On 08/01/2023 16:03, Michael Tokarev via samba wrote:
> 08.01.2023 18:54, Michael Tokarev wrote:
> ...
>> And nope, after removing this stale A gc._msdcs record from samba DNS, it
>> still does not work and still logs the same error message, apparently when
>> trying to log in to the other DC for replication:
>>
>> [2023/01/08 18:50:43.390974,  0]
>> ../../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>>   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>> ncacn_ip_tcp:192.168.19.6[49153,seal,krb5,target_hostname=4b38bf02-0354-44f7-b1b2-4bc8bd73784a._msdcs.tls.msk.ru,target_princi
>>
>> I'll try to strace it to find out what's going on.
>
> strace itself didn't help, but it gave me a clue, because at the very place
> where it logs this error, it opens the samba keytab file. And earlier I thought
> maybe after doing some DC stuff, I'll have to regenerate the keytabs?
>
> And indeed, there was an error in /etc/krb5.conf, - this file was still
> referring to the old DC which I just removed.
>
> Unfortunately, all guides I've read so far about samba and kerberos, are
> *wrong*.
> They say to create krb5.conf with the given contents, but this does not work
> at all when you have more than one realm in there, so by creating the new
> krb5.conf, you're breaking other realms. But this is a different issue.
>
>> Unfortunately I still don't know what does it *mean*, what exactly it tries
>> to do when "binding to uuid"?
>
> (still no answer to this).
>
> Thanks,
>
> /mjt
>
>
Ah, I forgot that you are running your Samba AD DCs in an unsupported
way. For a start, you really should only have one realm in krb5.conf on a DC.
I cannot help you further with this, an NT4-style DC != an AD DC and you
shouldn't try to run AD anything like NT4.

Rowland