Re-Provisioning Samba4 on a UCS@school DC Master

Warning:

This article describes the re-provisioning of Samba 4 on a UCS@school DC Master.

For a non-UCS@school environment, use the corresponding article for non-UCS@school systems instead.

Problem:

Samba 4 data is lost or corrupt

The LDB data of Samba 4 (e.g. /var/lib/samba/private/sam.ldb) is corrupted or lost and Samba 4 has to be re-provisioned.

Note:
If it is still possible, make sure that all of your groups and users have a sambaSID in OpenLDAP. Some older applications added groups in non-UCS ways, so a SID was assigned to the group in Samba but never written to OpenLDAP. Re-provisioning uses the OpenLDAP data only, so such SIDs are lost, and ACL problems (e.g. with access to shares) can follow, with considerable restoration effort.
Also check and back up self-created SPNs and the user accounts these SPNs or UPNs are attached to. SPNs and UPNs are not replicated to OpenLDAP and will be lost.
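
The sambaSID pre-check from the note, as an added example that is not part of the original article or of UCS: it lists the OpenLDAP users and groups that have no sambaSID, since exactly those SIDs will not survive the re-provisioning. It assumes that users carry objectClass posixAccount and groups objectClass posixGroup in the UCS directory, that the S4 Connector takes the SID from sambaSID, and that univention-ldapsearch accepts the usual ldapsearch -LLL option; the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article or of UCS. Implements the
# pre-check from the note above: print the DN of every user/group record that
# has no sambaSID, because its SID will not survive the re-provisioning.
# Assumptions: users have objectClass posixAccount, groups objectClass posixGroup,
# and the search output is LDIF as produced by univention-ldapsearch -LLL.

# Reads LDIF on stdin and prints the DN of each record without a sambaSID line.
# awk paragraph mode (RS="") splits records at blank lines, so records with any
# number of attributes are handled.
dns_missing_sambasid() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        dn = ""; has_sid = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dn: /)       dn = substr($i, 5)
            if ($i ~ /^sambaSID: /) has_sid = 1
        }
        if (dn != "" && !has_sid) print dn
    }'
}

# Constructed sample of what the search returns on a system with one legacy
# group; DNs and SIDs are made up.
SAMPLE_LDIF='dn: uid=alice,cn=users,dc=school,dc=example
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1105

dn: cn=legacyapp-users,cn=groups,dc=school,dc=example
objectClass: posixGroup
cn: legacyapp-users

dn: cn=Domain Users,cn=groups,dc=school,dc=example
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513'

# On the DC Master the real input comes from OpenLDAP, for example:
#   univention-ldapsearch -LLL '(|(objectClass=posixAccount)(objectClass=posixGroup))' dn sambaSID \
#       | dns_missing_sambasid
printf '%s\n' "$SAMPLE_LDIF" | dns_missing_sambasid
```

Every DN printed needs a sambaSID before you continue; otherwise the group or user comes back from the re-provisioning with a new SID and every ACL that references the old one breaks.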

Solution:

Samba 4 can be re-provisioned from the existing OpenLDAP data.

The following steps describe the procedure:

1. Stop Samba 4 on all replicating partners in the environment

If there are other Samba 4 systems that are part of the DRS replication, Samba 4 has to be stopped on them as well. Typically the School-DCs (School-Slaves) are not part of the DRS replication.
The name of the init script changed in UCS 4, so both variants are given:

# UCS 4:
/etc/init.d/samba stop
# UCS 3:
/etc/init.d/samba4 stop

2. Sync the time on the DC Master (Kerberos and the AD replication depend on correct time):

rdate ptbtime1.ptb.de

3. Save the RID pool on the DC Master:

ldbsearch -H /var/lib/samba/private/sam.ldb CN="RID Set" \
-b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)" > /root/ridpool.ldif

Check that /root/ridpool.ldif actually contains the rIDAllocationPool, rIDPreviousAllocationPool and rIDNextRID values; they are needed again in step 10. If sam.ldb is too damaged for ldbsearch to read it, take the RID Set from the most recent backup of sam.ldb instead.

4. Disable the ‘sysvol-cleanup’ cron job

ucr unset samba4/sysvol/cleanup/cron

5. Stop Samba 4 and the S4 Connector on the DC Master:

# UCS 4:
/etc/init.d/samba stop
/etc/init.d/univention-s4-connector stop
# UCS 3:
/etc/init.d/samba4 stop
/etc/init.d/univention-s4-connector stop

6. Move/delete the Samba 4 and S4 Connector data on the DC Master:

find /etc/univention/connector/ \( -name "s4*.sqlite" -o -name "lockingdb.sqlite" \) -exec mv "{}" "{}.bak_$(date +%s)" \;
rm -rf /var/lib/univention-connector/s4/*
mv /var/lib/samba/private "/var/lib/samba/private.bak_$(date +%s)"

7. Remove the Samba 4 and S4 Connector packages on the DC Master:

univention-remove univention-samba4 univention-s4-connector

8. Set the UCR variables for the re-provisioning on the DC Master:

ucr set connector/s4/allow/secondary='true' \
samba4/provision/primary='true'

9. Install the Samba 4 and S4 Connector packages on the DC Master:

univention-install univention-s4-connector univention-samba4

After the installation the join scripts initiate the re-provisioning of Samba/AD; this takes a while. While 96univention-samba4.inst is running you can follow the synchronization in /var/log/univention/connector-s4.log.

10. Correct the newly created RID pool on the DC Master with the data saved in step 3:

The re-provisioning created a new RID pool. It has to be corrected with the values saved in step 3, otherwise RIDs that are already in use in the domain can be handed out again:

ldbedit -H /var/lib/samba/private/sam.ldb CN="RID Set" \
-b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)"

The following attributes have to be corrected:

rIDAllocationPool
rIDPreviousAllocationPool
rIDNextRID

Please also see the help article "Samba 4 - RID Pool renewal".
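
The RID pool restore from step 10, driven by the file saved in step 3, as an added example that is not part of the original article or of UCS: instead of typing the three values into ldbedit, it validates the saved RID Set and generates the change record for ldbmodify from it. It assumes that /root/ridpool.ldif is the ldbsearch output from step 3 and that the DN of the RID Set in the new sam.ldb is the same as in the old one (same hostname, same ldap/base); the sample file and its numbers are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article or of UCS. Turns the RID Set
# saved in step 3 (/root/ridpool.ldif) into input for
#   ldbmodify -H /var/lib/samba/private/sam.ldb
# so the three attributes from step 10 are replaced with the saved values, after
# checking that those values are usable.
# Assumptions: the saved file is the ldbsearch output from step 3, and the DN of
# the RID Set in the new sam.ldb equals the old one (same hostname, same ldap/base).

# Constructed stand-in for /root/ridpool.ldif; DN and numbers are made up.
SAMPLE_RIDPOOL="$(mktemp)"
cat >"$SAMPLE_RIDPOOL" <<'EOF'
# record 1
dn: CN=RID Set,CN=master,OU=Domain Controllers,DC=school,DC=example
objectClass: top
objectClass: rIDSet
cn: RID Set
rIDAllocationPool: 9015136355904
rIDPreviousAllocationPool: 9015136355904
rIDNextRID: 1937
rIDUsedPool: 0

# returned 1 records
# 1 entries
# 0 referrals
EOF

# First value of an attribute in a single-record LDIF file.
ldif_attr() {  # ldif_attr FILE ATTRIBUTE
    sed -n "s/^$2: //p" "$1" | head -n 1
}

# A RID pool is one 64-bit integer: the low 32 bits are the first RID of the
# pool, the high 32 bits the last one (decimal arithmetic keeps this POSIX sh).
pool_lo() { echo $(( $1 % 4294967296 )); }
pool_hi() { echo $(( $1 / 4294967296 )); }

# Returns 0 when the saved values are usable: all three attributes present and
# numeric, the pool range is sane, and rIDNextRID does not exceed the pool.
# Only the upper bound is checked, so a pool on which no RID has been handed
# out yet is not rejected.
check_rid_set() {  # check_rid_set FILE
    alloc="$(ldif_attr "$1" rIDAllocationPool)"
    prev="$(ldif_attr "$1" rIDPreviousAllocationPool)"
    next="$(ldif_attr "$1" rIDNextRID)"
    [ -n "$alloc" ] && [ -n "$prev" ] && [ -n "$next" ] || return 1
    case "$alloc$prev$next" in *[!0-9]*) return 1 ;; esac
    [ "$(pool_lo "$alloc")" -le "$(pool_hi "$alloc")" ] || return 1
    [ "$next" -le "$(pool_hi "$alloc")" ]
}

# LDIF change record for ldbmodify that replaces the attributes from step 10.
rid_modify_ldif() {  # rid_modify_ldif FILE
    printf 'dn: %s\nchangetype: modify\n' "$(ldif_attr "$1" dn)"
    for attr in rIDAllocationPool rIDPreviousAllocationPool rIDNextRID; do
        printf 'replace: %s\n%s: %s\n-\n' "$attr" "$attr" "$(ldif_attr "$1" "$attr")"
    done
}

if check_rid_set "$SAMPLE_RIDPOOL"; then
    alloc="$(ldif_attr "$SAMPLE_RIDPOOL" rIDAllocationPool)"
    echo "# saved pool $(pool_lo "$alloc")-$(pool_hi "$alloc"), next RID $(ldif_attr "$SAMPLE_RIDPOOL" rIDNextRID)"
    # On the DC Master, with Samba stopped:
    #   rid_modify_ldif /root/ridpool.ldif | ldbmodify -H /var/lib/samba/private/sam.ldb
    rid_modify_ldif "$SAMPLE_RIDPOOL"
else
    echo "saved RID Set is incomplete or inconsistent, do not apply it" >&2
    exit 1
fi
```

Run the generated LDIF through ldbmodify only while Samba 4 is stopped, and re-run the ldbsearch from step 3 afterwards to confirm the three attributes now carry the saved values.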

11. Re-enable sysvol-cleanup

You will find the previous value in /var/log/univention/config-registry.replog:

ucr set samba4/sysvol/cleanup/cron="$( grep samba4/sysvol/cleanup/cron /var/log/univention/config-registry.replog | tail -n1 | sed -n 's/.*old://p' )"

Verify that the variable now holds a valid cron line (the previous value). If it is empty or mangled, set the default, which is:
4 4 * * * root /usr/share/univention-samba4/scripts/sysvol-cleanup.py --move /var/lib/samba/sysvol_backup >>/var/log/univention/sysvol-sync.log 2>&1

After steps 1 to 11 the (test) system should be rebooted and tested.


If there were other systems using Samba 4 in this environment, all of them have to be re-joined. These systems can be found with the following search:

univention-ldapsearch -b cn=dc,cn=computers,$(ucr get ldap/base) \
    '(&(univentionService=Samba 4)(!(cn='$(ucr get hostname)')))' \
    cn | sed -ne 's|cn: ||p'