Web lists-archives.com

Re: [Samba] join samba 4.5.12 to samba 4.1.13 failed(resolved)




On 7/26/2017 4:30 AM, Andrew Bartlett wrote:
On Tue, 2017-07-25 at 14:04 -0400, Allen Chen via samba wrote:
Hi there,

I have 2 DC servers(samba 4.1.13) working for more than 1 year.
When I join samba 4.5.12 to the domain, it fails on this error:
....
Replicating critical objects from the base DN of the domain
Partition[DC=mydomain,DC=htft] objects[98/98] linked_values[33/0]
Join failed - cleaning up
Deleted CN=DC3,OU=Domain Controllers,DC=mydomain,DC=htft
...
Can you share a bit more of the error you see here?

I suspect the issue is a well known issue with the join command
interacting with the older DC.  With Samba 4.5 we started to require
that we get the parent of every object before the object itself, and we
correctly implemented that in 4.6 as a server.

The issue is that when joining the older domain, we set the flags for
'give me the parent as well', GET_ANC, but the server doesn't know to
honour it.

We really should detect that and remove the DOMAIN_CRITICAL_ONLY flag,
which is what causes the trouble here (if we do a full replication we
generally get all the objects in the right order).

One fix is to upgrade the 4.1.13 servers to 4.6 or above.  I understand
you would prefer to do that on the new DCs you join, but that may not
be possible in this case.

I hope this helps,

Andrew Bartlett

Thanks to all of you: Andrew, Louis and Rowland.
Your suggestions are very helpful.

I think the problem is the speed between DCs:
DC1 and the new DC3 are on the same subnet, no speed issue,
DC2 is on another subnet which has a very slow connection(20-50KB/s) to DC1 and the new DC3.

The join command found DC2:
# /usr/local/samba/bin/samba-tool domain join mydomain.htft DC -U"MYDOMAIN.HTFT\administrator" --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'mydomain.htft'
Found DC dc2.mydomain.htft
Password for [MYDOMAIN.HTFT\administrator]:
.....
I don't know why it found DC2. maybe DC1 has all FSMO!
So I join DC3 to the domain like this:
1. upgrade to samba 4.6.6 on DC2 and DC1 one by one, no problem
2. join DC3(samba 4.6.6) to the domain, "Join failed....."(the same err message, but one step further)
3. stop samba on DC2(it has a slow connection)
4. join DC3(samba 4.6.6) to the domain, successfully, finished very fast. (no speed issue between DC3 and DC1)
5. start samba on DC2
6. manually add the missing A record and  the objectGUID CNAME Record
7. copy idmap and sysvol over to the new DC3, and reset permissions
8. all the following commands on 3 DCs return normal results:
# samba-tool drs showrepl
# samba-tool fsmo show       (now show me 7 FSMO)
# samba-tool dbcheck --cross-nc
   samba-tool dbcheck --cross-nc --fix --yes
9. the good thing I noticed is when a PC moved to another subnet(ip changed), the DNS A record gets updated once the computer started.

Allen




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba