> > Hi all,
> >
> > We have a Samba AD DC service running on Ubuntu 16.0.4 with Samba
> > 4.3.11. We are planning to upgrade it to a recent version, probably
> > 4.8.3.
> >
> > I think that I have two options:
> >
> > a) Package upgrade via 3rd party repositories (Louis Van Belle's repo)
> > by following the wiki.
> >
> > b) A fresh install of 4.8.3 on another VM, then join it to 4.3.11 as a
> > backup DC, then transfer all FSMO roles to the new one and finally
> > demote the older one.
> >
> > Since this is a production environment, I have to accomplish this task
> > transparently. Is there anyone out there who did the same task before?
> > I'll appreciate any advice regarding this.
> >
> > Thanks.
>
> I would go with option 'b', but it sounds like you only have one DC, I
> would also create a second DC. I would also ensure they were on
> different hardware, whether they are in VMs or not.
>
> Also, you should get out of calling DCs anything other than just a
> DC, all DCs are equal except for the FSMO roles and they can be on
> any DC.
>
> Rowland

I tried to join 4.8.2 (latest one at Louis Van Belle's repo) but I
got this error:

-----------------
ldc4# samba-tool domain join testdomain.org.tr DC -U"TESTDOMAIN\administrator" --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'testdomain.org.tr'
Found DC ldc1.testdomain.org.tr
Password for [TESTDOMAIN\administrator]:
workgroup is TESTDOMAIN
realm is testdomain.org.tr
Adding CN=LDC4,OU=Domain Controllers,DC=testdomain,DC=org,DC=tr
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=LDC4,OU=Domain Controllers,DC=testdomain,DC=org,DC=tr - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=LDC4,OU=Domain Controllers,DC=testdomain,DC=org,DC=tr> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 706, in run
    plaintext_secrets=plaintext_secrets)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1482, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1381, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 616, in join_add_objects

/etc/hosts:
10.220.1.19 ldc1.testdomain.org.tr ldc1
10.220.1.20 ldc2.testdomain.org.tr ldc2
10.220.1.22 ldc4.testdomain.org.tr ldc4

/etc/hostname:
ldc4
-----------------

I tested with "LDC3" hostname first, then changed the hostname to "LDC4"
after seeing a deleted DC record with the "LDC3" name:

# ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs --show-deleted | grep LDC3

But changing the hostname to "LDC4" didn't help either, as can be seen
above. I have the same issue with 4.7.6 (Ubuntu official).

I googled this "LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS" error during
the join operation. Some people had a similar problem but without a
solution.

---
Taner Tas
On Mon, 16 Jul 2018 08:03:22 +0000 (UTC)
Taner Tas <taner76 at gmail.com> wrote:

> [...]
>
> I tried to join 4.8.2 (latest one at Louis Van Belle's repo) but I
> got this error:
>
> [...]
> ERROR(ldb): uncaught exception - LDAP error 68
> LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../ldb_tdb/ldb_index.c:1216:
> Failed to re-index objectSid in CN=LDC4,OU=Domain
> Controllers,DC=testdomain,DC=org,DC=tr - ../ldb_tdb/ldb_index.c:1148:
> unique index violation on objectSid in CN=LDC4,OU=Domain
> Controllers,DC=testdomain,DC=org,DC=tr> <>
> [...]
>
> I googled this "LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS" error
> during the join operation. Some people had a similar problem but
> without a solution.
>
> ---
> Taner Tas

Have you tried checking the database (samba-tool dbcheck) and compared
the databases on the existing DCs?

You should also only have the 'new' DC's info in /etc/hosts; you should
rely on DNS for finding the other DCs, i.e. point /etc/resolv.conf at a DC.

You googled the wrong thing ;-)
If you had used 'unique index violation on objectSid', you might have
found this:

https://lists.samba.org/archive/samba/2016-June/200737.html

The problem isn't the name, it might be a RID.

Rowland
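Rowland's two suggestions, a dbcheck and a comparison of the databases on the existing DCs, can be turned into a scripted check. The following is an added example, not code from the Samba project or from anyone in this thread. It assumes that each DC has been dumped to LDIF with something like `ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs --show-deleted '(objectSid=*)' dn objectSid isDeleted`, that objectSid appears in its S-1-5-21-... string form as Samba's ldb tools print it for sam.ldb, and that the operator supplies the RID the target DC would allocate next (read from that DC's RID Set object; the script only takes it as a number). The two LDIF dumps in the block are constructed sample data. It goes a little beyond the thread's case in that it flags three conditions rather than one: a RID that a tombstone or live object still holds when the allocator would hand it out again (the "unique index violation on objectSid"), one SID bound to different objects on the two DCs, and SIDs that exist on one DC only.

```python
"""Spot objectSid/RID conflicts between two Samba DC dumps before a join.

Added example for this thread; not code from the Samba project or from anyone
in the thread. It assumes ldbsearch dumps of sam.ldb (see the lead-in) with
objectSid in S-1-5-21-... string form. The LDIF texts are constructed samples.
"""
import base64
import re
from collections import defaultdict

# Constructed tombstone DN: deleted objects carry "\nDEL:<guid>" in the RDN, so
# an LDIF writer must base64-encode the DN ("dn::"). The GUID is a placeholder.
DELETED_LDC3_DN = ("CN=LDC3\nDEL:00000000-0000-0000-0000-000000000001,"
                   "CN=Deleted Objects,DC=testdomain,DC=org,DC=tr")
_B64 = base64.b64encode(DELETED_LDC3_DN.encode()).decode()

# Constructed dump from DC one: two DCs, a tombstone still holding its SID,
# a user and a BUILTIN group (whose SID is not in the domain SID).
LDIF_DC1 = (
    "dn: CN=LDC1,OU=Domain Controllers,DC=testdomain,DC=org,DC=tr\n"
    "objectSid: S-1-5-21-1111-2222-3333-1000\n\n"
    "dn: CN=LDC2,OU=Domain Controllers,DC=testdomain,DC=org,DC=tr\n"
    "objectSid: S-1-5-21-1111-2222-3333-1001\n\n"
    "# tombstone of the first join attempt\n"
    f"dn:: {_B64[:40]}\n {_B64[40:]}\n"  # folded continuation line
    "objectSid: S-1-5-21-1111-2222-3333-1104\n"
    "isDeleted: TRUE\n\n"
    "dn: CN=alice,CN=Users,DC=testdomain,DC=org,DC=tr\n"
    "objectSid: S-1-5-21-1111-2222-3333-1105\n\n"
    "dn: CN=Administrators,CN=Builtin,DC=testdomain,DC=org,DC=tr\n"
    "objectSid: S-1-5-32-544\n"
)
# Constructed dump from DC two: the tombstone never replicated here, and RID
# 1105 was handed to a different object (a genuine SID collision).
LDIF_DC2 = (
    "dn: CN=LDC1,OU=Domain Controllers,DC=testdomain,DC=org,DC=tr\n"
    "objectSid: S-1-5-21-1111-2222-3333-1000\n\n"
    "dn: CN=LDC2,OU=Domain Controllers,DC=testdomain,DC=org,DC=tr\n"
    "objectSid: S-1-5-21-1111-2222-3333-1001\n\n"
    "dn: CN=bob,CN=Users,DC=testdomain,DC=org,DC=tr\n"
    "objectSid: S-1-5-21-1111-2222-3333-1105\n"
)
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def _store(record, line):
    """Store one unfolded LDIF line into record; "#" comment lines are skipped."""
    if line.startswith("#"):
        return
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):  # "attr:: <base64 value>"
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:                     # "attr: <value>"
        value = rest.strip()
    record.setdefault(attr.strip().lower(), []).append(value)


def parse_ldif(text):
    """Parse LDIF into records (dict: lowercased attr -> [values]); handles
    blank-line separators, comments, folded lines and base64 values."""
    records, current, logical = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and logical is not None:
            logical += raw[1:]        # continuation of the previous line
            continue
        if logical is not None:
            _store(current, logical)
            logical = None
        if raw == "":
            if current:
                records.append(current)
                current = {}
            continue
        logical = raw
    if logical is not None:
        _store(current, logical)
    if current:
        records.append(current)
    return records


def domain_rids(records):
    """Map RID -> [DNs] for every object whose objectSid lies in the domain SID."""
    by_rid = defaultdict(list)
    for rec in records:
        for sid in rec.get("objectsid", []):
            m = DOMAIN_SID_RE.match(sid)
            if m:
                by_rid[int(m.group(1))].append(rec["dn"][0])
    return by_rid


def compare_dcs(ldif_a, ldif_b, next_rid=None):
    """Report RID-level inconsistencies between two DC dumps. next_rid is the RID
    the target DC would allocate next (the operator reads it from the RID Set);
    a hit in "next_rid_in_use" is the condition behind a unique index violation
    on objectSid during join, e.g. after a snapshot rolled the RID Set back."""
    a, b = domain_rids(parse_ldif(ldif_a)), domain_rids(parse_ldif(ldif_b))
    return {
        "duplicate_in_a": {r: d for r, d in a.items() if len(d) > 1},  # broken index
        "duplicate_in_b": {r: d for r, d in b.items() if len(d) > 1},
        "dn_mismatch": {r: (a[r][0], b[r][0])                # same SID, other object
                        for r in sorted(a.keys() & b.keys()) if a[r][0] != b[r][0]},
        "only_in_a": sorted(a.keys() - b.keys()),            # replication drift
        "only_in_b": sorted(b.keys() - a.keys()),
        "highest_rid": max(list(a) + list(b), default=0),
        "next_rid_in_use": sorted(set(a.get(next_rid, []) + b.get(next_rid, []))),
    }
```

To run it against real DCs, replace LDIF_DC1 and LDIF_DC2 with the file contents of the two dumps and call compare_dcs(dump1, dump2, next_rid=N). A non-empty next_rid_in_use or dn_mismatch is what to resolve before joining another DC; a long only_in_a or only_in_b list means replication between the existing DCs has not converged, which is also worth settling first.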
>> [...]
>>
>> ---
>> Taner Tas
> Have you tried checking the database (samba-tool dbcheck) and compared
> the databases on the existing DCs?
>
> You should also only have the 'new' DC's info in /etc/hosts; you should
> rely on DNS for finding the other DCs, i.e. point /etc/resolv.conf at a DC.
>
> You googled the wrong thing ;-)
> If you had used 'unique index violation on objectSid', you might have
> found this:
>
> https://lists.samba.org/archive/samba/2016-June/200737.html
>
> The problem isn't the name, it might be a RID.
>
> Rowland

You are right. The problem was inconsistent VM snapshots that I was
using on my test setup, which were causing unstable behavior. I followed
the same steps with new VM snapshots and the join operation succeeded.
Now I have to do some tests on my test setup before and after demoting
the old ones.

---
Taner Tas