[Samba] report on issue of samba_upgradedns




Hi,

This is just a report I wanted to share. Maybe someone can put it on the wiki. I created a new DC for a new site using the samba internal dns option. Later, I decided to go with bind. So I ran the command, and got this error:

[root@theoden ~]# samba_upgradedns --dns-backend=BIND9_DLZ --verbose
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/E-TRUST.COM.BR.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-theoden account
Traceback (most recent call last):
  File "/sbin/samba_upgradedns", line 433, in <module>
    "DNSNAME" : dnsname }
  File "/usr/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)
_ldb.LdbError: (53, '../source4/dsdb/samdb/ldb_modules/ridalloc.c:556: No RID Set DN - Remote RID Set creation needed')

Since it mentions RID creation, I went to the RID master server and, looking into the logs, I found:

../source4/rpc_server/drsuapi/getncchanges.c:829: Failed extended allocation RID pool operation - ../source4/dsdb/samdb/ldb_modules/ridalloc.c:727: Failed to find serverReference in CN=THEODEN,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br - (null)

In this case, THEODEN is the new DC.

Then, doing the following search:

ldbsearch -H /var/lib/samba/private/sam.ldb '(CN=THEODEN)' --cross-ncs

on both the new DC and the RID Master, I found out that the entry CN=THEODEN,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br lacks the attribute serverReference on the RID Master.

So I created the following ldif file:

[root@aragorn samba]# cat /root/theoden-fix.ldif
dn: CN=THEODEN,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br
changetype: modify
add: serverReference
serverReference: CN=THEODEN,OU=Domain Controllers,DC=e-trust,DC=com,DC=br

And added it to the RID Master's database:

[root@aragorn samba]# ldbmodify -H /var/lib/samba/private/sam.ldb /root/theoden-fix.ldif
Modified 1 records successfully

Then, I restarted the samba services on the RID master. After that, I was able to run the samba_upgradedns script successfully:

[root@theoden ~]# samba_upgradedns --dns-backend=BIND9_DLZ --verbose
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/E-TRUST.COM.BR.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-theoden account
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have the internal dns starting. Please make sure you add '-dns' to your server services line in your smb.conf.


Regards.

--
Vinicius Silva
SOC

BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
vbs@xxxxxxxxxxxxxx
skype: vinicius.bones.silva

	







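An added example, not part of the original message and not Samba's own code: a Python check that reads LDIF in the form ldbsearch prints and lists the server objects that have no serverReference attribute, the condition found on the RID Master above. The example.com records are constructed sample data, and the names parse_ldif and servers_missing_reference are assumptions made for this illustration.

```python
import base64

# Constructed sample shaped like `ldbsearch ... --cross-ncs` output; the
# example.com names are placeholders, not values from the post.
SAMPLE = """\
# record 1
dn: CN=DC1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: server
serverReference: CN=DC1,OU=Domain Controllers,DC=example,DC=com

# record 2
dn: CN=DC2,CN=Servers,CN=SiteB,CN=Sites,CN=Configuration,DC=example,DC
 =com
objectClass: server

# record 3
dn: CN=DC2,OU=Domain Controllers,DC=example,DC=com
objectClass: computer
"""

def parse_ldif(text):
    """Yield (dn, attrs) per record; attrs maps lower-cased names to value lists."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    for block in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue                    # comment such as "# record 1"
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            yield dn, attrs

def servers_missing_reference(text):
    """DNs of objectClass=server entries that carry no serverReference."""
    return [dn for dn, attrs in parse_ldif(text)
            if "server" in (v.lower() for v in attrs.get("objectclass", []))
            and not attrs.get("serverreference")]

if __name__ == "__main__":
    print(servers_missing_reference(SAMPLE))
```

Running it over the saved output of the ldbsearch command above, taken on each DC in turn, shows whether a server object is missing the attribute on one DC only, as was the case here.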