Stefan G. Weichinger
2022-Nov-22 10:34 UTC
[Samba] accidentally upgraded DC to 4.17.3 ... didn't work
On 22.11.22 at 10:59, Stefan G. Weichinger via samba wrote:
> On 22.11.22 at 10:00, Andrew Bartlett wrote:
>> On Tue, 2022-11-22 at 09:53 +0100, Stefan G. Weichinger via samba
>> wrote:
>>> On 22.11.22 at 09:43, Stefan G. Weichinger via samba wrote:
>>>
>>>> but I don't have it OK yet:
>>>
>>> Update: seems OK now
>>>
>>> I wonder if to stay at 4.16.2 on ADC2 and 4.16.6 on ADC1 for now.
>>>
>>> Vacation starts on Thursday ...
>>
>> It really comes down to how much you trust your users. Remember that
>> each of them is domain admin in Samba 4.16.2
>
> Hmm, yes, that sounds scary. Although the users there should be
> trustworthy.
>
> I check that DNS/resolved-issue again and retry the upgrade to 4.17.3 soon.

On 4.17.3 now on one DC.

The DCs recently also became Kea-DHCP-servers, so they have interfaces in various VLANs.

That seems to mess with winbind ...

# wbinfo -u
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users

I added this to smb.conf:

bind interfaces only = yes
interfaces = lo enp0s31f6

.. to only let the DC run in the LAN.

Restarted samba-ad-dc.service, doesn't help.

systemd-resolved is disabled and stopped

journal shows:

Nov 22 11:25:33 adc2 samba[303310]:   /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.849094,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
Nov 22 11:25:33 adc2 samba[303310]:   /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.920546,  0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
Nov 22 11:25:33 adc2 samba[303310]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 20

-

DRS replication seems to work, though

random tests:

# wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret

# wbinfo --ping-dc
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the NETLOGON for domain[] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE

-

winbindd is running according to journal and "ps avx"
Rowland Penny
2022-Nov-22 10:55 UTC
[Samba] accidentally upgraded DC to 4.17.3 ... didn't work
On 22/11/2022 10:34, Stefan G. Weichinger via samba wrote:
> On 22.11.22 at 10:59, Stefan G. Weichinger via samba wrote:
>> On 22.11.22 at 10:00, Andrew Bartlett wrote:
>>> On Tue, 2022-11-22 at 09:53 +0100, Stefan G. Weichinger via samba
>>> wrote:
>>>> On 22.11.22 at 09:43, Stefan G. Weichinger via samba wrote:
>>>>
>>>>> but I don't have it OK yet:
>>>>
>>>> Update: seems OK now
>>>>
>>>> I wonder if to stay at 4.16.2 on ADC2 and 4.16.6 on ADC1 for now.
>>>>
>>>> Vacation starts on Thursday ...
>>>
>>> It really comes down to how much you trust your users. Remember that
>>> each of them is domain admin in Samba 4.16.2
>>
>> Hmm, yes, that sounds scary. Although the users there should be
>> trustworthy.
>>
>> I check that DNS/resolved-issue again and retry the upgrade to 4.17.3
>> soon.
>
> On 4.17.3 now on one DC.
>
> The DCs recently also became Kea-DHCP-servers, so they have interfaces
> in various VLANs.

My personal opinion of kea is that their first thought was 'how do we make this so complicated that users have to pay us to sort it out'. Your opinion may differ.

>
> That seems to mess with winbind ...

But it shouldn't do, it should just hand out the same info that the isc-dhcp-server did, just with the possibility of IPv6 addresses. I cannot understand why anyone uses IPv6 internally, do they really have more computers, printers etc working for the organisation than there are people on the planet?

>
> # wbinfo -u
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
>
> I added this to smb.conf:
>
> bind interfaces only = yes
> interfaces = lo enp0s31f6
>
> .. to only let the DC run in the LAN.
>
> Restarted samba-ad-dc.service, doesn't help.
>
> systemd-resolved is disabled and stopped
>
> journal shows:
>
> Nov 22 11:25:33 adc2 samba[303310]:   /usr/sbin/samba_dnsupdate: ; TSIG
> error with server: tsig verify failure
> Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.849094,  0]
> ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> Nov 22 11:25:33 adc2 samba[303310]:   /usr/sbin/samba_dnsupdate: ; TSIG
> error with server: tsig verify failure
> Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.920546,  0]
> ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
> Nov 22 11:25:33 adc2 samba[303310]:   dnsupdate_nameupdate_done: Failed
> DNS update with exit code 20
>

Try adding this to the smb.conf and then restart Samba:

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

> -
>
> DRS replication seems to work, though
>
> random tests:
>
> # wbinfo -t
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the trust secret for domain (null) via RPC calls failed
> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
> Could not check secret
>
> # wbinfo --ping-dc
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the NETLOGON for domain[] dc connection to "" failed
> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>
> -
>
> winbindd is running according to journal and "ps avx"

That all sounds like dns problems.

Rowland
Stefan G. Weichinger
2022-Nov-22 11:00 UTC
[Samba] accidentally upgraded DC to 4.17.3 ... didn't work
On 22.11.22 at 11:34, Stefan G. Weichinger via samba wrote:
> On 22.11.22 at 10:59, Stefan G. Weichinger via samba wrote:
>> On 22.11.22 at 10:00, Andrew Bartlett wrote:
>>> On Tue, 2022-11-22 at 09:53 +0100, Stefan G. Weichinger via samba
>>> wrote:
>>>> On 22.11.22 at 09:43, Stefan G. Weichinger via samba wrote:
>>>>
>>>>> but I don't have it OK yet:
>>>>
>>>> Update: seems OK now
>>>>
>>>> I wonder if to stay at 4.16.2 on ADC2 and 4.16.6 on ADC1 for now.
>>>>
>>>> Vacation starts on Thursday ...
>>>
>>> It really comes down to how much you trust your users. Remember that
>>> each of them is domain admin in Samba 4.16.2
>>
>> Hmm, yes, that sounds scary. Although the users there should be
>> trustworthy.
>>
>> I check that DNS/resolved-issue again and retry the upgrade to 4.17.3
>> soon.
>
> On 4.17.3 now on one DC.
>
> The DCs recently also became Kea-DHCP-servers, so they have interfaces
> in various VLANs.
>
> That seems to mess with winbind ...
>
> # wbinfo -u
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
>
> I added this to smb.conf:
>
> bind interfaces only = yes
> interfaces = lo enp0s31f6
>
> .. to only let the DC run in the LAN.
>
> Restarted samba-ad-dc.service, doesn't help.
>
> systemd-resolved is disabled and stopped
>
> journal shows:
>
> Nov 22 11:25:33 adc2 samba[303310]:   /usr/sbin/samba_dnsupdate: ; TSIG
> error with server: tsig verify failure
> Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.849094,  0]
> ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> Nov 22 11:25:33 adc2 samba[303310]:   /usr/sbin/samba_dnsupdate: ; TSIG
> error with server: tsig verify failure
> Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.920546,  0]
> ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
> Nov 22 11:25:33 adc2 samba[303310]:   dnsupdate_nameupdate_done: Failed
> DNS update with exit code 20
>
> -
>
> DRS replication seems to work, though
>
> random tests:
>
> # wbinfo -t
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the trust secret for domain (null) via RPC calls failed
> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
> Could not check secret
>
> # wbinfo --ping-dc
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the NETLOGON for domain[] dc connection to "" failed
> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>
> -
>
> winbindd is running according to journal and "ps avx"

Additional observations on ADC2:

# tail log.samba
[2022/11/22 11:52:06.058000,  1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
  Doing a full scan on CN=Configuration,DC=arbeitsgruppe,DC=ikw-amstetten,DC=at and looking for deleted objects
[2022/11/22 11:53:57.118027,  1] ../../source4/dns_server/dns_query.c:1140(dns_server_process_query_got_auth)
  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
[2022/11/22 11:53:57.959838,  1] ../../source4/dns_server/dns_query.c:1140(dns_server_process_query_got_auth)
  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
[2022/11/22 11:54:24.196900,  1] ../../source4/dns_server/dns_query.c:1140(dns_server_process_query_got_auth)
  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
[2022/11/22 11:54:25.032117,  1] ../../source4/dns_server/dns_query.c:1140(dns_server_process_query_got_auth)
  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR

# tail log.wb-ARBEITSGRUPPE
[2022/11/20 00:00:07.109539,  1] ../../source3/winbindd/winbindd.c:364(winbindd_sig_hup_handler)
  Reloading services after SIGHUP
[2022/11/22 09:03:04.040791,  0] ../../source3/winbindd/winbindd_dual.c:1957(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2022/11/22 11:22:52.368820,  0] ../../source3/winbindd/winbindd_dual.c:1957(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2022/11/22 11:50:17.402770,  0] ../../source3/winbindd/winbindd_dual.c:1957(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2022/11/22 11:58:34.500594,  0] ../../source3/winbindd/winbindd_dual.c:1957(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
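
A log triage helper for the kind of output posted in this thread, as an added example that is not part of any message above: it parses Samba's log header format (timestamp, debug level, source location, function) and counts repeated messages so that recurring errors such as the TSIG and SOA failures stand out. The sample text is constructed from lines quoted in the thread, and the names `parse_entries` and `summarize` are illustrative.

```python
import re
from collections import Counter

# Samba log header: [date time.usec, level] source_file:line(function)
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*(\d+)\]\s+"
    r"\S+?:\d+\((\w+)\)"
)

# Constructed sample, assembled from log lines quoted in the thread.
SAMPLE = """\
[2022/11/22 11:25:33.849094,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
[2022/11/22 11:25:33.920546,  0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
  dnsupdate_nameupdate_done: Failed DNS update with exit code 20
[2022/11/22 11:53:57.118027,  1] ../../source4/dns_server/dns_query.c:1140(dns_server_process_query_got_auth)
  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
[2022/11/22 11:53:57.959838,  1] ../../source4/dns_server/dns_query.c:1140(dns_server_process_query_got_auth)
  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
[2022/11/22 11:58:34.500594,  0] ../../source3/winbindd/winbindd_dual.c:1957(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
"""

def parse_entries(text):
    """Split log text into entries; works even if line breaks were lost in a paste."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        # The message body runs from this header to the start of the next one.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({"time": m.group(1), "level": int(m.group(2)),
                        "func": m.group(3), "msg": " ".join(text[m.end():end].split())})
    return entries

def summarize(entries, max_level=1):
    """Return (count, function, message, first_seen, last_seen), most frequent first."""
    counts = Counter()
    span = {}
    for e in entries:
        if e["level"] > max_level:  # higher levels are debug noise
            continue
        key = (e["func"], e["msg"])
        counts[key] += 1
        first = span.get(key, (e["time"],))[0]
        span[key] = (first, e["time"])
    return [(n, f, msg) + span[(f, msg)] for (f, msg), n in counts.most_common()]

if __name__ == "__main__":
    for row in summarize(parse_entries(SAMPLE)):
        print(row)
```

Pass `max_level=0` to keep only the level 0 entries, which in the sample are the `samba_dnsupdate` failures and the winbindd SIGTERM.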