
[Samba] joined DC but replication fails


steve

Jun 17, 2014, 1:10:03 PM
ubuntu 14.04 DCs

DC1 with fsmo
resolve_lmhosts: Attempting lmhosts lookup for name
51755e44-0a78-4ab8-8206-b4ae8a09c172._msdcs.altea.site<0x20>
dns child failed to find name
'51755e44-0a78-4ab8-8206-b4ae8a09c172._msdcs.altea.site' of type A

DC2
/usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
resolve_lmhosts: Attempting lmhosts lookup for name
37cb1209-7eef-4671-b38b-2a71c231a40b._msdcs.altea.site<0x20>

What's missing?
Thanks,
Steve



steve

Jun 17, 2014, 1:40:02 PM
On Tue, 2014-06-17 at 19:01 +0200, steve wrote:
> ubuntu 14.04 DCs
>
> DC1 with fsmo
> resolve_lmhosts: Attempting lmhosts lookup for name
> 51755e44-0a78-4ab8-8206-b4ae8a09c172._msdcs.altea.site<0x20>
> dns child failed to find name
> '51755e44-0a78-4ab8-8206-b4ae8a09c172._msdcs.altea.site' of type A
>
> DC2
> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
> resolve_lmhosts: Attempting lmhosts lookup for name
> 37cb1209-7eef-4671-b38b-2a71c231a40b._msdcs.altea.site<0x20>
>
> What's missing?
> Thanks,
> Steve
>
>

Left it for a bit and now that's working. However, still no replication.
I add a user on DC2 and nothing appears on DC1

DC1
./samba-tool drs showrepl
Default-First-Site-Name\PALMERA
DSA Options: 0x00000001
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
DSA invocationId: 93fa0553-a972-4107-ab83-4b60790660f9

==== INBOUND NEIGHBORS ====

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====


DC2
sudo samba-tool drs showrepl
Default-First-Site-Name\GERANIO
DSA Options: 0x00000001
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
DSA invocationId: 0b9244b1-2821-4f78-8643-0ad08d4ddced

==== INBOUND NEIGHBORS ====

DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Tue Jun 17 19:19:24 2014 CEST was successful
0 consecutive failure(s).
Last success @ Tue Jun 17 19:19:24 2014 CEST

CN=Schema,CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Tue Jun 17 19:19:26 2014 CEST was successful
0 consecutive failure(s).
Last success @ Tue Jun 17 19:19:26 2014 CEST

CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Tue Jun 17 19:19:27 2014 CEST was successful
0 consecutive failure(s).
Last success @ Tue Jun 17 19:19:27 2014 CEST

DC=ForestDnsZones,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Tue Jun 17 19:19:23 2014 CEST was successful
0 consecutive failure(s).
Last success @ Tue Jun 17 19:19:23 2014 CEST

DC=DomainDnsZones,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Tue Jun 17 19:19:23 2014 CEST was successful
0 consecutive failure(s).
Last success @ Tue Jun 17 19:19:23 2014 CEST

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Nothing created on the new dc is replicated.
Anything to check?
Thanks.
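The asymmetry in the two `showrepl` listings above (DC1 has no inbound neighbors, DC2 has all five) can be checked mechanically. The following is an added example, not part of the original thread or of Samba: the function names are illustrative, the parser assumes the line layout shown in the post, and it reads `NTTIME(0)` as a zero timestamp with nothing recorded yet.

```python
# Added example: parse_showrepl / replication_gaps are illustrative names.
import re
SECTION = re.compile(r"^=+ (INBOUND NEIGHBORS|OUTBOUND NEIGHBORS|KCC CONNECTION OBJECTS) =+$")
PARTNER = re.compile(r"^\S+\\(\S+) via RPC$")

def parse_showrepl(text):
    """Return {section: [{'nc', 'partner', 'attempt', 'failures'}, ...]}."""
    sections, current, nc, entry = {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION.match(line):
            current, nc, entry = sections.setdefault(m.group(1), []), None, None
        elif current is None or not line:
            continue  # DSA header before the first section, or a blank line
        elif p := PARTNER.match(line):
            entry = {"nc": nc, "partner": p.group(1), "attempt": "", "failures": 0}
            current.append(entry)
        elif re.match(r"(DC|CN)=", line):
            nc = line  # naming context that the following partner lines belong to
        elif entry and line.startswith("Last attempt @"):
            entry["attempt"] = line[len("Last attempt @"):].strip()
        elif entry and line.endswith("consecutive failure(s)."):
            entry["failures"] = int(line.split()[0])
    return sections

def replication_gaps(text, partitions):
    """Inbound problems per partition. Assumption: NTTIME(0) = nothing recorded yet."""
    inbound = parse_showrepl(text).get("INBOUND NEIGHBORS", [])
    problems = []
    for part in partitions:
        links = [e for e in inbound if (e["nc"] or "").lower() == part.lower()]
        if not links:
            problems.append(f"{part}: no inbound neighbor")
        for e in links:
            if e["attempt"].startswith("NTTIME(0)"):
                problems.append(f"{part}: no pull recorded from {e['partner']}")
            elif e["failures"]:
                problems.append(f"{part}: {e['failures']} failure(s) from {e['partner']}")
    return problems

BASE = "DC=altea,DC=site"
PARTITIONS = [BASE] + [f"{p},{BASE}" for p in (
    "CN=Configuration", "CN=Schema,CN=Configuration", "DC=ForestDnsZones", "DC=DomainDnsZones")]
# Abridged from the DC1 (PALMERA) output in the thread: INBOUND is empty.
DC1_SAMPLE = r"""==== INBOUND NEIGHBORS ====
==== OUTBOUND NEIGHBORS ====
DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
Last attempt @ NTTIME(0) was successful
"""
```

Feed it the text captured from `samba-tool drs showrepl` on each DC; an empty list means every listed partition has an inbound link with a recorded, non-failing attempt.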

Günter Kukkukk

Jun 17, 2014, 8:40:02 PM
Which samba version(s) are you running on your DCs - and are you
using a released version or did you build yourself (e.g. from git ...)?

Btw - what do you get with:
samba-tool testparm -v --suppress-prompt | grep kccsrv:samba_kcc
on your DCs?

Cheers, Günter


L.P.H. van Belle

Jun 18, 2014, 3:30:01 AM
The second server is Ubuntu server 14.04?

Check the following and post them here (best is for both servers).

cat /etc/hosts

cat /etc/resolv.conf
cat /etc/avahi/avahi-daemon.conf
cat /etc/sysctl.conf

cat /etc/hostname

cat /etc/krb5.conf



Louis




>-----Original message-----
>From: st...@steve-ss.com [mailto:samba-...@lists.samba.org]
>On behalf of steve
>Sent: Tuesday, 17 June 2014 19:35
>To: sa...@lists.samba.org
>Subject: Re: [Samba] joined DC but replication fails

steve

Jun 18, 2014, 4:20:01 AM

We are investigating a move to Ubuntu when sysvol is working:
samba --version
Version 4.2.0pre1-GIT-7f36828
on Ubuntu 14.04


>
> Btw - what do you get with:
> samba-tool testparm -v --suppress-prompt | grep kccsrv:samba_kcc
> on your DCs?
>
> Cheers, Günter
>

On both DCs:
sudo samba-tool testparm -v --suppress-prompt | grep kccsrv:samba_kcc
kccsrv:samba_kcc = true


Hi
Question: If I create a user on DC1 it replicates. If I create a user on
DC2 it does not. Is the replication one way only with this version?
Thanks,
Steve

steve

Jun 18, 2014, 4:30:02 AM
On Wed, 2014-06-18 at 09:20 +0200, L.P.H. van Belle wrote:
> The second server is Ubuntu server 14.04?
>
Yes.
> check the following and/post them here. ( best is for both servers )
>
> cat /etc/hosts
/etc/hosts
127.0.0.1 localhost
192.168.1.134 geranio.altea.site geranio
192.168.1.132 palmera.altea.site palmera

>
> cat /etc/resolv.conf
1
nameserver 192.168.1.132
search altea.site

2
nameserver 192.168.1.134
search altea.site


> cat /etc/avahi/avahi-daemon.conf
avahi is apt-get purge(d)

> cat /etc/sysctl.conf
every line is commented
>
> cat /etc/hostname
1
palmera.altea.site
2
geranio.altea.site
>
> cat /etc/krb5.conf
1
[libdefaults]
default_realm = ALTEA.SITE
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
ALTEA.SITE = {
kdc = palmera.altea.site
}

2
[libdefaults]
default_realm = ALTEA.SITE
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
ALTEA.SITE = {
kdc = geranio.altea.site
}

The replication is one way only, DC1 --> DC2
This is with the git. On our real domain with 4.1.6, it works both ways.
Is this correct?
Thanks,

steve

Jun 18, 2014, 5:10:02 AM
OK, it looks as though you have to force it the first time:
samba-tool drs replicate geranio palmera dc=altea,dc=site

whereupon it sticks.

Must we do this for each partition? The behaviour has changed between
4.1.6 and the latest git. Is this documented or expected?

steve

Jun 18, 2014, 11:30:03 AM
Fail-over doesn't work either. There are bits and pieces missing in the
wiki. Not sure if our findings are Ubuntu specific. Anyway here are our
workarounds:
http://linuxcostablanca.blogspot.com.es/2014/06/samba4-dc-replication-on-ubuntu.html
HTH
Cheers,

Günter Kukkukk

Jun 18, 2014, 11:50:02 AM

In the *release* versions the internal samba default is
kccsrv:samba_kcc = false
*but* in current git master this setting defaults to *true*!

The external python KCC "samba_kcc" is atm *not* fully implemented and to
my knowledge has never been really tested.
KCC related info. e.g.: http://technet.microsoft.com/en-us/library/cc961781.aspx

So I strongly recommend adding the following to the [global] section of smb.conf:
kccsrv:samba_kcc = false
to all your DCs which you built from git.

The current python samba_kcc is buggy, so it should not be used until it is fixed.

Btw - you can also force an initial replication between DCs in both directions with
samba-tool drs replicate ......
Once a first replication has been done successfully, it usually sticks.
Take care to use the right syntax, but there should already be samples on the net.

Cheers, Günter

steve

Jun 19, 2014, 5:40:01 AM
OK, we'll do that. What does kccsrv:samba_kcc do? Is this a security
issue?

>
> The current python samba_kcc is buggy, so it should not be used until it is fixed.
>
> Btw - you can also force an initial replication between DCs in both directions with
> samba-tool drs replicate ......
> Once a first replication has been done successfully, it usually sticks.
> Take care to use the right syntax, but there should already be samples on the net.
>

Hi Günter
We had to kick-start it like this:
samba-tool drs replicate palmera geranio dc=altea,dc=site
repeated for the remaining partitions:
Configuration
Schema
ForestDnsZones
DomainDnsZones
We did this on the DC we joined. Is this correct? Is this what you are
referring to? The replication now works both ways and has survived a
restart.
Cheers and thanks for your time,
Steve
