samba - Dec 2024 - Error when joining new DC

On Mon, 16 Dec 2024 13:01:53 +0000
Peter Mittermayer via samba <samba at lists.samba.org> wrote:
> While resuming my testing for adding a new DC with higher Samba
> version I have some questions:
> 
> 1. do I have to expunge tombstones on each DC or just one (and
> replication will remove it from others). - I think it should be run
> on all DCs.
> 
> 2. same question for dbcheck
> 
All DCs should hold the same database (apart from a few non replicated
attributes), so making changes on one DC should lead to those changes
being replicated to all other DCs.
So, doing a change on one DC, should lead to changes on all others.
> 3. Rowland mentioned that the error message I get when trying the DC
> is just a result of the real issue. In which section of the join
> procedure would I have to look for the real issue if it is really
> related to the newly introduced security constraints in 4.14.10?
> Running with debuglevel 10 provides a lot of details and I'm not sure
> where exactly to look for any additional hints or how they might look
> like.
> 
In your initial post, you posted the output from the join command, the
relevant parts were these:

Your error started here:

An operation failed during a batch mode transaction, the transaction was rolled
back
DSDB Transaction [commit] at [Thu, 05 Dec 2024 19:29:47.054187 EET] duration
[24679161] status [1] reason [end_trans error on DC=SUB,DC=DOM,DC=TLD: An
operation failed during a batch mode transaction, the transaction was rolled
back]
{"timestamp": "2024-12-05T19:29:47.054240+0200",
"type": "dsdbTransaction", "dsdbTransaction":
{"version": {"major": 1, "minor": 0},
"action": "commit", "transactionId":
"6c245342-5ecc-4c4e-8e13-1196825d7116", "duration":
24679161, "statusCode": 1, "status": "Operations
error", "reason": "end_trans error on DC=SUB,DC=DOM,DC=TLD:
An operation failed during a batch mode transaction, the transaction was rolled
back"}}
Join failed - cleaning up

The next few lines were these:

ldb_wrap open of secrets.ldb
dsdb_search: SUB SEARCH_ONE_ONLY flags=0x00000200 cn=Primary Domains
(&(flatname=SUB)(objectclass=primaryDomain)) -> 0 results
Could not find machine account in secrets database: Failed to fetch
machine account password for SUB from both secrets.ldb (Could not find
entry to match filter:
'(&(flatname=SUB)(objectclass=primaryDomain))'
base: 'cn=Primary Domains': No such object: dsdb_search at
../../source4/dsdb/common/util.c:5731) and from
/usr/local/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

You can ignore those, the file that cannot be found isn't created until
the join is successful, that is why it cannot be found.

Your actual error is a bit lower down:

ERROR(ldb): uncaught exception - end_trans error on DC=SUB,DC=DOM,DC=TLD: An
operation failed during a batch mode transaction, the transaction was rolled
back
  File
"/usr/local/samba/lib64/python3.9/site-packages/samba/netcmd/__init__.py",
line 353, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python3.9/site-packages/samba/netcmd/domain/join.py",
line 128, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/join.py",
line 1621, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/join.py",
line 1511, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/join.py",
line 1101, in join_replicate
    ctx.local_samdb.transaction_commit()

Rowland

I see. Thanks for clarification.

Checking the detailed of using debuglevel 10 I see this message:

../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5583: Resolving conflict
record via existing-record rename 'CN=Vikas
Rajan,CN=Users,DC=SUB,DC=DOM,DC=TLDbg' -> 'CN=Vikas
Rajan\0ACNF:de5b7fa1-e3ec-4631-a8d7-cdfc137ac3b7,CN=Users,DC=SUB,DC=DOM,DC=TLD'

Although it was renamed and re-replicated:
../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5605: With conflicting
record renamed, re-apply replicated creation of 'CN=Vikas
Rajan,CN=Users,DC=SUB,DC=DOM,DC=TLD'

The whole transaction seems to fail. Maybe because it is still using the old dn
instead of the renamed one.

I renamed the dn manually using ldbrename and after that the join succeeds.

br

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny
via samba <samba at lists.samba.org>
Sent: Monday, December 16, 2024 3:30 PM
To: samba at lists.samba.org
Cc: Rowland Penny
Subject: Re: [Samba] Error when joining new DC

On Mon, 16 Dec 2024 13:01:53 +0000
Peter Mittermayer via samba <samba at lists.samba.org> wrote:
> While resuming my testing for adding a new DC with higher Samba
> version I have some questions:
>
> 1. do I have to expunge tombstones on each DC or just one (and
> replication will remove it from others). - I think it should be run
> on all DCs.
>
> 2. same question for dbcheck
>
All DCs should hold the same database (apart from a few non replicated
attributes), so making changes on one DC should lead to those changes
being replicated to all other DCs.
So, doing a change on one DC, should lead to changes on all others.
> 3. Rowland mentioned that the error message I get when trying the DC
> is just a result of the real issue. In which section of the join
> procedure would I have to look for the real issue if it is really
> related to the newly introduced security constraints in 4.14.10?
> Running with debuglevel 10 provides a lot of details and I'm not sure
> where exactly to look for any additional hints or how they might look
> like.
>
In your initial post, you posted the output from the join command, the
relevant parts were these:

Your error started here:

An operation failed during a batch mode transaction, the transaction was rolled
back
DSDB Transaction [commit] at [Thu, 05 Dec 2024 19:29:47.054187 EET] duration
[24679161] status [1] reason [end_trans error on DC=SUB,DC=DOM,DC=TLD: An
operation failed during a batch mode transaction, the transaction was rolled
back]
{"timestamp": "2024-12-05T19:29:47.054240+0200",
"type": "dsdbTransaction", "dsdbTransaction":
{"version": {"major": 1, "minor": 0},
"action": "commit", "transactionId":
"6c245342-5ecc-4c4e-8e13-1196825d7116", "duration":
24679161, "statusCode": 1, "status": "Operations
error", "reason": "end_trans error on DC=SUB,DC=DOM,DC=TLD:
An operation failed during a batch mode transaction, the transaction was rolled
back"}}
Join failed - cleaning up

The next few lines were these:

ldb_wrap open of secrets.ldb
dsdb_search: SUB SEARCH_ONE_ONLY flags=0x00000200 cn=Primary Domains
(&(flatname=SUB)(objectclass=primaryDomain)) -> 0 results
Could not find machine account in secrets database: Failed to fetch
machine account password for SUB from both secrets.ldb (Could not find
entry to match filter:
'(&(flatname=SUB)(objectclass=primaryDomain))'
base: 'cn=Primary Domains': No such object: dsdb_search at
../../source4/dsdb/common/util.c:5731) and from
/usr/local/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

You can ignore those, the file that cannot be found isn't created until
the join is successful, that is why it cannot be found.

Your actual error is a bit lower down:

ERROR(ldb): uncaught exception - end_trans error on DC=SUB,DC=DOM,DC=TLD: An
operation failed during a batch mode transaction, the transaction was rolled
back
  File
"/usr/local/samba/lib64/python3.9/site-packages/samba/netcmd/__init__.py",
line 353, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python3.9/site-packages/samba/netcmd/domain/join.py",
line 128, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/join.py",
line 1621, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/join.py",
line 1511, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/join.py",
line 1101, in join_replicate
    ctx.local_samdb.transaction_commit()

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba