durwin at mgtsciences.com
2020-Feb-27 17:25 UTC
[Samba] User names not replicating to secondary DC
Two attachments are not being sent. Pasting contents.
DC0 smb.conf
# Global parameters
[global]
netbios name = DC0
realm = MSI.MYDOMAIN.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = MSI
# This line was added 190710 (DFD)
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/msi.mydomain.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
==
DC1 smb.conf
# Global parameters
[global]
netbios name = DC1
realm = MSI.MYDOMAIN.COM
server role = active directory domain controller
workgroup = MSI
dns forwarder = 172.23.93.3
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
# This line added 200129 DFD.
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
[netlogon]
path = /var/lib/samba/sysvol/msi.mydomain.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
==
Resent as last did not show the other 2 attachments.
OS: Linux dc0 4.15.0-88-generic #88-Ubuntu SMP Tue Feb 11 20:11:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
OS: Linux dc1 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Ubuntu18.04> samba --version
Version 4.7.6-Ubuntu
==
DC0 resolv.conf
Ubuntu18.04> less /etc/resolv.conf
nameserver 172.23.93.25
nameserver 172.23.93.3
search msi.mydomain.com mydomain.com
==
DC1 resolv.conf
Ubuntu18.04> less /etc/resolv.conf
nameserver 172.23.93.25
nameserver 172.23.93.3
search msi.mydomain.com mydomain.com
==
DC0 hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
172.23.93.25 dc0.msi.mydomain.com dc0
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
==
DC1 hosts
127.0.0.1 localhost
172.23.93.25 dc0.msi.mydomain.com dc0
172.23.93.26 dc1.msi.mydomain.com dc1
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
==
Ub18.04> host -t SRV _ldap._tcp.msi.mydomain.com.
_ldap._tcp.msi.mydomain.com has SRV record 0 100 389 dc1.msi.mydomain.com.
_ldap._tcp.msi.mydomain.com has SRV record 0 100 389 dc0.msi.mydomain.com.
==
Anything else needed?
Thank you,
Durwin
> From: "Rowland penny via samba" <samba at lists.samba.org>
> To: samba at lists.samba.org
> Date: 02/27/2020 09:26 AM
> Subject: Re: [Samba] User names not replicating to secondary DC
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
> On 27/02/2020 15:48, Durwin via samba wrote:
> > I have 2 Ubuntu DCs. One acting as a secondary/failover.
> You have 2 DCs, one holds all the FSMO roles, the other holds none
> > At one point
> > the users were replicated from primary to secondary.
> Replication between them used to work.
> > But now they are not
> > replicating.
> Now it doesn't.
> > The output from samba-tool drs showrepl is attached. What else may I
> > provide to aid diagnostics?
> > I know Samba does not replicate sysvol 'yet', so rsync is needed, but that
> > does not seem to contain the users.
> Sysvol holds the GPOs (they are also in AD), the user objects etc are
> only in AD, these are what is replicated between DCs.
>
> Going to need a lot more info, OS, Samba version, smb.conf files etc.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
This email message and any attachments are for the sole use of the
intended recipient(s) and may contain proprietary and/or confidential
information which may be privileged or otherwise protected from
disclosure. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient(s), please contact the
sender by reply email and destroy the original message and any copies of
the message as well as any attachments to the original message.
On 27/02/2020 17:25, durwin at mgtsciences.com wrote:
> Two attachments are not being sent. Pasting contents.
Attachments are stripped by this mailing list
> DC1 smb.conf
>         winbind use default domain = true
>         winbind offline logon = false
>         winbind nss info = rfc2307
>         winbind enum users = yes
>         winbind enum groups = yes
The above lines have no place in a DC smb.conf or are defaults

Change the following files as shown:

==
DC0 /etc/resolv.conf
nameserver 172.23.93.25
search msi.mydomain.com
==
DC1 /etc/resolv.conf
nameserver 172.23.93.3
search msi.mydomain.com
==
DC0 /etc/hosts
127.0.0.1       localhost
172.23.93.25    dc0.msi.mydomain.com dc0
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
==
DC1 /etc/hosts
127.0.0.1       localhost
172.23.93.26    dc1.msi.mydomain.com dc1
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
==
Why are you using the internal dns server on one DC and Bind9 on the other ? Can you post the named.conf files from the one that is running Bind9.

Rowland
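A small lint, added here as an illustration and not part of this thread or of Samba, that checks a DC's smb.conf, /etc/resolv.conf and /etc/hosts for the three problems raised in the reply above: member-server winbind options in [global], more than one nameserver or extra search domains, and other machines hard-coded in /etc/hosts instead of being left to AD DNS. The function names and the inline sample (DC1's files as pasted in the thread) are assumptions.

```python
"""Lint a Samba AD DC's smb.conf, resolv.conf and hosts for the mistakes raised in this thread (added example)."""
import ipaddress
import re

# [global] options that, per the reply above, have no place in a DC smb.conf.
NON_DC_OPTIONS = {"winbind use default domain", "winbind offline logon",
                  "winbind nss info", "winbind enum users", "winbind enum groups"}

def parse_smb_conf(text):
    """Return {section: {option: value}}; comments and blank lines are ignored."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][key.strip().lower()] = val.strip()
    return conf

def lint_dc(smb_conf, resolv_conf, hosts, own_ip, own_fqdn, ad_domain):
    """Return findings as strings; an empty list means the three files look sane."""
    findings, short = [], own_fqdn.split(".")[0]
    g = parse_smb_conf(smb_conf).get("global", {})
    findings += [f"smb.conf: remove '{o}' from a DC [global]" for o in sorted(NON_DC_OPTIONS & set(g))]
    nameservers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)
    if len(nameservers) != 1:  # the reply trims each DC to a single nameserver
        findings.append(f"resolv.conf: expected one nameserver, found {nameservers}")
    search = re.findall(r"^\s*search\s+(.+)$", resolv_conf, re.M)
    if not search or search[0].split() != [ad_domain]:  # only the AD DNS domain
        findings.append(f"resolv.conf: search should be only {ad_domain}")
    for raw in hosts.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        ip, names = ipaddress.ip_address(fields[0]), fields[1:]
        if ip.is_loopback and (own_fqdn in names or short in names):
            findings.append(f"hosts: {own_fqdn} must not map to loopback {ip}")
        elif ip.version == 4 and not ip.is_loopback and str(ip) != own_ip:
            findings.append(f"hosts: {names[0]} belongs in AD DNS, not this DC's /etc/hosts")
    return findings

if __name__ == "__main__":  # DC1's files as pasted above, constructed here inline
    dc1_smb = "[global]\n\trealm = MSI.MYDOMAIN.COM\n\twinbind enum users = yes\n\twinbind nss info = rfc2307\n"
    dc1_resolv = "nameserver 172.23.93.25\nnameserver 172.23.93.3\nsearch msi.mydomain.com mydomain.com\n"
    dc1_hosts = "127.0.0.1 localhost\n172.23.93.25 dc0.msi.mydomain.com dc0\n172.23.93.26 dc1.msi.mydomain.com dc1\n::1 ip6-localhost\n"
    print("\n".join(lint_dc(dc1_smb, dc1_resolv, dc1_hosts, "172.23.93.26", "dc1.msi.mydomain.com", "msi.mydomain.com")))
```

Running it against the corrected files from the reply (one nameserver, one search domain, only the DC's own line in /etc/hosts, winbind lines commented out) returns an empty list.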
durwin at mgtsciences.com
2020-Feb-27 19:56 UTC
[Samba] User names not replicating to secondary DC
> > DC1 smb.conf
> >         winbind use default domain = true
> >         winbind offline logon = false
> >         winbind nss info = rfc2307
> >         winbind enum users = yes
> >         winbind enum groups = yes
> The above lines have no place in a DC smb.conf or are defaults

Commented them out.

> Change the following files as shown:

Done.

> ==
> DC0 /etc/resolv.conf
> nameserver 172.23.93.25
> search msi.mydomain.com
> ==
> DC1 /etc/resolv.conf
> nameserver 172.23.93.3
> search msi.mydomain.com
> ==
> DC0 /etc/hosts
> 127.0.0.1       localhost
> 172.23.93.25    dc0.msi.mydomain.com dc0
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
> ==
> DC1 /etc/hosts
> 127.0.0.1       localhost
> 172.23.93.26    dc1.msi.mydomain.com dc1
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ==
> Why are you using the internal dns server on one DC and Bind9 on the other ?

I am very familiar with configuring Named on Fedora. I thought it would be just as easy on Ubuntu. After discovering the files were in different places and so many more being 'included', I decided to use internal on the second one.
I believe there is a command to switch over to internal, correct?

> Can you post the named.conf files from the one that is running Bind9.

named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.options
acl "trusted" {
        172.23.93.0/24;
        192.168.4.0/24;
        10.8.3.0/24;
        10.8.2.0/24;
        127.0.0.1;
        localnets;
        localhost;
};
options {
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;
        allow-query { trusted;};
        allow-recursion { trusted;};
        forwarders { 172.23.93.3; };
        allow-transfer { trusted;};
        allow-update { trusted;};
        dnssec-validation no;
        dnssec-enable no;
        dnssec-lookaside no;
        listen-on-v6 { none; };
        listen-on port 53 { 172.23.93.25; 127.0.0.1; };
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

named.conf.local
include "/var/lib/samba/bind-dns/named.conf";

/var/lib/samba/bind-dns/named.conf
dlz "AD DNS Zone" {
        # For BIND 9.8.x
        # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
        # For BIND 9.9.x
        # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
        # For BIND 9.10.x
        # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
        # For BIND 9.11.x
        database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};

/etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

The command 'samba-tool drs showrepl' shows zero failures.
That was the attachments I thought went out on first email.

> Rowland