Migration auf Samba 4


#1

Hello,

I am currently trying to migrate to Samba 4 on UCS 3.2-5. On the master there were problems at first, but running the join scripts manually then went through. Windows login and file access also worked afterwards.

On the DC Backup it is unfortunately more problematic. Running the join scripts fails:

RUNNING 96univention-samba4.inst
WARNING: It is not possible to install a samba 4 domaincontroller 
         into a samba 3 environment. samba4/ignore/mixsetup is true.
         Continue as requested
Not updating samba4/role
Multifile: /etc/samba/smb.conf
Object exists: cn=Builtin,dc=top2,dc=top1
WARNING: cannot append cn=backup,cn=dc,cn=computers,dc=top2,dc=top1 to hosts, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=top2,dc=top1
Stopping Samba AD DC daemon: samba nmbd.
Setting kerberos/kdc
Setting kerberos/kpasswdserver
File: /etc/krb5.conf
Setting slapd/port
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Setting slapd/port/ldaps
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Check database: ...done.
Starting ldap server(s): slapd ...done.
extract_rIDNextRID: Attribute rIDSetReferences not found
Create windows/wins-support
Multifile: /etc/samba/smb.conf
ERROR: Invalid IP address 'top2.top1'!
Forest           : top2.top1
Domain           : top2.top1
Netbios domain   : TOP2
DC name          : master.top2.top1
DC netbios name  : MASTER
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name
workgroup is TOP2
realm is top2.top1
checking sAMAccountName
Adding CN=BACKUP,OU=Domain Controllers,DC=top2,DC=top1
Adding CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=top2,DC=top1
Adding CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=top2,DC=top1
Adding SPNs to CN=BACKUP,OU=Domain Controllers,DC=top2,DC=top1
Setting account password for BACKUP$
Enabling account
Calling bare provision
No IPv6 address will be assigned
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Schema-DN[CN=Schema,CN=Configuration,DC=top2,DC=top1] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=top2,DC=top1] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=top2,DC=top1] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=top2,DC=top1] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=top2,DC=top1] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=top2,DC=top1] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=top2,DC=top1] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=top2,DC=top1] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=top2,DC=top1] objects[1614/1614] linked_values[28/0]
Partition[DC=top2,DC=top1] objects[98/98] linked_values[32/0]
Partition[DC=top2,DC=top1] objects[500/502] linked_values[0/0]
Failed to apply records: ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectGUID in CN=Authenticated Users\0ACNF:c38a4bb4-0493-4470-a69a-11b75067c8ea,CN=Groups,DC=top2,DC=top1 - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectGUID in CN=Authenticated Users\0ACNF:c38a4bb4-0493-4470-a69a-11b75067c8ea,CN=Groups,DC=top2,DC=top1: Entry already exists
Failed to commit objects: WERR_GENERAL_FAILURE
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to process chunk: NT_STATUS_UNSUCCESSFUL
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 560, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 1220, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 1102, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 842, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.6/dist-packages/samba/drs_utils.py", line 256, in replicate
    schema=schema, req_level=req_level, req=req)
Provision OK for domain DN DC=top2,DC=top1
Starting replication
Replicating critical objects from the base DN of the domain
Join failed - cleaning up
checking sAMAccountName
removing samaccount: CN=BACKUP,OU=Domain Controllers,DC=top2,DC=top1
Deleted CN=BACKUP,OU=Domain Controllers,DC=top2,DC=top1
Deleted CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=top2,DC=top1
Deleted CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=top2,DC=top1
Failed to join the server master.top2.top1.
EXITCODE=1
RUNNING 97univention-s4-connector.inst
EXITCODE=already_executed
RUNNING 98univention-pkgdb-tools.inst
EXITCODE=already_executed
RUNNING 98univention-samba4-dns.inst
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1

Fr 17. Apr 14:15:51 CEST 2015
univention-run-join-scripts finished

#2

Unfortunately a rejoin fails as well :frowning:

Configure 35univention-management-console-module-appcenter.inst Fri Apr 17 15:01:14 CEST 2015
Object exists: cn=UMC,cn=univention,dc=top2,dc=top1
Object exists: cn=UMC,cn=policies,dc=top2,dc=top1
Object exists: cn=operations,cn=UMC,cn=univention,dc=top2,dc=top1
Object exists: cn=default-umc-all,cn=UMC,cn=policies,dc=top2,dc=top1
WARNING: cannot append cn=default-umc-all,cn=UMC,cn=policies,dc=top2,dc=top1 to univentionPolicyReference, value exists
No modification: cn=Domain Admins,cn=groups,dc=top2,dc=top1
Object exists: cn=default-umc-users,cn=UMC,cn=policies,dc=top2,dc=top1
WARNING: cannot append cn=default-umc-users,cn=UMC,cn=policies,dc=top2,dc=top1 to univentionPolicyReference, value exists
No modification: cn=Domain Users,cn=groups,dc=top2,dc=top1
Object exists: cn=appcenter-all,cn=operations,cn=UMC,cn=univention,dc=top2,dc=top1
WARNING: cannot append cn=appcenter-all,cn=operations,cn=UMC,cn=univention,dc=top2,dc=top1 to allow, value exists
No modification: cn=default-umc-all,cn=UMC,cn=policies,dc=top2,dc=top1
Object exists: cn=apps,cn=univention,dc=top2,dc=top1
Object exists: cn=ldapschema,cn=univention,dc=top2,dc=top1
INFO: No change of core data of object univention-app.
Object exists: cn=ldapacl,cn=univention,dc=top2,dc=top1
INFO: No change of core data of object 66univention-appcenter_app.
Object exists: cn=udm_module,cn=univention,dc=top2,dc=top1
INFO: No change of core data of object appcenter/app.
Object modified: cn=univention-app,cn=ldapschema,cn=univention,dc=top2,dc=top1

Object modified: cn=66univention-appcenter_app,cn=ldapacl,cn=univention,dc=top2,dc=top1

Object modified: cn=appcenter/app,cn=udm_module,cn=univention,dc=top2,dc=top1

Waiting for activation of the extension object univention-app: OK
Waiting for activation of the extension object 66univention-appcenter_app: OK
Waiting for activation of the extension object appcenter/app: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/appcenter/app.py: OK
Terminating running univention-cli-server processes.
17.04.15 15:01:42.605  MODULE      ( PROCESS ) : Downloading "https://appcenter.software-univention.de/meta-inf/3.2/index.json.gz"...
17.04.15 15:01:43.707  MODULE      ( PROCESS ) : 4 file(s) are new
17.04.15 15:01:43.708  MODULE      ( PROCESS ) : Starting to download 4 file(s) directly
17.04.15 15:01:53.869  MODULE      ( PROCESS ) : Container samba4 for new univentionApp needed. Creating...
17.04.15 15:01:54.125  MODULE      ( PROCESS ) : univentionApp univentionAppID=samba4_4.1,cn=samba4,cn=apps,cn=univention,dc=top2,dc=top1 created
17.04.15 15:01:54.147  MODULE      ( PROCESS ) : Adding udsbackup.top2.top1 to univentionAppID=samba4_4.1,cn=samba4,cn=apps,cn=univention,dc=top2,dc=top1
File: /usr/share/univention-management-console/modules/apps.xml
File: /usr/share/univention-management-console/i18n/de/apps.mo
File: /usr/share/univention-management-console/modules/apps.xml
File: /usr/share/univention-management-console/i18n/de/apps.mo
File: /etc/apt/apt.conf.d/55user_agent
All applications have been registered.
Configure 35univention-management-console-module-ipchange.inst Fri Apr 17 15:02:04 CEST 2015
Object exists: cn=UMC,cn=univention,dc=top2,dc=top1
Object exists: cn=UMC,cn=policies,dc=top2,dc=top1
authentication error: {'desc': 'Connect error'}
Fri Apr 17 15:02:09 CEST 2015: finish /usr/sbin/univention-join

#3

The AppCenter join script went through on the next attempt. Unfortunately there are still problems with the one for Samba 4:

Configure 96univention-samba4.inst Fri Apr 17 17:15:14 CEST 2015
WARNING: It is not possible to install a samba 4 domaincontroller 
         into a samba 3 environment. samba4/ignore/mixsetup is true.
         Continue as requested
Not updating samba4/role
Multifile: /etc/samba/smb.conf
Object exists: cn=Builtin,dc=top2,dc=top1
WARNING: cannot append cn=udsbackup,cn=dc,cn=computers,dc=top2,dc=top1 to hosts, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=top2,dc=top1
Stopping Samba AD DC daemon: samba nmbd.
Setting kerberos/kdc
Setting kerberos/kpasswdserver
File: /etc/krb5.conf
Setting slapd/port
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Setting slapd/port/ldaps
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Check database: ...done.
Starting ldap server(s): slapd ...done.
Not updating windows/wins-support
Forest           : top2.top1
Domain           : top2.top1
Netbios domain   : top1
DC name          : master.top2.top1
DC netbios name  : MASTER
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'top2.top1'
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 560, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 1198, in join_DC
    keep_existing)
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 77, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 290, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
Finding a writeable DC for domain 'top2.top1'
Failed to join the domain top2.top1.
Fri Apr 17 17:16:22 CEST 2015: finish /usr/sbin/univention-join

#4

It possibly seems to be related to IPv6. How can I remove the entries from DNS?


#5

Removing apparently works with “samba-tool dns query” and “samba-tool dns delete”, but even after a system restart Bind still always returns the AAAA record, although according to samba-tool the entry is gone.

EDIT: The join still does not work :frowning:


#6

Hello, the original problem looks very much like [bug]34428[/bug]. A workaround is noted in the first comment; maybe that helps here as well?


#7

Thanks a lot, that helps me move on. I restored the backups and then got the following error message:

RUNNING 90univention-bind-post.inst
EXITCODE=already_executed
RUNNING 96univention-samba4.inst
WARNING: It is not possible to install a samba 4 domaincontroller 
         into a samba 3 environment. samba4/ignore/mixsetup is true.
         Continue as requested
Not updating samba4/role
Multifile: /etc/samba/smb.conf
Object exists: cn=Builtin,dc=top2,dc=top1
WARNING: cannot append cn=backup,cn=dc,cn=computers,dc=top2,dc=top1 to hosts, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=top2,dc=top1
Stopping Samba AD DC daemon: samba nmbd.
Setting kerberos/kdc
Setting kerberos/kpasswdserver
File: /etc/krb5.conf
Setting slapd/port
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Setting slapd/port/ldaps
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Check database: ...done.
Starting ldap server(s): slapd ...done.
extract_rIDNextRID: Attribute rIDSetReferences not found
Create windows/wins-support
Multifile: /etc/samba/smb.conf
Forest           : top2.top1
Domain           : top2.top1
Netbios domain   : TOP2
DC name          : master.top2.top1
DC netbios name  : MASTER
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name
Finding a writeable DC for domain 'top2.top1'
Found DC master.top2.top1
workgroup is TOP2
realm is top2.top1
checking sAMAccountName
Adding CN=UDSBACKUP,OU=Domain Controllers,DC=top2,DC=top1
Adding CN=UDSBACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=top2,DC=top1
Adding CN=NTDS Settings,CN=UDSBACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=top2,DC=top1
Adding SPNs to CN=UDSBACKUP,OU=Domain Controllers,DC=top2,DC=top1
Setting account password for UDSBACKUP$
Enabling account
Calling bare provision
No IPv6 address will be assigned
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Schema-DN[CN=Schema,CN=Configuration,DC=top2,DC=top1] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=top2,DC=top1] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=top2,DC=top1] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=top2,DC=top1] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=top2,DC=top1] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=top2,DC=top1] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=top2,DC=top1] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=top2,DC=top1] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=top2,DC=top1] objects[1614/1614] linked_values[28/0]
Partition[DC=top2,DC=top1] objects[98/98] linked_values[32/0]
Partition[DC=top2,DC=top1] objects[500/500] linked_values[0/0]
Failed to apply records: ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectGUID in CN=Authenticated Users\0ACNF:aba1f34e-30d6-45ab-9e4d-232e20c7b01f,CN=Groups,DC=top2,DC=top1 - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectGUID in CN=Authenticated Users\0ACNF:aba1f34e-30d6-45ab-9e4d-232e20c7b01f,CN=Groups,DC=top2,DC=top1: Entry already exists
Failed to commit objects: WERR_GENERAL_FAILURE
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to process chunk: NT_STATUS_UNSUCCESSFUL
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 560, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 1220, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 1102, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 842, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.6/dist-packages/samba/drs_utils.py", line 256, in replicate
    schema=schema, req_level=req_level, req=req)
Provision OK for domain DN DC=top2,DC=top1
Starting replication
Replicating critical objects from the base DN of the domain
Join failed - cleaning up
checking sAMAccountName
removing samaccount: CN=UDSBACKUP,OU=Domain Controllers,DC=top2,DC=top1
Deleted CN=UDSBACKUP,OU=Domain Controllers,DC=top2,DC=top1
Deleted CN=NTDS Settings,CN=UDSBACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=top2,DC=top1
Deleted CN=UDSBACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=top2,DC=top1
Failed to join the domain top2.top1.
EXITCODE=1
RUNNING 97univention-s4-connector.inst
EXITCODE=already_executed
RUNNING 98univention-pkgdb-tools.inst
EXITCODE=already_executed
RUNNING 98univention-samba4-dns.inst
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1

Sa 18. Apr 13:39:20 CEST 2015
univention-run-join-scripts finished

I have also just found this thread on the matter. I will have a look at it too.


#8

ldbdel fails just like in the other thread:

 failed - (No such object) ldb_wait: No such object (32)

Unfortunately it does not contain a solution either.
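The join failures in this thread all stop at the same object: a conflict-renamed copy of "Authenticated Users" whose RDN carries a newline followed by "CNF:<GUID>", and an objectGUID unique-index violation while re-indexing it. The following is an added example, not code from the thread, from UCS or from Samba: it parses an LDIF dump (for instance what `ldbsearch -H /var/lib/samba/private/sam.ldb` writes) and lists CNF objects together with the RDN they collide with, and separately lists objectGUID values shared by more than one entry. The LDIF content is constructed here; the CNF GUIDs are the two from the join logs above, the objectGUID values are invented, and nothing about which of the colliding objects to delete is decided by the script.

```python
import base64
import re

# Added example (not from the thread, UCS or Samba). Samba's string form of a
# DN escapes the newline in a CNF RDN as "\0A"; an LDIF writer may instead
# base64-encode the whole DN ("dn:: ..."). The regex accepts both forms.
CNF_RE = re.compile(r'^(?P<rdn>CN=.*?)(?:\\0A|\n)CNF:(?P<guid>[0-9a-fA-F-]{36})')


def _sample_ldif():
    """Constructed sample; CNF GUIDs come from the join logs, objectGUIDs are invented."""
    b64_dn = base64.b64encode(
        b'CN=Authenticated Users\nCNF:aba1f34e-30d6-45ab-9e4d-232e20c7b01f,'
        b'CN=Groups,DC=top2,DC=top1').decode('ascii')
    return (
        'dn: CN=Authenticated Users,CN=Groups,DC=top2,DC=top1\n'
        'objectClass: group\n'
        'objectGUID: 11111111-2222-3333-4444-555555555555\n'
        '\n'
        'dn: CN=Authenticated Users\\0ACNF:c38a4bb4-0493-4470-a69a-11b75067c8ea,'
        'CN=Groups,DC=top2,DC=top1\n'
        'objectClass: group\n'
        'objectGUID: 11111111-2222-3333-4444-555555555555\n'
        '\n'
        'dn:: ' + b64_dn + '\n'
        'objectClass: group\n'
        'objectGUID: 22222222-3333-4444-5555-666666666666\n'
        '\n'
        'dn: CN=Domain Admins,CN=Groups,DC=top2,DC=top1\n'
        'objectClass: group\n'
        'objectGUID: 33333333-4444-5555-6666-777777777777\n'
    )


SAMPLE_LDIF = _sample_ldif()


def parse_ldif(text):
    """Parse LDIF into a list of {attribute_lowercase: [values]} dicts.

    Handles RFC 2849 line folding, comment lines and base64 ('::') values.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(' ') and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded:
        if not line.strip():                  # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith('#'):
            continue
        m = re.match(r'^([A-Za-z][\w.;-]*)(::?) ?(.*)$', line)
        if not m:
            raise ValueError('unparseable LDIF line: %r' % line)
        name, sep, value = m.groups()
        if sep == '::':
            value = base64.b64decode(value).decode('utf-8')
        current.setdefault(name.lower(), []).append(value)
    if current:
        records.append(current)
    return records


def conflict_objects(records):
    """Return CNF-renamed entries with the RDN they collide with and their objectGUID."""
    found = []
    for rec in records:
        dn = rec.get('dn', [''])[0]
        m = CNF_RE.search(dn)
        if m:
            found.append({
                'dn': dn,
                'base_rdn': m.group('rdn'),
                'cnf_guid': m.group('guid').lower(),
                'objectguid': rec.get('objectguid', [None])[0],
            })
    return found


def duplicate_guids(records):
    """Map each objectGUID that occurs on more than one entry to the DNs carrying it."""
    seen = {}
    for rec in records:
        for guid in rec.get('objectguid', []):
            seen.setdefault(guid.lower(), []).append(rec.get('dn', [''])[0])
    return {guid: dns for guid, dns in seen.items() if len(dns) > 1}


if __name__ == '__main__':
    recs = parse_ldif(SAMPLE_LDIF)
    for c in conflict_objects(recs):
        print('CNF object %s collides with %s' % (c['cnf_guid'], c['base_rdn']))
    for guid, dns in duplicate_guids(recs).items():
        print('objectGUID %s shared by: %s' % (guid, ' | '.join(dns)))
```

Run it against a real dump by piping `ldbsearch -H /var/lib/samba/private/sam.ldb -b CN=Groups,DC=top2,DC=top1 dn objectGUID` into `parse_ldif`; the output only tells you which entries conflict, the cleanup itself is what the bug report's workaround covers.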


#9

Thanks again. The bug report was fortunately more helpful :slight_smile: Note the small difference between the tips.


#10

The first slave now went through without problems. However, under Windows the home is now mapped to Z, although I actually set Y on the user object. What could be the cause?

EDIT: It has to be specified with “:”.


#11

Which machine account types can be used for a bind against Samba 4? Apparently not all of them, or? I have currently chosen “Linux” as the type.


#12

Locally on the system the easiest way to search is with univention-s4search or with ldbsearch -H /var/lib/samba/private/sam.ldb. Or how was the question meant?


#13

Specifically it was about connecting pfSense. Because of the memberOf attribute I would now like to use Samba 4 for that. But there seem to be problems there. Incidentally, in one of those AD tools the Container container is shown as empty.

Kerberos authentication against the external slave is unfortunately causing problems too. In the same AD tool it also does not appear under Domain Controllers. When joining this slave there were also conspicuous messages:

master.home.dg port 88 is not offering the Service 'Samba 4'
Permission denied.
master.home.dg port 389 is not offering the Service 'Samba 4'
Permission denied.

EDIT: Unfortunately there are more anomalies in there that do not bode well. I have uploaded the log, shortened and partly anonymized: upload_7J0DBB.asc


#14

[quote=“SirTux”]Kerberos authentication against the external slave is unfortunately causing problems too. In the same AD tool it also does not appear under Domain Controllers. When joining this slave there were also conspicuous messages:

master.home.dg port 88 is not offering the Service 'Samba 4'
Permission denied.
master.home.dg port 389 is not offering the Service 'Samba 4'
Permission denied.[/quote]
At that point an attempt is made to clean up the SRV records, so that only the servers running Samba 4 remain listed in the Kerberos and LDAP SRV records in DNS. If I understood correctly, the DC master is already on Samba 4, so the message is odd. So is the Permission denied.

I would rejoin the slave and check what the status is afterwards. If everything is OK, next check the DNS SRV records and adjust them if necessary.
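The check suggested above, as an added example that is not part of the thread and not code from UCS or Samba: it reads the answer section of `dig SRV _ldap._tcp.top2.top1` / `dig SRV _kerberos._tcp.top2.top1` (or zone-file style SRV lines), lists the targets per service name, reports any target that is not in the set of Samba 4 domain controllers, and builds the matching `samba-tool dns delete` lines. The dig output is constructed here; "slave.top2.top1" is an assumed host that is still on Samba 3. The argument order for the SRV data follows samba-tool's documented form (target port priority weight); confirm it against `samba-tool dns delete --help` on your version before running anything it prints.

```python
import re

# Added example (not from the thread, UCS or Samba). Constructed dig output:
# master and udsbackup are the Samba 4 DCs from the thread, "slave" is an
# assumed host that must not stay in the LDAP SRV record.
SAMPLE_DIG = """\
;; ANSWER SECTION:
_ldap._tcp.top2.top1.      900 IN SRV 0 100 389 master.top2.top1.
_ldap._tcp.top2.top1.      900 IN SRV 0 100 389 udsbackup.top2.top1.
_ldap._tcp.top2.top1.      900 IN SRV 0 100 389 slave.top2.top1.
_kerberos._tcp.top2.top1.  900 IN SRV 0 100 88 master.top2.top1.
_kerberos._tcp.top2.top1.  900 IN SRV 0 100 88 udsbackup.top2.top1.
"""

# name [ttl] [IN] SRV priority weight port target
SRV_RE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+'
    r'(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$')


def parse_srv(text):
    """Return {owner_name: [(priority, weight, port, target), ...]}.

    Trailing dots are stripped and names lower-cased; non-SRV lines are skipped.
    """
    records = {}
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue
        name = m.group('name').rstrip('.').lower()
        target = m.group('target').rstrip('.').lower()
        records.setdefault(name, []).append(
            (int(m.group('prio')), int(m.group('weight')),
             int(m.group('port')), target))
    return records


def stale_srv_targets(records, samba4_dcs,
                      services=('_ldap._tcp', '_kerberos._tcp')):
    """Targets in the LDAP/Kerberos SRV records that are not Samba 4 DCs."""
    wanted = {dc.rstrip('.').lower() for dc in samba4_dcs}
    stale = {}
    for name, entries in records.items():
        if not any(name.startswith(svc + '.') for svc in services):
            continue
        bad = sorted({target for _, _, _, target in entries if target not in wanted})
        if bad:
            stale[name] = bad
    return stale


def delete_commands(records, stale, dns_server, zone):
    """Build samba-tool dns delete lines for the stale SRV entries.

    SRV data is passed as "target port priority weight" (samba-tool's documented
    order for SRV records; verify against your version's --help).
    """
    zone = zone.rstrip('.').lower()
    cmds = []
    for name, targets in stale.items():
        # samba-tool wants the record name relative to the zone
        rel = name[:-len(zone) - 1] if name.endswith('.' + zone) else name
        for prio, weight, port, target in records[name]:
            if target in targets:
                cmds.append("samba-tool dns delete %s %s %s SRV '%s %d %d %d'"
                            % (dns_server, zone, rel, target, port, prio, weight))
    return cmds


if __name__ == '__main__':
    recs = parse_srv(SAMPLE_DIG)
    stale = stale_srv_targets(recs, {'master.top2.top1', 'udsbackup.top2.top1'})
    for name, targets in stale.items():
        print('%s still points at non-Samba-4 hosts: %s' % (name, ', '.join(targets)))
    for cmd in delete_commands(recs, stale, 'master.top2.top1', 'top2.top1'):
        print(cmd)
```

Feed it the real output of `dig +noall +answer SRV _ldap._tcp.top2.top1 _kerberos._tcp.top2.top1 @master` and compare the printed hosts with the list of DCs that have actually been migrated; a host that is listed but no longer answers Kerberos or LDAP as Samba 4 is what makes clients hit the "not offering the Service" condition described above.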


#15

Thanks, a rejoin helped :slight_smile:

Then only the question remains of how pfSense can be connected.


#16

That has been resolved too (CN instead of OU).


#17

[quote]That has been resolved too (CN instead of OU).[/quote]

Ah, very good. I was just about to ask. :slight_smile: