Hello James,

To your questions:

"Are DC1 and DC2 in the same geographical location?"

Yes, they are in the same location, and they are in the same subnet as well.

"I'm also unclear from your message if you are still having password issues or not."

It appears to have been resolved. When we randomly checked, users were able to change their passwords. However, logging in with the new passwords was taking some time.

"It also appears you are missing 'dns forwarder =' in DC2 smb.conf"

As we understand it, the dns forwarder is only used for resolving names that are not in the internal DNS A records, right? Now the forwarder DNS will not have DC1 or DC2 records. Should it not resolve internally? We even changed the nameserver in resolv.conf, put the IPs of both DC1 and DC2 there, and the same error appears.

Even on DC1, when we use nslookup to check the DNS forwarding, it returns an error confirming that it is not forwarding.

I will share the output of the command you mentioned and also the output of nslookup from both DC1 and DC2.

-- 
Thanks & Regards,

Anantha Raghava

DISCLAIMER:
This e-mail communication and any attachments may be privileged and confidential to eXza Technology Consulting & Services, and are intended only for the use of the recipients named above. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.

Do not print this e-mail unless required. Save Paper & trees.

On Friday 05 May 2017 09:03 PM, lingpanda101 wrote:
> On 5/5/2017 11:08 AM, Anantha Raghava wrote:
>> Hello James,
>>
>> Even after setting the rfc2307 in smb.conf, the replication error continues and the password change error continues. The error thrown while forcing replication is shown below.
>>
>> -------------------------------------------------------------------
>> Even after setting RFC, DC2 is not getting synced from DC1. A connection time out error comes.
>>
>> # samba-tool drs replicate DC2.KTKBANKLTD.COM DC1.KTKBANKLTD.COM DC=ForestDnsZones,DC=KTKBANKLTD,DC=COM
>>
>> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:172.20.107.31[1024,seal,target_hostname=DC2.KTKBANKLTD.COM,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.20.107.31] NT_STATUS_IO_TIMEOUT
>> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to DC2.KTKBANKLTD.COM failed - drsException: DRS connection to DC2.KTKBANKLTD.COM failed: (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
>>     (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
>>     raise drsException("DRS connection to %s failed: %s" % (server, e))
>> ----------------------------------------------------------------------
>>
>> Also, as you had suggested, we have run the command 'samba-tool domain passwordsettings show'.
>> ----------------------------------------------------------------------
>> Before modification:
>>
>> Password informations for domain 'DC=ktkbankltd,DC=com'
>>
>> Password complexity: on
>> Store plaintext passwords: off
>> Password history length: 24
>> Minimum password length: 7
>> Minimum password age (days): 1
>> Maximum password age (days): 42
>> Account lockout duration (mins): 30
>> Account lockout threshold (attempts): 0
>> Reset account lockout after (mins): 30
>> ----------------------------------------------------------------------------------
>> Password information for the domain after modification using samba-tool:
>>
>> Password informations for domain 'DC=ktkbankltd,DC=com'
>>
>> Password complexity: off
>> Store plaintext passwords: off
>> Password history length: 3
>> Minimum password length: 7
>> Minimum password age (days): 0
>> Maximum password age (days): 60
>> Account lockout duration (mins): 30
>> Account lockout threshold (attempts): 0
>> Reset account lockout after (mins): 30
>> ---------------------------------------------------------------------------------
>>
>> When we reset the password policy using samba-tool, after about 10 minutes the policy comes to DC2 from DC1 and users are allowed to change their password. Now we have disabled the GPO for password settings.
>>
>> Probably, I feel, due to this replication issue the DB is becoming inconsistent and errors are being thrown. Also, DNS errors appear to exist in the Domain Controllers. We are using INTERNAL DNS, which is adding to the problem.
>>
>> Request you to help us in solving this issue.
>>
>> -- 
>> Thanks & Regards,
>>
>> Anantha Raghava
>>
>> On Thursday 04 May 2017 06:15 PM, lingpanda101 wrote:
>>> Thanks & Regards,
>
> The error on replication is
>
> failed: (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired
>
> Are DC1 and DC2 in the same geographical location? Can you post the results of
>
> 'samba-tool drs showrepl' from DC1 and DC2?
>
> It also appears you are missing
>
> 'dns forwarder ='
>
> in DC2 smb.conf
>
> I see you commented this out of DC1
>
> #interfaces = 127.0.0.1 172.20.107.30
>
> I would verify you have correctly assigned the proper hostname and static IPs on each DC. Can you run this command again and append -d 4? This will provide additional debug info.
>
> 'samba-tool drs replicate DC2.KTKBANKLTD.COM DC1.KTKBANKLTD.COM DC=ForestDnsZones,DC=KTKBANKLTD,DC=COM -d 4'
>
> I'm also unclear from your message if you are still having password issues or not.
>
> -- 
> James
On 5/5/2017 10:56 PM, Anantha Raghava wrote:
> Hello James,
>
> To your questions:
>
> "It also appears you are missing 'dns forwarder =' in DC2 smb.conf"
>
> As we understand it, the dns forwarder is only used for resolving names that are not in the internal DNS A records, right? Now the forwarder DNS will not have DC1 or DC2 records. Should it not resolve internally? We even changed the nameserver in resolv.conf, put the IPs of both DC1 and DC2 there, and the same error appears.
>
> Even on DC1, when we use nslookup to check the DNS forwarding, it returns an error confirming that it is not forwarding.

To your answer above: correct, among other internal records such as AAAA, CNAME, etc. However, if DC1 goes down, clients connecting to DC2 will not be able to resolve queries needing to be forwarded. resolv.conf should contain the IPs of DC1 and DC2. There is some debate on which should go first; just make sure they both exist. Using the internal DNS should be fine. It's recommended to use BIND for complex DNS requirements.

> On DC2, it appears to look for the lmhosts file, which does not exist. Should one create an lmhosts file?

To your question above: you do not need to create an lmhosts file. However, you can create one simply to make the error go away.

> DNS forwarder is not working at all.

To your statement above: add the dns forwarder line in DC2 as I suggested. Configure it to point to Google DNS (8.8.8.8) or another IP that does public DNS resolution.

I would verify your hosts file is set up correctly. From the Wiki:

    Verify that the /etc/hosts file on the DC correctly resolves the fully-qualified domain name (FQDN) and short host name to the LAN IP address of the DC. For example:

        127.0.0.1     localhost localhost.localdomain
        10.99.0.1     DC1.samdom.example.com DC1

    The host name and FQDN must not resolve to the 127.0.0.1 IP address or any other IP address than the one used on the LAN interface of the DC.

Verify resolv.conf is configured correctly. From the Wiki again:

    Disable tools, such as resolvconf, that automatically update your /etc/resolv.conf DNS resolver configuration file. Active Directory (AD) DCs and domain members must use a DNS server that is able to resolve the AD DNS zones.

I can't recall where to configure the resolv.conf on CentOS. Maybe someone else can chime in. I'm using Ubuntu Server.

-- 
James
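The two wiki rules quoted in James's reply (the DC's host name and FQDN must map to its LAN address and never to 127.0.0.1; the resolver must point only at DNS servers that serve the AD zones) can be checked mechanically before touching replication. The script below is an added example, not code from this thread or from the Samba project. The function names check_hosts and check_resolv are my own, and the host names, addresses and file contents are constructed to mirror the wiki's DC1.samdom.example.com example; substitute the real DC names and IPs when running it on a live controller.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): offline sanity
# checks for a DC's /etc/hosts and /etc/resolv.conf, following the two Samba
# wiki rules quoted above. Names, IPs and file contents are constructed.

# check_hosts FILE FQDN SHORTNAME LAN_IP
# Exit 0 only if both names appear in FILE and every line that names them
# maps them to LAN_IP (so a stray entry on 127.0.0.1 fails the check).
check_hosts() {
    awk -v fqdn="$2" -v short="$3" -v lan="$4" '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || NF < 2 { next }          # skip comments and blank lines
        {
            for (i = 2; i <= NF; i++) {
                if ($i == fqdn || $i == short) {
                    seen[$i] = 1
                    if ($1 != lan) {
                        printf "BAD: %s -> %s (expected %s)\n", $i, $1, lan
                        bad = 1
                    }
                }
            }
        }
        END {
            if (!(fqdn in seen))  { printf "MISSING: %s\n", fqdn;  bad = 1 }
            if (!(short in seen)) { printf "MISSING: %s\n", short; bad = 1 }
            exit bad
        }' "$1"
}

# check_resolv FILE DC_IPS AD_DOMAIN
# DC_IPS is a comma-separated list of the DCs' LAN IPs. Exit 0 only if at
# least one nameserver is listed, every nameserver is one of the DCs, and a
# search/domain line names the AD domain. Order of the DCs is not checked.
check_resolv() {
    awk -v dcs="$2" -v domain="$3" '
        BEGIN { bad = 0; ns = 0; hasdom = 0
                n = split(dcs, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF < 2 { next }
        $1 == "nameserver" {
            ns++
            if (!($2 in ok)) { printf "BAD: nameserver %s is not an AD DC\n", $2; bad = 1 }
        }
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) if ($i == domain) hasdom = 1
        }
        END {
            if (ns == 0) { print "MISSING: no nameserver line"; bad = 1 }
            if (!hasdom) { printf "MISSING: search/domain %s\n", domain; bad = 1 }
            exit bad
        }' "$1"
}

# --- constructed sample files, written to a temp dir so the demo runs offline ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Good: loopback carries only localhost, the DC maps to its LAN address.
HOSTS_GOOD="$DEMO_DIR/hosts.good"
cat > "$HOSTS_GOOD" <<'EOF'
127.0.0.1   localhost localhost.localdomain
10.99.0.1   DC1.samdom.example.com DC1
EOF

# Bad: the failure mode the wiki warns about, the DC's names also on 127.0.0.1.
HOSTS_BAD="$DEMO_DIR/hosts.bad"
cat > "$HOSTS_BAD" <<'EOF'
127.0.0.1   localhost DC1.samdom.example.com DC1
10.99.0.1   DC1.samdom.example.com DC1
EOF

# Good: both DCs listed and the AD domain in the search path.
RESOLV_GOOD="$DEMO_DIR/resolv.good"
cat > "$RESOLV_GOOD" <<'EOF'
search samdom.example.com
nameserver 10.99.0.1
nameserver 10.99.0.2
EOF

# Bad: a tool such as resolvconf has rewritten the file to point at a router.
RESOLV_BAD="$DEMO_DIR/resolv.bad"
cat > "$RESOLV_BAD" <<'EOF'
# Generated by resolvconf
nameserver 10.99.0.254
EOF

# Run all four checks; each prints its findings and reports via exit status.
run_demo() {
    check_hosts  "$HOSTS_GOOD"  DC1.samdom.example.com DC1 10.99.0.1 && echo "hosts.good: OK"
    check_hosts  "$HOSTS_BAD"   DC1.samdom.example.com DC1 10.99.0.1 || echo "hosts.bad: FAIL"
    check_resolv "$RESOLV_GOOD" 10.99.0.1,10.99.0.2 samdom.example.com && echo "resolv.good: OK"
    check_resolv "$RESOLV_BAD"  10.99.0.1,10.99.0.2 samdom.example.com || echo "resolv.bad: FAIL"
}
run_demo
```

On a real DC, call check_hosts /etc/hosts with the controller's own FQDN, short name and LAN IP, and check_resolv /etc/resolv.conf with the addresses of all DCs; a non-zero exit is the signal to fix the file (and to disable whatever rewrote it) before retrying samba-tool drs replicate.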
On Mon, 8 May 2017 09:42:34 -0400
lingpanda101 via samba <samba at lists.samba.org> wrote:

> Verify resolv.conf is configured correctly. From the Wiki again:
>
>     Disable tools, such as resolvconf, that automatically update your /etc/resolv.conf DNS resolver configuration file. Active Directory (AD) DCs and domain members must use a DNS server that is able to resolve the AD DNS zones.
>
> I can't recall where to configure the resolv.conf on CentOS. Maybe someone else can chime in. I'm using Ubuntu Server.

I recently set up a Samba server with a fixed IP and had problems with resolv.conf being overwritten. I removed resolvconf and that is where my problems really started.

It seems that you cannot create a new /etc/resolv.conf (well, I couldn't). I ended up recursively copying everything in /etc to /etc1, then created /etc1/resolv.conf and copied /etc1 over /etc. This worked and survived a reboot. I am sure that there must be a better way to do this, but I couldn't easily find one and I was just testing something.

YMMV

Rowland
> It seems that you cannot create a new /etc/resolv.conf ..

Did you remove resolvconf with apt-get remove --purge resolvconf? That should have restored the static resolv.conf.

Or just make use of resolvconf. On Debian/Ubuntu, just configure the interfaces correctly.

/etc/network/interfaces:

    auto eth0
    allow-hotplug eth0
    iface eth0 inet static
        address 10.0.0.11
        netmask 255.255.255.0
        gateway 10.0.0.254
        dns-search your.domain.tld
        dns-nameservers 10.0.0.1 10.0.0.2

And you're done.

PS. Do not add a gateway or dns to an alias interface.

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Monday 8 May 2017 16:35
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba Active Directory Domain Controller
>
> On Mon, 8 May 2017 09:42:34 -0400
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
> > Verify resolv.conf is configured correctly. From the Wiki again:
> >
> >     Disable tools, such as resolvconf, that automatically update your /etc/resolv.conf DNS resolver configuration file. Active Directory (AD) DCs and domain members must use a DNS server that is able to resolve the AD DNS zones.
> >
> > I can't recall where to configure the resolv.conf on CentOS. Maybe someone else can chime in. I'm using Ubuntu Server.
>
> I recently set up a Samba server with a fixed IP and had problems with resolv.conf being overwritten. I removed resolvconf and that is where my problems really started.
>
> It seems that you cannot create a new /etc/resolv.conf (well, I couldn't). I ended up recursively copying everything in /etc to /etc1, then created /etc1/resolv.conf and copied /etc1 over /etc. This worked and survived a reboot. I am sure that there must be a better way to do this, but I couldn't easily find one and I was just testing something.
>
> YMMV
>
> Rowland
>
> -- 
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba