samba - Aug 2020 - Network rebuild advice needed

Yeah, I already tried that, to no avail.

I finally had some modicum of success.

Switched everything off except one server, then restored that from June and
was able to then build a new server and join it to the domain. And
everything was peachy.

Except the original server has some stupid zentyal issues which no one on
the zentyal boards can help me fix and when I then demoted the original
(zentyal) server and rebuilt it then tried to rejoin, it couldn't see the
other server I'd built.

4 hours later, bind configured, forward and reverse zones created, and the
windows clients can't see it.

So... back to the restore I went and now I'm going to sleep on it and see
if I can work out some way tomorrow to get things working so I can wipe
these stupid zentyal boxes and build them myself.

Thank you guys for your help... but a small nuke detonated between the
servers followed by me disappearing off to that desert island seems more
and more likely.

On Sat, Aug 29, 2020, 10:18 PM Andrew Bartlett <abartlet at samba.org>
wrote:
> You have a duplicate RID pool, so the RIDs that it thinks it can
> allocate are already allocated.  dbcheck on Samba 4.5 and later (so
> should work for your 4.7) can fix that.
>
> Run that on the source server locally.
>
> Andrew Bartlett
>
> On Sat, 2020-08-29 at 17:42 -0700, Peter Pollock wrote:
> > Tried the join. Failed to find a writeable DC
> > Tried with --server and gave it the name of one of the servers. No
luck
> >
> > Tried a different server and....
> >
> > itadmin at dc2020:/run/samba$ samba-tool domain join kcs.local DC
> -U"KCS\domainadmin" --dns-backend=SAMBA_INTE
> RNAL --server "luke.kcs.local"
> > Password for [KCS\domainadmin]:
> > INFO 2020-08-30 00:37:08,420 pid:175166
> /usr/lib/python3/dist-packages/samba/join.py #1542: workgroup is KCS
> > INFO 2020-08-30 00:37:08,420 pid:175166
> /usr/lib/python3/dist-packages/samba/join.py #1545: realm is kcs.local
> > Adding CN=DC2020,OU=Domain Controllers,DC=kcs,DC=local
> > Join failed - cleaning up
> > ERROR(ldb): uncaught exception - LDAP error 68
LDAP_ENTRY_ALREADY_EXISTS
> -  <00002071: ../ldb_tdb/ldb_index                            .c:1339:
> Failed to re-index objectSid in CN=DC2020,OU=Domain
> Controllers,DC=kcs,DC=local - ../ldb_tdb/ldb_i
> ndex.c:1259: unique index violation on objectSid in CN=DC2020,OU=Domain
> Controllers,DC=kcs,DC=local> <>
> >   File
"/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
> 186, in _run
> >     return self.run(*args, **kwargs)
> >   File
"/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line
> 701, in run
> >     join_DC(logger=logger, server=server, creds=creds, lp=lp,
> domain=domain,
> >   File "/usr/lib/python3/dist-packages/samba/join.py", line
1558, in
> join_DC
> >     ctx.do_join()
> >   File "/usr/lib/python3/dist-packages/samba/join.py", line
1446, in
> do_join
> >     ctx.join_add_objects()
> >   File "/usr/lib/python3/dist-packages/samba/join.py", line
654, in
> join_add_objects
> >     ctx.samdb.add(rec, controls=controls)
> >
> > Does the world just hate me?
> >
> > On Sat, Aug 29, 2020 at 5:35 PM Andrew Bartlett <abartlet at
samba.org>
> wrote:
> > > A join might be all your need, but given the source version you
can't
> > > do an offline backup, so I would then see if you can use our
online
> > > backup tool, then restore from there.
> > >
> > > Andrew Bartlett
> > >
> > > On Sat, 2020-08-29 at 17:02 -0700, Peter Pollock wrote:
> > > > Of course, it seems we are running Samba 4.7.6-Ubuntu.
> > > >
> > > > Great.
> > > >
> > > > The biggest regret of my last few years is that we are also
running
> Zentyal, which I am desperate to get rid of.
> > > >
> > > > I'm trying to build a new server with the latest Samba
and join that
> to the domain to see if I can get a good copy of the database, then wipe
> the other servers and rebuild them from scratch
> > > >
> > > > On Sat, Aug 29, 2020 at 3:04 PM Andrew Bartlett <abartlet
at samba.org>
> wrote:
> > > > > Given the situation in the world today, I would agree a
desert
> island
> > > > > sounds ideal.
> > > > >
> > > > > However I think there is hope for your network, so you
can run
> away in
> > > > > peace.
> > > > >
> > > > > First, you have not said which Samba versions you are
using, so the
> > > > > advise below is a bit generic.
> > > > >
> > > > > If my network was behaving like this I would use
Samba's backup
> tools
> > > > > to make a backup, and start again with the restored
domain, again
> using
> > > > > our restore tools.  The restore will manage the FSMO
roles and
> clean up
> > > > > pile of stuff as part of removing the other domain
controllers.
> > > > >
> > > > > samba-tool domain backup
> > > > > samba-tool domain restore
> > > > >
> > > > > There are offline and online backup options, I would
try both and
> see
> > > > > which works given the situations you are in.
> > > > >
> > > > > Also, the schema should be fixable.  We have tools to
load a new
> schema
> > > > > into Samba - you might be missing the schema file
> > > > >
> > > > >
source4/setup/adprep/samba-4.7-missing-for-schema45.ldif
> > > > >
> > > > > This is in the tarball (but not installed, a bug) and
consists of
> the
> > > > > difference between the schema we had and the schema we
claimed to
> have
> > > > > as schema version 45.
> > > > >
> > > > > In terms of the permissions, you may have lost
idmap.ldb, so the
> > > > > mapping between unix uids and Samba SIDs would be
scrambled.  Do
> note
> > > > > that this is not replicated either.
> > > > >
> > > > > I hope these suggestions help.
> > > > >
> > > > > Andrew Bartlett
> > > > >
> > > > > On Sat, 2020-08-29 at 14:44 -0700, Peter Pollock via
samba wrote:
> > > > > > Thank you for your assistance.
> > > > > >
> > > > > > Turns out everything is really really screwed up
and I can't
> even add
> > > > > > a DC
> > > > > > right now. I thought I had added a third and it
seemed to be
> > > > > > replicating
> > > > > > but now the other two won't recognize it as a
DC.
> > > > > >
> > > > > > I'm so deep in this hole right now I'm
considering nuking the
> whole
> > > > > > thing,
> > > > > > quitting my job and moving to a desert island. It
seriously
> couldn't
> > > > > > make
> > > > > > it any worse.
> > > > > >
> > > > > > On Sun, Aug 16, 2020 at 11:39 PM Rowland penny via
samba <
> > > > > > samba at lists.samba.org> wrote:
> > > > > >
> > > > > > > On 17/08/2020 04:21, Peter Pollock via samba
wrote:
> > > > > > > > So I screwed up my AD.
> > > > > > > >
> > > > > > > > At some point a Windows 2019 server was
attempted to be
> added and
> > > > > > > > it
> > > > > > >
> > > > > > > messed
> > > > > > > > the schema up.
> > > > > > > >
> > > > > > > > That server was removed and ceremonially
burned in the fire
> pit
> > > > > > > > but I
> > > > > > > > couldn't fix the issues that had
arisen, so I restored both
> of
> > > > > > > > the
> > > > > > >
> > > > > > > original
> > > > > > > > Samba DC's from backups
> > > > > > >
> > > > > > > That is probably where your main problems
start, you should
> never
> > > > > > > restore an individual DC, you only restore a
domain. You
> restored
> > > > > > > two
> > > > > > > DC's from backups, were the backups taken
at exactly the same
> time
> > > > > > > ?
> > > > > > >
> > > > > > > What you should have done was, restore one
DC, seize all FSMO
> roles
> > > > > > > to
> > > > > > > this DC, forcibly demote any other DC's
and then clean up the
> other
> > > > > > > DC's
> > > > > > > and rejoined them to the domain as new
DC's
> > > > > > >
> > > > > > > > and everything LOOKS OK on the surface,
but they're
> > > > > > > > not replicating and for some reason some
of the permissions
> on
> > > > > > > > the drive
> > > > > > > > containing the home folders got changed
even though the
> restore
> > > > > > > > had
> > > > > > >
> > > > > > > nothing
> > > > > > > > to do with that drive... and there are
other weird issues,
> like
> > > > > > > > the
> > > > > > >
> > > > > > > windows
> > > > > > > > computers trying to log on randomly say
there is no trust
> > > > > > > > relationship
> > > > > > > > between them and the domain.
> > > > > > > >
> > > > > > > > It's all weird and I can't work
out how to fix any of it.
> > > > > > > >
> > > > > > > > I built a new DC (DC3) and that
initially got a copy of
> > > > > > > > everything from
> > > > > > >
> > > > > > > one
> > > > > > > > of the original DC's but after that
they won't replicate to
> it.
> > > > > > > > It can
> > > > > > > > replicate outbound with both of the
other DC's but not
> inbound
> > > > > > > > and DC1
> > > > > > >
> > > > > > > and
> > > > > > > > DC2 won't replicate with each other
at all.
> > > > > > > >
> > > > > > > > We are a small school and have virtually
zero budget (latest
> DC
> > > > > > > > is built
> > > > > > >
> > > > > > > on
> > > > > > > > an old desktop, so it can't stay
around forever) but I've
> managed
> > > > > > > > to get
> > > > > > > > funding for a new server, which might
help.
> > > > > > > >
> > > > > > > > One of my big problems is that we only
have (or had) 2
> servers. I
> > > > > > >
> > > > > > > couldn't
> > > > > > > > risk not having a backup DC so I built
them both as samba
> DC's -
> > > > > > > > but one
> > > > > > >
> > > > > > > is
> > > > > > > > also the fileserver. (I know, fileserves
shouldn't be DC's
> but I
> > > > > > > > didn't
> > > > > > > > have much choice).
> > > > > > > >
> > > > > > > > I don't know how to fix the problems
and have decided I
> probably
> > > > > > > > need to
> > > > > > > > rebuild both of the problem servers from
scratch, but my
> > > > > > > > understanding is
> > > > > > > > that if I do that, I have to demote them
then rebuild them
> with
> > > > > > > > different
> > > > > > > > names so the AD doesn't get
confused. Is that right?
> > > > > > >
> > > > > > > You can re-use the names, but you must ensure
the DC is fully
> > > > > > > demoted
> > > > > > > and cleaned up before the join.
> > > > > > > >
> > > > > > > > My issue there is the shares on the
fileserver. All the
> windows
> > > > > > > > drive
> > > > > > > > mappings on the client machines are to
\\dc02\sharename  -
> and
> > > > > > > > they won't
> > > > > > > > work any more if I rebuild with a
different server name. Is
> there
> > > > > > > > a way
> > > > > > >
> > > > > > > to
> > > > > > > > migrate them across?
> > > > > > > >
> > > > > > > > My fear is also that there is something
screwy with the
> schema
> > > > > > > > even now
> > > > > > >
> > > > > > > and
> > > > > > > > just rebuilding won't fix that so
I'm wondering if I should
> start
> > > > > > > > again
> > > > > > > > from scratch with a completely new
domain, somehow import
> all the
> > > > > > > > user
> > > > > > > > details and go around manually rejoining
all the
> workstations.
> > > > > > >
> > > > > > > If you have a backup from before the Windows
2019 DC was
> joined,
> > > > > > > you
> > > > > > > should be able to fix this, but you will lose
any changes made
> to
> > > > > > > AD
> > > > > > > after the backup was made.
> > > > > > > >
> > > > > > > > I'm looking for advice here. I know
I've messed up bad but I
> have
> > > > > > > > to try
> > > > > > >
> > > > > > > to
> > > > > > > > fix it, although that's hard because
now school is back in
> > > > > > > > session I
> > > > > > >
> > > > > > > can't
> > > > > > > > do anything during the day, partly
because I'm teaching and
> > > > > > > > partly
> > > > > > >
> > > > > > > because
> > > > > > > > the teachers rely on the network for
their teaching. I'm
> going to
> > > > > > > > take
> > > > > > >
> > > > > > > the
> > > > > > > > school offline in a couple of weeks for
an entire weekend to
> fix
> > > > > > > > this
> > > > > > > > nonsense... I just don't know what
the best way to go about
> > > > > > > > fixing it is?
> > > > > > >
> > > > > > > It sounds like you now have three machines to
use, perhaps use
> one
> > > > > > > as a
> > > > > > > Unix domain member running as a fileserver
and the other two as
> > > > > > > DC's.
> > > > > > >
> > > > > > > Rowland
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > To unsubscribe from this list go to the
following URL and read
> the
> > > > > > > instructions: 
https://lists.samba.org/mailman/options/samba
> > > > > > >
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
>

On 30/08/2020 10:57, Peter Pollock wrote:
> Yeah, I already tried that, to no avail.
>
> I finally had some modicum of success.
>
> Switched everything off except one server, then restored that from 
> June and was able to then build a new server and join it to the 
> domain. And everything was peachy.
>
> Except the original server has some stupid zentyal issues which no one 
> on the zentyal boards can help me fix and when I then demoted the 
> original (zentyal) server and rebuilt it then tried to rejoin, it 
> couldn't see the other server I'd built.
>
> 4 hours later, bind configured, forward and reverse zones created, and 
> the windows clients can't see it.
>
> So... back to the restore I went and now I'm going to sleep on it and 
> see if I can work out some way tomorrow to get things working so I can 
> wipe these stupid zentyal boxes and build them myself.
>
> Thank you guys for your help... but a small nuke detonated between the 
> servers followed by me disappearing off to that desert island seems 
> more and more likely.
What version of zentyal ? and what version of Samba was it sat on top of ?

Rowland

I upgraded zentyal as far as 6.1 before it stopped upgrading (it won't save
changes any more either, so I can't change almost anything) sitting on
Samba 4.7

On Sun, Aug 30, 2020, 3:14 AM Rowland penny via samba <samba at
lists.samba.org>
wrote:
> On 30/08/2020 10:57, Peter Pollock wrote:
> > Yeah, I already tried that, to no avail.
> >
> > I finally had some modicum of success.
> >
> > Switched everything off except one server, then restored that from
> > June and was able to then build a new server and join it to the
> > domain. And everything was peachy.
> >
> > Except the original server has some stupid zentyal issues which no one
> > on the zentyal boards can help me fix and when I then demoted the
> > original (zentyal) server and rebuilt it then tried to rejoin, it
> > couldn't see the other server I'd built.
> >
> > 4 hours later, bind configured, forward and reverse zones created, and
> > the windows clients can't see it.
> >
> > So... back to the restore I went and now I'm going to sleep on it
and
> > see if I can work out some way tomorrow to get things working so I can
> > wipe these stupid zentyal boxes and build them myself.
> >
> > Thank you guys for your help... but a small nuke detonated between the
> > servers followed by me disappearing off to that desert island seems
> > more and more likely.
>
> What version of zentyal ? and what version of Samba was it sat on top of ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Sun, 2020-08-30 at 02:57 -0700, Peter Pollock wrote:
> Yeah, I already tried that, to no avail.
What exactly was the error or symptom?

Did you try the backup and restore I suggested?

If the only issue is the RID, there are ways to get past that - changing the
nextRid for example, but you might wish to engage professional Samba support.

I get the impression you are pretty stressed.  One of the things I've seen
with stressed administrators over the years is big jumps without careful notes. 
Take each step slowly, get good advise (here or professionally) and note down
each time what works, what doesn't etc.  Do this before you move to the next
step.

If you can do a trail run in a (truly) disconnected LAB while leaving production
untouched then it can be less stressful.  The backup/restore tools change the
major keys, which can avoid the networks talking to each other, so please
don't ignore them!

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Thank  you Andrew for your patient and calming advice.

We're a small private school and I'm basically a volunteer here. When I
set
this all up 4 years ago everything was peachy but problems started
appearing and now seem to be cascading. I've considered getting
professional help, but I'll pretty much have to ask my wife to do overtime
and give me the money as an early Christmas present to pay for it. We just
don't have the budget, especially right now in the middle of COVID.

The DBcheck came up with a couple of errors relating to an old (removed) DC
so I ran the fix and fixed them, but it still gave that same RID issue when
I tried the join.

My solution was to switch the second server (Luke) off and reload server 1
(Genesis) from a backup. That came up fine and I could join the new DC with
no problems.

Due to Zentyal collapsing if I make any changes whatsoever (you have to
save changes in Zentyal and it hangs saving the DNS or Samba module EVERY
time and I've not been able to find a way around it, running updates hangs
on updating the Zentyal modules too and dpkg --configure -a doesn't help) I
want to wipe and reinstall the two zentyal servers.

My thought was,

1) build a new server (I personally bought the parts to fix an old server
we were keeping for spares so I have another one to use).
2) Join the new server to the domain and ensure it replicates.
3) Wipe the two old servers and rebuild them, rejoining them to the new
server to replicate everything back across
4) Be happy for a few minutes

Genesis is our primary DNS and holds all the FSMO roles, it is also our
gateway and DCHP server and holds the windows roaming profiles..

My plan for this weekend was to use an old PC to build a seperate DHCP
server/gateway so that every time Genesis went down we didn't lose all
internet access. That server worked, which meant I thought my weekend had
been a success at first, but of course Genesis failed when I tried to
switch off its DHCP module so things came crashing to a halt. I was
planning on rebuilding the servers NEXT weekend but when Genesis wouldn't
let me switch off its DHCP server, I figured I needed to bring my other
plan forward.

That's why I was building a new server yesterday and once I got past the
RID issue, it seemed to be OK.... except I could never make it actually
operate as a DNS server and even though I switched Genesis and Luke off,
turned on my new DHCP server, pointed everything at the new DC and
successfully started serving DHCP addresses with all the right details to
the clients, they refused to use the new DC to authenticate logons (can't
find a logon server) and the routing went up and down like a yo-yo even
when I made no changes whatsoever. It was awful, one second I'm browsing
the net, reading every article I can find on configuring bind correctly and
the next second, poof, no internet and the new server is suddenly saying it
has a temporary failure in name resolution - yet I couldn't find a single
setting that had changed.

I've now switched the new DC back off, switched Genesis back on, reloaded
from a backup from June, before all the database problems started, removed
all references to dead DC's from it, run DBCHECK and everything is good...
except random PC's occasionally suddenly decide that they have no trust
relationship with the server any more... and I can't run any updates (last
update was in February, I think).

Now I need to switch Luke back on, because he's a DC and also our
fileserver, but when I do, I know that he and Genesis are going to try to
replicate and he has a newer version of everything so they're going to talk
for a minute then have another falling out and things will be fairly
screwed again.

I wanted today to at least wipe Luke so he doesn't cause problems, but I
don't know that that is even possible. Genesis may not be kind enough to
allow him to rejoin when I rebuild him.

Teachers will be back on site in 12 hours so I have some decisions to make.
It looks like the best choice right now is to switch Luke back on so
everything is back how it was (broken but limping along) on Friday
afternoon when I kicked the teachers off the network and call it a wasted
weekend.

Oh, and I've been trying the backup. It looks like the directories private
and sysvol are in the /var/lib/samba directory but I cannot find anywhere
where there is a /samba/etc directory and I don't know exactly what is
supposed to be in it so it's hard to search for it.

Peter

On Sun, Aug 30, 2020 at 2:06 PM Andrew Bartlett <abartlet at samba.org>
wrote:
> On Sun, 2020-08-30 at 02:57 -0700, Peter Pollock wrote:
> > Yeah, I already tried that, to no avail.
>
> What exactly was the error or symptom?
>
> Did you try the backup and restore I suggested?
>
> If the only issue is the RID, there are ways to get past that - changing
> the nextRid for example, but you might wish to engage professional Samba
> support.
>
> I get the impression you are pretty stressed.  One of the things I've
seen
> with stressed administrators over the years is big jumps without careful
> notes.  Take each step slowly, get good advise (here or professionally) and
> note down each time what works, what doesn't etc.  Do this before you
move
> to the next step.
>
> If you can do a trail run in a (truly) disconnected LAB while leaving
> production untouched then it can be less stressful.  The backup/restore
> tools change the major keys, which can avoid the networks talking to each
> other, so please don't ignore them!
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
>