On 23/07/15 03:47, Marcio Demetrio Bacci wrote:
> I have installed a secondary DC in my network, following the tutorial:
>
> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Kerberos
>
> I have run the following command:
>
> samba-tool domain join mydomain.com.br DC -Uadministrator --realm mydomain.com --dns-backend=BIND_INTERNAL
I do hope that is a typo, there is no dns backend called 'BIND_INTERNAL'
>
> It seems that everything is OK. I have run the following commands on both
> DCs and the result was the same:
>
> ldbsearch -H /opt/samba/private/sam.ldb -b 'DC=mydomain,DC=com,DC=br' -s sub '(&(objectClass=group)(cn=Domain Users))' | grep gidNumber | sed 's|gidNumber: ||'
>
> ldbsearch -H /opt/samba/private/sam.ldb -b 'DC=mydomain,DC=com,DC=br' -s sub '(&(objectClass=group)(cn=Domain Users))' | grep gidNumber | sed 's|gidNumber: ||'
>
>
> I did the tests of the following tutorial and everything is correct:
>
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>
> I also created DNS records on one DC and they were replicated to the other correctly.
>
> But "wbinfo -i DomainUser" command brings different results.
>
> The Primary DC "smb.conf" file has the attribute "idmap_ldb:use RFC2307 = yes".
> The Secondary DC doesn't have that attribute. Could this generate
> different information between the DCs?
Possibly. I do not know why the join doesn't add that line, but you can
easily add it yourself and see if it helps.
> Is this related to the correction of BUG 11313: idmap_rfc2307: Fix wbinfo
> '--gid-to-sid' query?
>
> Finally, the following test showed several errors:
>
> samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain --filter=msDS-NcType,ServerState
>
> Comparing:
> 'CN=Users,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC1]
> 'CN=Users,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC2]
> Difference in attribute values:
> whenChanged =>
> ['20150720230414.0Z']
> ['20150722233158.0Z']
> FAILED
> Comparing:
> 'CN=Windows Authorization Access Group,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC1]
> 'CN=Windows Authorization Access Group,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC2]
> Difference in attribute values:
> whenChanged =>
> ['20150720230630.0Z']
> ['20150722233158.0Z']
> FAILED
> * Result for [DOMAIN]: FAILURE
> SUMMARY
> ---------
> Attributes with different values:
> whenChanged
> ERROR: Compare failed: -1
>
> Which tests could I do to make sure everything is right?
'whenChanged' is another attribute that is not replicated, just add it
to the filter list.
Rowland
>
>
> Regards,
>
> Márcio
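An added example, not part of the thread above: the ldapcmp output Marcio pasted mixes a per-DC attribute (whenChanged) with anything that might be a real replication problem, and Rowland's answer is to add that attribute to the filter list. The script below parses samba-tool ldapcmp output in the shape shown in the post, drops the attributes that are never replicated (the three named in the thread), and reports only what remains, so a replication check can fail on real divergence instead of on timestamps. The SAMPLE_OUTPUT is constructed from the posted output with one extra, made-up gidNumber difference added to show a real finding; the ignore list, function names and the assumption that ldapcmp prints DN lines as 'DN' [ldap://host] are mine, not Samba's.

```python
"""Filter samba-tool ldapcmp output down to attribute differences that matter.

Assumed output shape (taken from the mailing-list post):
    Comparing:
    '<dn>' [ldap://DC1]
    '<dn>' [ldap://DC2]
    Difference in attribute values:
    <attr> =>
    [<values on DC1>]
    [<values on DC2>]
    FAILED
"""
import ast
import re

# Attributes that are maintained locally on each DC and legitimately differ.
# These are the ones named in the thread; extend the list for your own domain.
NON_REPLICATED = ("msDS-NcType", "ServerState", "whenChanged")

# Constructed sample: the two objects from the post, plus a made-up gidNumber
# mismatch on the second one so the filter has something real to report.
SAMPLE_OUTPUT = """\
Comparing:
'CN=Users,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC1]
'CN=Users,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC2]
Difference in attribute values:
whenChanged =>
['20150720230414.0Z']
['20150722233158.0Z']
FAILED
Comparing:
'CN=Windows Authorization Access Group,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC1]
'CN=Windows Authorization Access Group,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC2]
Difference in attribute values:
whenChanged =>
['20150720230630.0Z']
['20150722233158.0Z']
gidNumber =>
['10000']
['10001']
FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes with different values:
whenChanged
gidNumber
ERROR: Compare failed: -1
"""

DN_RE = re.compile(r"^'(?P<dn>.*)' \[(?P<url>ldap://[^\]]+)\]$")
ATTR_RE = re.compile(r"^(?P<attr>[A-Za-z0-9\-]+) =>$")


def parse_ldapcmp(text):
    """Return {dn: {attr: (values_on_first_dc, values_on_second_dc)}}."""
    diffs = {}
    dn = None
    attr = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("* Result"):
            break  # the per-object section is over; the SUMMARY repeats it
        m = DN_RE.match(line)
        if m:
            # The DN is printed once per server; both lines carry the same DN.
            dn = m.group("dn")
            diffs.setdefault(dn, {})
            continue
        m = ATTR_RE.match(line)
        if m and dn is not None:
            attr = m.group("attr")
            diffs[dn][attr] = []
            continue
        if attr is not None and line.startswith("[") and line.endswith("]"):
            # ldapcmp prints each side's value list as a Python literal.
            diffs[dn][attr].append(ast.literal_eval(line))
            if len(diffs[dn][attr]) == 2:
                diffs[dn][attr] = tuple(diffs[dn][attr])
                attr = None
    return diffs


def real_differences(diffs, ignore=NON_REPLICATED):
    """Drop attributes in `ignore`; keep only objects with something left."""
    ignored = set(ignore)
    out = {}
    for dn, attrs in diffs.items():
        kept = {a: v for a, v in attrs.items() if a not in ignored}
        if kept:
            out[dn] = kept
    return out


def filter_arg(ignore=NON_REPLICATED):
    """Build the --filter= argument to pass to samba-tool ldapcmp."""
    return "--filter=" + ",".join(ignore)


if __name__ == "__main__":
    remaining = real_differences(parse_ldapcmp(SAMPLE_OUTPUT))
    print("suggested:", filter_arg())
    for dn, attrs in remaining.items():
        for a, (v1, v2) in attrs.items():
            print(f"{dn}: {a} differs: {v1} vs {v2}")
```

Run it on real output with `samba-tool ldapcmp ... | python3 thisfile.py` after replacing SAMPLE_OUTPUT with sys.stdin.read(); an empty result from real_differences is the "everything replicated" answer the thread is looking for, while the whenChanged noise is still visible in the raw ldapcmp run if you want it.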