On 5/31/22 09:13, Rowland Penny via samba wrote:
> On Tue, 2022-05-31 at 08:39 -0400, Zombie Ryushu via samba wrote:
>> I have been unable to process any Domain Logins of any type on OpenSuse
>> Leap 15.3. I get an invalid SID error.
>> This has been isolated to just one of my Domain Controllers.
>> Unfortunately, its my Primary Domain Controller.
>>
>> Basically normal Samba and Domain AD Logins fail with
>>
>> NT_STATUS_INVALID_SID
>>
>> A Bug report has been opened at:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=15079
>>
>> Kerberos KDC and LDAP functionality still works, but not much else
>> does. I believe that some sort of corruption has entered the
>> database.
>> My other two DCs are unaffected. Please review the errors in the bug
>> reports and advise.
> Please provide the output from 'testparm -s' as requested.
>
> Also, you do not have a primary DC, you just have a DC that holds the
> FSMO roles including the PDC_Emulator. If you have a problem with just
> one DC, then demote it and add a new one, even if it is the DC holding
> the FSMO roles.
>
> Rowland
>
>
>
The DC did have the FSMO roles, but I tried to demote the DC and rejoin
it. The DC won't demote normally. It will refuse to transfer roles. A
secondary DC has seized the roles, but the primary DC thinks it still
has them when it does not.
I also tried the "Demote as a Dead DC" procedure. That worked, but after
re-join the original DC was still corrupt.
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_ACTIVE_DIRECTORY_DC
# Global parameters
[global]
	domain logons = Yes
	domain master = Yes
	ntlm auth = ntlmv1-permitted
	os level = 40
	passdb backend = samba_dsdb
	preferred master = Yes
	realm = PUKEY
	server min protocol = NT1
	server role = active directory domain controller
	server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
	tls cafile = tls/ca.crt
	tls certfile = tls/olympia.pukey.crt
	tls keyfile = tls/olympia.pukey.key
	winbind nss info = rfc2307
	workgroup = PUKEY-NT
	rpc_server:tcpip = no
	rpc_daemon:spoolssd = embedded
	rpc_server:spoolss = embedded
	rpc_server:winreg = embedded
	rpc_server:ntsvcs = embedded
	rpc_server:eventlog = embedded
	rpc_server:srvsvc = embedded
	rpc_server:svcctl = embedded
	rpc_server:default = external
	winbindd:use external pipes = true
	idmap_ldb:use rfc2307 = yes
	idmap config * : backend = tdb
	map archive = No
	vfs objects = dfs_samba4 acl_xattr

[netlogon]
	path = /var/lib/samba/sysvol/pukey/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[homes]
	comment = Home Directories
	create mask = 0700
	directory mask = 0700
	read only = No

[pdf-gen]
	comment = PDF Generator (only valid users)
	lpq command = /bin/true
	lprm command = lprm -P'%p' %j
	path = /var/tmp
	printable = Yes
	print command = /usr/share/samba/scripts/print-pdf "%s" "%H" "//%L/%u" "%m" "%I" "%J" &
	printing = bsd

[printers]
	browseable = No
	comment = All Printers
	create mask = 0700
	guest ok = Yes
	path = /var/spool/samba
	printable = Yes

[print$]
	guest ok = Yes
	inherit permissions = Yes
	path = /var/lib/samba/printers
	write list = @adm root

[Public]
	comment = Public Files
	path = /opt/var/public/
	read only = No
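The thread turns on one fact: the broken DC still believes it holds FSMO roles that a surviving DC has already seized, and a normal demote refuses to transfer them. The script below is an added example, not commands posted by either participant. It parses the output of `samba-tool fsmo show` to see which DC the directory itself records as the owner of each role, and then shows the seize / dead-DC-removal / dbcheck sequence that Rowland's advice ("demote it and add a new one, even if it is the DC holding the FSMO roles") amounts to when the DC will not demote cleanly. The `samba-tool` subcommands and flags are real; the DC names `DC1` (the broken host) and `DC2`, the `DC=pukey` DN, and the sample `fsmo show` output are constructed for the example. The action functions only print the commands unless `DO_IT=1` is set, so the checks can be run safely first.

```shell
#!/bin/sh
# Added example, not from the thread. Run on a surviving (healthy) DC as root.
# DC1 = the DC that refuses to demote, DC2 = the DC that seized the roles.
# Both names and the DC=pukey base DN are assumptions for illustration.

# Reduce 'samba-tool fsmo show' output (lines of the form
# "<RoleName> owner: CN=NTDS Settings,CN=<DC>,CN=Servers,...") to
# "<RoleName> <DC>" lines so they can be compared by hand or by script.
fsmo_owners() {
    sed -n 's/^\([A-Za-z]*\) owner: CN=NTDS Settings,CN=\([^,]*\),.*$/\1 \2/p'
}

# Count how many roles (fsmo show output on stdin) the named DC still owns
# according to the directory. A dead DC should come out at 0 before it is
# removed; a non-zero count means seize has not been replicated/applied.
roles_held_by() {
    fsmo_owners | awk -v dc="$1" 'tolower($2) == tolower(dc) { n++ } END { print n + 0 }'
}

# Constructed sample output, modelled on the real command's format: DC2 has
# taken every role except the PDC emulator, which the directory still
# attributes to the broken DC1.
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey'

# Dry-run wrapper: print the command unless DO_IT=1 is exported.
run() {
    if [ "${DO_IT:-0}" = "1" ]; then "$@"; else echo "+ $*"; fi
}

# Recovery sequence on the surviving DC: take all seven roles here, strip the
# dead DC's objects out of the directory, then verify the database.
# The old host must afterwards have its smb.conf and private directory wiped
# before it is re-joined with 'samba-tool domain join'; re-joining a host
# that kept its old sam.ldb brings the corruption straight back.
recover_from_dead_dc() {
    dead="$1"
    run samba-tool fsmo seize --role=all
    run samba-tool domain demote --remove-other-dead-server="$dead"
    run samba-tool dbcheck --cross-ncs
}

# Stand-alone run: live data if samba-tool is installed, the sample otherwise.
if command -v samba-tool >/dev/null 2>&1; then
    samba-tool fsmo show | fsmo_owners
else
    printf '%s\n' "$SAMPLE_FSMO" | fsmo_owners
fi
echo "roles the directory still attributes to DC1: $(printf '%s\n' "$SAMPLE_FSMO" | roles_held_by DC1)"
recover_from_dead_dc DC1
```

Run `samba-tool fsmo show | roles_held_by <name>` on each DC in turn: every DC should report the same owner for every role. If the broken DC reports itself as owner while the others report the DC that seized the roles, its copy of the directory is out of step and no amount of `samba-tool fsmo transfer` from that host will fix it; that is the situation the dead-DC removal above is for.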