Stefan G. Weichinger
2022-Nov-22 09:59 UTC
[Samba] accidentally upgraded DC to 4.17.3 ... didn't work
On 22.11.22 at 10:00, Andrew Bartlett wrote:
> On Tue, 2022-11-22 at 09:53 +0100, Stefan G. Weichinger via samba
> wrote:
>> On 22.11.22 at 09:43, Stefan G. Weichinger via samba wrote:
>>
>>> but I don't have it OK yet:
>>
>> Update: seems OK now
>>
>> I wonder whether to stay at 4.16.2 on ADC2 and 4.16.6 on ADC1 for now.
>>
>> Vacation starts on Thursday ...
>
> It really comes down to how much you trust your users. Remember that
> each of them is domain admin in Samba 4.16.2

Hmm, yes, that sounds scary. Although the users there should be trustworthy.

I'll check that DNS/resolved-issue again and retry the upgrade to 4.17.3 soon.

thanks
Stefan G. Weichinger
2022-Nov-22 10:34 UTC
[Samba] accidentally upgraded DC to 4.17.3 ... didn't work
On 22.11.22 at 10:59, Stefan G. Weichinger via samba wrote:
> On 22.11.22 at 10:00, Andrew Bartlett wrote:
>> On Tue, 2022-11-22 at 09:53 +0100, Stefan G. Weichinger via samba
>> wrote:
>>> On 22.11.22 at 09:43, Stefan G. Weichinger via samba wrote:
>>>
>>>> but I don't have it OK yet:
>>>
>>> Update: seems OK now
>>>
>>> I wonder whether to stay at 4.16.2 on ADC2 and 4.16.6 on ADC1 for now.
>>>
>>> Vacation starts on Thursday ...
>>
>> It really comes down to how much you trust your users. Remember that
>> each of them is domain admin in Samba 4.16.2
>
> Hmm, yes, that sounds scary. Although the users there should be
> trustworthy.
>
> I'll check that DNS/resolved-issue again and retry the upgrade to 4.17.3 soon.

On 4.17.3 now on one DC.

The DCs recently also became Kea-DHCP-servers, so they have interfaces in various VLANs.

That seems to mess with winbind ...

# wbinfo -u
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users

I added this to smb.conf:

bind interfaces only = yes
interfaces = lo enp0s31f6

.. to only let the DC run in the LAN.

Restarted samba-ad-dc.service, doesn't help.

systemd-resolved is disabled and stopped

journal shows:

Nov 22 11:25:33 adc2 samba[303310]: /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.849094, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
Nov 22 11:25:33 adc2 samba[303310]: /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.920546, 0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
Nov 22 11:25:33 adc2 samba[303310]: dnsupdate_nameupdate_done: Failed DNS update with exit code 20

- DRS replication seems to work, though

random tests:

# wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret

# wbinfo --ping-dc
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the NETLOGON for domain[] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE

- winbindd is running according to journal and "ps avx"