Nethserver DC Takeover

NethServer Version: 7.7.1908
Module: Accounts Provider

Hello everyone!

I have some clients running samba4 as DC on Debian servers. After testing NethServer for a long time, I decided to migrate them to NethServer. To avoid rejoining all stations to the domain, I tried to make a “domain takeover”.

I started here:
https://wiki.nethserver.org/doku.php?id=howto:add_ns7_samba_domain_controller_to_existing_active_directory#discussion

And after that, I transferred the FSMO roles to nsdc and demoted the old DC. All seems to work well. I have access to users and groups from the NethServer UI and users can log in normally.

I am thinking about creating a full wiki on how to do this, but first I need information about these errors. Should I worry about them?

[root@mds01fs01 ~]# fg
/etc/e-smith/events/actions/nethserver-dc-firststart ev
Feb 22 13:13:12 mds01fs01 esmith::event[2059]: Action: /etc/e-smith/events/nethserver-dc-save/S95nethserver-dc-waitstart SUCCESS [265.553123]
Feb 22 13:13:14 mds01fs01 esmith::event[2059]: Log to /var/spool/createldapservice-aBaudk.log
Feb 22 13:13:14 mds01fs01 /sbin/e-smith/db[3530]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|none|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|disabled
Feb 22 13:13:14 mds01fs01 /sbin/e-smith/db[3530]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN|ldapservice@MEDISOCIAL.LAN|DiscoverDcType|dns|LdapURI||Provider|none|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|disabled
Feb 22 13:13:14 mds01fs01 /sbin/e-smith/db[3530]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN|ldapservice@MEDISOCIAL.LAN|DiscoverDcType|dns|LdapURI||Provider|none|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|disabled
Feb 22 13:13:14 mds01fs01 /sbin/e-smith/db[3530]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN|ldapservice@MEDISOCIAL.LAN|BindPassword|vgH_bOoboyg0rH4j|DiscoverDcType|dns|LdapURI||Provider|none|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|disabled
Feb 22 13:13:14 mds01fs01 esmith::event[2059]: Action: /etc/e-smith/events/nethserver-dc-save/S96nethserver-dc-createldapservice SUCCESS [2.400734]
Feb 22 13:13:15 mds01fs01 esmith::event[2059]: [NOTICE] The DC host will be set to nsdc-mds01fs01.medisocial.lan
Feb 22 13:13:15 mds01fs01 /sbin/e-smith/db[3535]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN|ldapservice@MEDISOCIAL.LAN|BindPassword|vgH_bOoboyg0rH4j|DiscoverDcType|dns|LdapURI||Provider|none|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|disabled
Feb 22 13:13:15 mds01fs01 /sbin/e-smith/db[3535]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|192.168.0.251|BindDN|ldapservice@MEDISOCIAL.LAN|BindPassword|vgH_bOoboyg0rH4j|DiscoverDcType|dns|LdapURI||Provider|none|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|disabled
Feb 22 13:13:15 mds01fs01 /sbin/e-smith/db[3535]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns|192.168.0.251|BindDN|ldapservice@MEDISOCIAL.LAN|BindPassword|vgH_bOoboyg0rH4j|DiscoverDcType|dns|LdapURI||Provider|none|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|disabled
Feb 22 13:13:15 mds01fs01 /sbin/e-smith/db[3535]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|192.168.0.251|BindDN|ldapservice@MEDISOCIAL.LAN|BindPassword|vgH_bOoboyg0rH4j|DiscoverDcType|ldapuri|LdapURI||Provider|none|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|disabled
Feb 22 13:13:15 mds01fs01 /sbin/e-smith/db[3535]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns|192.168.0.251|BindDN|ldapservice@MEDISOCIAL.LAN|BindPassword|vgH_bOoboyg0rH4j|DiscoverDcType|ldapuri|LdapURI||Provider|none|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|disabled
Feb 22 13:13:15 mds01fs01 /sbin/e-smith/db[3535]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|192.168.0.251|BindDN|ldapservice@MEDISOCIAL.LAN|BindPassword|vgH_bOoboyg0rH4j|DiscoverDcType|ldapuri|LdapURI|ldaps://nsdc-mds01fs01.medisocial.lan|Provider|none|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|disabled
Feb 22 13:13:15 mds01fs01 /sbin/e-smith/db[3535]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns|192.168.0.251|BindDN|ldapservice@MEDISOCIAL.LAN|BindPassword|vgH_bOoboyg0rH4j|DiscoverDcType|ldapuri|LdapURI|ldaps://nsdc-mds01fs01.medisocial.lan|Provider|none|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|disabled
Feb 22 13:13:15 mds01fs01 /sbin/e-smith/db[3535]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|192.168.0.251|BindDN|ldapservice@MEDISOCIAL.LAN|BindPassword|vgH_bOoboyg0rH4j|DiscoverDcType|ldapuri|LdapURI|ldaps://nsdc-mds01fs01.medisocial.lan|Provider|ad|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|disabled
Feb 22 13:13:15 mds01fs01 /sbin/e-smith/db[3535]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns|192.168.0.251|BindDN|ldapservice@MEDISOCIAL.LAN|BindPassword|vgH_bOoboyg0rH4j|DiscoverDcType|ldapuri|LdapURI|ldaps://nsdc-mds01fs01.medisocial.lan|Provider|ad|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|disabled
Feb 22 13:13:15 mds01fs01 /sbin/e-smith/db[3535]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|192.168.0.251|BindDN|ldapservice@MEDISOCIAL.LAN|BindPassword|vgH_bOoboyg0rH4j|DiscoverDcType|ldapuri|LdapURI|ldaps://nsdc-mds01fs01.medisocial.lan|Provider|ad|Realm|MEDISOCIAL.LAN|ShellOverrideStatus|disabled|Workgroup|MEDISOCIAL|status|enabled
Feb 22 13:13:15 mds01fs01 dnsmasq[2822]: exiting on receipt of SIGTERM
Feb 22 13:13:15 mds01fs01 systemd: Stopping DNS caching server....
Feb 22 13:13:15 mds01fs01 systemd: Stopped DNS caching server..
Feb 22 13:13:15 mds01fs01 systemd: Started DNS caching server..
Feb 22 13:13:15 mds01fs01 dnsmasq[3544]: started, version 2.76 cachesize 4000
Feb 22 13:13:15 mds01fs01 dnsmasq[3544]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
Feb 22 13:13:15 mds01fs01 dnsmasq-tftp[3544]: TFTP root is /var/lib/tftpboot
Feb 22 13:13:15 mds01fs01 dnsmasq[3544]: using nameserver 192.168.0.251#53 for domain medisocial.lan
Feb 22 13:13:15 mds01fs01 dnsmasq[3544]: using nameserver 192.168.0.1#53
Feb 22 13:13:15 mds01fs01 dnsmasq[3544]: using nameserver 192.168.0.250#53
Feb 22 13:13:15 mds01fs01 dnsmasq[3544]: read /etc/hosts - 2 addresses
Feb 22 13:13:15 mds01fs01 dbus[734]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
Feb 22 13:13:15 mds01fs01 systemd: Starting Realm and Domain Configuration...
Feb 22 13:13:15 mds01fs01 dbus[734]: [system] Successfully activated service 'org.freedesktop.realmd'
Feb 22 13:13:15 mds01fs01 systemd: Started Realm and Domain Configuration.
Feb 22 13:13:15 mds01fs01 realmd: * Resolving: _ldap._tcp.medisocial.lan
Feb 22 13:13:15 mds01fs01 realmd: * Performing LDAP DSE lookup on: 192.168.0.250
Feb 22 13:13:15 mds01fs01 realmd: * Performing LDAP DSE lookup on: 192.168.0.251
Feb 22 13:13:15 mds01fs01 realmd: * Successfully discovered: medisocial.lan
Feb 22 13:13:15 mds01fs01 realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Feb 22 13:13:15 mds01fs01 realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.6YYUG0 -U administrator ads join medisocial.lan
Feb 22 13:13:20 mds01fs01 realmd: Enter administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL
Feb 22 13:13:20 mds01fs01 realmd: 
Feb 22 13:13:20 mds01fs01 realmd: Using short domain name -- MEDISOCIAL
Feb 22 13:13:20 mds01fs01 realmd: Joined 'MDS01FS01' to dns domain 'medisocial.lan'
Feb 22 13:13:20 mds01fs01 realmd: DNS Update for mds01fs01.medisocial.lan failed: ERROR_DNS_UPDATE_FAILED
Feb 22 13:13:20 mds01fs01 realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.6YYUG0 -U administrator ads keytab create
Feb 22 13:13:23 mds01fs01 realmd: Enter administrator's password:
Feb 22 13:13:23 mds01fs01 realmd: * /usr/bin/systemctl enable sssd.service
Feb 22 13:13:23 mds01fs01 realmd: Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
Feb 22 13:13:23 mds01fs01 systemd: Reloading.
Feb 22 13:13:23 mds01fs01 realmd: * /usr/bin/systemctl restart sssd.service
Feb 22 13:13:23 mds01fs01 systemd: Starting System Security Services Daemon...
Feb 22 13:13:24 mds01fs01 sssd: Starting up
Feb 22 13:13:25 mds01fs01 sssd[be[medisocial.lan]]: Starting up
Feb 22 13:13:25 mds01fs01 sssd[nss]: Starting up
Feb 22 13:13:25 mds01fs01 sssd[pam]: Starting up
Feb 22 13:13:25 mds01fs01 systemd: Started System Security Services Daemon.
Feb 22 13:13:25 mds01fs01 systemd: Reached target User and Group Name Lookups.
Feb 22 13:13:25 mds01fs01 realmd: * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Feb 22 13:13:27 mds01fs01 systemd: Reloading.
Feb 22 13:13:27 mds01fs01 systemd: Reloading.
Feb 22 13:13:27 mds01fs01 systemd: Reloading.
Feb 22 13:13:27 mds01fs01 sssd: ; TSIG error with server: tsig verify failure
Feb 22 13:13:27 mds01fs01 systemd: Started privileged operations for unprivileged applications.
Feb 22 13:13:27 mds01fs01 realmd: * Successfully enrolled machine in realm
Feb 22 13:13:27 mds01fs01 esmith::event[2059]: Password for administrator:
Feb 22 13:13:27 mds01fs01 sssd: ; TSIG error with server: tsig verify failure
Feb 22 13:13:27 mds01fs01 esmith::event[3532]: Event: nethserver-sssd-save
Feb 22 13:13:27 mds01fs01 systemd: Stopping System Security Services Daemon...
Feb 22 13:13:27 mds01fs01 sssd: Failing assertion due to probable leaked memory in context 0x2110010 ("") (stats[16].gets == 1).
Feb 22 13:13:27 mds01fs01 sssd[be[medisocial.lan]]: Shutting down
Feb 22 13:13:27 mds01fs01 sssd[pam]: Shutting down
Feb 22 13:13:27 mds01fs01 sssd: ../../../lib/isc/mem.c:1080: INSIST(ctx->stats[i].gets == 0U) failed, back trace
Feb 22 13:13:27 mds01fs01 sssd: #0 0x7f992e2e51f7 in ??
Feb 22 13:13:27 mds01fs01 sssd: #1 0x7f992e2e514a in ??
Feb 22 13:13:27 mds01fs01 sssd: #2 0x7f992e2f7618 in ??
Feb 22 13:13:27 mds01fs01 sssd: #3 0x7f992e2f7a79 in ??
Feb 22 13:13:27 mds01fs01 sssd: #4 0x7f992e2fa7c8 in ??
Feb 22 13:13:27 mds01fs01 sssd: #5 0x405069 in ??
Feb 22 13:13:27 mds01fs01 sssd: #6 0x7f992c079505 in ??
Feb 22 13:13:27 mds01fs01 sssd: #7 0x40518a in ??
Feb 22 13:13:27 mds01fs01 sssd[nss]: Shutting down
Feb 22 13:13:27 mds01fs01 systemd: Stopped System Security Services Daemon.
Feb 22 13:13:27 mds01fs01 esmith::event[3532]: [NOTICE] wipe out sssd databases and configuration
Feb 22 13:13:27 mds01fs01 esmith::event[3532]: Action: /etc/e-smith/events/nethserver-sssd-save/S01nethserver-sssd-cleanup SUCCESS [0.076573]
Feb 22 13:13:27 mds01fs01 esmith::event[3532]: expanding /etc/krb5.conf
Feb 22 13:13:27 mds01fs01 esmith::event[3532]: expanding /etc/backup-config.d/nethserver-sssd.include
Feb 22 13:13:27 mds01fs01 esmith::event[3532]: expanding /etc/openldap/ldap.conf
Feb 22 13:13:27 mds01fs01 esmith::event[3532]: expanding /etc/samba/smb.conf
Feb 22 13:13:27 mds01fs01 esmith::event[3532]: expanding /etc/sssd/sssd.conf
Feb 22 13:13:27 mds01fs01 esmith::event[3532]: expanding /etc/nethserver/ldappasswd.conf
Feb 22 13:13:27 mds01fs01 esmith::event[3532]: expanding /etc/nethserver/cockpit.allow
Feb 22 13:13:27 mds01fs01 esmith::event[3532]: expanding /etc/pam.d/cockpit
Feb 22 13:13:27 mds01fs01 esmith::event[3532]: expanding /etc/ssh/sshd_config
Feb 22 13:13:27 mds01fs01 esmith::event[3532]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.416333]
Feb 22 13:13:28 mds01fs01 esmith::event[3532]: Action: /etc/e-smith/events/nethserver-sssd-save/S20nethserver-sssd-conf SUCCESS [0.144214]
Feb 22 13:13:28 mds01fs01 esmith::event[3532]: Action: /etc/e-smith/events/nethserver-sssd-save/S30nethserver-sssd-initkeytabs SUCCESS [0.577515]
Feb 22 13:13:31 mds01fs01 esmith::event[3532]: Action: /etc/e-smith/events/nethserver-sssd-save/S80nethserver-sssd-notifyclients SUCCESS [3.146888]
Feb 22 13:13:31 mds01fs01 systemd: Reloading.
Feb 22 13:13:31 mds01fs01 systemd: Starting System Security Services Daemon...
Feb 22 13:13:32 mds01fs01 sssd: Starting up
Feb 22 13:13:32 mds01fs01 sssd[be[medisocial.lan]]: Starting up
Feb 22 13:13:33 mds01fs01 sssd[pam]: Starting up
Feb 22 13:13:33 mds01fs01 sssd[nss]: Starting up
Feb 22 13:13:33 mds01fs01 systemd: Started System Security Services Daemon.
Feb 22 13:13:33 mds01fs01 esmith::event[3532]: [INFO] sssd has been started
Feb 22 13:13:33 mds01fs01 systemd: Reloading.
Feb 22 13:13:33 mds01fs01 esmith::event[3532]: [INFO] service sshd restart
Feb 22 13:13:33 mds01fs01 sshd[1024]: Received signal 15; terminating.
Feb 22 13:13:33 mds01fs01 systemd: Stopping OpenSSH server daemon...
Feb 22 13:13:33 mds01fs01 systemd: Stopped OpenSSH server daemon.
Feb 22 13:13:33 mds01fs01 systemd: Starting OpenSSH server daemon...
Feb 22 13:13:33 mds01fs01 sshd[3774]: Server listening on 0.0.0.0 port 22.
Feb 22 13:13:33 mds01fs01 sshd[3774]: Server listening on :: port 22.
Feb 22 13:13:33 mds01fs01 systemd: Started OpenSSH server daemon.
Feb 22 13:13:33 mds01fs01 esmith::event[3532]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [1.473576]
Feb 22 13:13:33 mds01fs01 esmith::event[3532]: Event: nethserver-sssd-save SUCCESS
Feb 22 13:13:33 mds01fs01 esmith::event[2059]: Action: /etc/e-smith/events/nethserver-dc-save/S96nethserver-dc-join SUCCESS [18.275419]
Feb 22 13:13:33 mds01fs01 sssd: ; TSIG error with server: tsig verify failure
Feb 22 13:13:33 mds01fs01 sssd: ; TSIG error with server: tsig verify failure
Feb 22 13:13:33 mds01fs01 esmith::event[2059]: Password complexity activated!
Feb 22 13:13:33 mds01fs01 esmith::event[2059]: Password history length changed!
Feb 22 13:13:33 mds01fs01 esmith::event[2059]: Minimum password age changed!
Feb 22 13:13:33 mds01fs01 esmith::event[2059]: Maximum password age changed!
Feb 22 13:13:33 mds01fs01 esmith::event[2059]: All changes applied successfully!
Feb 22 13:13:33 mds01fs01 esmith::event[2059]: Action: /etc/e-smith/events/nethserver-dc-save/S97nethserver-dc-password-policy SUCCESS [0.669622]
Feb 22 13:13:34 mds01fs01 sssd: ; TSIG error with server: tsig verify failure
Feb 22 13:13:34 mds01fs01 sssd: ; TSIG error with server: tsig verify failure
Feb 22 13:13:34 mds01fs01 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb 22 13:13:34 mds01fs01 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb 22 13:13:34 mds01fs01 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb 22 13:13:34 mds01fs01 esmith::event[2059]: Action: /etc/e-smith/events/nethserver-dc-save/S97nethserver-dc-set-upn SUCCESS [0.588401]
Feb 22 13:13:35 mds01fs01 esmith::event[2059]: User 'admin' created successfully
Feb 22 13:13:36 mds01fs01 esmith::event[2059]: Added members to group Domain Admins
Feb 22 13:13:37 mds01fs01 esmith::event[2059]: Action: /etc/e-smith/events/nethserver-dc-save/S98nethserver-dc-createadmins SUCCESS [2.600975]
Feb 22 13:13:37 mds01fs01 esmith::event[2059]: Action: /etc/e-smith/events/nethserver-dc-save/S98nethserver-dc-machine-grants SUCCESS [0.357251]
Feb 22 13:13:37 mds01fs01 esmith::event[2059]: Event: nethserver-dc-save SUCCESS

Thanks a lot for your time and information.

4 Likes

I don’t know about these two. The first one might be a one-time-only error. But let’s wait for someone else who knows better.


Those two errors (TSIG, GSSAPI) are harmless:

2 Likes

I tested this some time ago and got similar DNS update errors.

I think the DNS update error is because of selecting dns-backend=NONE when joining.

dnsmasq is used, which is not a supported DNS backend, so the error should be OK.

2 Likes

Yeah, your post was one of my sources while doing this. Thanks very much.

I used "--dns-backend=SAMBA_INTERNAL" as the wiki says.

Thanks @dnutan. I really have these errors in journalctl:

[root@mds01fs01 ~]# journalctl -u sssd | grep 'tkey query'
Feb 26 01:01:23 mds01fs01.medisocial.lan sssd[1105]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb 26 01:01:23 mds01fs01.medisocial.lan sssd[1105]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.

Like I said, everything seems to work. It was pretty simple in the end, but I had to try it 10 times! This step of the tutorial wasn’t working:

Now that nsdc is running with a Samba4 DC instance we can resume the join procedure. In the host machine:

fg

The problem was the time sync between NethServer and the old DC, I think. I was using Proxmox to test this, and when I rolled back the snapshot to try again, the time differed and the join process failed. After setting the same time on both VMs, the join was OK and everything worked great.

I will try it again on another installation and will document it well this time.

Thanks for all.

4 Likes
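A small triage script for the join log, added here as an example (it is not NethServer code and not from any poster in this thread): it labels the TSIG, GSSAPI "tkey" and DNS-update lines the replies call harmless, flags the plaintext BindPassword that the e-smith db logging in the first post writes to syslog, sends any other failure to review, and adds the clock-skew pre-check the last post's root cause calls for. The sample log lines and the placeholder password are constructed; the 300-second tolerance is MIT Kerberos' default clockskew.

```python
import re
from collections import Counter

# Constructed sample modelled on the message kinds in this thread (not a capture
# from the original poster's host); the bind password is a placeholder.
SAMPLE_LOG = """\
Feb 22 13:13:14 host /sbin/e-smith/db[3530]: /var/lib/nethserver/db/configuration: NEW sssd=service|BindDN|ldapservice@EXAMPLE.LAN|BindPassword|EXAMPLE-PASSWORD-PLACEHOLDER|Provider|none
Feb 22 13:13:20 host realmd: DNS Update for host.example.lan failed: ERROR_DNS_UPDATE_FAILED
Feb 22 13:13:27 host sssd: ; TSIG error with server: tsig verify failure
Feb 22 13:13:34 host sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb 22 13:13:35 host realmd: kinit: Clock skew too great while getting initial credentials
Feb 22 13:13:37 host esmith::event[2059]: Event: nethserver-dc-save SUCCESS
"""

# Rules distilled from the replies above; the first matching rule wins.
RULES = [
    (re.compile(r"tsig verify failure"),
     ("harmless", "TSIG-signed dynamic DNS update refused; the join is unaffected")),
    (re.compile(r"tkey query failed: GSSAPI error"),
     ("harmless", "GSS-TSIG key negotiation for DNS update failed; the join is unaffected")),
    (re.compile(r"DNS update.*failed", re.I),
     ("harmless", "dynamic DNS update failed; expected with DNS backend NONE/dnsmasq")),
    (re.compile(r"BindPassword\|[^|]+"),
     ("secret", "plaintext bind password written to syslog; redact before sharing logs")),
]
# Anything else that smells like a failure needs a human look; per the thread,
# check time sync between the new and old DC first.
CATCH_ALL = re.compile(r"fail|error|denied|skew|NT_STATUS", re.I)

def classify_line(line):
    """Return (verdict, note) for one log line, or None if it is unremarkable."""
    for pattern, verdict in RULES:
        if pattern.search(line):
            return verdict
    if CATCH_ALL.search(line):
        return ("investigate", "unclassified failure; check clock skew and DNS first")
    return None

def triage(log_text):
    """Classify every line; returns a list of (verdict, note, line)."""
    findings = []
    for line in log_text.splitlines():
        verdict = classify_line(line)
        if verdict:
            findings.append((verdict[0], verdict[1], line))
    return findings

def summarize(findings):
    """Count findings per verdict, e.g. {'harmless': 3, 'secret': 1}."""
    return dict(Counter(f[0] for f in findings))

KRB5_MAX_SKEW = 300  # MIT Kerberos default clockskew tolerance, in seconds
def clock_skew_ok(local_epoch, dc_epoch, tolerance=KRB5_MAX_SKEW):
    """Pre-flight check before joining: clocks must agree within tolerance."""
    return abs(local_epoch - dc_epoch) <= tolerance
```

Feed it the output of `journalctl -u sssd -u realmd` from the host being joined; anything tagged "investigate" is worth resolving before retrying the join, and a "secret" hit means the log must be scrubbed before it is pasted into a forum post.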