On 23/05/2016 at 14:46, Rowland penny wrote:
> On 23/05/16 12:56, Sam wrote:
>>
>
> It looks like your problems have nothing to do with dhcp, one problem
> appears to be related to dnssec:
>
> May 23 10:52:27 S4 named[2162]: validating @0x7eff24296b50:
> choices.truste.com A: no valid signature found
>
> If you have 'dnssec-validation yes;' in 'named.conf.options', change
> it to 'dnssec-validation auto;'
>
> Your main problem has been reported before, not sure if a fix was
> found, can I suggest you upgrade to the latest Sernet 4.2 package
> (4.2.12), this may contain a fix. If it doesn't, can you post the
> smb.conf from the DCs, also both resolv.conf files, raise the log
> level to 10 and see if anything else pops out.
>
> Rowland

Hello Rowland,
in named.conf.options, dnssec-validation is already set to auto.
Ok, I put syslog = 10 in smb.conf and will tell if I get more details.

I prefer not trying to upgrade, the servers are in production.

Here are the files:

S4bis smb.conf file:
# Global parameters
[global]
workgroup = ARIANE
realm = ariane.intra
netbios name = S4BIS
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

## KEEP THIS OFF !! Only used for modify-ing the AD Schema
## ONLY DONE ONES ON THE DC WITH THE FSMO Roles
sdb:schema update allowed = no

## Dont forget to set the idmap_ldb on ALL DC's if you use it
idmap_ldb:use rfc2307 = yes

idmap config * :backend = tdb
idmap config * :range = 2000-9999
idmap config ARIANE : backend = ad
idmap config ARIANE : range = 10000-3999999

#when using idmap backend RID enable these
#template shell = /bin/sh
template homedir = /home/users/%ACCOUNTNAME%

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind max clients = 800

interfaces = 127.0.0.1 172.20.2.3
bind interfaces only = yes
time server = yes
wins support = yes

# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = secure
nsupdate command = /usr/bin/nsupdate -g

[netlogon]
path = /var/lib/samba/sysvol/ariane.intra/scripts
read only = No
acl_xattr:ignore system acl = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No
acl_xattr:ignore system acl = yes

S4bis resolv.conf file:
search ariane.intra
nameserver 172.20.2.2
nameserver 172.20.2.3

S4 smb.conf file:
# Global parameters
[global]
workgroup = ARIANE
realm = ariane.intra
netbios name = S4
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

## KEEP THIS OFF !! Only used for modify-ing the AD Schema
## ONLY DONE ONES ON THE DC WITH THE FSMO Roles
sdb:schema update allowed = no

## Dont forget to set the idmap_ldb on ALL DC's if you use it
idmap_ldb:use rfc2307 = yes

idmap config * :backend = tdb
idmap config * :range = 2000-9999
idmap config ARIANE : backend = ad
idmap config ARIANE : range = 10000-3999999

#when using idmap backend RID enable these
#template shell = /bin/sh
template homedir = /home/users/%ACCOUNTNAME%

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind max clients = 800

interfaces = 127.0.0.1 172.20.2.2
bind interfaces only = yes
time server = yes
wins support = yes

# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = secure
nsupdate command = /usr/bin/nsupdate -g

syslog = 10

[netlogon]
path = /var/lib/samba/sysvol/ariane.intra/scripts
read only = No
acl_xattr:ignore system acl = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No
acl_xattr:ignore system acl = yes

S4bis resolv.conf file:
search ariane.intra
nameserver 172.20.2.3
nameserver 172.20.2.2

Thank you!
Sam
As a lot of things would quickly rely on AD, AD mustn't fail. To avoid failure, we set up AD with several DCs, in a way that we have more DCs than needed, to be able to lose some of them without lowering the service quality. At least that's how I see it.

According to that, why not prepare another DC on some VM (VM because it is easy to add, destroy, etc.) with a newer Samba version? You keep your 2 [almost] working DCs, you just get another one to which clients can connect, and so you can check if the issue also exists with that new version. If the issue does not exist on the new version, you have 3 DCs when 2 seem to be enough, so you can gently upgrade one of them, then you'll be able to upgrade the last one. Once finished you can remove the third DC or leave it, as you want.

That way (more servers than needed, use some of them to play with when needed, have a plan to reinstall the DC you were playing with in case you destroy it for some reason) seems to me a nice way to manage Samba as AD. We have followed that way to upgrade our DCs for months and we tried almost all the latest versions during the last year, without service interruption.

To be sure your playground DC is not used while you play with it, you can deal with AD sites (at least one site with DCs to answer clients' auth requests, this site must be linked to CIDR network address(es), and another one with no CIDR network address linked to it). You put your playground DC into that second site without CIDR associated and no client should try to use it (as long as you have working DCs on the other site and the CIDR addresses associated cover all client addresses).

My 2 cents :)

2016-05-23 17:36 GMT+02:00 Sam <sr42354 at gmail.com>:
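The site layout described above (one serving site whose linked subnets cover every client, plus an empty site for the playground DC) is easy to get subtly wrong, for instance by leaving a client range uncovered so that the client falls back to whichever DC it can find. The following added example, which is not code from the thread or from Samba, models that layout and checks it before anything is changed in AD. Site names, DC names, subnets and client addresses are constructed sample data; the samba-tool sub-commands in the plan are the `sites create` and `sites subnet create` commands as documented in samba-tool's help and are only listed, never executed.

```python
"""Verify a planned AD site layout before moving a playground DC into it."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    dcs: list                                    # DC hostnames placed in the site
    subnets: list = field(default_factory=list)  # CIDR strings linked to the site


def check_site_layout(sites, client_addresses):
    """Return a list of problems; an empty list means the layout is consistent.

    Rules taken from the advice in the thread:
      1. at least one site must have both DCs and linked subnets (it serves clients);
      2. every client address must fall inside a subnet of such a serving site,
         otherwise that client may pick any DC, including the playground one;
      3. a site with subnets but no DC sends clients nowhere useful.
    """
    problems = []
    serving = [s for s in sites if s.dcs and s.subnets]
    if not serving:
        problems.append("no site has both DCs and linked subnets")
    networks = []
    for s in serving:
        for cidr in s.subnets:
            try:
                networks.append(ipaddress.ip_network(cidr, strict=True))
            except ValueError as exc:
                problems.append(f"site {s.name}: bad subnet {cidr!r}: {exc}")
    for addr in client_addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in networks):
            problems.append(f"client {addr} is not covered by any serving site")
    for s in sites:
        if s.subnets and not s.dcs:
            problems.append(f"site {s.name} has subnets but no DC")
    return problems


def samba_tool_plan(sites):
    """Return the samba-tool argv lists that would create the sites and subnets.

    Assumed sub-commands: 'samba-tool sites create <site>' and
    'samba-tool sites subnet create <cidr> <site>'. Nothing is executed here;
    the playground site deliberately gets no subnet line.
    """
    plan = []
    for s in sites:
        plan.append(["samba-tool", "sites", "create", s.name])
        for cidr in s.subnets:
            plan.append(["samba-tool", "sites", "subnet", "create", cidr, s.name])
    return plan


# Constructed sample layout: the two production DCs serve the office ranges,
# a third DC running a newer Samba sits in a site with no subnet linked to it.
PRODUCTION = Site("Ariane-Prod", dcs=["S4", "S4BIS"],
                  subnets=["172.20.2.0/24", "172.20.3.0/24"])
PLAYGROUND = Site("Ariane-Lab", dcs=["S4NEW"])
CLIENTS = ["172.20.2.50", "172.20.3.17"]

if __name__ == "__main__":
    for line in check_site_layout([PRODUCTION, PLAYGROUND], CLIENTS) or ["layout OK"]:
        print(line)
    for argv in samba_tool_plan([PRODUCTION, PLAYGROUND]):
        print(" ".join(argv))
```

Run it with the real client ranges of a site before creating the playground site; any `not covered` line means that client could still end up authenticating against the DC under test.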
On 23/05/16 16:36, Sam wrote:

OK, you have a few lines in smb.conf that do nothing or are defaults:

These do nothing on an AD DC:

idmap config * :backend = tdb
idmap config * :range = 2000-9999
idmap config ARIANE : backend = ad
idmap config ARIANE : range = 10000-3999999

You only need this when it is set to 'yes':

## KEEP THIS OFF !! Only used for modify-ing the AD Schema
## ONLY DONE ONES ON THE DC WITH THE FSMO Roles
sdb:schema update allowed = no

These are default lines:

winbind trusted domains only = no
client ldap sasl wrapping = sign
nsupdate command = /usr/bin/nsupdate -g
allow dns updates = secure # Note: it is actually 'secure only' and that is the default.

Your resolv.conf files seem to be wrong, each DC should point to the other first and then themselves.

As for upgrading, this is of course your decision, but I should point out that there was a major security update recently and the Samba version you are running is liable to a possible MITM attack.

Rowland
Hi,

A word about DNS resolver set up on DCs.

MS really advises to set the first resolver pointing to some other DC. The reason Microsoft gave to me is: when booting, a MS DC waits for the [other than DNS] AD [parts] to be up before starting the DNS service, but to start the [other than DNS] AD [parts] Windows Server sends some DNS requests; without a response to these DNS requests Windows Server does not start the [other than DNS] AD [parts]... After some time MS Windows Server finally starts the DNS service and the rest of AD : )

To work around that issue MS advises to set up the DNS resolver on a DC to aim at another DC. IIRC this limitation was removed with MS Windows Server 2012.

Here all my Samba4 DCs are running the DNS service, all of them are configured to send DNS requests to themselves and all these DCs are working well, starting well, synching well.

What all that means: the Samba team developed its software nicely enough to avoid that mistake MS made, and so setting up a DC's resolver to aim at another DC is not needed at all on Samba DCs.

Have a nice day all,
mathias

2016-05-23 18:18 GMT+02:00 Rowland penny <rpenny at samba.org>:
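Rowland's review of the posted smb.conf and resolv.conf files can be turned into a repeatable check. The following is an added example, not code from the thread or from the Samba project: it parses an smb.conf (sections and `key = value` lines, with parameter names treated as case- and space-insensitive as Samba does), flags the `idmap config` lines (no effect on an AD DC), the parameters sitting at the defaults Rowland lists (`secure` is accepted as the spelling of the default `secure only`) and `sdb:schema update allowed = no`, and applies his resolv.conf rule of "other DC first, then itself". Whether that resolver order is needed at all is the point mathias disputes above; the check only reports the order. The sample files are constructed from the S4BIS files posted in the thread, trimmed, plus one deliberately self-first resolv.conf; the list of defaults is assumed correct for the 4.2 series under discussion.

```python
"""Audit a Samba AD DC's smb.conf and resolv.conf for the points raised in the thread."""
import re

# Defaults named in the thread (assumed to hold for the Samba 4.2 series discussed).
DEFAULTS = {
    "winbind trusted domains only": {"no"},
    "client ldap sasl wrapping": {"sign"},
    "nsupdate command": {"/usr/bin/nsupdate -g"},
    "allow dns updates": {"secure", "secure only"},
}


def normalise_key(key):
    """Samba ignores case and embedded whitespace in parameter names."""
    return re.sub(r"\s+", " ", key.strip().lower())


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}; repeated keys are kept in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # whole-line comments only
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((normalise_key(key), value.strip()))
    return sections


def audit_smb_conf(text):
    """Return human-readable findings for the [global] section of an AD DC."""
    params = parse_smb_conf(text).get("global", [])
    settings = dict(params)                      # last occurrence wins, as in Samba
    findings = []
    if settings.get("server role", "").lower() != "active directory domain controller":
        findings.append("server role is not AD DC; the checks below assume a DC")
    for key, value in params:
        if key.startswith("idmap config"):
            findings.append(f"no effect on an AD DC: {key} = {value}")
        elif key in DEFAULTS and value.lower() in DEFAULTS[key]:
            findings.append(f"default value, can be dropped: {key} = {value}")
        elif key == "sdb:schema update allowed" and value.lower() == "no":
            findings.append("only needed when set to yes: sdb:schema update allowed = no")
    return findings


def dc_addresses(text):
    """The DC's own non-loopback addresses, taken from 'interfaces' in [global]."""
    settings = dict(parse_smb_conf(text).get("global", []))
    return [a for a in settings.get("interfaces", "").split() if not a.startswith("127.")]


def check_resolv_conf(text, own_ips, other_dcs):
    """Apply the 'other DC first, then itself' rule; return a list of problems."""
    nameservers = [parts[1] for parts in (l.split() for l in text.splitlines())
                   if len(parts) > 1 and parts[0] == "nameserver"]
    if not nameservers:
        return ["no nameserver lines"]
    problems = []
    if nameservers[0] not in other_dcs:
        problems.append(f"first nameserver {nameservers[0]} is not another DC")
    if not any(ip in nameservers for ip in own_ips):
        problems.append("the DC's own address is not listed at all")
    return problems


# Constructed sample: the [global] section of S4BIS as posted, trimmed.
S4BIS_SMB_CONF = """\
[global]
workgroup = ARIANE
realm = ariane.intra
netbios name = S4BIS
server role = active directory domain controller
## KEEP THIS OFF !! Only used for modifying the AD Schema
sdb:schema update allowed = no
idmap_ldb:use rfc2307 = yes
idmap config * :backend = tdb
idmap config * :range = 2000-9999
idmap config ARIANE : backend = ad
idmap config ARIANE : range = 10000-3999999
winbind trusted domains only = no
interfaces = 127.0.0.1 172.20.2.3
bind interfaces only = yes
client ldap sasl wrapping = sign
allow dns updates = secure
nsupdate command = /usr/bin/nsupdate -g
[sysvol]
path = /var/lib/samba/sysvol
"""
S4BIS_RESOLV_CONF = "search ariane.intra\nnameserver 172.20.2.2\nnameserver 172.20.2.3\n"
SELF_FIRST_RESOLV_CONF = "nameserver 172.20.2.3\nnameserver 172.20.2.2\n"  # constructed bad order

if __name__ == "__main__":
    for finding in audit_smb_conf(S4BIS_SMB_CONF):
        print("smb.conf:", finding)
    own = dc_addresses(S4BIS_SMB_CONF)
    for label, txt in [("as posted", S4BIS_RESOLV_CONF), ("self first", SELF_FIRST_RESOLV_CONF)]:
        print(f"resolv.conf ({label}):", check_resolv_conf(txt, own, ["172.20.2.2"]) or "ok")
```

On the trimmed S4BIS sample the audit reports nine lines: the schema-update line, the four `idmap config` lines and the four defaults. Pointed at a real DC, pass the other DCs' addresses in `other_dcs` and let `dc_addresses` read the DC's own addresses from `interfaces`, so the resolver check does not depend on which file was labelled which when the files were pasted.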