Bug 9091 - When replicating DNS for bind9_dlz we need to create the server-DNS account remotely
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0 beta4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: samba4-qa@samba.org
URL:
Keywords:
Depends on:
Blocks: 10077
Reported: 2012-08-12 11:42 UTC by Andrew Bartlett
Modified: 2013-11-12 10:34 UTC

Attachments
Proposed patch (10.23 KB, patch)
2012-12-25 23:16 UTC, Andrew Bartlett
no flags
patch for master to finally merge the fix for this. (25.25 KB, patch)
2013-09-03 20:32 UTC, Andrew Bartlett
no flags
4.1 patch cherry-picked from master (25.86 KB, patch)
2013-09-05 00:16 UTC, Andrew Bartlett
metze: review+
4.0 patch cherry-picked from master (29.30 KB, patch)
2013-09-05 00:17 UTC, Andrew Bartlett
metze: review+
Create dns account disabled (2.35 KB, patch)
2013-09-12 20:28 UTC, Samuel Cabrero
abartlet: review-
patches cherry-picked from master for 4.1 (2.86 KB, patch)
2013-11-04 08:54 UTC, Andrew Bartlett
metze: review+
patches cherry-picked from master (for 4-0-test) (2.86 KB, patch)
2013-11-04 09:05 UTC, Andrew Bartlett
metze: review+

Description Andrew Bartlett 2012-08-12 11:42:23 UTC
Currently we make up a password, but fail to actually create an AD account with this password during a samba-tool domain join.
Comment 1 Michael Adam 2012-11-01 10:46:19 UTC
This is related to replication, multi-dc-setups. Hence this should not block
the 4.0.0 release. What is more, the internal dns is the default for the 4.0.0 release. Moving this to the 4.1 tracking bug....
Comment 2 Andrew Bartlett 2012-11-01 11:53:29 UTC
Additionally running samba_dnsupgrade fixes it.  That said, I still plan to try and get this fixed up.
Comment 3 Andrew Bartlett 2012-12-25 23:16:45 UTC
Created attachment 8371
Proposed patch

This finishes the work to replicate the DNS partitions, by re-using the provision time logic to operate remotely.
Comment 4 Andrew Bartlett 2013-04-25 11:16:22 UTC
The main issue here is that due to the delicate nature of our replication tests (i.e., they pass mostly due to good luck, due in part to the concurrent and automated nature of the test environment) fixing this breaks other tests.  That's why it isn't in master.

https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/fix-drs-testing-10

has my current patches, but sadly I've not found a combination yet that passes autobuild (even just the dns patches, but further testing welcome).
Comment 5 Andrew Bartlett 2013-06-27 08:47:23 UTC
This is in my fix-drs-testing-23 branch.
Comment 6 Stefan Metzmacher 2013-08-29 07:05:28 UTC
No 4.1 blocker => 4.2
Comment 7 Andrew Bartlett 2013-09-03 20:32:39 UTC
Created attachment 9185
patch for master to finally merge the fix for this.

This patch is tested - passed 7 autobuilds and failed one due to a file server issue (unrelated, I would suggest). 

The difference between this and all the previous patches that never made it is that I don't test against the promoted_dc.  It would be great if we could, but it changes that server startup order, and causes other tests to be flaky.

A future patch could move the DNS tests to be last, to avoid this side-effect, but in the meantime I just want to get this code in.
Comment 8 Andrew Bartlett 2013-09-04 23:56:20 UTC
Comment on attachment 9185
patch for master to finally merge the fix for this.

Patch is in master.
Comment 9 Andrew Bartlett 2013-09-05 00:16:38 UTC
Created attachment 9188
4.1 patch cherry-picked from master
Comment 10 Andrew Bartlett 2013-09-05 00:17:11 UTC
Created attachment 9189
4.0 patch cherry-picked from master
Comment 11 Karolin Seeger 2013-09-06 08:42:54 UTC
Pushed to autobuild-v4-1-test and autobuild-v4-0-test.
Comment 12 Karolin Seeger 2013-09-09 08:01:05 UTC
Pushed to v4-1-test and v4-0-test.
Closing out bug report.

Thanks!
Comment 13 Samuel Cabrero 2013-09-12 20:28:29 UTC
Created attachment 9210
Create dns account disabled
Comment 14 Samuel Cabrero 2013-09-12 20:28:56 UTC
Hi,

After these changes I got ERR_UNWILLING_TO_PERFORM joining to a 2003 R2 while creating the user account for bind dlz.

I solved it by creating the account disabled, and it is enabled after setting the password. The patch is attached.

Thanks.
Comment 15 Karolin Seeger 2013-09-13 10:02:59 UTC
Re-assigning to Andrew for further investigations.
Comment 16 Andrew Bartlett 2013-11-04 08:53:38 UTC
Comment on attachment 9210
Create dns account disabled

I'll upload a new patch with cherry-pick markers
Comment 17 Andrew Bartlett 2013-11-04 08:54:39 UTC
Created attachment 9361
patches cherry-picked from master for 4.1
Comment 18 Stefan Metzmacher 2013-11-04 09:05:14 UTC
Comment on attachment 9361
patches cherry-picked from master for 4.1

Do we also need this change for 4.0?
Comment 19 Andrew Bartlett 2013-11-04 09:05:26 UTC
Created attachment 9362
patches cherry-picked from master (for 4-0-test)

And here is the patch for 4.0, with cherry-pick markers.
Comment 20 Karolin Seeger 2013-11-06 11:41:21 UTC
Pushed second patchset to autobuild-v4-1-test and autobuild-v4-0-test.
Comment 21 Karolin Seeger 2013-11-12 10:34:58 UTC
(In reply to comment #20)
> Pushed second patchset to autobuild-v4-1-test and autobuild-v4-0-test.

Pushed to v4-1-test and v4-0-test.
Closing out bug report.

Thanks!