On 10/10/19 at 20:41, Rowland penny via samba wrote:
>> It turns out that dc2 chokes on "\0ADEL" dns records, supposedly
>> deleted objects.
>
> What you have there is known as a tombstone record and Samba has a tool
> to remove them:
>
> samba-tool domain tombstones expunge NC --tombstone-lifetime=TOMBSTONE_LIFETIME
>
> Where 'NC' is the naming context and 'TOMBSTONE_LIFETIME' is the days to
> keep deleted records for.

Good to know, but why do they trigger the replication problem?

>>
>> I found a "solution" here:
>>
>> https://www.dotnetcatch.com/2018/06/19/samba-replication-failures/
>>
>> The procedure to solve it is not exactly the same but it put me on
>> the, hopefully, right track. I scripted it since it got tiresome and
>> it solved the replication problem, for a while, but now it reappeared
>> (that's the message above).
>>
>> This started on September 25, when I upgraded dc2 from stretch to
>> buster. A few days later I also upgraded dc1 (it was still running
>> jessie).
>>
>> I'm using internal dns and the dhcp server talks to dc1 to update the
>> dns records, that would explain why there are records to replicate but
>> doesn't explain why samba fails (when it didn't before).
>
> How is the dhcp server updating the dns records?

Using this method:

https://wiki.archlinux.org/index.php/Samba/Active_Directory_domain_controller#DHCP_with_dynamic_DNS_updates

TLDR: it does a "samba-tool dns add" when a host gets a lease and
"samba-tool dns delete" when it releases it or expires.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007
On 10/10/2019 19:56, Luca Olivetti via samba wrote:
> On 10/10/19 at 20:41, Rowland penny via samba wrote:
>
>>> It turns out that dc2 chokes on "\0ADEL" dns records, supposedly
>>> deleted objects.
>>
>> What you have there is known as a tombstone record and Samba has a
>> tool to remove them:
>>
>> samba-tool domain tombstones expunge NC --tombstone-lifetime=TOMBSTONE_LIFETIME
>>
>> Where 'NC' is the naming context and 'TOMBSTONE_LIFETIME' is the days
>> to keep deleted records for.
>
> Good to know, but why do they trigger the replication problem?

Not sure they are, they could just be an artefact of the replication problem.

>>> I found a "solution" here:
>>>
>>> https://www.dotnetcatch.com/2018/06/19/samba-replication-failures/
>>>
>>> The procedure to solve it is not exactly the same but it put me on
>>> the, hopefully, right track. I scripted it since it got tiresome and
>>> it solved the replication problem, for a while, but now it
>>> reappeared (that's the message above).
>>>
>>> This started on September 25, when I upgraded dc2 from stretch to
>>> buster. A few days later I also upgraded dc1 (it was still running
>>> jessie).
>>>
>>> I'm using internal dns and the dhcp server talks to dc1 to update
>>> the dns records, that would explain why there are records to
>>> replicate but doesn't explain why samba fails (when it didn't before).
>>
>> How is the dhcp server updating the dns records?
>
> Using this method:
>
> https://wiki.archlinux.org/index.php/Samba/Active_Directory_domain_controller#DHCP_with_dynamic_DNS_updates
>
> TLDR: it does a "samba-tool dns add" when a host gets a lease and
> "samba-tool dns delete" when it releases it or expires.

It works in a similar way to how I update dns records and I have similar
records in AD and they replicate.

Can you post your dhcpd.conf and smb.conf

Rowland
On 10/10/19 at 21:07, Rowland penny via samba wrote:
> It works in a similar way to how I update dns records and I have similar
> records in AD and they replicate.

Oh, but they do. Until the replication chokes on those deleted records.
Never happened until September 25 (though I realized only today when a
manually added host resolved erratically).

> Can you post your dhcpd.conf and smb.conf

Sure

========== dhcpd.conf

ddns-update-style none;
option domain-name "samba.wetron.es";
option domain-name-servers 192.168.90.2, 192.168.90.5;
option netbios-name-servers 192.168.90.2, 192.168.90.5;
option netbios-dd-server 192.168.90.2, 192.168.90.5;
option time-servers 192.168.90.2, 192.168.90.5;
option routers 192.168.1.1;
option wpad code 252 = text;
option wpad "http://wpad/proxy.pac\n";
option subnet-mask 255.255.255.0;
default-lease-time 86400; # one day
max-lease-time 86400; # one day
authoritative;
log-facility local7;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.101 192.168.1.250;
  on commit {
    set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientName = pick-first-value(option host-name, host-decl-name, config-option host-name, noname);
    execute("/etc/dhcp/update.sh", "add", ClientIP, ClientName);
  }
  on release {
    # ClientIP and ClientName are associated with the lease
    execute("/etc/dhcp/update.sh", "delete", ClientIP, ClientName);
  }
  on expiry {
    # ClientIP and ClientName are associated with the lease
    execute("/etc/dhcp/update.sh", "delete", ClientIP, ClientName);
  }
}

===== smb.conf (the other dc is the same, apart from the name)

# Global parameters
[global]
	workgroup = WETRON
	realm = SAMBA.WETRON.ES
	netbios name = DC1
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes
	tls enabled = yes
	tls keyfile = /var/lib/samba/private/tls/dc1.samba.wetron.es.key
	tls certfile = /var/lib/samba/private/tls/dc1.samba.wetron.es.crt
	tls cafile = /var/lib/samba/private/tls/wetron.crt
	dns forwarder = 192.168.90.29

	# none of these parameters are used on the DC, which only looks at
	# idmap_ldb:use rfc2307
	#dedicated keytab file = /etc/krb5.keytab
	#kerberos method = secrets and keytab
	#idmap config *:backend = tdb
	#idmap config *:range = 60001-69999
	#idmap config WETRON:backend = ad
	#idmap config WETRON:schema_mode = rfc2307
	#idmap config WETRON:range = 490-60000
	#idmap config WETRON:default = yes
	#winbind nss info = rfc2307
	#winbind trusted domains only = no
	#winbind use default domain = yes

	# enum users/group seems to work
	winbind enum users = yes
	winbind enum groups = yes
	template homedir = /net/storage01/mnt/pool1/usuarios/%U
	template shell = /bin/false
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	ldap server require strong auth = allow_sasl_over_tls
	allow insecure wide links = yes
	# for radius - from 4.7 onwards the yes can be changed to
	# mschapv2-and-ntlmv2-only
	ntlm auth = yes

[netlogon]
	path = /var/lib/samba/sysvol/samba.wetron.es/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No
	wide links = Yes

-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007
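The /etc/dhcp/update.sh that the dhcpd.conf hooks above call (and that the first message summarises as "samba-tool dns add" / "samba-tool dns delete") is not posted in the thread; the following is an added example of how such a script can be written defensively, not the poster's own script. It takes the zone samba.wetron.es and dc1 from the configs, assumes a dedicated low-privilege "dhcpduser" account with a keytab (assumed name and path) instead of a stored administrator password, and uses the Samba 4.9-era "-k yes" Kerberos flag; the client-supplied host name is validated before it reaches samba-tool.

```shell
#!/bin/sh
# Hypothetical /etc/dhcp/update.sh for the "on commit"/"on release"/"on expiry"
# hooks in the dhcpd.conf above (added example, not the list poster's script).
# Assumed: dedicated "dhcpduser" account and keytab path; zone and DNS server
# come from the posted configs.
ZONE="samba.wetron.es"
DNSSERVER="dc1.samba.wetron.es"
KEYTAB="/etc/dhcpduser.keytab"
PRINCIPAL="dhcpduser@SAMBA.WETRON.ES"
CCACHE="/run/dhcp-dns.cc"

# The name comes from the client's own DHCP host-name option, so it is
# untrusted: allow only a single label of letters, digits and hyphens.
valid_name() {
    case "$1" in ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;; esac
    [ "${#1}" -le 63 ]
}

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ip() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Build the samba-tool command line (Samba 4.9-era "-k yes" Kerberos flag);
# returned as text so it can be inspected without a DC.
dns_cmd() {
    case "$1" in
        add|delete) echo "samba-tool dns $1 $DNSSERVER $ZONE $3 A $2 -k yes" ;;
        *) return 1 ;;
    esac
}

main() {
    valid_ip "$2"   || { echo "update.sh: rejected address '$2'" >&2; return 1; }
    valid_name "$3" || { echo "update.sh: rejected name '$3'" >&2; return 1; }
    cmd=$(dns_cmd "$1" "$2" "$3") || { echo "update.sh: bad action '$1'" >&2; return 1; }
    # Authenticate from the keytab into a private credential cache, then run.
    KRB5CCNAME=$CCACHE kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    KRB5CCNAME=$CCACHE $cmd
}

# dhcpd calls execute("/etc/dhcp/update.sh", action, ClientIP, ClientName).
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Every delete leaves a deleted object in the DNS partition until the tombstone lifetime expires, so with one-day leases the count of "\0ADEL" entries grows steadily; the expunge command quoted earlier in the thread is the intended clean-up for that.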