[Samba] samba 4.1.17 upgrade 4.2.x ( sernet) upgrades.. fail...


L.P.H. van Belle

Apr 24, 2015, 11:20:03 AM
Hai..
 
Just tested an upgrade of 4.1.17 to 4.2.1 
result... Fail..
 
setup,
Debian wheezy, sernet samba packages.
2 clean installed DCs and 1 Windows 7 PC joined.
resolv.conf setup:
DC1: nameserver DC2 then DC1.
DC2: nameserver DC1 then DC2.
 
stopped samba on both servers.
upgraded the packages on both servers.

started samba on DC1 (the one with the FSMO roles)
waited 5 min.
started samba on DC2
 
from error free logs to
 
[2015/04/24 17:06:29.274803,  0] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.0.2[1024,seal,krb5,
  target_hostname=2835d359-ff8e-4146-acaa-e2b5f8c82be9._msdcs.internal.domain.tld,
  target_principal=GC/dc2.internal.domain.tld/internal.domain.tld,
  abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,
  localaddress=192.168.0.1] NT_STATUS_INVALID_PARAMETER

I didn't change anything in smb.conf (wanted to keep the OLD winbind behavior)
 
anyone else who did this already with 100% success?
tried now about 4 times, all fail.. (imo samba 4.2.1 is not production ready!)
....

this is the smb.conf used.
 
# Global parameters
[global]
        workgroup = INTERNAL
        realm = INTERNAL.DOMAIN.TLD
        netbios name = DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
 
        ## Don't forget to set idmap_ldb on ALL DCs if you use it
        idmap_ldb:use rfc2307 = yes
 
        interfaces = 127.0.0.1 192.168.0.1
        bind interfaces only = yes
        time server = yes
        wins support = yes
 
## KEEP THIS OFF !! Only used for modifying the AD Schema
## ONLY DONE ONCE ON THE DC WITH THE FSMO roles
        dsdb:schema update allowed = no
 
        ## map IDs from outside the domain to tdb files.
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        ## map IDs from the domain; this range and the (*) range may not overlap!
        idmap config INTERNAL: backend = ad
        idmap config INTERNAL: schema_mode = rfc2307
        idmap config INTERNAL: range = 10000-3999999
 
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind expand groups = 3
 
        #template shell = /bin/bash
        #template homedir = /home/users/%ACCOUNTNAME%
 
        ## Disable printing completely
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
 
[netlogon]
        path = /home/samba/sysvol/internal.domain.tld/scripts
        read only = No
 
[sysvol]
        path = /home/samba/sysvol
        read only = No

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Achim Gottinger

Apr 24, 2015, 12:10:02 PM
Hello Louis,

On 24.04.2015 at 17:16, L.P.H. van Belle wrote:
> Hai..
>
> Just tested an upgrade of 4.1.17 to 4.2.1
> result... Fail..
>
> setup,
> Debian wheezy, sernet samba packages.
> 2 clean installed DCs and 1 Windows 7 PC joined.
> resolv.conf setup:
> DC1: nameserver DC2 then DC1.
> DC2: nameserver DC1 then DC2.
>
> stopped samba on both servers.
> upgraded the packages on both servers.
>
> started samba on DC1 ( the one with fsmo roles )
> waited 5 min.
> started samba on DC2
Have you tried it with DC2 running while upgrading DC1?

L.P.H. van Belle

Apr 28, 2015, 9:40:08 AM
Hai,

Ok, I found the problem from my first post below.
I did a clean install of 4.1.17 (sernet samba) and installed 2 DCs.

The sernet package 4.1.17 for Debian wheezy has a bug.. maybe others also, beware.
When joining as an extra DC, we are (still) missing the rights on
/var/lib/samba/private/dns.keytab

After joining the domain,
/var/lib/samba/private/dns.keytab is set to
root:root 600
and not, as it should be,

user:group root:bind and rights 640

So now I upgraded 4.1.17 to 4.2.1:
first DC1, upgraded the packages, restarted bind, restarted samba.
No errors seen.
Next DC2, upgraded the packages, restarted bind, restarted samba.
No errors in the logs seen, so so far good.

After about 3-5 min I did the following,

running:
/usr/bin/samba-tool ldapcmp --filter='whenChanged' ldap://dc1 ldap://dc2
result: 0 errors.


samba-tool drs showrepl: in the first check an error, all others after this one are success..
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 1d67e5e5-905e-46af-9dcf-56c7bd316519
DSA invocationId: cfbce936-e94c-480e-9ead-89c2ea43a9ba

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=internal,DC=domain,DC=tld
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 6da7e695-5a96-4e32-b1c7-d2457963b96e
Last attempt @ Tue Apr 28 14:26:18 2015 CEST failed, result 64 (WERR_NETNAME_DELETED)
1 consecutive failure(s).
Last success @ Tue Apr 28 14:24:54 2015 CEST


got a phone call.. so 5 min later I again ran: samba-tool drs showrepl
and now 0 errors.. ..

So I can confirm the previous errors with upgrading were because of the incorrect
rights on: /var/lib/samba/private/dns.keytab


Now I did a complete install just with sernet samba 4.2.1 and same here.
DC1, all ok, no errors at all, I used the same script as for the 4.1.17 version..
But when joining a domain as DC, incorrect rights on:
/var/lib/samba/private/dns.keytab

At the point of joining the domain for dc2, I saw the following in daemon.log:
Apr 28 15:01:36 rtd-dc1 named[8751]: received control channel command 'reload'
Apr 28 15:01:36 rtd-dc1 named[8751]: loading configuration from '/etc/bind/named.conf'
Apr 28 15:01:36 rtd-dc1 named[8751]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Apr 28 15:01:36 rtd-dc1 named[8751]: using default UDP/IPv4 port range: [1024, 65535]
Apr 28 15:01:36 rtd-dc1 named[8751]: using default UDP/IPv6 port range: [1024, 65535]
Apr 28 15:01:36 rtd-dc1 named[8751]: no IPv6 interfaces found
Apr 28 15:01:36 rtd-dc1 named[8751]: sizing zone task pool based on 5 zones
Apr 28 15:01:36 rtd-dc1 named[8751]: Loading 'AD DNS Zone' using driver dlopen
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: starting configure
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: Ignoring duplicate zone 'internal.domain.tld' from 'DC=@,DC=internal.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=internal,DC=domain,DC=tld'
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: Ignoring duplicate zone '_msdcs.internal.domain.tld' from 'DC=@,DC=_msdcs.internal.domain.tld,CN=MicrosoftDNS,DC=ForestDnsZones,DC=internal,DC=domain,DC=tld'
Apr 28 15:01:36 rtd-dc1 named[8751]: using built-in root key for view _default
Apr 28 15:01:36 rtd-dc1 named[8751]: reloading configuration succeeded
Apr 28 15:01:36 rtd-dc1 named[8751]: samba_dlz: shutting down
Apr 28 15:01:36 rtd-dc1 named[8751]: reloading zones succeeded

Again a scripted install, which installed successfully on 4.1.17..
I also saw:
testing of : host -t A rtd-dc2.rotterdam.bazuin.nl. : FAILED
trying to fix it now: Record added successfully

After a restart of samba on DC2 (log.samba):
Apr 28 15:11:05 rtd-dc2 samba[10159]: [2015/04/28 15:11:05.691758, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
Apr 28 15:11:05 rtd-dc2 samba[10159]: /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
26x this message.

from DC1:
ping dc2 .. host not found.

on DC2:
samba_dnsupdate --verbose --all-names
update failed: NOTAUTH
Failed nsupdate: 2
Failed update of 26 entries


So I'm totally lost as to what is wrong in samba 4.2.1 compared to samba 4.1.17.

The config used on the servers (this one is DC2's config, they are the same):
# Global parameters
[global]
workgroup = INTERNAL
realm = internal.domain.tld <==== by default lowercased on DC2 at domain join.. ONLY DC2 !
netbios name = DC2
server role = active directory domain controller
server services = -dns
idmap_ldb:use rfc2307 = yes

idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config INTERNAL : backend = ad
idmap config INTERNAL : range = 10000-3999999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes

interfaces = 127.0.0.1 192.168.0.2
bind interfaces only = yes
time server = yes
wins support = yes

## Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

[netlogon]
path = /var/lib/samba/sysvol/internal.domain.tld/scripts
read only = No
acl_xattr:ignore system acl = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No
acl_xattr:ignore system acl = yes


So beware of upgrading to 4.2.1..
I'll keep these VMs if anyone from samba/sernet wants to debug with me.



Greetz,

Louis




>-----Original message-----
>From: ac...@ag-web.biz [mailto:samba-...@lists.samba.org]
>On behalf of Achim Gottinger
>Sent: Friday 24 April 2015 18:03
>To: sa...@lists.samba.org
>Subject: Re: [Samba] samba 4.1.17 upgrade 4.2.x ( sernet)
>upgrades.. fail...

L.P.H. van Belle

Apr 28, 2015, 9:50:04 AM
In addition..

I rebooted the servers now, checked the logs, and...

Apr 28 15:36:57 dc1 named[2029]: samba_dlz: allowing update of signer=RTD-DC2..... etc..
which didn't work before the reboot..

I ran:
/usr/bin/samba-tool ldapcmp --filter='whenChanged' ldap://dc1 ldap://dc2
0 errors on both servers

samba-tool drs showrepl
0 errors on both servers

checked all my logs, 0 errors now..

running:
samba_dnsupdate --verbose --all-names
again no errors..

so now it all looks ok..

but the big question now is, is it?

so what happened here and what's going wrong when upgrading from 4.1.17 to 4.2.1,
not counting the few bugs I saw..


Greetz,

Louis



>-----Original message-----
>From: be...@bazuin.nl [mailto:samba-...@lists.samba.org]
>On behalf of L.P.H. van Belle
>Sent: Tuesday 28 April 2015 15:37
>To: sa...@lists.samba.org
>CC: sup...@sernet.de
>Subject: Re: [Samba] samba 4.1.17 upgrade 4.2.x ( sernet)
>upgrades.. fail...( bug(s) found )

L.P.H. van Belle

Apr 28, 2015, 10:00:05 AM
.. forgot to mention..

I did change the lowercase realm in smb.conf to UPPERCASE
on DC2 before the reboot, and tested that also, but it did not work.

So very strange imo..



>-----Original message-----
>From: be...@bazuin.nl [mailto:samba-...@lists.samba.org]
>On behalf of L.P.H. van Belle
>Sent: Tuesday 28 April 2015 15:45