>> What is happening here is that Samba is trying to find the end of a
>> link that it has been given, so as to be able to set the backlink.
>> This used to just result in the backlink being dropped, and now we have
>> fixed that (never dropping the link). However it seems that goes a bit
>> wrong here against Windows.
>>
>> The reason this works with 4.7 is that the backlink is just ignored and
>> dropped in this case.
>>
>> I've CC'ed Tim Beale who was the developer of that code, who may have
>> some insights.
>>
>> Thanks,
>>
>> Andrew Bartlett
On 22/06/18 15:28, Tom Diehl via samba wrote:
> Would it make sense to add a warning to the wiki until there is a better
> solution?

That's a good idea.

> Is this something that can be done while the 2008 SP2 DC is still online
> or should I wait until after it is retired?

If both the samba 4.8 DC and the Windows 2008 SP2 DC remain in the network
long-term, then there's a chance that the periodic replication on 4.8 could
hit the same problem and fail. Although there's a lower likelihood of this
happening once the DC has joined. (For the problem to happen, Samba 4.8
needs to receive the new link information before it receives the new
object. During a join, there's a fairly good chance of this happening.
During replication, you'd either need to have a lot of changes happen to
your DB all of a sudden, or have had replication disabled/broken).
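The two-stage workaround discussed in the replies above (join the pre-2008R2 Windows DC with Samba 4.7, pull the dropped linked attributes with a full sync, and only then join a 4.8 DC against the 4.7 DC) as a shell helper. This is an added example, not code from the thread or from the Samba project. It uses only the samba-tool subcommands that appear in the thread plus `samba-tool dbcheck` as a post-join sanity check; the function names, argument order and the sample join output are this example's own constructions, and the name ERROR_DS_DRA_RECYCLED_TARGET is the Win32 identifier for the 0x21bf message Rowland quoted. The configuration-partition sync is an addition beyond what Tom ran, because the join output shows linked_values in that partition too.

```shell
#!/bin/sh
# Added example (not from the Samba list thread or the Samba project).

# Constructed sample of a failed 'samba-tool domain join', modelled on the
# output in the thread, so the decoder below can be exercised offline.
SAMPLE_JOIN_OUTPUT='Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
Failed to commit objects: DOS code 0x000021bf
Join failed - cleaning up'

# Pull the DOS/Win32 error code out of captured join output and name it.
# Only 0x21bf (ERROR_DS_DRA_RECYCLED_TARGET, 8639 decimal) is mapped here,
# since that is the code this thread is about; anything else is echoed raw.
# Returns 1 when the output contains no "Failed to commit objects" line.
decode_join_failure() {
    code=$(printf '%s\n' "$1" \
        | sed -n 's/.*Failed to commit objects: DOS code 0x\([0-9a-fA-F][0-9a-fA-F]*\).*/\1/p' \
        | tail -n 1)
    [ -n "$code" ] || return 1
    # normalise: drop leading zeros, lower-case, so 0x000021bf and 0x21BF match
    code=$(printf '%s' "$code" | sed 's/^0*//' | tr 'A-Z' 'a-z')
    case "$code" in
        21bf)
            printf 'ERROR_DS_DRA_RECYCLED_TARGET (0x%s): a link target arrived before its object; join this Windows DC with Samba 4.7 first, then --full-sync\n' "$code"
            ;;
        *)
            printf 'DOS code 0x%s (not mapped by this script)\n' "$code"
            ;;
    esac
}

# Stage 1 (run on the Samba 4.7 host): join the Windows DC, then full-sync
# both naming contexts so links dropped during the join are fetched.
# Arguments: realm  admin-user  new-samba-dc-name  source-dc-name  domain-NC
# e.g. join_and_sync example.com 'example\admin' PHT-VDC1 PHT1 dc=example,dc=com
# samba-tool prompts for the password on the terminal; it is not passed here.
join_and_sync() {
    realm=$1; admin=$2; new_dc=$3; src_dc=$4; nc=$5
    out=$(samba-tool domain join "$realm" DC -U"$admin" --dns-backend=BIND9_DLZ 2>&1) || {
        printf '%s\n' "$out" >&2
        decode_join_failure "$out" >&2
        return 1
    }
    samba-tool drs replicate "$new_dc" "$src_dc" "$nc" --full-sync || return 1
    samba-tool drs replicate "$new_dc" "$src_dc" "cn=configuration,$nc" --full-sync || return 1
    # Confirm inbound replication reports success and the DB is consistent
    # before a 4.8 DC is joined against this 4.7 DC (stage 2 is the same
    # 'samba-tool domain join' run on the 4.8 host, pointed at "$new_dc").
    samba-tool drs showrepl || return 1
    samba-tool dbcheck --cross-ncs
}
```

Stage 2 is deliberately just the ordinary join run on the 4.8 host: once the 4.7 DC holds every linked attribute, the 4.8 DC talks only to Samba, which supports GET_TGT, so the ordering problem Tim describes does not arise.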
Rowland Penny
2018-Jun-22 07:51 UTC
[Samba] Problem joining a samba DC to a windows domain
On Thu, 21 Jun 2018 23:28:06 -0400 (EDT)
me at tdiehl.org wrote:

> Hi Tim, Andrew and Rowland,
>
> Thanks for taking the time to look into this.
>
> On Fri, 22 Jun 2018, Tim Beale via samba wrote:
>
> > Hi Tom,
> >
> > The problem here is due to fundamental implementation differences
> > in the way Windows and Samba store linked attributes. Your DB is
> > likely fine (no corruptions).
>
> That is great to hear!
>
> > During replication (i.e. the join), Windows can sometimes send
> > linked attributes before Samba knows about the source/target
> > objects involved. As Andrew said, historically Samba has handled
> > this by silently dropping these links, which isn't ideal. So on
> > Samba 4.7, after the join succeeds, it's probably worth running
> > 'samba-tool drs replicate --full-sync' to make sure the new DC has
> > all the linked attributes.
>
> I ran "samba-tool drs replicate PHT-VDC1 PHT1 dc=example,dc=com
> --full-sync" and it returned "Replicate from PHT1 to PHT-VDC1 was
> successful".
>
> > In Samba 4.8, instead of dropping the link, we added code that used
> > the GET_TGT flag in the DRS message to force the Windows DC to send
> > all the link target objects. This meant Samba could successfully
> > process all the links. The problem is that the GET_TGT flag is a
> > reasonably new addition to the Windows protocol, and the code in
> > this case thinks it's not supported. GET_TGT (GETCHGREQ_V10) should
> > be supported in Windows Server 2008 R2 onwards - what version of
> > Windows are you running?
>
> Well based on your explanation above this problem makes perfect sense.
> The existing DC is sbs2008 which is running 2008 SP2. I guess I need
> to remember that anything older than 2008 R2 needs to start with 4.7
> until there is a better solution.
>
> > Rowland's idea of joining a 4.7 DC (and then doing a 'drs replicate
> > --full-sync'), then joining a 4.8 DC to the 4.7 DC should work. I'll
> > have a think what else we could do to handle this situation better.
>
> Would it make sense to add a warning to the wiki until there is a
> better solution?

If you can supply me with brief notes once you have everything working, I
will add something to the wiki.

Rowland
Edouard Gaulué
2018-Oct-16 16:52 UTC
[Samba] Problem joining a samba DC to a windows domain
Dear Community,

I can confirm this with Samba 4.8.6 to SBS2003. Is there anything done on
this trouble with 4.9?

Here is the situation:
 * SBS2003 : DC with all FSMO roles
 * 2008R2 : another DC with no roles but backup in case of trouble

I want to demote SBS2003 and to keep a backup (why not a samba one). So, I
mean to migrate all roles to 2008R2 and have a Linux machine as a backup.
What is your advice?

I've tried to join SBS2003 with Samba 4.7, but it didn't work because of
this: https://lists.samba.org/archive/samba/2018-February/214089.html

Regards,