Error no rIDSetReferences replicated for

ucs-4-1
samba-ad
german

#1

I think there is a small problem / bug here that is somehow affecting me.

I have been trying for days to set up a Backup DC and the join aborts at

Running 98univention-samba4-dns.inst failed (exitcode: 1)

So today I took a look at the script /usr/share/univention-samba4/lib/replication.sh and tried the following:

I copied out the line that is supposed to determine the RIDReference in the first loop and replaced the variable $hostname with the name of the Backup DC

ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountName=ucs100092\$)" rIDSetReferences | ldapsearch-wrapper

The result is

root@ucs100092:~# ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountName=ucs100092\$)" rIDSetReferences | ldapsearch-wrapper
# record 1
dn: CN=UCS100092,OU=Domain Controllers,DC=laprinta,DC=lan

# Referral
ref: ldap://laprinta.lan/CN=Configuration,DC=laprinta,DC=lan

# Referral
ref: ldap://laprinta.lan/DC=DomainDnsZones,DC=laprinta,DC=lan

# Referral
ref: ldap://laprinta.lan/DC=ForestDnsZones,DC=laprinta,DC=lan

# returned 4 records
# 1 entries
# 3 referrals

So the entry “rIDSetReferences:” is missing. Only when the variable has the value “ucs100091” (Master DC) do I get an additional line there


#2

Dear @MyKey0815,

All involved Samba DCs should have a RID pool; you might check this via:

root@ucs-master:~# univention-s4search --cross-ncs "CN=RID Set" dn rIDAllocationPool

The Master (in most scenarios) is the host that handles RID pool allocation:

samba-tool fsmo show | grep RidAllocationMasterRole

To find the problem you might post the relevant part from the ‘/var/log/univention/join.log’ (please include +20 lines above and below).

Did you already try to perform a second join?


#3

Thank you for the fast reply. Here are the results

First: The complete join.log
http://www.wepaste.com/ucs_join/ <= I have marked some parts in bold. I don't know if that is “OK” or whether it is a hint of a configuration error

Now the result of the search on MasterDC

root@ucs100091:~# univention-s4search --cross-ncs "CN=RID Set" dn rIDAllocationPool
# record 1
dn: CN=RID Set,CN=UCS100091,OU=Domain Controllers,DC=laprinta,DC=lan
rIDAllocationPool: 2100-2599

# returned 1 records
# 1 entries
# 0 referrals
root@ucs100091:~#

And on the BackupDC

root@ucs100092:~# univention-s4search --cross-ncs "CN=RID Set" dn rIDAllocationPool
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
# record 1
dn: CN=RID Set,CN=UCS100091,OU=Domain Controllers,DC=laprinta,DC=lan
rIDAllocationPool: 2100-2599

# returned 1 records
# 1 entries
# 0 referrals
root@ucs100092:~#

The Role-Show on MasterDC first

root@ucs100091:~# samba-tool fsmo show | grep RidAllocationMasterRole
RidAllocationMasterRole owner: CN=NTDS Settings,CN=UCS100091,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=laprinta,DC=lan

On the BackupDC the same result:

root@ucs100092:~# samba-tool fsmo show | grep RidAllocationMasterRole
RidAllocationMasterRole owner: CN=NTDS Settings,CN=UCS100091,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=laprinta,DC=lan

And the last question was whether I did the rejoin again. Yes. I tried it with a full “univention-join” and, for the missing steps, with “univention-run-join-scripts”. Either way the result is the same


#4

Dear @MyKey0815,

what happens when you start the join-scripts again?

root@ucs-backup:~$ univention-run-join-scripts

Did you ever try to perform a second join?

root@ucs-backup:~$ univention-join

What does the backup computer object currently look like?

root@ucs-backup:~$ univention-s4search --cross-ncs cn=$(hostname)

#5

Wow, here is my reply. I'll begin with the last one

# record 1
dn: CN=UCS100092,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=laprinta,DC=lan
objectClass: top
objectClass: server
CN: UCS100092
instanceType: 4
whenCreated: 20170505125023.0Z
uSNCreated: 3186
showInAdvancedViewOnly: TRUE
name: UCS100092
objectGUID: 6c023489-34eb-423c-9a63-132e5a849ae4
systemFlags: 1375731712
dNSHostName: ucs100092.laprinta.lan
objectCategory: CN=Server,CN=Schema,CN=Configuration,DC=laprinta,DC=lan
serverReference: CN=UCS100092,OU=Domain Controllers,DC=laprinta,DC=lan
whenChanged: 20170505125044.0Z
uSNChanged: 3728
distinguishedName: CN=UCS100092,CN=Servers,CN=Default-First-Site-Name,CN=Sites
 ,CN=Configuration,DC=laprinta,DC=lan

# record 2
dn: CN=UCS100092,OU=Domain Controllers,DC=laprinta,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
CN: UCS100092
instanceType: 4
whenCreated: 20170505125023.0Z
displayName: UCS100092$
uSNCreated: 3256
name: UCS100092
objectGUID: fb0d06ce-a76c-4c8c-a00f-37f1dee93a22
userAccountControl: 532480
codePage: 0
countryCode: 0
pwdLastSet: 131384622301048690
primaryGroupID: 516
objectSid: S-1-5-21-2248548878-546129118-1889213156-2129
accountExpires: 9223372036854775807
sAMAccountName: UCS100092$
sAMAccountType: 805306369
dNSHostName: ucs100092.laprinta.lan
servicePrincipalName: HOST/UCS100092
servicePrincipalName: HOST/ucs100092.laprinta.lan
servicePrincipalName: GC/ucs100092.laprinta.lan/laprinta.lan
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/6f96a1b4-4d65-461a-
 8caa-3720cb295203/laprinta.lan
servicePrincipalName: HOST/ucs100092.laprinta.lan/LAPRINTA
servicePrincipalName: ldap/ucs100092.laprinta.lan/LAPRINTA
servicePrincipalName: ldap/ucs100092.laprinta.lan
servicePrincipalName: HOST/ucs100092.laprinta.lan/laprinta.lan
servicePrincipalName: ldap/ucs100092.laprinta.lan/laprinta.lan
servicePrincipalName: ldap/6f96a1b4-4d65-461a-8caa-3720cb295203._msdcs.laprint
 a.lan
servicePrincipalName: ldap/UCS100092
servicePrincipalName: RestrictedKrbHost/UCS100092
servicePrincipalName: RestrictedKrbHost/ucs100092.laprinta.lan
servicePrincipalName: ldap/ucs100092.laprinta.lan/DomainDnsZones.laprinta.lan
servicePrincipalName: ldap/ucs100092.laprinta.lan/ForestDnsZones.laprinta.lan
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=laprinta,DC=lan
isCriticalSystemObject: TRUE
msDS-SupportedEncryptionTypes: 31
serverReferenceBL: CN=UCS100092,CN=Servers,CN=Default-First-Site-Name,CN=Sites
 ,CN=Configuration,DC=laprinta,DC=lan
operatingSystem: Univention Corporate Server
operatingSystemVersion: 4.1-4
whenChanged: 20170505125122.0Z
lastLogonTimestamp: 131384622829444060
uSNChanged: 3828
distinguishedName: CN=UCS100092,OU=Domain Controllers,DC=laprinta,DC=lan

# returned 2 records
# 2 entries
# 0 referrals

If I start it again with univention-run-join-scripts, then the following is added to the join.log

EXITCODE=already_executed
RUNNING 98univention-pkgdb-tools.inst
EXITCODE=already_executed
RUNNING 98univention-samba4-dns.inst
2017-05-05 15:47:13.098483925+02:00 (in joinscript_init)
Waiting for RID Pool replication: ..............................
Error no rIDSetReferences replicated for ucs100092
EXITCODE=1

Fr 5. Mai 15:50:46 CEST 2017
univention-run-join-scripts finished

Previously I tried to execute “univention-join” again, but it hangs on script 96… while the computer account exists. Should I do it again now?


#6

Reinstalled the server and then joined it to the domain

https://help.univention.com/t/kinit-unable-to-reach-any-kdc-in-realm/2757/2

The cause turned out to be: because the variable samba/interfaces/bindonly = yes and the variable samba/interfaces = “eth0” are set (by the installation of Agorum or KVM), Samba no longer listens on the lo interface. That is why communication with Kerberos fails.

ucr set samba/interfaces="$(ucr get samba/interfaces) lo"

After that, a restart, and there is no longer any noticeable error message
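
A pre-join check for the root cause named in post #6, as an added example that is not part of the original thread or of Univention's scripts. The function names are hypothetical, and it assumes loopback appears in samba/interfaces as `lo`, `127.x.x.x[/mask]` or `::1[/mask]`.

```shell
#!/bin/sh
# Added example: detect "bindonly = yes" combined with an interface list
# that has no loopback entry (the state described in post #6).

# has_loopback "<interfaces value>": exit 0 if any entry names loopback.
# Assumption: loopback is written as lo, 127.x.x.x[/mask] or ::1[/mask].
has_loopback() {
    for entry in $1; do
        case "$entry" in
            lo|127.*|::1|::1/*) return 0 ;;
        esac
    done
    return 1
}

# check_samba_bind "<bindonly>" "<interfaces>": print a verdict,
# exit 1 when Samba is restricted to interfaces that exclude loopback.
check_samba_bind() {
    bindonly=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    interfaces=$(printf '%s' "$2" | tr -d '"')
    case "$bindonly" in
        yes|true|1) ;;
        *) echo "OK: bindonly is not enabled"; return 0 ;;
    esac
    if has_loopback "$interfaces"; then
        echo "OK: bindonly=yes and loopback is listed ($interfaces)"
        return 0
    fi
    echo "PROBLEM: bindonly=yes but no loopback entry in: '$interfaces'"
    echo 'Fix from the thread: ucr set samba/interfaces="$(ucr get samba/interfaces) lo"'
    return 1
}

# On a UCS host, evaluate the live UCR values; elsewhere this is skipped.
if command -v ucr >/dev/null 2>&1; then
    check_samba_bind "$(ucr get samba/interfaces/bindonly)" \
                     "$(ucr get samba/interfaces)" || true
fi
```

Running this before `univention-join` on a host where Agorum or KVM was installed shows whether the interface restriction is in place before the join scripts reach the Samba steps.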

