Rowland Penny
2017-Jun-20 16:12 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Tue, 20 Jun 2017 17:54:09 +0200
Prunk Dump via samba <samba at lists.samba.org> wrote:

> Hello thanks again for the help !
>
> I have analysed samba logs more closely. I'm very worried. I have
> three DC (fichdc, fichds01, fichds02) but here I talk just about
> fichdc's logs.
>

How did you upgrade 'jessie' to 'stretch' and why ?

Did all the Samba packages get upgraded (this includes things like
talloc, tevent etc)

Rowland
Prunk Dump
2017-Jun-20 16:52 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
2017-06-20 18:12 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 20 Jun 2017 17:54:09 +0200
> Prunk Dump via samba <samba at lists.samba.org> wrote:
>
>> Hello thanks again for the help !
>>
>> I have analysed samba logs more closely. I'm very worried. I have
>> three DC (fichdc, fichds01, fichds02) but here I talk just about
>> fichdc's logs.
>>
>
> How did you upgrade 'jessie' to 'stretch' and why ?
>
> Did all the Samba packages get upgraded (this includes things like
> talloc, tevent etc)
>
> Rowland
>

Hello.

I upgraded Debian from "Jessie" to "Stretch" following the Debian
Upgrade Handbook. I'm not using special repositories, just the Debian
stable branch. Everything is updated with "apt-get upgrade" and
"apt-get dist-upgrade".

This upgrade is really mandatory because after two years of Debian
Jessie I have encountered many difficulties with the samba version. By
two times the Debian security team was not able to apply security
patch to the base stable Samba version. So two times Samba version
change and put my network down. So I can't keep the Jessie Samba
Version for two years more I want to maintain good security.

But now I'm very disappointed.
I don't understand why all my DCs have a bad
"/var/lib/samba/private/secret.keytab"
I don't understand why Kerberos authentication does not work inside
Samba but works with "kinit" (like in the previous log have sent).

I'm lost. I don't know what to do...

-> How can I regenerate the "/var/lib/samba/private/secret.keytab"
with all the 5 encryptions ?

-> On the DC that have all the FSMO roles have made a "samba-tool
dbcheck --cross-ncs --fix --yes" (as say on the samba upgrade guide).
Do I need to do this on the others DCs ? Or is this better to first
restoring replication ?

-> Do I need to do a manual directory replication ?

Thank you very much for your help.

Baptiste.
Rowland Penny
2017-Jun-20 17:12 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Tue, 20 Jun 2017 18:52:49 +0200
Prunk Dump <prunkdump at gmail.com> wrote:

> Hello.
>
> I upgraded Debian from "Jessie" to "Stretch" following the Debian
> Upgrade Handbook. I'm not using special repositories, just the Debian
> stable branch. Everything is updated with "apt-get upgrade" and
> "apt-get dist-upgrade".
>
> This upgrade is really mandatory because after two years of Debian
> Jessie I have encountered many difficulties with the samba version. By
> two times the Debian security team was not able to apply security
> patch to the base stable Samba version. So two times Samba version
> change and put my network down. So I can't keep the Jessie Samba
> Version for two years more I want to maintain good security.

Not sure if upgrading to an unreleased Debian version is a good idea,
you could do what I am doing, use Louis Van Belle's packages on Jessie.

>
> But now I'm very disappointed.
> I don't understand why all my DCs have a bad
> "/var/lib/samba/private/secret.keytab"
> I don't understand why Kerberos authentication does not work inside
> Samba but works with "kinit" (like in the previous log have sent).

I don't understand it either, but I feel it must be down to at least one
of the packages that got upgraded and that are used by Samba. Perhaps
Louis can comment here, I feel he knows more about what is required to
get the latest version of Samba working on Debian.

>
> I'm lost. I don't know what to do...
>
> -> How can I regenerate the "/var/lib/samba/private/secret.keytab"
> with all the 5 encryptions ?

This is something Andrew is going to have to help you with, but I think
he gave a hint about using 'chgtdcpass'

>
> -> On the DC that have all the FSMO roles have made a "samba-tool
> dbcheck --cross-ncs --fix --yes" (as say on the samba upgrade guide).
> Do I need to do this on the others DCs ? Or is this better to first
> restoring replication ?

This should fix any faults in db on this machine, replication should
then send any changes to the other DCs, but I can see no reason not to
run the command on the other DCs

>
> -> Do I need to do a manual directory replication ?
>

I wouldn't at this stage, but if you can fix it on one DC and the fixes
don't get replicated, this may be something to consider later.

Rowland
L.P.H. van Belle
2017-Jun-21 06:30 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Hai,

I'm wondering also what happened here, I can't figure it out (yet).
I did read this now few times..

Baptiste, can you give me the following output.
( keep this order for the output please. )

cat /etc/hosts
cat /etc/resolv.conf
cat /etc/nsswitch.conf
cat /etc/krb5.conf
cat /var/lib/samba/private/krb5.conf
klist -ket /etc/krb5.keytab
klist -ket /var/lib/samba/private/secrets.keytab

Get this script, run it, and if you get errors post them.
http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh

cat /etc/samba/smb.conf

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 20 June 2017 19:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] DRS stopped working after upgrade from
> debian Jessie to Stretch
>
> On Tue, 20 Jun 2017 18:52:49 +0200
> Prunk Dump <prunkdump at gmail.com> wrote:
>
> > Hello.
> >
> > I upgraded Debian from "Jessie" to "Stretch" following the Debian
> > Upgrade Handbook. I'm not using special repositories, just the Debian
> > stable branch. Everything is updated with "apt-get upgrade" and
> > "apt-get dist-upgrade".

! I noticed that, samba-dsdb-modules in a "winbind" only install errors again.
Not a problem, but check if samba-dsdb-modules is installed on your DC after the upgrade.
Better, show me :
dpkg -l | egrep "samba|?mbd|winbind|nss|talloc|tevent|tdb|ldb"

> >
> > This upgrade is really mandatory because after two years of Debian
> > Jessie I have encountered many difficulties with the samba version. By
> > two times the Debian security team was not able to apply security
> > patch to the base stable Samba version. So two times Samba version
> > change and put my network down. So I can't keep the Jessie Samba
> > Version for two years more I want to maintain good security.

Can you point me to these 2?

>
> Not sure if upgrading to an unreleased Debian version is a
> good idea, you could do what I am doing, use Louis Van
> Belle's packages on Jessie.

Rowland, Debian Stretch is released 3 days ago ;-)

>
> >
> > But now I'm very disappointed.
> > I don't understand why all my DCs have a bad
> > "/var/lib/samba/private/secret.keytab"
> > I don't understand why Kerberos authentication does not work inside
> > Samba but works with "kinit" (like in the previous log have sent).

We will figure this out, ..
Just thinking..

kinit uses the default /etc/krb5.conf
Samba /var/lib/samba/private/krb5.conf

System default normally points to /etc/krb5.keytab
Samba /var/lib/samba/private/secret.keytab

>
> I don't understand it either, but I feel it must be down to at
> least one of the packages that got upgraded and that are used
> by Samba. Perhaps Louis can comment here, I feel he knows
> more about what is required to get the latest version of
> Samba working on Debian.

I'm thinking, Baptiste, you're using nfsv4 kerberized?
Do cat /etc/idmap.conf for me also, are you using "[Static]" user name mappings like
principal at REALM = localusername

>
> >
> > I'm lost. I don't know what to do...
> >
> > -> How can I regenerate the "/var/lib/samba/private/secret.keytab"
> > with all the 5 encryptions ?

First the info, then the fix.

>
> This is something Andrew is going to have to help you with,
> but I think he gave a hint about using 'chgtdcpass'
>
> >
> > -> On the DC that have all the FSMO roles have made a "samba-tool
> > dbcheck --cross-ncs --fix --yes" (as say on the samba upgrade guide).
> > Do I need to do this on the others DCs ? Or is this better to first
> > restoring replication ?

Run my samba-check-db-repl.sh script then we'll see what needs fixing.

>
> This should fix any faults in db on this machine, replication
> should then send any changes to the other DCs, but I can see
> no reason not to run the command on the other DCs
>
> >
> > -> Do I need to do a manual directory replication ?
> >
>
> I wouldn't at this stage, but if you can fix it on one DC and
> the fixes don't get replicated, this may be something to
> consider later.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
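
Added example, not part of the thread and not one of the posters' scripts: a shell filter over the `klist -ket` output requested above that lists every principal lacking one of the expected encryption types, which is the symptom described for the keytab in this thread. The five enctype names in `WANT`, the function names, and the sample principals and realm are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). ASSUMPTION: these five names are the
# enctypes expected per principal; edit WANT to match your realm.
WANT="des-cbc-crc des-cbc-md5 arcfour-hmac aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"

# Reads MIT-style `klist -ket` text on stdin and prints one line per
# principal that lacks any enctype listed in WANT.
missing_enctypes() {
    awk -v want="$WANT" '
    BEGIN { n = split(want, w, " ") }
    # Entry lines start with a numeric KVNO and end with "(enctype)".
    $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
        e = substr($NF, 2, length($NF) - 2)
        sub(/^DEPRECATED:/, "", e)   # newer MIT klist prefixes weak enctypes
        p = $(NF - 1)
        have[p, e] = 1
        if (!(p in seen)) { seen[p] = 1; order[++np] = p }
    }
    END {
        for (i = 1; i <= np; i++) {
            p = order[i]; miss = ""
            for (j = 1; j <= n; j++)
                if (!((p, w[j]) in have)) miss = miss " " w[j]
            if (miss != "") print p ": missing" miss
        }
    }'
}

# Constructed sample output (principals and realm are made up).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   1 06/20/2017 10:00:00 HOST/dc1@EXAMPLE.TEST (des-cbc-crc)
   1 06/20/2017 10:00:00 HOST/dc1@EXAMPLE.TEST (des-cbc-md5)
   1 06/20/2017 10:00:00 HOST/dc1@EXAMPLE.TEST (DEPRECATED:arcfour-hmac)
   1 06/20/2017 10:00:00 HOST/dc1@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   1 06/20/2017 10:00:00 HOST/dc1@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 06/20/2017 10:00:00 DC1$@EXAMPLE.TEST (des-cbc-crc)
   1 06/20/2017 10:00:00 DC1$@EXAMPLE.TEST (arcfour-hmac)
EOF
}

# Real use: klist -ket /var/lib/samba/private/secrets.keytab | missing_enctypes
```

An empty result means every principal in the keytab carries all enctypes in `WANT`; running it against both keytabs named in the message shows whether they differ.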