Trenta sis
2019-Sep-17 10:52 UTC
[Samba] Samba 4.4 AD DC and GET_ANC restriction from Samba 4.5 DC joining (was: Re: Error join samba 4.10.7 to samba 4.4.5)
Hi,

About the duplicate issues warning during join, what can I do to find and solve these errors? I would like to investigate the source of this issue and solve these errors before the join.

Thanks

Message from Trenta sis <trenta.sis at gmail.com> on Tue, 10 Sep 2019 at 11:14:
>
> Hi,
>
> About duplicate issues warning during join, What I can do to find and
> solve this errors?
>
> Thanks
>
> Message from Trenta sis <trenta.sis at gmail.com> on Mon, 9 Sep 2019 at 15:53:
> >
> > Hi Andrew,
> >
> > thanks for your information, but I have some question, I'm not a samba
> > expert... Sorry!
> >
> > Not that issue, but a very well known one.
> >
> > The trouble is, Samba 4.4 was happy to get a tree like this:
> >
> >    X
> >   | |
> >   Y Z
> >
> > in an order like this:
> >
> > Step 1
> >
> >   Y
> >
> > Step 2
> >
> >   Y Z
> >
> > Step 3
> >    X
> >   | |
> >   Y Z
> >
> > As long as everything worked out in the end, it was fine. But this had
> > issues, so we patched it to instead demand the objects in tree order
> > (GET_ANC), but of course the server needs to know what that means.
> >
> > Samba 4.5 was, from memory, the first release we did that, but the
> > server, even with 4.4, didn't really know what that flag meant.
> >
> > It wasn't until much later, Samba 4.6 or so, when we finally got the
> > flag right, which of course gives problems upgrading from Samba 4.4.
> > (We would sort the current 'page' of replication entries, but not the
> > whole partition).
> >
> > We have continued to improve this code since, but that is the core.
> > The next issue is a flag called GET_TGT but that hurts much less often,
> > as we have a client-side workaround detecting that the server didn't
> > understand us.
> >
> > The workaround for you is to carefully touch each object such that the
> > children are modified after the parents. Or upgrade in-place that DC
> > and replicate from there. Both suck, I know.
> >
> > --> Not really sure where is the issue, but moved domain users to
> > CN=Users and now join from 4.10.7 to 4.4.5 and seems to work!! Great!!
> > Thanks!!!
> > During join some errors "duplicate value attribute CN=.." but I can
> > find what is duplicated, and some values that appears as duplicated
> > are not showed on RSAT tools, any suggestion how to solve this
> > issues?
> >
> > RFC2307, It seems that join has not added, I'll try to add manually
> > and also add some other config that are not added cert config
> >
> > Thanks
> >
> > Message from Andrew Bartlett <abartlet at samba.org> on Mon, 9 Sep 2019 at 11:14:
> > >
> > > On Mon, 2019-09-09 at 10:33 +0200, Trenta sis via samba wrote:
> > > > Hi,
> > > >
> > > > After reading wiki documentation about join I have tested to join a
> > > > second dc, but with problems.
> > > >
> > > > I need to add a second controller to our AD, and then upgrade existing
> > > > server (4.4.5) and I have tried to join a new DC 4.10.7 to 4.4.5
> > > > server but I receive join errors, attached output with and without
> > > > debug:
> > > > I have executed samba-tool dbcheck --cross-ncs all seems OK
> > > >
> > > > I have made a test upgrading actual 4.4.5 to 4.10.7 and then join
> > > > 4.10.7 to update DC to 4.10.7 and then works, but first I need to add a
> > > > second controller to ensure no downtime.
> > > >
> > > > some questions:
> > > > 1) Why I receive this error?
> > > > Replicating critical objects from the base DN of the domain
> > > > Partition[DC=DOMAIN-TEST,DC=com] objects[98/98] linked_values[762/0]
> > > > Missing parent while attempting to apply records: No parent with GUID
> > > > cdee5b31-365d-4c8f-9368-4115b6307a19 found for object remotely known as
> > > > CN=Domain Users,OU=Groups,DC=DOMAIN-TEST,DC=com
> > > > Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
> > > >
> > > > --> not sure if can be related with this issue:
> > > > https://bugzilla.samba.org/show_bug.cgi?id=13274
> > >
> > > Not that issue, but a very well known one.
> > >
> > > The trouble is, Samba 4.4 was happy to get a tree like this:
> > >
> > >    X
> > >   | |
> > >   Y Z
> > >
> > > in an order like this:
> > >
> > > Step 1
> > >
> > >   Y
> > >
> > > Step 2
> > >
> > >   Y Z
> > >
> > > Step 3
> > >    X
> > >   | |
> > >   Y Z
> > >
> > > As long as everything worked out in the end, it was fine. But this had
> > > issues, so we patched it to instead demand the objects in tree order
> > > (GET_ANC), but of course the server needs to know what that means.
> > >
> > > Samba 4.5 was, from memory, the first release we did that, but the
> > > server, even with 4.4, didn't really know what that flag meant.
> > >
> > > It wasn't until much later, Samba 4.6 or so, when we finally got the
> > > flag right, which of course gives problems upgrading from Samba 4.4.
> > > (We would sort the current 'page' of replication entries, but not the
> > > whole partition).
> > >
> > > We have continued to improve this code since, but that is the core.
> > > The next issue is a flag called GET_TGT but that hurts much less often,
> > > as we have a client-side workaround detecting that the server didn't
> > > understand us.
> > >
> > > The workaround for you is to carefully touch each object such that the
> > > children are modified after the parents. Or upgrade in-place that DC
> > > and replicate from there. Both suck, I know.
> > >
> > > > 2) About join in wiki appears
> > > > "
> > > > If the other DCs are Samba DCs and were provisioned with
> > > > --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 = yes'
> > > > to the join command
> > > > "
> > > >
> > > > But checking my command used to migrate from samba nt domain to our
> > > > actual ADDC domain this command was not used, but checking smb.conf
> > > > appears this:
> > > > idmap_ldb:use rfc2307 = yes
> > > >
> > > > But I'm not sure if I have to use --option='idmap_ldb:use rfc2307
> > > > yes' on join command
> > >
> > > Probably. But that isn't the big deal at this point.
> > >
> > > I hope this helps a little. We need to extend our wiki to explain this
> > > more I'm sure.
> > >
> > > I've CC'ed samba-technical for those there who might want to learn the
> > > history a bit more.
> > >
> > > Andrew Bartlett
> > >
> > > --
> > > Andrew Bartlett http://samba.org/~abartlet/
> > > Authentication Developer, Samba Team http://samba.org
> > > Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
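The ordering problem quoted above, as an added example that is not part of the thread and not Samba code: a simplified model in which a strict client rejects any object whose parent is not stored yet. It assumes the server streams objects in last-change (USN) order; the DNs, USN values and function names are constructed for illustration.

```python
from itertools import count

BASE = "DC=example,DC=com"  # constructed partition root, assumed already stored


class MissingParent(Exception):
    """Stands in for WERR_DS_DRA_MISSING_PARENT in this model."""


def parent_of(dn):
    # Naive split; fine for the constructed DNs below (no escaped commas).
    return dn.split(",", 1)[1]


def depth(dn):
    return dn.count(",")


def pages(ordered, size):
    return [ordered[i:i + size] for i in range(0, len(ordered), size)]


def usn_order(usns, size):
    """Server that ignores the flag: objects leave in last-change order."""
    return pages(sorted(usns, key=usns.get), size)


def page_sorted(usns, size):
    """Parents first inside each page only, not across the partition."""
    return [sorted(page, key=depth) for page in usn_order(usns, size)]


def tree_order(usns, size):
    """Parents first across the whole partition."""
    return pages(sorted(usns, key=lambda dn: (depth(dn), usns[dn])), size)


def strict_apply(stream):
    """Client that refuses an object whose parent is not stored yet."""
    stored = {BASE}
    for page in stream:
        for dn in page:
            if parent_of(dn) not in stored:
                raise MissingParent(dn)
            stored.add(dn)
    return stored


def lenient_apply(stream):
    """Client that only checks parents once everything has arrived."""
    stored = {BASE} | {dn for page in stream for dn in page}
    for dn in stored - {BASE}:
        if parent_of(dn) not in stored:
            raise MissingParent(dn)
    return stored


def touch_parents_first(usns):
    """The workaround: re-modify every object, parents before children."""
    fresh = count(max(usns.values()) + 1)
    return {dn: next(fresh) for dn in sorted(usns, key=depth)}


def outcome(apply, stream):
    try:
        apply(stream)
        return "ok"
    except MissingParent as exc:
        return "missing parent for " + str(exc)


# Constructed data: OU=Groups was last changed after its child.
USNS = {
    "OU=Groups," + BASE: 30,
    "CN=Domain Users,OU=Groups," + BASE: 10,
    "CN=Users," + BASE: 5,
    "CN=Administrator,CN=Users," + BASE: 20,
}

if __name__ == "__main__":
    print("lenient, USN order:", outcome(lenient_apply, usn_order(USNS, 2)))
    print("strict, USN order: ", outcome(strict_apply, usn_order(USNS, 2)))
    print("strict, page sort: ", outcome(strict_apply, page_sorted(USNS, 2)))
    print("strict, tree order:", outcome(strict_apply, tree_order(USNS, 2)))
    touched = touch_parents_first(USNS)
    print("strict, after touch:", outcome(strict_apply, usn_order(touched, 2)))
```

Sorting within a page does not help here because the parent OU arrives in the second page; only whole-partition ordering or re-touching the objects lets the strict client succeed.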
Rowland penny
2019-Sep-17 12:12 UTC
[Samba] Samba 4.4 AD DC and GET_ANC restriction from Samba 4.5 DC joining
On 17/09/2019 11:52, Trenta sis via samba wrote:
> Hi,
>
> About duplicate issues warning during join, What I can do to find and
> solve this errors?
> I like to investigate source of this issue and solve this errors before join

It might help if you can tell us what the 'duplicates' are, instead of giving us an offhand reference to them.

Rowland
Trenta sis
2019-Sep-19 07:49 UTC
[Samba] Samba 4.4 AD DC and GET_ANC restriction from Samba 4.5 DC joining (was: Re: Error join samba 4.10.7 to samba 4.4.5)
Hi,

Sorry, the error is:

ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=server,OU=servers,DC=DOMIAN,DC=COM for index on servicePrincipalNAme, duplicate og objectGUID 931a3f57-1062-423e-9488-695700b197b0 in @INDEX:SERVICEPRINCIPALNAME:WSMAN/OLD-SERVER

There are multiple errors like this during join.

Not sure where the issue is and how to solve it? With this error, is the join correct and are both Samba servers usable?

Thanks

Message from Trenta sis <trenta.sis at gmail.com> on Tue, 17 Sep 2019 at 12:52:
>
> Hi,
>
> About duplicate issues warning during join, What I can do to find and
> solve this errors?
> I like to investigate source of this issue and solve this errors before join
>
> Thanks
On Thu, 2019-09-19 at 09:49 +0200, Trenta sis via samba wrote:
> hi
> Sorry, error is
>
> ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in
> CN=server,OU=servers,DC=DOMIAN,DC=COM for index on
> servicePrincipalNAme, duplicate og objectGUID
> 931a3f57-1062-423e-9488-695700b197b0 in
> @INDEX:SERVICEPRINCIPALNAME:WSMAN/OLD-SERVER
>
> multiple errors like this during join.
>
> Not sure where is the issue and how to solve?
> With this error join is correct and both samba are usable?
>
> thanks

This is actually just a warning, not a fatal error.

We are working to prevent this, see:
https://gitlab.com/samba-team/samba/merge_requests/698

Just edit the record and ensure that they are case-wise unique when you have finished.

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
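One way to find the values the reply above says to make case-wise unique, as an added example that is not part of the thread and not Samba code: it reads LDIF text (the format ldbsearch prints) and lists, per record, servicePrincipalName values that differ only in case. The sample LDIF, DNs and function names are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample; the line starting with one space is an LDIF continuation.
SAMPLE_LDIF = """# record 1
dn: CN=server,OU=servers,DC=example,DC=com
servicePrincipalName: HOST/server.example.com
servicePrincipalName: WSMAN/old-server
servicePrincipalName: WSMAN/OLD-SERVER
servicePrincipalName: TERMSRV/server.example.
 com

# record 2
dn: CN=other,OU=servers,DC=example,DC=com
servicePrincipalName: HOST/other
servicePrincipalName:: SE9TVC9PVEhFUg==

# returned 2 records
"""


def unfold(ldif_text):
    """Join LDIF continuation lines onto the line they continue."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_records(ldif_text):
    """Return [(dn, {attribute_lowercase: [values]})] for each record."""
    records, dn, attrs = [], None, defaultdict(list)
    for line in unfold(ldif_text) + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if dn is not None:
                records.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return records


def casewise_duplicates(records, attr="servicePrincipalName"):
    """Return {dn: [[values equal when case is ignored], ...]}."""
    findings = {}
    for dn, attrs in records:
        groups = defaultdict(list)
        for value in attrs.get(attr.lower(), []):
            # Upper-cased key, like the @INDEX key shown in the warning.
            groups[value.upper()].append(value)
        clashes = [vals for vals in groups.values() if len(vals) > 1]
        if clashes:
            findings[dn] = clashes
    return findings


if __name__ == "__main__":
    for dn, clashes in casewise_duplicates(parse_records(SAMPLE_LDIF)).items():
        for values in clashes:
            print(dn, "->", " == ".join(values))
```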