
Re: [Samba] Samba Migration and AD integration

Hi Praveen,

The realm in fact has no dots; is this going to be an issue? It is different from the workgroup. The details did get "lost in redaction".

About single-label domain (SLD) names, from the Microsoft documentation [1]: "SLDs are not a recommended configuration for future deployments and may not work with some products or versions"

Actually, I thought it was not possible to do a Samba classic upgrade with an SLD... Perhaps the upgrade scripts don't block it.

Anyway, if you are still testing your upgrade, you should redo the classic upgrade using a realm containing a dot. If you have already gone into production with that problematic SLD and all desktops have switched to AD domain attachment, then you are mostly screwed. It can be salvaged by recreating a new domain with a proper name and the same SID, piping in all the accounts and groups with their respective SIDs and NTLM hashes, and then rejoining all the computers to the domain.



[1] https://support.microsoft.com/en-us/help/2269810/microsoft-support-for-single-label-domains

Coming back to the DNS. When we did the domain migration, we used --dns-backend=BIND9_DLZ. My assumption was that it would stick to BIND9_DLZ. Anyhow, when we use the default settings post-migration, we are not able to DCPROMO the Server 2008 R2 server. It comes up with a DNS record error, more specifically for the SRV records _ldap._tcp.dc._msdcs.(realmname). Then if we change the DNS to BIND9 using dns_upgrade-backend=BIND9_DLZ and stick in a zone file with manually added SRV records, we are able to DCPROMO, but then we have DNS (and, it turns out, AD replication) issues. The AD replication issues are due to DNS not replicating and not copying the _msdcs zone file.

So what is the best option in our case? Domain prep/migrate using BIND9_DLZ and then stick to the SAMBA_DNS? One question is: would it help if we add the SRV records to the /var/cache/bind zone file pre-migration? Will the migration read that file and convert it into the DNS DB?

Thank you.



-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@xxxxxxxxx]
Sent: Tuesday, 6 February 2018 6:22 PM
To: Praveen Ghimire <PGhimire@xxxxxxxxxxxxxx>; samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] Samba Migration and AD integration

On Tue, 2018-02-06 at 03:05 +0000, Praveen Ghimire via samba wrote:

We migrated from Samba 3 to 4 (4.6.7-Ubuntu) and promoted a Server 2008 R2 as a Domain Controller. We've come across the following issues and request some suggestions to resolve them:

- The migration didn't generate DNS entries for the new realm. We had to manually create a new zone file (/var/cache/bind) for the new realm. Only then were we able to promote the Server 2008 R2 as the DC. Is this an expected outcome post-migration?

I think you have not understood how AD DNS works.  It won't create a zone file, it will create entries in the replicated DB that you can see over LDAP.  By default the internal DNS server is used, but a DLZ plugin for bind9 can also be used.

Run samba_dnsupgrade --backend=BIND9_DLZ and follow the instructions if you wish to use bind, rather than creating a zone file.

- Similarly, the dhcpd.conf file exhibited the same outcome as above.

Samba doesn't control dhcpd, but instructions for that are on the wiki.

- When we added a new machine to the domain, it didn't update the DNS record on the Samba box. The machine joins the domain but there is no DNS record for it.

If Samba's DNS isn't used then dynamic updates won't work.

- We added the DNS role on the Server 2008 R2 DC; what we found is that any record created in Bind9 gets replicated to the Windows server but not vice versa.

While I wouldn't exactly expect this if you were not using Samba for DNS on the Samba server, I think that is at the heart of your trouble.

The AD user bit seems to sync ok between the servers.

samba-tool dbcheck --cross-ncs gives the following:

samba-tool dbcheck --cross-ncs
Checking 3835 objects
ERROR(<type 'exceptions.ValueError'>): uncaught exception - unable to parse dn string
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py", line 157, in run
    controls=controls, attrs=attrs)
  File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 198, in check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 1839, in check_object
    expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))


        netbios name = TEST
        realm = TESTDC
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TESTDC
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

The fact that your realm has no dots in it and is the same as the workgroup isn't a good start.  This may be a redaction, but I smell trouble here.

        path = /var/lib/samba/sysvol/testdc/scripts
        read only = No

        path = /var/lib/samba/sysvol
        read only = No

I hope the above helps,

Andrew Bartlett

Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)
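The thread raises two checks worth automating before a classic upgrade: the realm must be a dotted name (not a single-label domain) and distinct from the NetBIOS workgroup, and the DC's SRV records must exist in the AD-integrated DNS database rather than in a hand-written zone file. The script below is an added example for this thread, not Samba project code. It parses a constructed smb.conf modelled on the redacted one quoted above, reports the realm problems, and prints the `samba-tool dns query` commands that verify the standard DC SRV records (including the ones in the separate `_msdcs.<realm>` zone). The site name `Default-First-Site-Name`, the server `localhost` and the `TESTDC.LAN` realm are assumptions for illustration.

```python
"""Pre-flight checks for a Samba classic upgrade.

Added example for this mailing-list thread; not Samba project code.  It
parses the [global] section of an smb.conf (constructed sample below), flags
a single-label realm and a realm identical to the workgroup, and lists the
SRV records a Windows DC resolves during DCPROMO so they can be checked in
the AD database (SAMBA_INTERNAL or BIND9_DLZ) instead of a zone file.
"""
import re

# Constructed sample; realm/workgroup values mirror the thread's smb.conf.
SAMPLE_SMB_CONF = """\
[global]
        netbios name = TEST
        realm = TESTDC
        workgroup = TESTDC
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser returning {section: {key: value}}.

    smb.conf is not strict INI (keys contain spaces and colons, values may
    contain '='), so split only on the first '=' and normalise keys the way
    Samba does: case-insensitive with whitespace ignored.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def check_realm(conf):
    """Return the realm/workgroup problems in a parsed config (empty == OK)."""
    g = conf.get("global", {})
    realm, workgroup = g.get("realm", ""), g.get("workgroup", "")
    if not realm:
        return ["realm is not set"]
    problems = []
    if "." not in realm:
        problems.append("realm %r is a single-label domain (SLD); use a dotted "
                        "name such as %s.LAN" % (realm, realm))
    if realm.upper() == workgroup.upper():
        problems.append("realm %r is identical to the workgroup; the workgroup "
                        "should be the NetBIOS short name" % realm)
    return problems

# SRV records DCPROMO and domain members resolve for a DC.  The _msdcs ones
# live in the separate _msdcs.<realm> zone Samba provisions in the forest
# DNS partition.  {site} is the AD site name (assumed default below).
DC_SRV_TEMPLATES = [
    "_ldap._tcp.{d}", "_ldap._tcp.dc._msdcs.{d}", "_ldap._tcp.pdc._msdcs.{d}",
    "_ldap._tcp.gc._msdcs.{d}", "_gc._tcp.{d}",
    "_kerberos._tcp.{d}", "_kerberos._udp.{d}", "_kerberos._tcp.dc._msdcs.{d}",
    "_kpasswd._tcp.{d}", "_kpasswd._udp.{d}",
    "_ldap._tcp.{site}._sites.{d}", "_ldap._tcp.{site}._sites.dc._msdcs.{d}",
    "_kerberos._tcp.{site}._sites.{d}",
    "_kerberos._tcp.{site}._sites.dc._msdcs.{d}",
]

def dc_srv_records(realm, site="Default-First-Site-Name"):
    """Fully qualified SRV record names a DC of `realm` must publish."""
    return [t.format(d=realm.lower(), site=site) for t in DC_SRV_TEMPLATES]

def split_zone(fqdn, realm):
    """Split an SRV name into (zone, relative name) as samba-tool dns expects:
    names under _msdcs.<realm> belong to that zone, the rest to <realm>."""
    d = realm.lower()
    for zone in ("_msdcs." + d, d):
        if fqdn.endswith("." + zone):
            return zone, fqdn[:-(len(zone) + 1)]
    raise ValueError("%s is not under %s" % (fqdn, d))

def query_commands(realm, server="localhost", site="Default-First-Site-Name"):
    """`samba-tool dns query` invocations that verify each SRV record exists
    in the AD-integrated DNS (same for SAMBA_INTERNAL and BIND9_DLZ)."""
    cmds = []
    for name in dc_srv_records(realm, site):
        zone, rel = split_zone(name, realm)
        cmds.append("samba-tool dns query %s %s %s SRV -U Administrator"
                    % (server, zone, rel))
    return cmds

if __name__ == "__main__":
    for p in check_realm(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("PROBLEM:", p)
    print("\n".join(query_commands("TESTDC.LAN")))
```

Run against the sample it reports both problems from the thread; with the realm changed to a dotted name it reports none and prints one query per expected record, with the `_msdcs` names correctly addressed to the `_msdcs.testdc.lan` zone. A record that `samba-tool dns query` cannot find is missing from the replicated database and no zone file on disk will fix that for a joining Windows DC.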
