samba - Apr 2022 - ODP: Demoting AD DC failed, now it won't start up after ldb and tdb files removed

Thanks a lot Andrew, it did help... kind of.

So I managed to rejoin the domain and restart samba services. But for some
reason on the physical DC that I fixed with the help of Your instructions now
winbind seems to be a bit off (which was my original problem and reason why I
started meddling with it in the first place). Basically, the user ids and group
ids are not what they should be. The box recognizes users, but their IDs are not
what's in the database. For instance my account should be this (as depicted
on any other box correctly in the domain):

localadmin at eonia:~$ id krzysieq
uid=1000016(krzysieq) gid=20002(adults)
groups=20002(adults),20001(cansudo),20004(gdocs),20006(gaudio),20005(gphoto),20008(gstuff),20007(gvideo),20010(jirauser),20011(bitbucketuser),20012(bamboouser),3001(BUILTIN\users),3000(BUILTIN\administrators)

However, on my secondary, physical DC this same ask comes back with:
root at meraki:/etc# id krzysieq
uid=3000007(***\krzysieq) gid=100(users)
groups=100(users),3000007(***\krzysieq),3000008(***\domain
admins),3000009(***\gvideo),3000010(***\gdocs),3000011(***\gaudio),3000012(***\jirauser),3000013(***\cansudo),3000014(***\gstuff),3000015(***\gphoto),3000016(***\bamboouser),3000017(***\bitbucketuser),3000018(***\denied
rodc password replication group),3000001(***\users),3000000(***\administrators)

The Id numbers are the ones stored in samba database, I'm not sure how's
the idmapping kicking in. I masked out the domain name with *** of course. Below
are my configs, first from a domain member where everything works as it should
(eonia box in fact):
[global]
        workgroup = ***
        realm = ***.COM
        security = ADS
        winbind refresh tickets = Yes
        map acl inherit = Yes
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind use default domain = Yes
        bind interfaces only = Yes
        interfaces = lo enp3s0
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config ***:backend = ad
        idmap config ***:schema_mode = rfc2307
        idmap config ***:range = 10000 - 9999999
        idmap config ***:unix_nss_info = Yes
        idmap config ***:unix_primary_group = Yes
        idmap cache time = 1
        idmap negative cache time = 1
        winbind cache time = 1
        template shell = /bin/bash
        template homedir = /home/%D/%U
        username map = /etc/samba/user.map
        server string = %h server (Samba, Debian)
        log file = /var/log/samba/log.%m
        max log size = 1000
        logging = file
        panic action = /usr/share/samba/panic-action %d
        server role = standalone server
        obey pam restrictions = Yes
        unix password sync = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = Yes
        map to guest = bad user
        vfs objects = dfs_samba4 acl_xattr recycle
        local master = no
        domain master = no
        preferred master = no
        os level = 0

And from the DC that is acting up:

# Global parameters
[global]
        dns forwarder = 192.168.1.1
        netbios name = MERAKI
        realm = ***.COM
        server role = active directory domain controller
        workgroup = ***
        idmap_ldb:user rfc2307 = Yes
        template shell = /bin/bash
        template homedir = /home/%D/%U
        unix extensions = Yes
        vfs objects = dfs_samba4 acl_xattr recycle
        local master = yes
        preferred master = yes
        domain master = yes
        os level = 255
        bind interfaces only = Yes
        interfaces = lo enp3s0

For reference, the config from the primary dc that works off a VM (winbind is
not configured there though, I don't log on to that box with domain accounts
but I do need that option on the second physical DC)

[global]
        dns forwarder = 192.168.1.1
        netbios name = PRIMARYDC
        realm = ***.COM
        server role = active directory domain controller
        workgroup = ***
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        template homedir = /home/%D/%U
        unix extensions = Yes
        vfs objects = dfs_samba4 acl_xattr recycle
        local master = yes
        preferred master = no
        domain master = no
        os level = 128

Could You point out what is wrong please? I'm a bit clueless, especially
that it all used to work fine a while back and I've not changed these
configs. Appreciate any help.
Cheers,
Chris
________________________________
Od: Andrew Bartlett <abartlet at samba.org>
Wys?ane: poniedzia?ek, 28 marca 2022 01:59
Do: Krzysztof Kucyba?a <krzysieq at hotmail.com>; samba at lists.samba.org
<samba at lists.samba.org>
Temat: Re: [Samba] Demoting AD DC failed, now it won't start up after ldb
and tdb files removed

On Sat, 2022-03-26 at 17:11 +0000, Krzysztof Kucyba?a via samba
wrote:
>
> Could anyone suggest how do I get myself out of this mess that I had
> put myself into? ? I have another DC that seems to be running fine
> at the moment, I was hoping the one I was trying to clean up would
> just replicate itself off it again, but that doesn?t seem to be the
> case currently?. Any help will be very appreciated ?
>
> Cheers,
You need to re-join the domain, Samba needs the database files you
removed and without them is totally lost.

That will clobber the old DC's entry in Active Directory, and because
you removed secrets.ldb/secrets.tdb the safety check won't stop you
doing the re-join.

It should work then.

Andrew Bartlett

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions

On Sat, 2022-04-02 at 14:42 +0000, Krzysztof Kucyba?a via samba
wrote:
> Thanks a lot Andrew, it did help... kind of.
> 
> So I managed to rejoin the domain and restart samba services. But for
> some reason on the physical DC that I fixed with the help of Your
> instructions now winbind seems to be a bit off (which was my original
> problem and reason why I started meddling with it in the first
> place). Basically, the user ids and group ids are not what they
> should be. The box recognizes users, but their IDs are not what's in
> the database. For instance my account should be this (as depicted on
> any other box correctly in the domain):
> 
> localadmin at eonia:~$ id krzysieq
> uid=1000016(krzysieq) gid=20002(adults)
> groups=20002(adults),20001(cansudo),20004(gdocs),20006(gaudio),20005(
> gphoto),20008(gstuff),20007(gvideo),20010(jirauser),20011(bitbucketus
> er),20012(bamboouser),3001(BUILTIN\users),3000(BUILTIN\administrators
> )
> 
> However, on my secondary, physical DC this same ask comes back with:
> root at meraki:/etc# id krzysieq
> uid=3000007(***\krzysieq) gid=100(users)
> groups=100(users),3000007(***\krzysieq),3000008(***\domain
> admins),3000009(***\gvideo),3000010(***\gdocs),3000011(***\gaudio),30
> 00012(***\jirauser),3000013(***\cansudo),3000014(***\gstuff),3000015(
> ***\gphoto),3000016(***\bamboouser),3000017(***\bitbucketuser),300001
> 8(***\denied rodc password replication
> group),3000001(***\users),3000000(***\administrators)
> 
> The Id numbers are the ones stored in samba database, I'm not sure
> how's the idmapping kicking in. I masked out the domain name with ***
> of course. Below are my configs, first from a domain member where
> everything works as it should (eonia box in fact):
> [global]
>         workgroup = ***
>         realm = ***.COM
>         security = ADS
>         winbind refresh tickets = Yes
>         map acl inherit = Yes
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         winbind use default domain = Yes
>         bind interfaces only = Yes
>         interfaces = lo enp3s0
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         idmap config ***:backend = ad
>         idmap config ***:schema_mode = rfc2307
>         idmap config ***:range = 10000 - 9999999
>         idmap config ***:unix_nss_info = Yes
>         idmap config ***:unix_primary_group = Yes
>         idmap cache time = 1
>         idmap negative cache time = 1
>         winbind cache time = 1
>         template shell = /bin/bash
>         template homedir = /home/%D/%U
>         username map = /etc/samba/user.map
>         server string = %h server (Samba, Debian)
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         logging = file
>         panic action = /usr/share/samba/panic-action %d
>         server role = standalone server
>         obey pam restrictions = Yes
>         unix password sync = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>         pam password change = Yes
>         map to guest = bad user
>         vfs objects = dfs_samba4 acl_xattr recycle
>         local master = no
>         domain master = no
>         preferred master = no
>         os level = 0
> 
> And from the DC that is acting up:
> 
> # Global parameters
> [global]
>         dns forwarder = 192.168.1.1
>         netbios name = MERAKI
>         realm = ***.COM
>         server role = active directory domain controller
>         workgroup = ***
>         idmap_ldb:user rfc2307 = Yes
>         template shell = /bin/bash
>         template homedir = /home/%D/%U
>         unix extensions = Yes
>         vfs objects = dfs_samba4 acl_xattr recycle
>         local master = yes
>         preferred master = yes
>         domain master = yes
>         os level = 255
>         bind interfaces only = Yes
>         interfaces = lo enp3s0
> 
> For reference, the config from the primary dc that works off a VM
> (winbind is not configured there though, I don't log on to that box
> with domain accounts but I do need that option on the second physical
> DC)
> 
> [global]
>         dns forwarder = 192.168.1.1
>         netbios name = PRIMARYDC
>         realm = ***.COM
>         server role = active directory domain controller
>         workgroup = ***
>         idmap_ldb:use rfc2307 = yes
>         template shell = /bin/bash
>         template homedir = /home/%D/%U
>         unix extensions = Yes
>         vfs objects = dfs_samba4 acl_xattr recycle
>         local master = yes
>         preferred master = no
>         domain master = no
>         os level = 128
> 
> Could You point out what is wrong please? I'm a bit clueless,
> especially that it all used to work fine a while back and I've not
> changed these configs. Appreciate any help.
> Cheers,
> Chris
First can I suggest you remove these lines from your Unix domain member
smb.conf:

        server role = standalone server
        local master = no
        domain master = no
        preferred master = no
        os level = 0
        unix password sync = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = Yes
        idmap cache time = 1
        idmap negative cache time = 1

You do not need them and the 'server role' is definitely wrong.

Can I also suggest you remove these lines from the DC:

        template homedir = /home/%D/%U
        unix extensions = Yes
        local master = yes
        preferred master = yes
        domain master = yes
        os level = 255

Having got that out of the way, lets turn to your main problem, the
different IDs on your DC and the Unix domain member.

I note that you are using the 'ad' idmap backend and this appears to be
working, this shows that you have added RFC2307 attributes to AD. These
attributes should override the IDs found in idmap.ldb, provided that
'idmap_ldb:user rfc2307 = Yes' is set in the DCs smb.conf (which you
appear to have), have you tried running 'net cache flush' ?

Rowland