Problem:
Cannot join a Backup Server due to
ERROR(ldb): uncaught exception - LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <0000200A: objectclass_attrs: attribute 'msDS-SupportedEncryptionTypes' on entry 'CN=UCS02,OU=Domain Controllers,DC=schein,DC=ig' was not found in the schema!> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 700, in run
    backend_store=backend_store)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1544, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1436, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 650, in join_add_objects
    ctx.samdb.add(rec, controls=controls)
Adding CN=UCS02,OU=Domain Controllers,DC=schein,DC=ig
Join failed - cleaning up
Failed to join against the S4 Connector server ucs01.
in /var/log/univention/join.log
Environment:
UCS Primary and Backup
The Primary was created by a takeover from Windows 2003.
Some time later the domain level was raised to 2008, but the schema data was not updated automatically.
Investigation:
# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
InfrastructureMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
RidAllocationMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
DomainNamingMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
DomainDnsZonesMasterRole has no current owner
ForestDnsZonesMasterRole has no current owner
# samba-tool fsmo seize --role=domaindns
Seizing domaindns FSMO role...
FSMO seize of 'domaindns' role successful
# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
InfrastructureMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
RidAllocationMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
DomainNamingMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
ForestDnsZonesMasterRole has no current owner
# samba-tool fsmo seize --role=forestdns
Seizing forestdns FSMO role...
FSMO seize of 'forestdns' role successful
# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
InfrastructureMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
RidAllocationMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
DomainNamingMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=UCS01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=schein,DC=ig
Because the schema was not updated, UCS02 with its newer version finds a few schema definitions missing and therefore does not join.
univention-s4search -b "CN=Schema,CN=Configuration,$(ucr get samba4/ldap/base)" ldapdisplayname=msDS-SupportedEncryptionTypes
# returned 0 records
# 0 entries
# 0 referrals
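The two checks from this investigation can be scripted so they run before a join attempt. This is an added example, not part of the original article; the function names and the `prejoin_check` wrapper are hypothetical, and the sample input is constructed in the output formats shown above.

```shell
#!/bin/sh
# Added example: parse the two output formats shown in this article.

# Print every FSMO role that "samba-tool fsmo show" lists without an owner.
unowned_fsmo_roles() {
    sed -n 's/^\([A-Za-z]*MasterRole\) has no current owner$/\1/p'
}

# Exit 0 only if the search summary ("# returned N records") has N > 0.
search_found_records() {
    awk '/^# returned [0-9]+ records/ { n = $3 + 0; seen = 1 }
         END { exit !(seen && n > 0) }'
}

# Hypothetical wrapper: run both checks against the live directory.
# $1 is the lDAPDisplayName of a schema attribute the join needs.
prejoin_check() {
    attr=$1
    rc=0
    base="CN=Schema,CN=Configuration,$(ucr get samba4/ldap/base)"
    missing=$(samba-tool fsmo show | unowned_fsmo_roles)
    if [ -n "$missing" ]; then
        echo "FSMO roles without owner: $missing" >&2
        rc=1
    fi
    if ! univention-s4search -b "$base" "ldapdisplayname=$attr" \
            | search_found_records; then
        echo "schema attribute not found: $attr" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample input (not taken from a real system).
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site,CN=Sites,CN=Configuration,DC=example,DC=test
DomainDnsZonesMasterRole has no current owner
ForestDnsZonesMasterRole has no current owner'
SAMPLE_SEARCH='# returned 0 records
# 0 entries
# 0 referrals'

printf '%s\n' "$SAMPLE_FSMO" | unowned_fsmo_roles
printf '%s\n' "$SAMPLE_SEARCH" | search_found_records || echo "attribute missing"
```

On the Primary, `prejoin_check msDS-SupportedEncryptionTypes` returns non-zero if a role is unowned or the attribute is absent from the schema.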
You can try to upgrade the schema:
samba-tool domain schemaupgrade
Note: This tool only works from 2008 R2. In order to upgrade from earlier versions, the ldf files must be manually sourced from the Windows adprep tool and run with the --ldf-file= option.
But this is very elaborate and has not led to success. The error has changed to:
Solution:
The solution is to reprovision Samba on the Primary from OpenLDAP, so that the Backup can then join a fresh Samba.