Univention Bugzilla – Bug 32595
Re-join of DC backup not successful
Last modified: 2014-05-06 18:19:43 CEST
The S4 join is not successful with UCS 3.2 MS2:

Configure 96univention-samba4.inst Fri Sep 13 14:54:11 EDT 2013
Multifile: /etc/samba/smb.conf
Setting samba/quota/command
Multifile: /etc/samba/smb.conf
Stopping Samba daemons: nmbd smbd.
Stopping the Winbind daemon: winbind.
Stopping Heimdal KDC: heimdal-kdc.
Create samba/autostart
Create winbind/autostart
Setting kerberos/autostart
Multifile: /etc/samba/smb.conf
Setting samba4/autostart
Multifile: /etc/samba/smb.conf
Create samba4/role
File: /etc/samba/base.conf
Multifile: /etc/samba/smb.conf
Create samba4/ldap/base
Multifile: /etc/samba/smb.conf
Create samba/share/netlogon
File: /etc/samba/base.conf
Multifile: /etc/samba/smb.conf
Stopping Samba AD DC daemon: samba nmbd.
Create kerberos/kdc
Setting kerberos/kpasswdserver
File: /etc/krb5.conf
Setting slapd/port
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Setting slapd/port/ldaps
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Check database: ...done.
Starting ldap server(s): slapd ...done.
ERROR(<type 'exceptions.TypeError'>): uncaught exception - join_DC() got an unexpected keyword argument 'keep_existing'
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 560, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
ERROR(<type 'exceptions.TypeError'>): uncaught exception - join_DC() got an unexpected keyword argument 'keep_existing'
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 560, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
Create windows/wins-support
Multifile: /etc/samba/smb.conf
Failed to join the domain.
Fri Sep 13 14:54:28 EDT 2013: finish /usr/share/univention-join/univention-join
The patch 92_bug27027_keep_existing_option_for_domain_join_dc.patch has been adjusted. After that, another issue occurred:

-------------------------------------------------------------------
Finding a writeable DC for domain 'deadlock15.local'
Found DC master151.deadlock15.local
workgroup is DEADLOCK15
realm is deadlock15.local
checking sAMAccountName
keeping existing samaccount: CN=BACKUP152,OU=Domain Controllers,DC=deadlock15,DC=local
cleanup_old_join: rIDAllocationPool: 9015136355904
cleanup_old_join: preserving rIDNextRID: 1601
cleanup_old_join: preserving rIDPreviousAllocationPool: 9015136355904
Deleted CN=dns-backup152,CN=Users,DC=deadlock15,DC=local
Deleted CN=1a47f2ac-e2b2-426a-828b-4670ca16b416,CN=NTDS Settings,CN=BACKUP152,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=deadlock15,DC=local
Deleted CN=fc8045c8-ec11-41a7-a743-37d3e45272e9,CN=NTDS Settings,CN=BACKUP152,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=deadlock15,DC=local
Deleted CN=NTDS Settings,CN=BACKUP152,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=deadlock15,DC=local
Deleted CN=BACKUP152,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=deadlock15,DC=local
Adding CN=BACKUP152,OU=Domain Controllers,DC=deadlock15,DC=local
Adding CN=BACKUP152,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=deadlock15,DC=local
Adding CN=NTDS Settings,CN=BACKUP152,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=deadlock15,DC=local
Adding SPNs to CN=BACKUP152,OU=Domain Controllers,DC=deadlock15,DC=local
Setting account password for BACKUP152$
Enabling account
Calling bare provision
No IPv6 address will be assigned
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
module partition initialization failed : Operations error
module show_deleted initialization failed : Operations error
module extended_dn_out_ldb initialization failed : Operations error
module linked_attributes initialization failed : Operations error
module repl_meta_data initialization failed : Operations error
module subtree_delete initialization failed : Operations error
module operational initialization failed : Operations error
module aclread initialization failed : Operations error
module acl initialization failed : Operations error
module descriptor initialization failed : Operations error
module objectclass initialization failed : Operations error
module asq initialization failed : Operations error
module server_sort initialization failed : Operations error
module paged_results initialization failed : Operations error
module dirsync initialization failed : Operations error
module schema_load initialization failed : Operations error
module rootdse initialization failed : Operations error
module samba_dsdb initialization failed : Operations error
Unable to load modules for /var/lib/samba/private/sam.ldb: Record exists at ../source4/dsdb/samdb/ldb_modules/partition_metadata.c:134
module partition initialization failed : Operations error
module show_deleted initialization failed : Operations error
....
-------------------------------------------------------------------

The problem seems to be that the /var/lib/samba directory is not cleaned up during the re-join. This has been fixed.

Code: r12134 + r44049
Changelog: r44048 + r44050
(In reply to Stefan Gohmann from comment #1)
> The problem seems to be that the /var/lib/samba directory is not cleaned up
> during the re-join. This has been fixed.

The cleanup is now done at a later point; the keytab must be saved first: r44099
Original problem resolved, changelog ok, bug verified.

Some details for the record:

* Rejoining leaves the previous key in /etc/keytab, so other DCs can still connect to the rejoined DC without the need of restarting samba-ad-dc on them, which is fine.

* After rejoining, the other DCs temporarily show a replication problem, which is resolved automatically after a couple of minutes (or by running samba-tool drs kcc). For reference, the transient failure looks like this in the output of samba-tool drs showrepl:

================================================================================
NTDS DN: CN=NTDS Settings\0ADEL:f0c4fc47-7b7b-4591-bc65-cd76f2d0252a,CN=DCB91\0ADEL:c34e8787-4f55-4864-9fbe-86a2d208c076,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar32i2d1,DC=qa
DSA object GUID: f0c4fc47-7b7b-4591-bc65-cd76f2d0252a
Last attempt @ Tue Sep 17 14:47:08 2013 CEST failed, result 1225 (WERR_CONNECTION_REFUSED)
1 consecutive failure(s).
Last success @ Tue Sep 17 14:42:11 2013 CEST
================================================================================

* Notice: rejoining twice kicks out the keynumber-2 key from the local keytab, which is still in use by the other DCs and thus causes replication with the rejoined DC to fail until the other DCs restart their samba-ad-dc (they might recover a day later when the Kerberos service ticket they hold has lost its validity, untested).
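As an added example (not part of this bug report or of UCS/Samba), a small parser for samba-tool drs showrepl output in the shape quoted above. It separates the expected, self-healing failures against tombstoned (\0ADEL) NTDS Settings objects of a rejoined DC from failures against live partners, which is what the stale-keytab case in the last bullet would look like in monitoring. The input is constructed from the excerpt above; the second entry and its GUID are made up.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the showrepl excerpt above: the tombstoned
# (\0ADEL) NTDS object of a rejoined DC that still fails, plus a made-up live partner.
SAMPLE_SHOWREPL = r"""
NTDS DN: CN=NTDS Settings\0ADEL:f0c4fc47-7b7b-4591-bc65-cd76f2d0252a,CN=DCB91\0ADEL:c34e8787-4f55-4864-9fbe-86a2d208c076,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar32i2d1,DC=qa
DSA object GUID: f0c4fc47-7b7b-4591-bc65-cd76f2d0252a
Last attempt @ Tue Sep 17 14:47:08 2013 CEST failed, result 1225 (WERR_CONNECTION_REFUSED)
1 consecutive failure(s).
Last success @ Tue Sep 17 14:42:11 2013 CEST

NTDS DN: CN=NTDS Settings,CN=DCB91,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar32i2d1,DC=qa
DSA object GUID: 11111111-2222-3333-4444-555555555555
Last attempt @ Tue Sep 17 14:47:10 2013 CEST was successful
0 consecutive failure(s).
Last success @ Tue Sep 17 14:47:10 2013 CEST
"""

@dataclass
class ReplEntry:
    ntds_dn: str
    dsa_guid: str
    failures: int
    result: str        # WERR_* name of the last failure, "" if successful
    tombstoned: bool   # DN carries \0ADEL, i.e. the partner object is deleted

def parse_showrepl(text: str) -> List[ReplEntry]:
    """Split showrepl output into blank-line separated neighbor blocks."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn = re.search(r"^NTDS DN:\s*(.+)$", block, re.M)
        guid = re.search(r"^DSA object GUID:\s*(\S+)", block, re.M)
        fails = re.search(r"^(\d+) consecutive failure", block, re.M)
        if not (dn and guid and fails):
            continue  # not a neighbor block (headers, separator lines)
        res = re.search(r"failed, result \d+ \((\w+)\)", block)
        entries.append(ReplEntry(dn.group(1).strip(), guid.group(1),
                                 int(fails.group(1)),
                                 res.group(1) if res else "",
                                 r"\0ADEL:" in dn.group(1)))
    return entries

def classify(entries: List[ReplEntry]):
    """Tombstoned partners failing = rejoin leftover; live partners failing = real problem."""
    stale = [e for e in entries if e.failures and e.tombstoned]
    broken = [e for e in entries if e.failures and not e.tombstoned]
    return stale, broken
```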
UCS 3.2 has been released: http://docs.univention.de/release-notes-3.2-en.html http://docs.univention.de/release-notes-3.2-de.html If this error occurs again, please use "Clone This Bug".