Rowland Penny
2020-May-26 08:27 UTC
[Samba] Failed to commit objects: DOS code 0x000021bf attempting to add DC to Zentyal 3.2 domain (samba 4.1.7)
On 25/05/2020 23:08, Andrew Bartlett via samba wrote:
> On Mon, 2020-05-25 at 17:45 -0400, Rich Webb via samba wrote:
>> ----- On May 25, 2020, at 5:22 PM, Andrew Bartlett abartlet at samba.org wrote:
>>
>>> On Mon, 2020-05-25 at 10:26 -0400, Rich Webb via samba wrote:
>>>> ----- On May 24, 2020, at 11:30 PM, samba samba at lists.samba.org wrote:
>>>>
>>>>> On Sun, 2020-05-24 at 23:01 -0400, Rich Webb via samba wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I'm attempting to join a new samba 4 server version 4.12.3 to an
>>>>>> existing samba 4 domain running on Zentyal 3.2 (samba version
>>>>>> 4.1.7).
>>>>>>
>>>>>> I'm getting the error in the subject line: Failed to commit
>>>>>> objects: DOS code 0x000021bf
>>>>> If you turn up the log level is there more information? (eg -d4)?
>>>>>
>>>>> But yes, Samba 4.1.7 is before we fixed a number of issues in the
>>>>> replication protocol, and I'm not surprised you have issues.
>>>>>
>>>>> Andrew Bartlett
>>>>>
>>>>> --
>>>> Also I am currently using 4.10.15 as I tried to backrev to a version
>>>> that would join properly. The -d4 produced a ton of output... Let me
>>>> know if you need more but here are the final pieces that would likely
>>>> give a clue. I have no idea what mail-fs1 is.. that may have been an
>>>> old host name possibly left hanging around in DNS? The DC's name is
>>>> fs1:
>>>>
>>>> Missing parent while attempting to apply records: No parent with GUID
>>>> fe34e0f7-7c0d-415d-af6e-d564e2b1cdb4 found for object remotely known
>>>> as CN=mail-fs1,OU=Kerberos,DC=tca,DC=local
>>>>
>>>> ERROR(runtime): uncaught exception - (8460, "Failed to process
>>>> 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
>>> Thanks, this gives us the information we need.
>>>
>>> What has happened here is that Samba 4.1, indeed all Samba versions
>>> sort the returned results by the order of last change. However, before
>>> 4.4 did not know about the GET_ANC flag, to sort the results tree-wise,
>>> which we need in this situation, so we can find the parent objects
>>> before we replicate the children.
>>>
>>> This means that, to replicate from Samba 4.1, you need to carefully
>>> change an unimportant attribute in all the child objects of OU=Kerberos
>>> 'later' than the last change of OU=Kerberos itself.
>>>
>>> The only other alternative is an in-place upgrade, so the sending Samba
>>> version gains this capability.
>>>
>>> If this makes sense, then have a go. Otherwise (or if this is a large
>>> or critical network) this might be a job for a commercial support
>>> provider who will probably write a script to assist.
>>>
>>> How big is your domain?
>>>
>>> (Dreaming, with unlimited development time I would love to have Samba
>>> cope with this natively, by sorting the results on the new DC and using
>>> REPL_SINGLE_OBJECT to fill in the gaps, but this is a much bigger
>>> task).
>>>
>>> I hope this gives you a way forward.
>>>
>>> Andrew Bartlett
>> Not a huge domain - maybe 8 users or so. When you say in place
>> upgrade are you talking about upgrading Zentyal so that Samba gets
>> upgraded to at least 4.5 or above?
> Yes, or Samba on the Zentyal appliance - even if built manually and
> just pointed at the right directories (after forcefully disabling the
> installed Samba). I'm not sure how well a modern Samba would build
> there, you might have to build 4.5.
>
> But if just 8 users, the simplest approach might be to just make your
> domain as 'flat' as possible then try replication again, and fix it up
> later.
>
> All the best,
>
> Andrew Bartlett
>

Sorry Andrew, but I do not agree, in my opinion the best option would be to start again. With only 8 users (and presumably a similar number of computers), it will be quicker and easier to create a new domain.

Zentyal 3.2 is based on Ubuntu 12.04, so I am unsure whether 4.5 will build on it, even if it does, there is still the problem of the early dns schema.

The amount of work involved in getting the Zentyal domain upgraded will be far more than setting up a new domain.

Rowland
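
The ordering problem Andrew Bartlett describes in the reply quoted above, as an added example that is not part of the thread and is not Samba code: a small Python model in which a sender without GET_ANC delivers objects in order of last change, and a top-down tree walk lists which children need an attribute touched so they are changed later than their parent. The USNs, the `guid-*` labels and CN=Staff are constructed; the other DNs and the Kerberos GUID come from the thread.

```python
from dataclasses import dataclass

@dataclass
class Obj:
    dn: str
    guid: str
    parent: str  # GUID of the parent object
    usn: int     # USN of the object's last change

def replicate(objs, known):
    """Apply objects in last-change (USN) order, as a sender without GET_ANC
    delivers them. Return the DN that hits a missing parent, else None."""
    seen = set(known)
    for o in sorted(objs, key=lambda o: o.usn):
        if o.parent not in seen:
            return o.dn  # receiver aborts: WERR_DS_DRA_MISSING_PARENT
        seen.add(o.guid)
    return None

def touch_plan(objs, known):
    """Walk the tree top-down; any child last changed before its parent gets
    a fresh USN (a harmless attribute change). Return (DNs to touch, result)."""
    by_parent = {}
    for o in objs:
        by_parent.setdefault(o.parent, []).append(o)
    next_usn = max(o.usn for o in objs) + 1
    plan, result = [], []
    stack = [(g, 0) for g in known]  # (GUID, USN of its last change)
    while stack:
        pguid, pusn = stack.pop()
        for o in by_parent.get(pguid, []):
            usn = o.usn
            if usn < pusn:  # older than parent, so it would arrive first
                usn, next_usn = next_usn, next_usn + 1
                plan.append(o.dn)
            result.append(Obj(o.dn, o.guid, o.parent, usn))
            stack.append((o.guid, usn))
    return plan, result

# Constructed sample: USNs, the "guid-*" labels and CN=Staff are made up; the
# other DNs and the Kerberos GUID are taken from the thread.
ROOT, KRB = "guid-root", "fe34e0f7-7c0d-415d-af6e-d564e2b1cdb4"
SAMPLE = [
    Obj("OU=Kerberos,DC=tca,DC=local", KRB, ROOT, 5000),
    Obj("CN=mail-fs1,OU=Kerberos,DC=tca,DC=local", "guid-mail-fs1", KRB, 1200),
    Obj("OU=Groups,DC=tca,DC=local", "guid-groups", ROOT, 900),
    Obj("CN=Staff,OU=Groups,DC=tca,DC=local", "guid-staff", "guid-groups", 950),
]
```

With this sample, `replicate(SAMPLE, [ROOT])` stops at CN=mail-fs1, and replaying the objects returned by `touch_plan` applies cleanly because OU=Kerberos now sorts ahead of its child.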
Rich Webb
2020-May-26 12:16 UTC
[Samba] Failed to commit objects: DOS code 0x000021bf attempting to add DC to Zentyal 3.2 domain (samba 4.1.7)
----- On May 26, 2020, at 4:27 AM, Rowland Penny rpenny at samba.org wrote:

>>> Not a huge domain - maybe 8 users or so. When you say in place
>>> upgrade are you talking about upgrading Zentyal so that Samba gets
>>> upgraded to at least 4.5 or above?
>> Yes, or Samba on the Zentyal appliance - even if built manually and
>> just pointed at the right directories (after forcefully disabling the
>> installed Samba). I'm not sure how well a modern Samba would build
>> there, you might have to build 4.5.
>>
>> But if just 8 users, the simplest approach might be to just make your
>> domain as 'flat' as possible then try replication again, and fix it up
>> later.
>>
>> All the best,
>>
>> Andrew Bartlett
>>
> Sorry Andrew, but I do not agree, in my opinion the best option would be
> to start again. With only 8 users (and presumably a similar number of
> computers), it will be quicker and easier to create a new domain.
>
> Zentyal 3.2 is based on Ubuntu 12.04, so I am unsure whether 4.5 will
> build on it, even if it does, there is still the problem of the early
> dns schema.
>
> The amount of work involved in getting the Zentyal domain upgraded will
> be far more than setting up a new domain.
>
> Rowland

There are other factors outside of the domain migration to take into consideration as well. If I rebuild the domain I have to physically go there because to remotely disjoin/rejoin the windows stations, although it can be done, it would be better to be onsite if issues arise. Next, they have a windows server running some complicated software that is joined to this domain so not keen on disjoining/rejoining that server as I don't know what havoc it would create with some very touchy apps.

I have a post into the zentyal forums to find out if there is a clean migration path to their 6.x version.. so far nobody has responded. I will give it a while and see if someone answers. I don't know what Samba version their 6.x product uses but it is very likely higher than 4.5.

Doing this remotely in off-hours is appealing because I can do it from my home so I can afford to spend some extra "free" time as long as I am careful with VMWare snapshots so I can undo disaster if it occurs :)

Andrew, what did you mean "as flat as possible"? I have very little as far as objects in the AD database.. mainly users and if DNS is integrated, DNS entries. Also not a lot of structure as far as OUs and whatnot.
Rowland Penny
2020-May-26 12:39 UTC
[Samba] Failed to commit objects: DOS code 0x000021bf attempting to add DC to Zentyal 3.2 domain (samba 4.1.7)
On 26/05/2020 13:16, Rich Webb via samba wrote:
> ----- On May 26, 2020, at 4:27 AM, Rowland Penny rpenny at samba.org wrote:
>>>> Not a huge domain - maybe 8 users or so. When you say in place
>>>> upgrade are you talking about upgrading Zentyal so that Samba gets
>>>> upgraded to at least 4.5 or above?
>>> Yes, or Samba on the Zentyal appliance - even if built manually and
>>> just pointed at the right directories (after forcefully disabling the
>>> installed Samba). I'm not sure how well a modern Samba would build
>>> there, you might have to build 4.5.
>>>
>>> But if just 8 users, the simplest approach might be to just make your
>>> domain as 'flat' as possible then try replication again, and fix it up
>>> later.
>>>
>>> All the best,
>>>
>>> Andrew Bartlett
>>>
>> Sorry Andrew, but I do not agree, in my opinion the best option would be
>> to start again. With only 8 users (and presumably a similar number of
>> computers), it will be quicker and easier to create a new domain.
>>
>> Zentyal 3.2 is based on Ubuntu 12.04, so I am unsure whether 4.5 will
>> build on it, even if it does, there is still the problem of the early
>> dns schema.
>>
>> The amount of work involved in getting the Zentyal domain upgraded will
>> be far more than setting up a new domain.
>>
>> Rowland
> There are other factors outside of the domain migration to take into
> consideration as well. If I rebuild the domain I have to physically go
> there because to remotely disjoin/rejoin the windows stations, although
> it can be done, it would be better to be onsite if issues arise. Next,
> they have a windows server running some complicated software that is
> joined to this domain so not keen on disjoining/rejoining that server as
> I don't know what havoc it would create with some very touchy apps.

Ahh, what with my crystal ball being on the fritz, I didn't know that :D

>
> I have a post into the zentyal forums to find out if there is a clean
> migration path to their 6.x version.. so far nobody has responded. I
> will give it a while and see if someone answers. I don't know what Samba
> version their 6.x product uses but it is very likely higher than 4.5.

If Zentyal do have an upgrade path, then this will be the way to go, but I think it might entail upgrading to the next major Zentyal version, version by version.

>
> Doing this remotely in off-hours is appealing because I can do it from
> my home so I can afford to spend some extra "free" time as long as I am
> careful with VMWare snapshots so I can undo disaster if it occurs :)
>
> Andrew, what did you mean "as flat as possible"? I have very little as
> far as objects in the AD database.. mainly users and if DNS is
> integrated, DNS entries. Also not a lot of structure as far as OUs and
> whatnot.

I think he means fixing any problems in the AD db, remove any unnecessary objects, that sort of thing, but you do have at least two extra OU's, OU=Kerberos and OU=Groups, both off the base.

The DNS is integrated, but it isn't the version used now, see here for more info:

https://support.microsoft.com/en-gb/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application

Rowland