
Re: [Samba] DRS and DNS sync are not working after update from 4.8.2 to 4.8.3




Hi there,

I had some off list conversation with Aleksey and wanted
to give an update on our findings (s. below).

I'm currently preparing a test stack with
     ldb 1.4.0 (without lmdb support)
and
     samba 4.8.3
built on top of it, to check whether lmdb support causes
the mentioned trouble.

And on a side note:

When compiling ldb 1.4.0 with "--without-ldb-lmdb" a general
error occurs during "make test":

"make test called, but ldb was built --without-ldb-lmdb"

Is this behavior intended?

Bye,
  Marcel



July 11, 2018 9:39 AM, marcel@xxxxxxxxxxx wrote:

> Hi Aleksey,
> 
> according to the PKGBUILD lmdb was a build requirement, so I guess
> your version of ldb was built with lmdb support.
> 
> I'll try to re-compile my whole samba stack without lmdb support
> in ldb 1.4.0 and give it a try.
> Maybe that's the reason for all the troubles.
> 
> I'll keep you informed about my findings.
> 
> Should we post the conversation to the samba mailing list, so Andrew
> is up to date on our discussion?
> 
> Bye,
> Marcel
> 
> July 11, 2018 9:32 AM, "Aleksey Vladimirov" <A.Vladimirov@xxxxxxxxxxxxxx> wrote:
> 
>> Hi!
>> ./configure --prefix=/usr \
>> --disable-rpath \
>> --disable-rpath-install \
>> --bundled-libraries=NONE \
>> --builtin-libraries=replace \
>> --with-modulesdir=/usr/lib/ldb/modules \
>> --with-privatelibdir=/usr/lib/ldb
>> 
>> So, I use the default package and rebuild it in place with the original PKGBUILD
>> https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/ldb
>> I have troubles with sync because services can't authorize in PDC...
>> 
>> smbd[9579]: [2018/07/11 10:18:32.365265, 0] ../source4/auth/unix_token.c:78(security_token_to_unix_token)
>> Jul 11 10:18:32 sec-dc.domain.local smbd[9579]: Unable to convert first SID (S-1-5-21-3696438273-4232299451-4172622461-1886) in user token to a UID. Conversion was returned as type 0, full token:
>> 
>> I can't find the cause of these troubles and am still waiting; maybe someone can do it :)
>> 
>> Best regards
>> 
>> -----Original Message-----
>> From: marcel@xxxxxxxxxxx [mailto:marcel@xxxxxxxxxxx]
>> Sent: Wednesday, July 11, 2018 10:18 AM
>> To: Aleksey Vladimirov <A.Vladimirov@xxxxxxxxxxxxxx>
>> Subject: Re: [Samba] DRS and DNS sync are not working after update from 4.8.2 to 4.8.3
>> 
>> Hi Aleksey,
>> 
>> ok - so looks like these are just hints/warnings in the log, not the real cause of my trouble. So
>> I'll keep looking ...
>> 
>> BTW:
>> There was a commit just yesterday to samba git, mentioning that the lmdb backend (that seems to be
>> used by default with ldb 1.4.0) is
>> experimental:
>> 
>> WHATSNEW.txt:
>> 
>> New Experimental LMDB LDB backend
>> ---------------------------------
>>
>> A new experimental LDB backend using LMBD is now available. This allows
>> databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
>> increased in a future release). To enable lmdb, provision or join a domain using
>> the --backend-store=mdb option.
>>
>> This requires that a version of lmdb greater than 0.9.16 is installed and that
>> samba has not been built with the --without-ldb-lmdb option.
>>
>> Please note this is an experimental feature and is not recommended for
>> production deployments.
>> 
>> Can you tell whether your version of ldb was built with or without lmdb support?
>> 
>> Bye,
>> Marcel
>> 
>> July 11, 2018 8:52 AM, "Aleksey Vladimirov" <A.Vladimirov@xxxxxxxxxxxxxx> wrote:
>> 
>>> Hi Marcel
>>> 
>>> Yes, I have messages about lock database.
>>> task[cldapd][1122]: / Protocol error for DC=ForestDnsZones,DC=domain,DC=local
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: [2018/07/11 09:50:19.349794, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: ldb: Failed to lock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1122
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: / Protocol error for DC=domain,DC=local
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: [2018/07/11 09:50:19.349950, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: ldb: Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1122
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: / Protocol error for metadata partition
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: [2018/07/11 09:50:19.350105, 0] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: ldb: Failed to unlock db: Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1122
>>> Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: / Protocol error for metadata partition / Protocol error
>>> 
>>> -----Original Message-----
>>> From: marcel@xxxxxxxxxxx [mailto:marcel@xxxxxxxxxxx]
>>> Sent: Wednesday, July 11, 2018 9:48 AM
>>> To: Aleksey Vladimirov <A.Vladimirov@xxxxxxxxxxxxxx>
>>> Subject: Re: [Samba] DRS and DNS sync are not working after update
>>> from 4.8.2 to 4.8.3
>>> 
>>> Hi Aleksey,
>>> 
>>> I already had a [realms] section in my krb5.conf.
>>> 
>>> And my problem is not limited to using DRS and DNS:
>>> Several services connecting to samba LDAP (using plain text auth) failed after the upgrade.
>>> 
>>> Did the error messages concerning database locks disappear with your
>>> changes to krb5.conf or are they still there?
>>> 
>>> Bye,
>>> Marcel
>>> 
>>> July 11, 2018 8:22 AM, "Aleksey Vladimirov" <A.Vladimirov@xxxxxxxxxxxxxx> wrote:
>> 
>> I had this problem too.
>> After updating the secondary DC from 4.8.2 to 4.8.3, DRS and DNS sync are not working.
>> Archlinux, ldb 1.4.0-1, samba 4.3.8-1, krb5 1.16.1-1, AD Win 1012R2.
>> user@domain.local is resolved, but domain\user is not.
>> 
>> /etc/krb5.conf
>> [libdefaults]
>> default_realm = DOMAIN.LOCAL
>> dns_lookup_kdc = true
>> forwardable = true
>> dns_lookup_realm = false
>> 
>> [domain_realm]
>> .domain.local = DOMAIN.LOCAL
>> domain.local = DOMAIN.LOCAL
>> 
>> [realms]
>> domain={
>> kdc = sec-dc.domain.local
>> kdc = dcsrv.domain.local
>> admin_server = sklad-domain.local
>> default_domain=domain.local
>> }
>> 
>> The realms section was added after the upgrade. 4.8.2 was fine without it.
>> 
>> -----Original Message-----
>> From: marcel@xxxxxxxxxxx [mailto:marcel@xxxxxxxxxxx]
>> Sent: Wednesday, July 11, 2018 8:56 AM
>> To: Andrew Bartlett <abartlet@xxxxxxxxx>; Aleksey Vladimirov
>> <A.Vladimirov@xxxxxxxxxxxxxx>; samba@xxxxxxxxxxxxxxx
>> Subject: Re: [Samba] DRS and DNS sync are not working after update
>> from 4.8.2 to 4.8.3
>> 
>> Hi Andrew,
>> 
>> yes, I was compiling/running samba 4.8.3 against ldb 1.4.0.
>> 
>> Just a side note:
>> I had trouble running some tests with ldb 1.3.4, that's why I switched to 1.4.0.
>> (Those tests however failed only within our build environment, which made it hard to debug).
>> 
>> Bye,
>> Marcel
>> 
>> July 10, 2018 8:58 PM, "Andrew Bartlett" <abartlet@xxxxxxxxx> wrote:
>>> On Tue, 2018-07-10 at 14:48 +0000, Marcel via samba wrote:
>> 
>> Hi Aleksey,
>> 
>> did you find any solution for this?
>> 
>> I just updated from 4.8.2 to 4.8.3 and had very similar
>> effects:
>> 
>> Login was no longer possible with 4.8.3 - log file was full of
>> "ldb: Failed to unlock db"
>> messages.
>> 
>> I had to downgrade to 4.8.2 in order to make samba work again.
>>> Very interesting. Did you somehow install ldb 1.4.0 and build
>>> against that?
>>> 
>>> Andrew Bartlett
>>> --
>>> Andrew Bartlett http://samba.org/~abartlet Authentication Developer,
>>> Samba Team http://samba.org Samba Developer, Catalyst IT
>>> http://catalyst.net.nz/services/samba
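
For triaging logs like the ones quoted in this thread, the following Python sketch (an added example, not code from the thread or from Samba) counts the "Reusing ldb opend by pid" lock failures per opener/reusing process pair and collects SIDs that failed UID conversion. The function names and the sample log, including its SID, are constructed; mail quote markers and line wrapping are undone before matching.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the syslog format quoted in this thread (the SID is made up).
SAMPLE_LOG = """\
Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: ldb: Failed to lock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1122
Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: ldb: Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1122
Jul 11 09:50:19 sec-dc.domain.local samba[1122]: task[cldapd][1122]: ldb: Failed to unlock db: Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 1110 in process 1122
Jul 11 10:18:32 sec-dc.domain.local smbd[9579]: Unable to convert first SID (S-1-5-21-1111111111-2222222222-3333333333-1001) in user token to a UID. Conversion was returned as type 0, full token:
Jul 11 10:18:33 sec-dc.domain.local smbd[9579]: Security token SIDs (30):
"""

# "Failed to (un)lock db: <file:line>: Reusing ldb opend by pid A in process B";
# the operation prefix may be repeated, as in the third sample line.
REUSE = re.compile(
    r"Failed to (lock|unlock) db: (?:Failed to (?:un)?lock db: )*"
    r"(\S+): Reusing ldb opend by pid (\d+) in process (\d+)"
)
SID_FAIL = re.compile(r"Unable to convert first SID \((S-[\d-]+)\) in user token to a UID")


def normalise(text):
    """Strip mail quote markers ('>> ') and undo line wrapping."""
    lines = (re.sub(r"^\s*(?:>\s?)+", "", line) for line in text.splitlines())
    return " ".join(" ".join(lines).split())


def triage(text):
    """Summarise ldb handle reuse across processes and SIDs without a UID mapping."""
    flat = normalise(text)
    reuse = defaultdict(Counter)
    for op, _src, opener, current in REUSE.findall(flat):
        reuse[(int(opener), int(current))][op] += 1
    return {
        "handle_reuse": {pids: dict(ops) for pids, ops in reuse.items()},
        "unmapped_sids": sorted(set(SID_FAIL.findall(flat))),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (opener, current), ops in report["handle_reuse"].items():
        print(f"ldb handle opened by pid {opener} reused in pid {current}: {ops}")
    for sid in report["unmapped_sids"]:
        print(f"no UID mapping for {sid}")
```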
