[samba] Join DC failed on Samba-4.7.0rc5

Evgeny Sinelnikov sin at altlinux.org
Wed Sep 13 14:53:48 MSK 2017


Hello,

I ran into a problem adding the DNS A record during a DC join on
Samba-4.7.0rc5 with the following command:
time samba-tool domain join dp.mosreg.ru DC -d 4 -k yes -UAdministrator -W DP --realm=DP.MOSREG.RU --dns-backend=SAMBA_INTERNAL

[...]
Discarding older DRS linked attribute update to member on CN=Windows
Authorization Access Group,CN=Builtin,DC=dp,DC=mosreg,DC=ru from
8b731eb4-dad7-40ae-8db8-412e58dc1d58
Discarding older DRS linked attribute update to member on CN=Group
Policy Creator Owners,CN=Users,DC=dp,DC=mosreg,DC=ru from
8b731eb4-dad7-40ae-8db8-412e58dc1d58
added interface ens192 ip=10.10.51.101 bcast=10.10.51.255 netmask=255.255.255.0
Adding 1 remote DNS records for KR01-DC-ALT-01.dp.mosreg.ru
Using binding ncacn_ip_tcp:kr01-dc08-01.dp.mosreg.ru[,sign]
Mapped to DCERPC endpoint 135
added interface ens192 ip=10.10.51.101 bcast=10.10.51.255 netmask=255.255.255.0
added interface ens192 ip=10.10.51.101 bcast=10.10.51.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name
kr01-dc08-01.dp.mosreg.ru<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
Mapped to DCERPC endpoint 55657
added interface ens192 ip=10.10.51.101 bcast=10.10.51.255 netmask=255.255.255.0
added interface ens192 ip=10.10.51.101 bcast=10.10.51.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name
kr01-dc08-01.dp.mosreg.ru<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
Adding DNS A record KR01-DC-ALT-01.dp.mosreg.ru for IPv4 IP: 10.10.51.101
ERROR(ldb): uncaught exception - connection to remote LDAP server dropped?
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1394, in do_join
    ctx.cleanup_old_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 270,
in cleanup_old_join
    ctx.cleanup_old_accounts(force=force)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 216,
in cleanup_old_accounts
    attrs=["msDS-krbTgtLink", "objectSID"])
Deleted CN=RID Set,CN=KR01-DC-ALT-01,OU=Domain Controllers,DC=dp,DC=mosreg,DC=ru
Deleted CN=KR01-DC-ALT-01,OU=Domain Controllers,DC=dp,DC=mosreg,DC=ru
Deleted CN=NTDS
Settings,CN=KR01-DC-ALT-01,CN=Servers,CN=KR01,CN=Sites,CN=Configuration,DC=dp,DC=mosreg,DC=ru
Deleted CN=KR01-DC-ALT-01,CN=Servers,CN=KR01,CN=Sites,CN=Configuration,DC=dp,DC=mosreg,DC=ru
Adding CN=KR01-DC-ALT-01,OU=Domain Controllers,DC=dp,DC=mosreg,DC=ru
Adding CN=KR01-DC-ALT-01,CN=Servers,CN=KR01,CN=Sites,CN=Configuration,DC=dp,DC=mosreg,DC=ru
Adding CN=NTDS Settings,CN=KR01-DC-ALT-01,CN=Servers,CN=KR01,CN=Sites,CN=Configuration,DC=dp,DC=mosreg,DC=ru
Adding SPNs to CN=KR01-DC-ALT-01,OU=Domain Controllers,DC=dp,DC=mosreg,DC=ru
Setting account password for KR01-DC-ALT-01$
Enabling account
Calling bare provision
Provision OK for domain DN DC=dp,DC=mosreg,DC=ru
Starting replication
Replicating critical objects from the base DN of the domain
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=dp,DC=mosreg,DC=ru
Replicating DC=ForestDnsZones,DC=dp,DC=mosreg,DC=ru
Committing SAM database
Join failed - cleaning up
Command exited with non-zero status 255
10315.12user 301.34system 2:58:19elapsed 99%CPU (0avgtext+0avgdata
12621200maxresident)k
0inputs+17384912outputs (0major+37456476minor)pagefaults 0swaps


But there is no problem in the same environment with Samba-4.6.7:

[...]
Discarding older DRS linked attribute update to member on CN=Group
Policy Creator Owners,CN=Users,DC=dp,DC=mosreg,DC=ru from
8b731eb4-dad7-40ae-8db8-412e58dc1d58
Sending DsReplicaUpdateRefs for all the replicated partitions
[...]
     drsuapi_DsReplicaUpdateRefs: struct drsuapi_DsReplicaUpdateRefs
        out: struct drsuapi_DsReplicaUpdateRefs
            result                   : WERR_OK
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain DP (SID S-1-5-21-698140489-3825754665-3897753990) as a DC
Adding CN=KR01-DC-ALT-01,OU=Domain Controllers,DC=dp,DC=mosreg,DC=ru
Adding CN=KR01-DC-ALT-01,CN=Servers,CN=KR01,CN=Sites,CN=Configuration,DC=dp,DC=mosreg,DC=ru
Adding CN=NTDS Settings,CN=KR01-DC-ALT-01,CN=Servers,CN=KR01,CN=Sites,CN=Configuration,DC=dp,DC=mosreg,DC=ru
Adding SPNs to CN=KR01-DC-ALT-01,OU=Domain Controllers,DC=dp,DC=mosreg,DC=ru
Setting account password for KR01-DC-ALT-01$
Enabling account
Calling bare provision
Provision OK for domain DN DC=dp,DC=mosreg,DC=ru
Starting replication
Replicating critical objects from the base DN of the domain
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=dp,DC=mosreg,DC=ru
Replicating DC=ForestDnsZones,DC=dp,DC=mosreg,DC=ru
Committing SAM database
46166.87user 1874.91system 13:29:22elapsed 98%CPU (0avgtext+0avgdata
12717628maxresident)k
0inputs+23484144outputs (0major+74351715minor)pagefaults 0swaps


I think that use_ntvfs=use_ntvfs in the backtrace looks suspicious, since
the --with-ntvfs-fileserver option is not enabled in our build for
Samba DC. Could anyone help me fix this quickly?


-- 
Sin (Sinelnikov Evgeny)

