----- On Mar 1, 2019, at 3:35 AM, samba samba at lists.samba.org wrote:
>
> I wonder if this has anything to do with the 'you cannot upgrade
> directly from 4.7.x to 4.9.x' bug ?

I was not aware of this bug. Do you think I should scrap this upgrade and try again jumping like so? 4.0.6-12 -> 4.7 -> 4.8 -> 4.9

> I know this might seem strange, but try running ldbedit on your new DC.

"ldbedit -H ldap://dc3 -UAdministrator" seemed to run without issue and let me modify an entry.

>
> Rowland

After running the ldbedit command, I checked the state of the DCs. "samba-tool dbcheck --cross-ncs" returned nothing on dc0; on dc3 it returned:

    Checking 6916 objects
    NOTE: old (due to rename or delete) DN string component for fromServer in object CN=6a8bca7c-3069-4ada-be59-100c970d59fd,CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
    Not fixing old string component
    NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=ee835988-3702-420f-a935-d12d8f977f47\0ADEL:adc1836d-adba-4785-8cd7-73065c3e6d53,CN=Deleted Objects,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
    Not fixing old string component
    NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=ab5dcd50-9fd9-4db7-bc59-e4f9b55fcbd7\0ADEL:0f50abd8-b289-412e-9ae6-4299bbe06d66,CN=Deleted Objects,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
    Not fixing old string component
    NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=9ea6a27c-ae95-4fac-a00f-33ea2c2a9dab\0ADEL:bff63288-ef7b-4b1a-8cad-74f4c88db301,CN=Deleted Objects,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
    Not fixing old string component
    NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=5d421d22-2216-4475-beb2-8cc46a514cb9\0ADEL:323679f7-d893-451e-ab10-3d8e08e05843,CN=Deleted Objects,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
    Not fixing old string component
    NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=2d38127c-7f95-42f7-aaf2-a42f86d54aab\0ADEL:27e13ab1-9930-4363-9d56-2704f275eed3,CN=Deleted Objects,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
    Not fixing old string component
    NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=53c549bb-6964-4bbe-bd24-33f40c9ef5f3\0ADEL:1bc38396-2162-47d9-8780-29177548e208,CN=Deleted Objects,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
    Not fixing old string component
    Checked 6916 objects (0 errors)

Running "samba-tool dbcheck --cross-ncs --fix" removed these notes without issue and they did not show up on a subsequent run.

The "fromServer" object note is interesting as that was the attribute (and CN) listed as a difference in the ldapcmp. However, running "samba-tool ldapcmp dc0 dc3 configuration --filter=msDS-NcType,serverState,subrefs" still errors on the fromServer attribute.

Running "samba-tool drs kcc dc0" on dc3 still breaks with the DRS connection failure.

----- On Mar 1, 2019, at 9:20 AM, Mike Ray mray at xes-inc.com wrote:

> ----- On Mar 1, 2019, at 3:35 AM, samba samba at lists.samba.org wrote:
>>
>> I wonder if this has anything to do with the 'you cannot upgrade
>> directly from 4.7.x to 4.9.x' bug ?
>
>
> I was not aware of this bug. Do you think I should scrap this upgrade and try
> again jumping like so? 4.0.6-12 -> 4.7 -> 4.8 -> 4.9
>

Upgrading 4.0.6-12 -> 4.7 -> 4.8 -> 4.9 got me to 4.9 without any replication/ldapcmp errors.

However, since 4.8, domain members using winbind are unable to ID users.

wbinfo -u and wbinfo -g return just fine, but id does not. It seems that it cannot resolve SIDs though:

    wbinfo -S <sid>
    failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
    Could not convert sid <sid> to uid

My setup ran on 4.7 without issue.

    [global]
    netbios name = mray5
    realm = TEST.REALM
    workgroup = TEST
    preferred master = no
    security = ADS
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/%I
    max log size = 50
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind offline logon = Yes
    idmap config * : range = 3000 - 4000
    idmap config * : backend = tdb
    idmap config TEST : schema_mode = rfc2307
    idmap config TEST : backend = ad
    idmap config TEST : range = 9000 - 12000
    idmap config TEST : readonly = yes
    idmap config TEST : default = yes
    idmap cache time = 604800
    idmap negative cache time = 604800
    winbind cache time = 604800
    template shell = /bin/bash
    template homedir = /home/%U
    winbind nss info = rfc2307
    usershare path =

On Thu, 14 Mar 2019 16:56:17 -0500 (CDT) Mike Ray <mray at xes-inc.com> wrote:

> ----- On Mar 1, 2019, at 9:20 AM, Mike Ray mray at xes-inc.com wrote:
>
> > ----- On Mar 1, 2019, at 3:35 AM, samba samba at lists.samba.org
> > wrote:
> >>
> >> I wonder if this has anything to do with the 'you cannot upgrade
> >> directly from 4.7.x to 4.9.x' bug ?
> >
> >
> > I was not aware of this bug. Do you think I should scrap this
> > upgrade and try again jumping like so? 4.0.6-12 -> 4.7 -> 4.8 -> 4.9
> >
>
> Upgrading 4.0.6-12 -> 4.7 -> 4.8 -> 4.9 got me to 4.9 without any
> replication/ldapcmp errors.
>
> However, since 4.8, domain members using winbind are unable to ID
> users.
>
> wbinfo -u and wbinfo -g return just fine, but id does not. It seems
> that it cannot resolve SIDs though:
>
> wbinfo -S <sid>
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid <sid> to uid
>
>
>
> My setup ran on 4.7 without issue.

Well it might have, but it isn't correct ;-)

>
> [global]
> netbios name = mray5
> realm = TEST.REALM
> workgroup = TEST
> preferred master = no
> security = ADS
> encrypt passwords = yes
> log level = 3
> log file = /var/log/samba/%I
> max log size = 50
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nested groups = Yes
> winbind offline logon = Yes
> idmap config * : range = 3000 - 4000
> idmap config * : backend = tdb
> idmap config TEST : schema_mode = rfc2307
> idmap config TEST : backend = ad
> idmap config TEST : range = 9000 - 12000

Okay to here

> idmap config TEST : readonly = yes
> idmap config TEST : default = yes

I don't recognise those two lines and they are not in 'man idmap_ad'

> idmap cache time = 604800
> idmap negative cache time = 604800
> winbind cache time = 604800
> template shell = /bin/bash
> template homedir = /home/%U
> winbind nss info = rfc2307

The line above has been replaced by:

idmap config TEST : unix_nss_info = yes

> usershare path

Rowland
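
The points raised in the reply above, turned into a check that can be run over a domain member's smb.conf. This is an added example, not part of the thread and not Samba project code. The function names are hypothetical, the idmap_ad option set is an assumption to verify against your man page, and the range-overlap check goes beyond what the thread discusses.

```python
import re
from itertools import combinations
# Options in idmap_ad(8), Samba 4.6+ (assumption: check your man page).
IDMAP_AD_OPTIONS = {"backend", "range", "schema_mode",
                    "unix_primary_group", "unix_nss_info"}
IDMAP_KEY = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(.+)$", re.I)
# idmap-related lines as posted in the thread.
POSTED = """[global]
idmap config * : range = 3000 - 4000
idmap config * : backend = tdb
idmap config TEST : schema_mode = rfc2307
idmap config TEST : backend = ad
idmap config TEST : range = 9000 - 12000
idmap config TEST : readonly = yes
idmap config TEST : default = yes
winbind nss info = rfc2307
"""

def parse(text):
    """Split smb.conf text into {domain: {option: value}} and other keys."""
    idmap, plain = {}, {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # sections are merged: fine for a [global]-only file
        key, value = (p.strip() for p in line.split("=", 1))
        m = IDMAP_KEY.match(key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2).lower()] = value
        else:
            plain[" ".join(key.lower().split())] = value
    return idmap, plain

def lint_idmap(text):
    """Return sorted (domain, message) findings for the idmap settings."""
    idmap, plain = parse(text)
    out = []
    for dom, opts in idmap.items():
        if opts.get("backend", "").lower() != "ad":
            continue
        out += [(dom, f"'{o}' is not an idmap_ad option")
                for o in set(opts) - IDMAP_AD_OPTIONS]
        if "winbind nss info" in plain and "unix_nss_info" not in opts:
            out.append((dom, "use 'unix_nss_info = yes', not 'winbind nss info'"))
    spans = {d: [int(n) for n in o["range"].split("-")]
             for d, o in idmap.items() if "range" in o}
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(spans.items(), 2):
        if alo <= bhi and blo <= ahi:  # two ID ranges share at least one ID
            out.append((b, f"range overlaps '{a}'"))
    return sorted(out)
```

Calling lint_idmap(POSTED) reports the two unrecognised options and the replaced 'winbind nss info' line; a clean result only means these specific points pass, not that SID-to-UID resolution will work.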