Ok just to verify.

DC name = ad41.dc.samges.ru
dnsdomain = dc.samges.ru
Kerberos domain ??

I'm guessing your kerberos to dnsdomain mapping is wrong.

Can you post the
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf

And, can you post the line you used for provisioning?

Greetz,

Louis

> -----Original message-----
> From: Mike Lykov [mailto:combr at samges.ru]
> Sent: Friday 18 November 2016 12:20
> To: L.P.H. van Belle
> Subject: Re: [Samba] group policy update fails
>
> 18.11.2016 12:04, L.P.H. van Belle via samba wrote:
> > This looks all good.
> >
> > Can you check your database replication with my script.
> > http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh
> > It does some basic checks to detect the AD DCs.
> > And it compares the AD DB database in 2 ways.
>
> May I ask you about my results interpretation?
>
> -------------
> Result for [DOMAIN]: FAILURE
> Attributes found only in ldap://ad41.dc.samges.ru:
> msDS-NcType
> serverState
> Result for [CONFIGURATION]: FAILURE
> Attributes found only in ldap://ad41.dc.samges.ru:
> msDS-NcType
> subRefs
>
> Result for [SCHEMA]: FAILURE
> Attributes found only in ldap://ad41.dc.samges.ru:
> msDS-NcType
> ---------------
>
> What do these attributes mean, why could they not replicate?
> And how to fix this case?
> "samba drs showrepl" shows all is ok.
>
> -----------
> * Comparing [DNSDOMAIN] context...
> Failed search of base=DC=DomainDnsZones,DC=dc,DC=samges,DC=ru
> ------------
>
> Why can it happen?
>
>
> --
> Mike Lykov, system administrator
18.11.2016 16:45, L.P.H. van Belle via samba wrote:
> Ok just to verify.
>
> DC name = ad41.dc.samges.ru
>
> dnsdomain= dc.samges.ru
yes
> Kerberos domain ??
/etc/krb5.conf
[libdefaults]
default_realm = DC.SAMGES.RU
dns_lookup_realm = false
dns_lookup_kdc = true
> I'm guessing your kerberos to dnsdomain mapping is wrong.
> Can you post the
> /etc/hosts
> /etc/resolv.conf
> /etc/krb5.conf
and see the thread "DC server own hostname must be part of ad dc domain?"
here, from me.
In your script you use a dns query like
SETDNSDOMAIN=`hostname -d`
... $(host -t SRV _kerberos._udp.${SETDNSDOMAIN}
but in my case it does not work, because
SETDNSDOMAIN=samges.ru instead of dc.samges.ru
(I patched it by setting SETDNSDOMAIN=dc.samges.ru by hand)
but all seems to work (users authorised, gpo propagated)
> And, can you post the line you used for provisioning?
where can I find it after more than 2 years?
It's like samba-tool domain provision --use-rfc2307 --interactive
Maybe we should move to that thread (about own hostname) because here it's
somewhat off-topic, not about gpo updates.
>> -----Original message-----
>> From: Mike Lykov [mailto:combr at samges.ru]
>> Sent: Friday 18 November 2016 12:20
>> To: L.P.H. van Belle
>> Subject: Re: [Samba] group policy update fails
>>
>> 18.11.2016 12:04, L.P.H. van Belle via samba wrote:
>>> This looks all good.
>>>
>>> Can you check your database replication with my script.
>>> http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh
>>> It does some basic checks to detect the AD DCs.
>>> And it compares the AD DB database in 2 ways.
>>
>> May I ask you about my results interpretation?
>>
>> -------------
>> Result for [DOMAIN]: FAILURE
>> Attributes found only in ldap://ad41.dc.samges.ru:
>> msDS-NcType
>> serverState
>> Result for [CONFIGURATION]: FAILURE
>> Attributes found only in ldap://ad41.dc.samges.ru:
>> msDS-NcType
>> subRefs
>>
>> Result for [SCHEMA]: FAILURE
>> Attributes found only in ldap://ad41.dc.samges.ru:
>> msDS-NcType
>> ---------------
>>
>> What do these attributes mean, why could they not replicate?
>> And how to fix this case?
>> "samba drs showrepl" shows all is ok.
>>
>> -----------
>> * Comparing [DNSDOMAIN] context...
>> Failed search of base=DC=DomainDnsZones,DC=dc,DC=samges,DC=ru
>> ------------
>>
>> Why can it happen?
>>
>>
>> --
>> Mike Lykov, system administrator
>
>
>
On Fri, 18 Nov 2016 21:29:25 +0400 Mike Lykov via samba <samba at lists.samba.org> wrote:

> 18.11.2016 16:45, L.P.H. van Belle via samba wrote:
> > Ok just to verify.
> >
> > DC name = ad41.dc.samges.ru
> >
> > dnsdomain= dc.samges.ru
> yes
> > Kerberos domain ??
> /etc/krb5.conf
> [libdefaults]
> default_realm = DC.SAMGES.RU
> dns_lookup_realm = false
> dns_lookup_kdc = true
> > I'm guessing your kerberos to dnsdomain mapping is wrong.
> > Can you post the
> > /etc/hosts
> > /etc/resolv.conf
> > /etc/krb5.conf
> and see the thread "DC server own hostname must be part of ad dc domain?"
> here, from me.
>
> In your script you use a dns query like
> SETDNSDOMAIN=`hostname -d`
> ... $(host -t SRV _kerberos._udp.${SETDNSDOMAIN}
> but in my case it does not work, because
> SETDNSDOMAIN=samges.ru instead of dc.samges.ru
> (I patched it by setting SETDNSDOMAIN=dc.samges.ru by hand)

If 'hostname -d' is returning 'samges.ru' then everything else will have to be 'samges.ru'

I think you need to check in AD, just what is the rootdse ?
Is it 'DC=samges,DC=ru' or 'DC=dc,DC=samges,DC=ru' ?

If it is the latter, then you need to make 'hostname -d' return 'dc.samges.ru'

Rowland
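The check Rowland describes, written out as a small POSIX shell script added here (it is not the samba-check-db-repl.sh script from the thread and not Samba's own code): take the AD DNS domain from the directory's defaultNamingContext instead of from 'hostname -d', then report whether the host's DNS domain, the Kerberos realm from /etc/krb5.conf and the AD naming context agree, and which _kerberos._udp SRV name the script should therefore query. The values fed in at the bottom are the ones reported in this thread (constructed input); the /var/lib/samba/private/sam.ldb path in live_check is the Debian default and an assumption for other installs.

```shell
#!/bin/sh
# Added example, not the samba-check-db-repl.sh script from the thread.
# Derive the AD DNS domain from the directory's defaultNamingContext and
# compare it with 'hostname -d' and the Kerberos realm in /etc/krb5.conf.

# Convert an LDAP DN built from DC= components into a DNS name.
# "DC=dc,DC=samges,DC=ru" -> "dc.samges.ru"
dn_to_dns() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed -e 's/^dc=//' -e 's/,dc=/./g'
}

# Name of the Kerberos SRV record the thread's script queries for a domain.
kerberos_srv_name() {
    printf '_kerberos._udp.%s\n' "$1"
}

# Compare the three sources. Prints one line per check and returns 0 only
# when they all agree. Arguments:
#   $1  host DNS domain   (output of 'hostname -d')
#   $2  Kerberos realm    (default_realm from /etc/krb5.conf)
#   $3  AD naming context (defaultNamingContext from the rootDSE)
check_domain_consistency() {
    hostdom=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    realmdom=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    addom=$(dn_to_dns "$3")
    rc=0
    if [ "$hostdom" = "$addom" ]; then
        echo "OK: 'hostname -d' ($hostdom) matches the AD naming context ($addom)"
    else
        echo "MISMATCH: 'hostname -d' gives '$hostdom' but the AD naming context is '$addom'"
        rc=1
    fi
    if [ "$realmdom" = "$addom" ]; then
        echo "OK: Kerberos realm $2 matches the AD naming context"
    else
        echo "MISMATCH: Kerberos realm $2 does not match the AD naming context '$addom'"
        rc=1
    fi
    echo "SRV record the script should query: $(kerberos_srv_name "$addom")"
    return $rc
}

# Gather the live values on a Samba AD DC. The sam.ldb path is the Debian
# default and an assumption for other installs; ldbsearch, hostname and host
# are the real commands.
live_check() {
    nc=$(ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b '' defaultNamingContext \
         | sed -n 's/^defaultNamingContext: //p')
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' /etc/krb5.conf)
    check_domain_consistency "$(hostname -d)" "$realm" "$nc"
    host -t SRV "$(kerberos_srv_name "$(dn_to_dns "$nc")")"
}

# Constructed input: the values reported in this thread.
if check_domain_consistency "samges.ru" "DC.SAMGES.RU" "DC=dc,DC=samges,DC=ru"; then
    echo "host, realm and AD agree"
else
    echo "fix 'hostname -d' (or the script's SETDNSDOMAIN) before trusting the SRV lookup"
fi
```

Run as-is it reproduces the thread's situation: the realm matches the naming context but 'hostname -d' does not, so the SRV lookup built from 'hostname -d' targets the wrong zone. On the DC itself call live_check instead of the bottom block to compare the real values; the same rootDSE attribute can also be read over the network with ldapsearch against ad41.dc.samges.ru if you prefer not to open sam.ldb locally.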