Univention Bugzilla – Bug 42079
"samba-tool fsmo show" fails if DomainDnsZones or ForestDnsZones does not exist
Last modified: 2020-04-24 11:25:56 CEST
Created attachment 7917
https://git.samba.org/?p=samba.git;a=blob;f=python/samba/netcmd/fsmo.py

A customer reports that the output of "samba-tool fsmo show" throws an exception.
Ticket#2016081821000197

root@ucs1:~# samba-tool fsmo show
ERROR(ldb): uncaught exception - No such Base DN: CN=Infrastructure,DC=DomainDnsZones,DC=univention,DC=local
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 396, in run
    domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 40, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])

The issue could be caused by a system provisioned with a domain role 2000. According to the Samba mailing list (https://lists.samba.org/archive/samba/2016-March/198456.html) it is no problem if DomainDnsZones and ForestDnsZones are missing, because DNS is done via the MicrosoftDns container in that case.

This issue is already fixed by Andrew Bartlett.
The new version of fsmo.py (--> see attachment) shows the following output:

root@ucs1:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=UCSDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=local
InfrastructureMasterRole owner: CN=NTDS Settings,CN=UCSDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=UCSDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=UCSDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=UCSDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=local
DomainDnsZonesMasterRole: * The 'domaindns' role is not present in this domain
ForestDnsZonesMasterRole: * The 'forestdns' role is not present in this domain

We should use this new version of fsmo.py in UCS. (https://git.samba.org/?p=samba.git;a=blob;f=python/samba/netcmd/fsmo.py)
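Added example, not part of the original report or of Samba's code: a small check that parses "samba-tool fsmo show" output in the two line formats quoted above and reports which roles are absent, which servers hold roles, and whether the unpatched ERROR output appeared. The function name check_fsmo_output and the SAMPLE constant are assumptions made for this illustration.

```python
import re

# Sample input: the "samba-tool fsmo show" output quoted in this report.
_NTDS = ("CN=NTDS Settings,CN=UCSDC1,CN=Servers,CN=Default-First-Site-Name,"
         "CN=Sites,CN=Configuration,DC=univention,DC=local")
SAMPLE = "\n".join(
    ["%s owner: %s" % (role, _NTDS) for role in (
        "SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
        "PdcEmulationMasterRole", "DomainNamingMasterRole")]
    + ["DomainDnsZonesMasterRole: * The 'domaindns' role is not present in this domain",
       "ForestDnsZonesMasterRole: * The 'forestdns' role is not present in this domain"])

OWNER_RE = re.compile(r"^(\w+Role) owner: (.+)$")
ABSENT_RE = re.compile(r"^(\w+Role): \* The '\w+' role is not present in this domain$")
HOST_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),")


def check_fsmo_output(text):
    """Summarise 'samba-tool fsmo show' output (hypothetical helper).

    Returns the role -> owner DN map, the roles reported as not present,
    the server names holding roles, and any ERROR lines (the unpatched
    fsmo.py prints one plus a traceback instead of the role list).
    """
    owners, absent, errors = {}, [], []
    for line in (raw.strip() for raw in text.splitlines()):
        owner = OWNER_RE.match(line)
        missing = ABSENT_RE.match(line)
        if owner:
            owners[owner.group(1)] = owner.group(2)
        elif missing:
            absent.append(missing.group(1))
        elif line.startswith("ERROR("):
            errors.append(line)
    hosts = set()
    for dn in owners.values():
        host = HOST_RE.match(dn)
        if host:
            hosts.add(host.group(1))
    return {"owners": owners, "absent": absent,
            "hosts": sorted(hosts), "errors": errors}


if __name__ == "__main__":
    result = check_fsmo_output(SAMPLE)
    print("role holders:", result["hosts"])
    for role in result["absent"]:
        print("not present:", role)
```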
I guess this will be part of Samba 4.5. I'd prefer to actually add the missing container like you did for Ticket #2016081821000197 IIRC.
The traceback was fixed by Andrew Bartlett and this fix is implemented in the customer environment, but the missing containers were not added.
untested: I guess the containers may be created by running

samba_upgradedns --dns-backend=BIND9_DLZ

on the S4-Connector host and if additional Samba/AD DCs are present the following commands may be necessary to run on each of them:

======================================================================
# Load the UCR variables ($hostname, $samba4_ldap_base) into the shell
eval "$(ucr shell)"

# Look up the host that runs the S4 Connector service
s4connectorservicedcs=$(univention-ldapsearch \
    univentionService="S4 Connector" cn | sed -n 's/^cn: //p')

for part in ForestDnsZones DomainDnsZones; do
    samba-tool drs replicate --full-sync \
        "$s4connectorservicedcs" "$hostname" \
        "DC=$part,$samba4_ldap_base"
done
======================================================================
Actually samba_upgradedns should have done this during update to UCS 3.1 (Bug 27457), but the parameter --dns-backend=BIND9_DLZ was missing (in the univention-samba4 joinscript), so that might be the cause.
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.