Hi Andrew,

I just tested this on 4.10.7
Which resulted in:

ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join,
error: Not removing account DC1$ which looks like a Samba DC account matching the password we already have.
To override, remove secrets.ldb and secrets.tdb

The wiki does not say we have to remove the old secrets.

Report it as a bug? Or add the info on the wiki to remove the secrets files?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of gizmo via samba
> Sent: Monday, 26 August 2019 13:15
> To: samba at lists.samba.org
> Subject: Re: [Samba] Upgrading samba and OS - can I rejoin ?
>
> > But for practical, human-scale operations it is fine. We delete all
> > the other objects involved (server objects, DC objects etc). If
> > something isn't being cleaned up then that's a bug, a rejoin with the
> > same name is normal in Samba.
> >
> > I trust this clarifies things,
>
> Just to be 100% sure I got it, I can
>
> 1. stop all services on a DC
> 2. install a new OS and new samba version
> 3. join the DC with same name and IP again
>
> right ?
>
> thank you
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

I ran across this several times during my experimentation and assumed it is safe to remove secrets.*db.

Actually I would prefer if the tool would just prompt whether this is a rejoin attempt and then does whatever is needed to clean up.

Regards, Joachim

Hi Joachim,

Thank you for the quick reply. :-)

> -----Original message-----
> From: Joachim Lindenberg [mailto:samba at lindenberg.one]
> Sent: Monday, 26 August 2019 13:52
> To: 'L.P.H. van Belle'; 'Andrew Bartlett'
> CC: samba at lists.samba.org
> Subject: AW: [Samba] Upgrading samba and OS - can I rejoin ?
>
> I ran across this several times during my experimentation and
> assumed it is safe to remove secrets.*db.
>
> Actually I would prefer if the tool would just prompt whether
> this is a rejoin attempt and then does whatever is needed to clean up.

And yes, I agree also on this.
If a re-join is done, it should prompt us and it could easily detect the secret files and remove them.
Or it should detect the current secret files and then prompt for a re-join.
Or even better, detect the secret files, extract the "hostname" name from it, compare it with the current, then ask if it's a rejoin or re-name/re-install of the OS/samba.
If it's a rename/re-install, it should remove the older DNS and AD records also.

That could save some messages on the samba list, I think.

Greetz,

Louis

On Mon, 2019-08-26 at 13:52 +0200, Joachim Lindenberg via samba wrote:
> I ran across this several times during my experimentation and assumed it is safe to remove secrets.*db.
> Actually I would prefer if the tool would just prompt whether this is a rejoin attempt and then does whatever is needed to clean up.
> Regards, Joachim

I understand the desire, but an accidental rejoin is quite disruptive on a large domain (all the other DCs have to check that they have all the objects on the 'new' DC), so I would prefer to improve our exception handling to print this in a nicer way.

Also, we generally avoid unexpectedly prompting, it can cause automated scripts to hang forever or otherwise misbehave.

I hope this clarifies things,

Andrew Bartlett

--
Andrew Bartlett                              https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba

On Mon, 2019-08-26 at 13:43 +0200, L.P.H. van Belle wrote:
> Hi Andrew,
>
> I just tested this on 4.10.7
> Which resulted in:
>
> ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join,
> error: Not removing account DC1$ which looks like a Samba DC account matching the password we already have.
> To override, remove secrets.ldb and secrets.tdb
>
> The wiki does not say we have to remove the old secrets.
>
> Report it as a bug? Or add the info on the wiki to remove the secrets files?

In this case you have a fully operable account in the domain, it isn't a reinstall on a new OS with the same hostname. This is a safety measure.

Yes, documenting that in the wiki, explaining what it does, why and how to work around it (e.g. the instructions in the exception) would be a good idea.

In the long term, we would prefer to preserve the accounts and DC state (due to that invocationID issue I mentioned), but this requires finding someone to take up or sponsor that work.

Andrew Bartlett