Hello Rowland,

thank you for advice. I reconfigure both AC-DCs again with new data and send updated data. Unfortunately, the result is the same. I'm also sending a listing from samba-setup-checkup.sh.

* Linux: Raspbian, debian stretch lite
* Samba version 4.5.12-Debian
* DNS: BIND9_DLZ 9.10.x
* Installed packages: ntp ntpdate samba smbclient winbind libcups2 samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user

*root@ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citsdc ry11citdc dc=ry11cit,dc=lan*
Replicate from ry11citdc to ry11citsdc was successful.

*root@ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citdc ry11citsdc dc=ry11cit,dc=lan*
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

*root@ry11citdc:/home/pi/Ry11# bash samba-setup-checkup.sh*
Check hostnames : Mismatch in hostname definitions
please check :
HOST_NAME_SHORT: ry11citdc
HOST_NAME_DOMAIN:
HOST_NAME_FQDN: ry11citdc
HOST_IP1: 10.44.1.10
HOST_IP2: Only one interface detected
HOST_GATEWAY: 10.44.1.1
HOST_PRIMARY_INTERFACE: 10.44.1.1
eth0
HOST_RESOLV_DOMAIN: domain ry11cit.lan
HOST_RESOLV_SEARCH: search ry11cit.lan
HOST_RESOLV_NAMESERV1: 10.44.1.10
HOST_RESOLV_NAMESERV2: 10.44.1.9
HOST_RESOLV_NAMESERV3:
Possible error detected in /etc/hosts, mismatch FQDN and detected IP 10.44.1.10 for the host.
expected was : 10.44.1.10 ry11citdc ry11citdc
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 10.44.1.1 : Error
ping nameserver1: 10.44.1.10 : Ok
ping nameserver2: 10.44.1.9 : Ok
Check ping google dns : 8.8.8.8 : Error
Checking file owner..
-rw-r--r-- pi pi /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- pi pi /etc/samba/lmhosts
Checking file owner..
Missing file /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba
DCS 2(SERVFAIL
DC1 2(SERVFAIL
DC2
ERROR: Invalid IP address '2(SERVFAIL'!
Samba AD DC info: = detected (command and where to look)
This server hostname = ry11citdc (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname) = ry11citdc (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses) = 10.44.1.10 Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles = RY11CITDC (samba-tool fsmo show)
The DC (with FSMO) Site name = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context = DC=ry11cit,DC=lan (samba-tool fsmo show)
The Kerberos REALM name used = RY11CIT.LAN (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC 2(SERVFAIL = 2(SERVFAIL)
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver

*I did not come to the way the hostname -d command would return the domain name. How can I do that? In addition, there are host, lmhost, resolv.conf, and so on*

Please help, I don't know the advice.

System integrator Jiří Knotek

"Primary" Active Directory Domain Controller:----------------------------------------
--------------------------------------------------------------------------------

hostname:-----------------
ry11citdc.ry11cit.lan

hosts:---------------
127.0.0.1 localhost localhost.localdomain
10.44.1.10 ry11citdc ry11citdc.ry11cit.lan
10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan

resolv.conf.head:-------------------
domain ry11cit.lan
search ry11cit.lan

systemctl.conf"--------------------
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6=1

krb5.conf:------------

[libdefaults]
    default_realm = RY11CIT.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true

named.conf:------------------------

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

named.conf.options:-----------------------

options {
    directory "/var/cache/bind";

    dnssec-validation auto;

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { none; };
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

lmhost:--------------------------
127.0.0.1 localhost
10.44.1.10 ry11citdc
10.44.1.9 ry11citsdc

smb.conf:------------------------------

# Global parameters
[global]
    netbios name = RY11CITDC
    realm = RY11CIT.LAN
    server services = -dns
    workgroup = RY11CIT
    server role = active directory domain controller

[netlogon]
    path = /var/lib/samba/sysvol/ry11cit.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

Samba Provision---------------:

samba-tool domain provision --realm=RY11CIT.LAN --domain=RY11CIT --server-role=dc --dns-backend=BIND9_DLZ --adminpass='.....'

"Backup / Standby" Active Directory Domain Controller:-------------------------------
--------------------------------------------------------------------------------

hostname:-----------------
ry11citsdc.ry11cit.lan

hosts:---------------
127.0.0.1 localhost localhost.localdomain
10.44.1.10 ry11citdc ry11citdc.ry11cit.lan
10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan

resolv.conf.head:-------------------
domain ry11cit.lan
search ry11cit.lan

systemctl.conf"--------------------
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6=1

krb5.conf:------------

[libdefaults]
    default_realm = RY11CIT.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true

named.conf:------------------------

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

named.conf.options:-----------------------

options {
    directory "/var/cache/bind";

    dnssec-validation auto;

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { none; };
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

lmhost:--------------------------
127.0.0.1 localhost
10.44.1.10 ry11citdc
10.44.1.9 ry11citsdc

smb.conf:------------------------------

# Global parameters
[global]
    netbios name = RY11CITSDC
    realm = RY11CIT.LAN
    server services = -dns
    workgroup = RY11CIT
    server role = active directory domain controller

[netlogon]
    path = /var/lib/samba/sysvol/ry11cit.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

Samba join---------------:

samba-tool domain join RY11CIT DC -Uadministrator --realm=RY11CIT.LAN --dns-backend=BIND9_DLZ --adminpass='.....'

Thanks
Jiri Knotek

Ow and..

Your hosts files are incorrect.
Layout should be :
ip hostname.fqdn hostname

So this should be :
> 10.44.1.10 ry11citdc.ry11cit.lan ry11citdc
> 10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc

Reboot both servers after the change.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle via samba
> Sent: Wednesday 13 December 2017 10:41
> To: samba at lists.samba.org
> CC: Jiří Knotek
> Subject: Re: [Samba] Replication problems bdc to pdc
>
> Great you use my script :-)
> Now we know something is wrong, run this one.
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> And post the content to the list, that helps a lot.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jiří Knotek via samba
> > Sent: Wednesday 13 December 2017 10:14
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Replication problems bdc to pdc
> >
> > Hello Rowland,
> >
> > thank you for advice. I reconfigure both AC-DCs again with new data
> > and send updated data. Unfortunately, the result is the same. I'm also
> > sending a listing from
> >
> > samba-setup-checkup.sh.
> >
> > * Linux: Raspbian, debian stretch lite
> > * Samba version 4.5.12-Debian
> > * DNS: BIND9_DLZ 9.10.x
> > * Installed packages: ntp ntpdate samba smbclient winbind libcups2
> > samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user
> >
> > *root@ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citsdc ry11citdc dc=ry11cit,dc=lan*
> > Replicate from ry11citdc to ry11citsdc was successful.

See inline comments:

On Wed, 13 Dec 2017 10:13:52 +0100
Jiří Knotek via samba <samba at lists.samba.org> wrote:

> Hello Rowland,
>
> thank you for advice. I reconfigure both AC-DCs again with new
> data and send updated data. Unfortunately, the result is the same.
> I'm also sending a listing from
>
> samba-setup-checkup.sh.
>
> * Linux: Raspbian, debian stretch lite
> * Samba version 4.5.12-Debian
> * DNS: BIND9_DLZ 9.10.x
> * Installed packages: ntp ntpdate samba smbclient winbind libcups2
> samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user
>
> *root@ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citsdc ry11citdc dc=ry11cit,dc=lan*
> Replicate from ry11citdc to ry11citsdc was successful.
>
> *root@ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citdc ry11citsdc dc=ry11cit,dc=lan*
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
>
> *root@ry11citdc:/home/pi/Ry11# bash samba-setup-checkup.sh*
> Check hostnames : Mismatch in hostname definitions
> please check :
> HOST_NAME_SHORT: ry11citdc
> HOST_NAME_DOMAIN:
> HOST_NAME_FQDN: ry11citdc
> HOST_IP1: 10.44.1.10
> HOST_IP2: Only one interface detected
> HOST_GATEWAY: 10.44.1.1
> HOST_PRIMARY_INTERFACE: 10.44.1.1
> eth0
> HOST_RESOLV_DOMAIN: domain ry11cit.lan
> HOST_RESOLV_SEARCH: search ry11cit.lan
> HOST_RESOLV_NAMESERV1: 10.44.1.10
> HOST_RESOLV_NAMESERV2: 10.44.1.9
> HOST_RESOLV_NAMESERV3:
> Possible error detected in /etc/hosts, mismatch FQDN and detected IP 10.44.1.10 for the host.
> expected was : 10.44.1.10 ry11citdc ry11citdc
> Checking detected host ipnumbers from resolv.conf and default gateway
> Ping gateway ip : 10.44.1.1 : Error
> ping nameserver1: 10.44.1.10 : Ok
> ping nameserver2: 10.44.1.9 : Ok
> Check ping google dns : 8.8.8.8 : Error
> Checking file owner..
> -rw-r--r-- pi pi /etc/samba/smb.conf
> Checking file owner..
> -rw-r--r-- pi pi /etc/samba/lmhosts
> Checking file owner..
> Missing file /etc/samba/smbpasswd
> drwxr-xr-x root root /usr/bin
> drwxr-xr-x root root /var/cache/samba
> drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf
> drwxr-xr-x root root /var/run/samba
> drwxr-x--- root adm /var/log/samba
> drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf/samba
> drwxr-xr-x root root /var/run/samba
> drwxr-xr-x root root /var/lib/samba/private
> drwxr-xr-x root root /usr/sbin
> drwxr-xr-x root root /var/lib/samba
> DCS 2(SERVFAIL
> DC1 2(SERVFAIL
> DC2
> ERROR: Invalid IP address '2(SERVFAIL'!
> Samba AD DC info: = detected (command and where to look)
> This server hostname = ry11citdc (hostname -s and /etc/hosts and DNS server)
> This server FQDN (hostname) = ry11citdc (hostname -f and /etc/hosts and DNS server)
> This server primary dnsdomain = (hostname -d and /etc/resolv.conf and DNS server)
> This server IP address(ses) = 10.44.1.10 Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
> The DC with FSMO roles = RY11CITDC (samba-tool fsmo show)
> The DC (with FSMO) Site name = Default-First-Site-Name (samba-tool fsmo show)
> The Default Naming Context = DC=ry11cit,DC=lan (samba-tool fsmo show)
> The Kerberos REALM name used = RY11CIT.LAN (kinit and /etc/krb5.conf and resolving)
> The Ipadres of DC 2(SERVFAIL = 2(SERVFAIL)
> SAMBA_SERVER_ROLE: active directory domain controller
> SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
>
>
> *I did not come to the way the hostname -d command would return the
> domain name. How can I do that? In addition, there are host, lmhost,
> resolv.conf, and so on*
>
> Please help, I don't know the advice.
>
> System integrator Jiří Knotek
>
>
> "Primary" Active Directory Domain Controller:----------------------------------------
> --------------------------------------------------------------------------------
>
> hostname:-----------------
> ry11citdc.ry11cit.lan

This should be just the short hostname
In this case 'ry11citdc'

>
> hosts:---------------
> 127.0.0.1 localhost localhost.localdomain
> 10.44.1.10 ry11citdc ry11citdc.ry11cit.lan
> 10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan

This should be:

127.0.0.1 localhost
10.44.1.10 ry11citdc.ry11cit.lan ry11citdc

>
> resolv.conf.head:-------------------
> domain ry11cit.lan
> search ry11cit.lan

What is 'resolv.conf.head' ?
Do you have the resolvconf package installed ?
If so, remove it and then create an /etc/resolv.conf file with this content:

search ry11cit.lan
nameserver 10.44.1.10

>
> systemctl.conf"--------------------
> net.ipv4.ip_forward=1
> net.ipv6.conf.all.disable_ipv6=1
>
>
>
> krb5.conf:------------
>
> [libdefaults]
>     default_realm = RY11CIT.LAN
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> named.conf:------------------------
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> named.conf.options:-----------------------
>
> options {
>     directory "/var/cache/bind";
>
>     dnssec-validation auto;
>
>     auth-nxdomain no; # conform to RFC1035
>     listen-on-v6 { none; };
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> lmhost:--------------------------
> 127.0.0.1 localhost
> 10.44.1.10 ry11citdc
> 10.44.1.9 ry11citsdc
>

not required

> smb.conf:------------------------------
>
> # Global parameters
> [global]
>     netbios name = RY11CITDC
>     realm = RY11CIT.LAN
>     server services = -dns
>     workgroup = RY11CIT
>     server role = active directory domain controller
>
> [netlogon]
>     path = /var/lib/samba/sysvol/ry11cit.lan/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> Samba Provision---------------:
>
> samba-tool domain provision --realm=RY11CIT.LAN --domain=RY11CIT
> --server-role=dc --dns-backend=BIND9_DLZ --adminpass='.....'
>
> "Backup / Standby" Active Directory Domain Controller:-------------------------------
> --------------------------------------------------------------------------------
>
> hostname:-----------------
> ry11citsdc.ry11cit.lan

should be just 'ry11citsdc'

>
> hosts:---------------
> 127.0.0.1 localhost localhost.localdomain
> 10.44.1.10 ry11citdc ry11citdc.ry11cit.lan
> 10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan

should be:

127.0.0.1 localhost
10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc

>
> resolv.conf.head:-------------------
> domain ry11cit.lan
> search ry11cit.lan
>

/etc/resolv.conf should be:

search ry11cit.lan
nameserver 10.44.1.9

> systemctl.conf"--------------------
> net.ipv4.ip_forward=1
> net.ipv6.conf.all.disable_ipv6=1
>
>
>
> krb5.conf:------------
>
> [libdefaults]
>     default_realm = RY11CIT.LAN
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> named.conf:------------------------
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> named.conf.options:-----------------------
>
> options {
>     directory "/var/cache/bind";
>
>     dnssec-validation auto;
>
>     auth-nxdomain no; # conform to RFC1035
>     listen-on-v6 { none; };
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> lmhost:--------------------------
> 127.0.0.1 localhost
> 10.44.1.10 ry11citdc
> 10.44.1.9 ry11citsdc
>

Not required

> smb.conf:------------------------------
>
> # Global parameters
> [global]
>     netbios name = RY11CITSDC
>     realm = RY11CIT.LAN
>     server services = -dns
>     workgroup = RY11CIT
>     server role = active directory domain controller
>
> [netlogon]
>     path = /var/lib/samba/sysvol/ry11cit.lan/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> Samba join---------------:
>
> samba-tool domain join RY11CIT DC -Uadministrator
> --realm=RY11CIT.LAN --dns-backend=BIND9_DLZ --adminpass='.....'
>

You haven't provisioned with '--use-rfc2307'
I suggest you go and read this:

https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

Rowland

On Wed, 13 Dec 2017 10:52:38 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Ow and..
>
> Your hosts files are incorrect.
> Layout should be :
> ip hostname.fqdn hostname
>
> So this should be :
> > 10.44.1.10 ry11citdc.ry11cit.lan ry11citdc
> > 10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc
> Reboot both servers after the change.
>
>

Correct, but wrong at the same time ;-)

You should only have the DC's own information in /etc/hosts, the DC should find any other DCs by dns, not by /etc/hosts.

Rowland

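
The /etc/hosts points from the two replies above (address, then FQDN, then short name; only the DC's own entry), written as a check that can be run against a copy of the file. This is an added example, not part of the thread and not taken from samba-setup-checkup.sh; the function names and the two sample files are hypothetical and are built from the values posted in the thread.

```shell
#!/bin/sh
# Added example: audit an /etc/hosts-style file for a Samba AD DC.
# A "files" lookup of a host name returns the FIRST name on the matching
# line as the canonical name; `hostname -f` reports that name and
# `hostname -d` reports what follows its first dot.

# Print "<address> <canonical-name>" for the first line that lists NAME.
hosts_lookup() {    # hosts_lookup FILE NAME
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                       # drop comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == want) { print $1, $2; exit }
        }
    ' "$1"
}

# What `hostname -d` would derive for SHORTNAME from this file (may be empty).
derived_domain() {  # derived_domain FILE SHORTNAME
    canon=$(hosts_lookup "$1" "$2" | awk '{ print $2 }')
    case "$canon" in
        *.*) printf '%s\n' "${canon#*.}" ;;
        *)   printf '\n' ;;
    esac
}

# Print findings; return 0 when the DC's own entry is laid out correctly.
audit_hosts() {     # audit_hosts FILE SHORTNAME EXPECTED_IP
    file=$1 short=$2 ip=$3 rc=0
    entry=$(hosts_lookup "$file" "$short")
    if [ -z "$entry" ]; then
        echo "FAIL: no entry for $short"
        return 1
    fi
    addr=${entry%% *}
    canon=${entry#* }
    if [ "$addr" != "$ip" ]; then
        echo "FAIL: $short resolves to $addr, expected $ip"
        rc=1
    fi
    case "$canon" in
        "$short".?*) ;;                          # FQDN listed first: OK
        *) echo "FAIL: first name is '$canon', expected $short.<dns domain>"
           rc=1 ;;
    esac
    # Other DCs should be found through DNS, so any further non-loopback
    # IPv4 entry is reported (IPv6 lines are skipped in this example).
    others=$(awk -v ip="$ip" '
        { sub(/#.*/, "") }
        NF >= 2 && $1 != ip && $1 !~ /^127\./ && $1 !~ /:/ { print $1 }
    ' "$file")
    for o in $others; do
        echo "WARN: entry for $o should come from DNS, not the hosts file"
    done
    return $rc
}

# Constructed sample input: the layout posted in the thread and the
# corrected layout for ry11citdc.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' \
    '127.0.0.1 localhost localhost.localdomain' \
    '10.44.1.10 ry11citdc ry11citdc.ry11cit.lan' \
    '10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan' > "$SAMPLE_DIR/hosts.posted"
printf '%s\n' \
    '127.0.0.1 localhost' \
    '10.44.1.10 ry11citdc.ry11cit.lan ry11citdc' > "$SAMPLE_DIR/hosts.fixed"

echo "posted layout, derived domain: '$(derived_domain "$SAMPLE_DIR/hosts.posted" ry11citdc)'"
audit_hosts "$SAMPLE_DIR/hosts.posted" ry11citdc 10.44.1.10 || true
echo "fixed layout, derived domain: '$(derived_domain "$SAMPLE_DIR/hosts.fixed" ry11citdc)'"
audit_hosts "$SAMPLE_DIR/hosts.fixed" ry11citdc 10.44.1.10
```
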
Hello Louis,

thanks for the response. Yes, change on ry11citsdc, now hostname -d works correctly. Somewhere I saw the opposite entry. Thanks for the repair.

Samba-setup-checkup.sh follows:----------------------------------------------------

pi@ry11citsdc:~ $ bash /home/pi/Ry11/samba-setup-checkup.sh
Check hostnames : Ok
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 10.44.1.1 : Error
ping nameserver1: 10.44.1.9 : Ok
ping nameserver2: 10.44.1.10 : Ok
Check ping google dns : 8.8.8.8 : Error
Checking file owner..
-rw-r--r-- pi pi /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- pi pi /etc/samba/lmhosts
Checking file owner..
Missing file /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: Permission denied
Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
ERROR(ldb): uncaught exception - Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 438, in run
    credentials=creds, lp=lp)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 57, in __init__
    options=options)
  File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 72, in connect
    options=options)
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: Permission denied
Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
ERROR(ldb): uncaught exception - Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 438, in run
    credentials=creds, lp=lp)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 57, in __init__
    options=options)
  File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 72, in connect
    options=options)
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: Permission denied
Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
ERROR(ldb): uncaught exception - Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 438, in run
    credentials=creds, lp=lp)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 57, in __init__
    options=options)
  File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 72, in connect
    options=options)
DCS ry11citsdc.ry11cit.lan ry11citdc.ry11cit.lan
DC1 ry11citsdc.ry11cit.lan
DC2 ry11citdc.ry11cit.lan
Samba AD DC info: = detected (command and where to look)
This server hostname = ry11citsdc (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname) = ry11citsdc.ry11cit.lan (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = ry11cit.lan (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses) = 10.44.1.9 Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles = (samba-tool fsmo show)
The DC (with FSMO) Site name = (samba-tool fsmo show)
The Default Naming Context = (samba-tool fsmo show)
The Kerberos REALM name used = RY11CIT.LAN (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC ry11citsdc.ry11cit.lan = 10.44.1.9
The Ipadres of DC ry11citdc.ry11cit.lan = 10.44.1.10
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver

file samba-debug-info.txt:---------------------------------------------------------------------------------------------

an error occurred while running:

pi@ry11citsdc:~ $ bash /home/pi/Ry11/samba-collect-debug-info.sh
Please wait, collecting debug info.
ERROR(runtime): uncaught exception - (-1073741606, 'Configuration information could not be read from the domain controller, either because the machine is unavailable or access has been denied.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 812, in run
    self.creds = credopts.get_credentials(self.lp)
  File "/usr/lib/python2.7/dist-packages/samba/getopt.py", line 212, in get_credentials
    self.creds.set_machine_account(lp)
The debug info about your system can be found in this file: /tmp/samba-debug-info.txt

Collected config --- 2017-12-13-11:27 -----------

Hostname: ry11citsdc
DNS Domain: ry11cit.lan
FQDN: ry11citsdc.ry11cit.lan
ipaddress: 10.44.1.9

-----------
Samba is running as an AD DC

Checking file: /etc/os-release

PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

-----------
Warning, /etc/devuan_version does not exist

-----------
running command : ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:9d:64:eb brd ff:ff:ff:ff:ff:ff
    inet 10.44.1.9/16 brd 10.44.255.255 scope global eth0
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether b8:27:eb:c8:31:be brd ff:ff:ff:ff:ff:ff

-----------
Checking file: /etc/hosts

127.0.0.1 localhost.localdomain localhost
10.44.1.10 ry11citdc.ry11cit.lan ry11citdc
10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc

-----------
Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = RY11CIT.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true

-----------
Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat
group: compat
shadow: compat
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

-----------
Checking file: /etc/samba/smb.conf

# Global parameters
[global]
    netbios name = RY11CITSDC
    realm = RY11CIT.LAN
    server services = -dns
    workgroup = RY11CIT
    server role = active directory domain controller

[netlogon]
    path = /var/lib/samba/sysvol/ry11cit.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

-----------
No username map detected.

-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

-----------
Checking file: /etc/bind/named.conf.options

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; //======================================================================= // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys //======================================================================= dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { none; }; tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; }; ----------- Checking file: /etc/bind/named.conf.local // // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization //include "/etc/bind/zones.rfc1918"; ----------- Checking file: /etc/bind/named.conf.default-zones // prime the server with knowledge of the root servers zone "." { type hint; file "/etc/bind/db.root"; }; // be authoritative for the localhost forward and reverse zones, and for // broadcast zones as per RFC 1912 zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; ----------- Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr" ii acl 2.2.52-3 armhf Access control list utilities ii krb5-config 2.6 all Configuration files for Kerberos Version 5 ii krb5-user 1.15-1+deb9u1 armhf basic programs to authenticate using MIT Kerberos ii libacl1:armhf 2.2.52-3 armhf Access control list shared library ii libgssapi-krb5-2:armhf 1.15-1+deb9u1 armhf MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii libkrb5-3:armhf 1.15-1+deb9u1 armhf MIT Kerberos runtime libraries ii libkrb5support0:armhf 1.15-1+deb9u1 armhf MIT Kerberos runtime libraries - Support library ii libsmbclient:armhf 2:4.5.12+dfsg-2+deb9u1 armhf shared 
library for communication with SMB/CIFS servers ii libwbclient0:armhf 2:4.5.12+dfsg-2+deb9u1 armhf Samba winbind client library ii python-samba 2:4.5.12+dfsg-2+deb9u1 armhf Python bindings for Samba ii samba 2:4.5.12+dfsg-2+deb9u1 armhf SMB/CIFS file, print, and login server for Unix ii samba-common 2:4.5.12+dfsg-2+deb9u1 all common files used by both the Samba server and client ii samba-common-bin 2:4.5.12+dfsg-2+deb9u1 armhf Samba common files used by both the server and the client ii samba-dsdb-modules 2:4.5.12+dfsg-2+deb9u1 armhf Samba Directory Services Database ii samba-libs:armhf 2:4.5.12+dfsg-2+deb9u1 armhf Samba core libraries ii samba-vfs-modules 2:4.5.12+dfsg-2+deb9u1 armhf Samba Virtual FileSystem plugins ii smbclient 2:4.5.12+dfsg-2+deb9u1 armhf command-line SMB/CIFS clients for Unix ii winbind 2:4.5.12+dfsg-2+deb9u1 armhf service to resolve user and group information from Windows NT servers ----------- Thanks Jiri Knotek On 13. 12. 2017 10:52, L.P.H. van Belle via samba wrote: > Ow and.. > > Your hosts files are incorrect. > Layout should be : > ip hostname.fqdn hostname > > So this should be : >> 10.44.1.10 ry11citdc.ry11cit.lan ry11citdc >> 10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc > Reboot both servers after the change. > > > Greetz, > > Louis > > >> -----Original message----- >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of >> L.P.H. van Belle via samba >> Sent: Wednesday 13 December 2017 10:41 >> To: samba at lists.samba.org >> CC: Jiří Knotek >> Subject: Re: [Samba] Replication problems bdc to pdc >> >> Great you use my script :-) >> Now we know something is wrong, run this one. >> >> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh >> And post the content to the list, that helps a lot. 
>> >> Greetz, >> >> Louis >> >> >> >>> -----Original message----- >>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of >>> Jiří Knotek via samba >>> Sent: Wednesday 13 December 2017 10:14 >>> To: samba at lists.samba.org >>> Subject: Re: [Samba] Replication problems bdc to pdc >>> >>> Hello Rowland, >>> >>> thank you for advice. I reconfigure both AC-DCs again >>> with new data >>> and send updated data. Unfortunately, the result is the same. >>> I'm also >>> sending a listing from >>> >>> samba-setup-checkup.sh. >>> >>> * Linux: Raspbian, debian stretch lite >>> * Samba version 4.5.12-Debian >>> * DNS: BIND9_DLZ 9.10.x >>> * Installed packages: ntp ntpdate samba smbclient winbind >> libcups2 >>> samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user >>> >>> *root at ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citsdc >>> ry11citdc dc=ry11cit,dc=lan* >>> Replicate from ry11citdc to ry11citsdc was successful. >>> >>> *root at ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citdc >>> ry11citsdc dc=ry11cit,dc=lan* >>> ERROR(<class 'samba.drs_utils.drsException'>): >> DsReplicaSync failed - >>> drsException: DsReplicaSync failed (2, 'WERR_BADFILE') >>> File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line >>> 368, in run >>> drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, >>> source_dsa_guid, NC, req_options) >>> File >>> "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, >>> in sendDsReplicaSync >>> raise drsException("DsReplicaSync failed %s" % estr) >>> >>> >>> *root at ry11citdc:/home/pi/Ry11# bash samba-setup-checkup.sh* >>> Check hostnames : Mismatch in hostname definitions >>> please check : >>> HOST_NAME_SHORT: ry11citdc >>> HOST_NAME_DOMAIN: >>> HOST_NAME_FQDN: ry11citdc >>> HOST_IP1: 10.44.1.10 >>> HOST_IP2: Only one interface detected >>> HOST_GATEWAY: 10.44.1.1 >>> HOST_PRIMARY_INTERFACE: 10.44.1.1 >>> eth0 >>> HOST_RESOLV_DOMAIN: domain ry11cit.lan >>> 
HOST_RESOLV_SEARCH: search ry11cit.lan >>> HOST_RESOLV_NAMESERV1: 10.44.1.10 >>> HOST_RESOLV_NAMESERV2: 10.44.1.9 >>> HOST_RESOLV_NAMESERV3: >>> Possible error detected in /etc/hosts, mismatch FQDN and >> detected IP >>> 10.44.1.10 for the host. >>> expected was : 10.44.1.10 ry11citdc ry11citdc >>> Checking detected host ipnumbers from resolv.conf and >> default gateway >>> Ping gateway ip : 10.44.1.1 : Error >>> ping nameserver1: 10.44.1.10 : Ok >>> ping nameserver2: 10.44.1.9 : Ok >>> Check ping google dns : 8.8.8.8 : Error >>> Checking file owner.. >>> -rw-r--r-- pi pi /etc/samba/smb.conf >>> Checking file owner.. >>> -rw-r--r-- pi pi /etc/samba/lmhosts >>> Checking file owner.. >>> Missing file /etc/samba/smbpasswd >>> drwxr-xr-x root root /usr/bin >>> drwxr-xr-x root root /var/cache/samba >>> drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf >>> drwxr-xr-x root root /var/run/samba >>> drwxr-x--- root adm /var/log/samba >>> drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf/samba >>> drwxr-xr-x root root /var/run/samba >>> drwxr-xr-x root root /var/lib/samba/private >>> drwxr-xr-x root root /usr/sbin >>> drwxr-xr-x root root /var/lib/samba >>> DCS 2(SERVFAIL >>> DC1 2(SERVFAIL >>> DC2 >>> ERROR: Invalid IP address '2(SERVFAIL'! 
>>> Samba AD DC info: = detected (command and >> where to look) >>> This server hostname = ry11citdc (hostname -s and >> /etc/hosts >>> and DNS server) >>> This server FQDN (hostname) = ry11citdc (hostname -f and >> /etc/hosts >>> and DNS server) >>> This server primary dnsdomain = (hostname -d and >>> /etc/resolv.conf and >>> DNS server) >>> This server IP address(ses) = 10.44.1.10 Only one >>> interface detected >>> (hostname -i (-I) and /etc/networking/interfaces and DNS server >>> The DC with FSMO roles = RY11CITDC (samba-tool fsmo show) >>> The DC (with FSMO) Site name = Default-First-Site-Name >>> (samba-tool fsmo >>> show) >>> The Default Naming Context = DC=ry11cit,DC=lan (samba-tool >>> fsmo show) >>> The Kerberos REALM name used = RY11CIT.LAN (kinit and >>> /etc/krb5.conf >>> and resolving) >>> The Ipadres of DC 2(SERVFAIL = 2(SERVFAIL) >>> SAMBA_SERVER_ROLE: active directory domain controller >>> SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, >>> kdc, drepl, >>> winbindd, ntp_signd, kcc, dnsupdate >>> SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, >>> netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, >>> backupkey, dnsserver >>> >>> >>> *I did not come to the way the hostname -d command would return the >>> domain name. How can I do that? In addition, there are >> host, lmhost, >>> resolv.conf, and so on** >>> * >>> >>> Please help, I don 't know the advice. 
>>> >>> System integrator Jiří Knotek >>> >>> >>> "Primary" Active Directory Domain >>> Controller:---------------------------------------------------- >>> ----------------------------------------------- >>> >>> -------------------------------------------------------------- >>> -------------------------------------------------------------- >>> ------------------------- >>> >>> >>> hostname:----------------- >>> ry11citdc.ry11cit.lan >>> >>> hosts:--------------- >>> 127.0.0.1 localhost localhost.localdomain >>> 10.44.1.10 ry11citdc ry11citdc.ry11cit.lan >>> 10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan >>> >>> resolv.conf.head:------------------- >>> domain ry11cit.lan >>> search ry11cit.lan >>> >>> systemctl.conf"-------------------- >>> net.ipv4.ip_forward=1 >>> net.ipv6.conf.all.disable_ipv6=1 >>> >>> >>> >>> krb5.conf:------------ >>> >>> [libdefaults] >>> default_realm = RY11CIT.LAN >>> dns_lookup_realm = false >>> dns_lookup_kdc = true >>> >>> named.conf:------------------------ >>> >>> include "/etc/bind/named.conf.options"; >>> include "/etc/bind/named.conf.local"; >>> include "/etc/bind/named.conf.default-zones"; >>> include "/var/lib/samba/private/named.conf"; >>> >>> named.conf.options:----------------------- >>> >>> options { >>> directory "/var/cache/bind"; >>> >>> dnssec-validation auto; >>> >>> auth-nxdomain no; # conform to RFC1035 >>> listen-on-v6 { none; }; >>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; >>> }; >>> >>> lmhost:-------------------------- >>> 127.0.0.1 localhost >>> 10.44.1.10 ry11citdc >>> 10.44.1.9 ry11citsdc >>> >>> smb.conf:------------------------------ >>> >>> # Global parameters >>> [global] >>> netbios name = RY11CITDC >>> realm = RY11CIT.LAN >>> server services = -dns >>> workgroup = RY11CIT >>> server role = active directory domain controller >>> >>> [netlogon] >>> path = /var/lib/samba/sysvol/ry11cit.lan/scripts >>> read only = No >>> >>> [sysvol] >>> path = /var/lib/samba/sysvol >>> read only = No >>> >>> Samba 
Provision---------------: >>> >>> samba-tool domain provision --realm=RY11CIT.LAN >> --domain=RY11CIT >>> --server-role=dc --dns-backend=BIND9_DLZ --adminpass='.....' >>> >>> "Backup / Standby" Active Directory Domain >>> Controller:---------------------------------------------------- >>> ----------------------------------------------- >>> >>> >>> -------------------------------------------------------------- >>> -------------------------------------------------------------- >>> ------------------------- >>> >>> >>> hostname:----------------- >>> ry11citsdc.ry11cit.lan >>> >>> hosts:--------------- >>> 127.0.0.1 localhost localhost.localdomain >>> 10.44.1.10 ry11citdc ry11citdc.ry11cit.lan >>> 10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan >>> >>> resolv.conf.head:------------------- >>> domain ry11cit.lan >>> search ry11cit.lan >>> >>> systemctl.conf"-------------------- >>> net.ipv4.ip_forward=1 >>> net.ipv6.conf.all.disable_ipv6=1 >>> >>> >>> >>> krb5.conf:------------ >>> >>> [libdefaults] >>> default_realm = RY11CIT.LAN >>> dns_lookup_realm = false >>> dns_lookup_kdc = true >>> >>> named.conf:------------------------ >>> >>> include "/etc/bind/named.conf.options"; >>> include "/etc/bind/named.conf.local"; >>> include "/etc/bind/named.conf.default-zones"; >>> include "/var/lib/samba/private/named.conf"; >>> >>> named.conf.options:----------------------- >>> >>> options { >>> directory "/var/cache/bind"; >>> >>> dnssec-validation auto; >>> >>> auth-nxdomain no; # conform to RFC1035 >>> listen-on-v6 { none; }; >>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; >>> }; >>> >>> lmhost:-------------------------- >>> 127.0.0.1 localhost >>> 10.44.1.10 ry11citdc >>> 10.44.1.9 ry11citsdc >>> >>> smb.conf:------------------------------ >>> >>> # Global parameters >>> [global] >>> netbios name = RY11CITSDC >>> realm = RY11CIT.LAN >>> server services = -dns >>> workgroup = RY11CIT >>> server role = active directory domain controller >>> >>> [netlogon] >>> path = 
/var/lib/samba/sysvol/ry11cit.lan/scripts >>> read only = No >>> >>> [sysvol] >>> path = /var/lib/samba/sysvol >>> read only = No >>> >>> Samba join---------------: >>> >>> samba-tool domain join RY11CIT DC -Uadministrator >>> --realm=RY11CIT.LAN --dns-backend=BIND9_DLZ --adminpass='.....' >>> >>> >>> Thanks Jiri Knotek >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >> >> >
-- *Ing. Jiří Knotek* programmer *GEMA s.r.o. Automatizace technologických procesů* Doubravice 13, Pardubice 19, 53353 Tel: +420604570127 E-mail: jiri.knotek at gemapce.cz <mailto:jiri.knotek at gemapce.cz> Web: www.gemapce.cz <http://www.gemapce.cz/>
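
The fix discussed in this thread for the empty `hostname -d` is the `/etc/hosts` layout `ip hostname.fqdn hostname`. The following is an added example, not part of the messages or of the scripts they reference: it models only the `files` lookup from nsswitch.conf, where the first name on the matching line is the canonical name. The function names are hypothetical and the two samples are constructed from the hosts listings posted in the thread.

```shell
#!/bin/sh
# Added example. Models how the "files" source answers `hostname -f` and
# `hostname -d`: the FIRST name on the matching /etc/hosts line is canonical.
# Function names are hypothetical; DNS fallback is not modelled.

# Constructed from the hosts listings posted in the thread.
HOSTS_BEFORE='127.0.0.1 localhost localhost.localdomain
10.44.1.10 ry11citdc ry11citdc.ry11cit.lan
10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan'

HOSTS_AFTER='127.0.0.1 localhost.localdomain localhost
10.44.1.10 ry11citdc.ry11cit.lan ry11citdc
10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc'

# hosts_fqdn NAME   (hosts file on stdin)
# Prints the canonical name of the first line that lists NAME in any position.
hosts_fqdn() {
    awk -v want="$1" '
        { sub(/#.*/, "") }      # drop comments
        NF < 2 { next }         # need an address and at least one name
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) { print $2; exit }
        }'
}

# hosts_domain NAME   (hosts file on stdin)
# Prints everything after the first dot of the canonical name, or an empty
# line when the canonical name has no dot (the symptom seen in the thread).
hosts_domain() {
    fqdn=$(hosts_fqdn "$1")
    case "$fqdn" in
        *.*) printf '%s\n' "${fqdn#*.}" ;;
        *)   printf '\n' ;;
    esac
}

# check_dc_entry IP SHORT DOMAIN   (hosts file on stdin)
# Prints "ok" when the line for IP reads "IP SHORT.DOMAIN SHORT",
# otherwise the first problem found.
check_dc_entry() {
    awk -v ip="$1" -v short="$2" -v dom="$3" '
        { sub(/#.*/, "") }
        $1 != ip { next }
        {
            seen = 1
            if (tolower($2) != tolower(short "." dom))
                print "canonical name is \"" $2 "\", expected \"" short "." dom "\""
            else if (tolower($3) != tolower(short))
                print "short alias \"" short "\" missing after the FQDN"
            else
                print "ok"
            exit
        }
        END { if (!seen) print "no entry for " ip }'
}

# Compare both layouts for the first DC.
for label in before after; do
    case $label in
        before) hosts=$HOSTS_BEFORE ;;
        after)  hosts=$HOSTS_AFTER ;;
    esac
    printf '%s: fqdn=%s domain=%s check=%s\n' "$label" \
        "$(printf '%s\n' "$hosts" | hosts_fqdn ry11citdc)" \
        "$(printf '%s\n' "$hosts" | hosts_domain ry11citdc)" \
        "$(printf '%s\n' "$hosts" | check_dc_entry 10.44.1.10 ry11citdc ry11cit.lan)"
done
```

On a live DC the same check can read the real file, for example `check_dc_entry 10.44.1.10 ry11citdc ry11cit.lan < /etc/hosts`.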
Hai,

Both scripts were missing "run as root". I've updated the GitHub versions. Can you run these again, but as root or with sudo? And post the content again.

Greetz,

Louis

> -----Original message----- > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of > Jiří Knotek via samba > Sent: Wednesday 13 December 2017 11:36 > To: samba at lists.samba.org > Subject: Re: [Samba] Replication problems bdc to pdc > > Hallo Louis, > > thanks for the response. > > Yes, change on ry11citsdc, now hostname -d works correctly. > Somewhere I > saw the opposite entry. Thanks for the repair. Samba-setup-checkup.sh > follows:---------------------------------------------------- > > pi at ry11citsdc:~ $ bash /home/pi/Ry11/samba-setup-checkup.sh > Check hostnames : Ok > Checking detected host ipnumbers from resolv.conf and default gateway > Ping gateway ip : 10.44.1.1 : Error > ping nameserver1: 10.44.1.9 : Ok > ping nameserver2: 10.44.1.10 : Ok > Check ping google dns : 8.8.8.8 : Error > Checking file owner.. > -rw-r--r-- pi pi /etc/samba/smb.conf > Checking file owner.. > -rw-r--r-- pi pi /etc/samba/lmhosts > Checking file owner.. 
> Missing file /etc/samba/smbpasswd > drwxr-xr-x root root /usr/bin > drwxr-xr-x root root /var/cache/samba > drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf > drwxr-xr-x root root /var/run/samba > drwxr-x--- root adm /var/log/samba > drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf/samba > drwxr-xr-x root root /var/run/samba > drwxr-xr-x root root /var/lib/samba/private > drwxr-xr-x root root /usr/sbin > drwxr-xr-x root root /var/lib/samba > ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could > not open > file /var/lib/samba/private/sam.ldb: Permission denied > > Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied > Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' > with backend > 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': > Permission > denied > ERROR(ldb): uncaught exception - Unable to open tdb > '/var/lib/samba/private/sam.ldb': Permission denied > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line > 438, in run > credentials=creds, lp=lp) > File "/usr/lib/python2.7/dist-packages/samba/samdb.py", > line 57, in > __init__ > options=options) > File "/usr/lib/python2.7/dist-packages/samba/__init__.py", > line 115, > in __init__ > self.connect(url, flags, options) > File "/usr/lib/python2.7/dist-packages/samba/samdb.py", > line 72, in > connect > options=options) > ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could > not open > file /var/lib/samba/private/sam.ldb: Permission denied > > Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied > Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' > with backend > 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': > Permission > denied > ERROR(ldb): uncaught exception - Unable to open tdb > '/var/lib/samba/private/sam.ldb': Permission denied > File 
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line > 438, in run > credentials=creds, lp=lp) > File "/usr/lib/python2.7/dist-packages/samba/samdb.py", > line 57, in > __init__ > options=options) > File "/usr/lib/python2.7/dist-packages/samba/__init__.py", > line 115, > in __init__ > self.connect(url, flags, options) > File "/usr/lib/python2.7/dist-packages/samba/samdb.py", > line 72, in > connect > options=options) > ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could > not open > file /var/lib/samba/private/sam.ldb: Permission denied > > Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied > Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' > with backend > 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': > Permission > denied > ERROR(ldb): uncaught exception - Unable to open tdb > '/var/lib/samba/private/sam.ldb': Permission denied > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line > 438, in run > credentials=creds, lp=lp) > File "/usr/lib/python2.7/dist-packages/samba/samdb.py", > line 57, in > __init__ > options=options) > File "/usr/lib/python2.7/dist-packages/samba/__init__.py", > line 115, > in __init__ > self.connect(url, flags, options) > File "/usr/lib/python2.7/dist-packages/samba/samdb.py", > line 72, in > connect > options=options) > DCS ry11citsdc.ry11cit.lan > ry11citdc.ry11cit.lan > DC1 ry11citsdc.ry11cit.lan > DC2 ry11citdc.ry11cit.lan > Samba AD DC info: = detected (command and where to look) > This server hostname = ry11citsdc (hostname -s and > /etc/hosts > and DNS server) > This server FQDN (hostname) = ry11citsdc.ry11cit.lan > (hostname -f and > /etc/hosts and DNS server) > This server primary dnsdomain = ry11cit.lan 
(hostname -d and > /etc/resolv.conf and DNS server) > This server IP address(ses) = 10.44.1.9 Only one interface > detected > (hostname -i (-I) and /etc/networking/interfaces and DNS server > The DC with FSMO roles = (samba-tool fsmo show) > The DC (with FSMO) Site name = (samba-tool fsmo show) > The Default Naming Context = (samba-tool fsmo show) > The Kerberos REALM name used = RY11CIT.LAN (kinit and > /etc/krb5.conf > and resolving) > The Ipadres of DC ry11citsdc.ry11cit.lan = 10.44.1.9 > The Ipadres of DC ry11citdc.ry11cit.lan = 10.44.1.10 > SAMBA_SERVER_ROLE: active directory domain controller > SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, > kdc, drepl, > winbindd, ntp_signd, kcc, dnsupdate > SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, > netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, > backupkey, dnsserver > > > file > samba-debug-info.txt:----------------------------------------- > ---------------------------------------------------- > > an error occurred while running: > > pi at ry11citsdc:~ $ bash /home/pi/Ry11/samba-collect-debug-info.sh > Please wait, collecting debug info. 
> ERROR(runtime): uncaught exception - (-1073741606, 'Configuration > information could not be read from the domain controller, > either because > the machine is unavailable or access has been > d enied.') > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line > 812, in run > self.creds = credopts.get_credentials(self.lp) > File "/usr/lib/python2.7/dist-packages/samba/getopt.py", > line 212, in > get_credentials > self.creds.set_machine_account(lp) > The debug info about your system can be found in this file: > /tmp/samba-debug-info.txt > > > Collected config --- 2017-12-13-11:27 ----------- > > Hostname: ry11citsdc > DNS Domain: ry11cit.lan > FQDN: ry11citsdc.ry11cit.lan > ipaddress: 10.44.1.9 > > ----------- > Samba is running as an AD DC > Checking file: /etc/os-release > PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)" > NAME="Raspbian GNU/Linux" > VERSION_ID="9" > VERSION="9 (stretch)" > ID=raspbian > ID_LIKE=debian > HOME_URL="http://www.raspbian.org/" > SUPPORT_URL="http://www.raspbian.org/RaspbianForums" > BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs" > > ----------- > > Warning, /etc/devuan_version does not exist > > ----------- > running command : ip a > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN > group default qlen 1 > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > inet 127.0.0.1/8 scope host lo > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast > state UP group default qlen 1000 > link/ether b8:27:eb:9d:64:eb brd ff:ff:ff:ff:ff:ff > inet 10.44.1.9/16 brd 10.44.255.255 scope global eth0 > 3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc > pfifo_fast > state DOWN group default qlen 1000 > link/ether b8:27:eb:c8:31:be brd ff:ff:ff:ff:ff:ff > ----------- > Checking file: /etc/hosts > 127.0.0.1 localhost.localdomain localhost > 10.44.1.10 
ry11citdc.ry11cit.lan ry11citdc > 10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc > > ----------- > Checking file: /etc/krb5.conf > [libdefaults] > default_realm = RY11CIT.LAN > dns_lookup_realm = false > dns_lookup_kdc = true > > ----------- > Checking file: /etc/nsswitch.conf > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages > installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: compat > group: compat > shadow: compat > gshadow: files > > hosts: files mdns4_minimal [NOTFOUND=return] dns > networks: files > > protocols: db files > services: db files > ethers: db files > rpc: db files > > netgroup: nis > > ----------- > Checking file: /etc/samba/smb.conf > # Global parameters > [global] > netbios name = RY11CITSDC > realm = RY11CIT.LAN > server services = -dns > workgroup = RY11CIT > server role = active directory domain controller > > [netlogon] > path = /var/lib/samba/sysvol/ry11cit.lan/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > ----------- > No username map detected. > > ----------- > Detected bind DLZ enabled.. > Checking file: /etc/bind/named.conf > // This is the primary configuration file for the BIND DNS > server named. > // > // Please read /usr/share/doc/bind9/README.Debian.gz for > information on the > // structure of BIND configuration files in Debian, *BEFORE* > you customize > // this configuration file. 
> // > // If you are just adding zones, please do that in > /etc/bind/named.conf.local > > include "/etc/bind/named.conf.options"; > include "/etc/bind/named.conf.local"; > include "/etc/bind/named.conf.default-zones"; > include "/var/lib/samba/private/named.conf"; > > ----------- > Checking file: /etc/bind/named.conf.options > options { > directory "/var/cache/bind"; > > // If there is a firewall between you and nameservers you want > // to talk to, you may need to fix the firewall to allow multiple > // ports to talk. See http://www.kb.cert.org/vuls/id/800113 > > // If your ISP provided one or more IP addresses for stable > // nameservers, you probably want to use them as forwarders. > // Uncomment the following block, and insert the > addresses replacing > // the all-0's placeholder. > > // forwarders { > // 0.0.0.0; > // }; > > //===========================================================> ===========> // If BIND logs error messages about the root key being expired, > // you will need to update your keys. See > https://www.isc.org/bind-keys > //===========================================================> ===========> dnssec-validation auto; > > auth-nxdomain no; # conform to RFC1035 > listen-on-v6 { none; }; > tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; > }; > > > ----------- > Checking file: /etc/bind/named.conf.local > // > // Do any local configuration here > // > > // Consider adding the 1918 zones here, if they are not used in your > // organization > //include "/etc/bind/zones.rfc1918"; > > > ----------- > Checking file: /etc/bind/named.conf.default-zones > // prime the server with knowledge of the root servers > zone "." 
{ > type hint; > file "/etc/bind/db.root"; > }; > > // be authoritative for the localhost forward and reverse > zones, and for > // broadcast zones as per RFC 1912 > > zone "localhost" { > type master; > file "/etc/bind/db.local"; > }; > > zone "127.in-addr.arpa" { > type master; > file "/etc/bind/db.127"; > }; > > zone "0.in-addr.arpa" { > type master; > file "/etc/bind/db.0"; > }; > > zone "255.in-addr.arpa" { > type master; > file "/etc/bind/db.255"; > }; > > > > ----------- > > Installed packages, running: dpkg -l | egrep > "samba|winbind|krb5|smb|acl|xattr" > ii acl 2.2.52-3 armhf Access control list > utilities > ii krb5-config 2.6 all > Configuration > files for Kerberos Version 5 > ii krb5-user 1.15-1+deb9u1 armhf basic > programs > to authenticate using MIT Kerberos > ii libacl1:armhf 2.2.52-3 armhf Access > control list shared library > ii libgssapi-krb5-2:armhf 1.15-1+deb9u1 armhf > MIT > Kerberos runtime libraries - krb5 GSS-API Mechanism > ii libkrb5-3:armhf 1.15-1+deb9u1 armhf MIT > Kerberos runtime libraries > ii libkrb5support0:armhf 1.15-1+deb9u1 armhf > MIT > Kerberos runtime libraries - Support library > ii libsmbclient:armhf 2:4.5.12+dfsg-2+deb9u1 armhf > shared > library for communication with SMB/CIFS servers > ii libwbclient0:armhf 2:4.5.12+dfsg-2+deb9u1 armhf > Samba > winbind client library > ii python-samba 2:4.5.12+dfsg-2+deb9u1 armhf Python > bindings for Samba > ii samba 2:4.5.12+dfsg-2+deb9u1 armhf SMB/CIFS file, > print, and login server for Unix > ii samba-common 2:4.5.12+dfsg-2+deb9u1 all > common files > used by both the Samba server and client > ii samba-common-bin 2:4.5.12+dfsg-2+deb9u1 armhf Samba > common files used by both the server and the client > ii samba-dsdb-modules 2:4.5.12+dfsg-2+deb9u1 armhf > Samba > Directory Services Database > ii samba-libs:armhf 2:4.5.12+dfsg-2+deb9u1 armhf Samba > core libraries > ii samba-vfs-modules 2:4.5.12+dfsg-2+deb9u1 armhf Samba > Virtual FileSystem plugins > ii smbclient 
2:4.5.12+dfsg-2+deb9u1 armhf command-line > SMB/CIFS clients for Unix > ii winbind 2:4.5.12+dfsg-2+deb9u1 armhf service > to resolve > user and group information from Windows NT servers > ----------- > > Thanks Jiri Knotek > > > On 13. 12. 2017 10:52, L.P.H. van Belle via samba wrote: > > Ow and.. > > > > Your hosts files are incorrect. > > Layout should be : > > ip hostname.fqdn hostname > > > > So this should be : > >> 10.44.1.10 ry11citdc.ry11cit.lan ry11citdc > >> 10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc > > Reboot both servers after the change. > > > > > > Greetz, > > > > Louis > > > > > >> -----Original message----- > >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of > >> L.P.H. van Belle via samba > >> Sent: Wednesday 13 December 2017 10:41 > >> To: samba at lists.samba.org > >> CC: Jiří Knotek > >> Subject: Re: [Samba] Replication problems bdc to pdc > >> > >> Great you use my script :-) > >> Now we know something is wrong, run this one. > >> > >> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh > >> And post the content to the list, that helps a lot. > >> > >> Greetz, > >> > >> Louis > >> > >> > >> > >>> -----Original message----- > >>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of > >>> Jiří Knotek via samba > >>> Sent: Wednesday 13 December 2017 10:14 > >>> To: samba at lists.samba.org > >>> Subject: Re: [Samba] Replication problems bdc to pdc > >>> > >>> Hello Rowland, > >>> > >>> thank you for advice. I reconfigure both AC-DCs again > >>> with new data > >>> and send updated data. Unfortunately, the result is the same. > >>> I'm also > >>> sending a listing from > >>> > >>> samba-setup-checkup.sh. 
> >>> > >>> * Linux: Raspbian, debian stretch lite > >>> * Samba version 4.5.12-Debian > >>> * DNS: BIND9_DLZ 9.10.x > >>> * Installed packages: ntp ntpdate samba smbclient winbind > >> libcups2 > >>> samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user > >>> > >>> *root at ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citsdc > >>> ry11citdc dc=ry11cit,dc=lan* > >>> Replicate from ry11citdc to ry11citsdc was successful. > >>> > >>> *root at ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citdc > >>> ry11citsdc dc=ry11cit,dc=lan* > >>> ERROR(<class 'samba.drs_utils.drsException'>): > >> DsReplicaSync failed - > >>> drsException: DsReplicaSync failed (2, 'WERR_BADFILE') > >>> File > >> "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line > >>> 368, in run > >>> drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, > >>> source_dsa_guid, NC, req_options) > >>> File > >>> "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, > >>> in sendDsReplicaSync > >>> raise drsException("DsReplicaSync failed %s" % estr) > >>> > >>> > >>> *root at ry11citdc:/home/pi/Ry11# bash samba-setup-checkup.sh* > >>> Check hostnames : Mismatch in hostname definitions > >>> please check : > >>> HOST_NAME_SHORT: ry11citdc > >>> HOST_NAME_DOMAIN: > >>> HOST_NAME_FQDN: ry11citdc > >>> HOST_IP1: 10.44.1.10 > >>> HOST_IP2: Only one interface detected > >>> HOST_GATEWAY: 10.44.1.1 > >>> HOST_PRIMARY_INTERFACE: 10.44.1.1 > >>> eth0 > >>> HOST_RESOLV_DOMAIN: domain ry11cit.lan > >>> HOST_RESOLV_SEARCH: search ry11cit.lan > >>> HOST_RESOLV_NAMESERV1: 10.44.1.10 > >>> HOST_RESOLV_NAMESERV2: 10.44.1.9 > >>> HOST_RESOLV_NAMESERV3: > >>> Possible error detected in /etc/hosts, mismatch FQDN and > >> detected IP > >>> 10.44.1.10 for the host. 
> >>> expected was : 10.44.1.10 ry11citdc ry11citdc > >>> Checking detected host ipnumbers from resolv.conf and > >> default gateway > >>> Ping gateway ip : 10.44.1.1 : Error > >>> ping nameserver1: 10.44.1.10 : Ok > >>> ping nameserver2: 10.44.1.9 : Ok > >>> Check ping google dns : 8.8.8.8 : Error > >>> Checking file owner.. > >>> -rw-r--r-- pi pi /etc/samba/smb.conf > >>> Checking file owner.. > >>> -rw-r--r-- pi pi /etc/samba/lmhosts > >>> Checking file owner.. > >>> Missing file /etc/samba/smbpasswd > >>> drwxr-xr-x root root /usr/bin > >>> drwxr-xr-x root root /var/cache/samba > >>> drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf > >>> drwxr-xr-x root root /var/run/samba > >>> drwxr-x--- root adm /var/log/samba > >>> drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf/samba > >>> drwxr-xr-x root root /var/run/samba > >>> drwxr-xr-x root root /var/lib/samba/private > >>> drwxr-xr-x root root /usr/sbin > >>> drwxr-xr-x root root /var/lib/samba > >>> DCS 2(SERVFAIL > >>> DC1 2(SERVFAIL > >>> DC2 > >>> ERROR: Invalid IP address '2(SERVFAIL'! 
> >>> Samba AD DC info: = detected (command and > >> where to look) > >>> This server hostname = ry11citdc (hostname -s and > >> /etc/hosts > >>> and DNS server) > >>> This server FQDN (hostname) = ry11citdc (hostname -f and > >> /etc/hosts > >>> and DNS server) > >>> This server primary dnsdomain = (hostname -d and > >>> /etc/resolv.conf and > >>> DNS server) > >>> This server IP address(ses) = 10.44.1.10 Only one > >>> interface detected > >>> (hostname -i (-I) and /etc/networking/interfaces and DNS server > >>> The DC with FSMO roles = RY11CITDC (samba-tool fsmo show) > >>> The DC (with FSMO) Site name = Default-First-Site-Name > >>> (samba-tool fsmo > >>> show) > >>> The Default Naming Context = DC=ry11cit,DC=lan (samba-tool > >>> fsmo show) > >>> The Kerberos REALM name used = RY11CIT.LAN (kinit and > >>> /etc/krb5.conf > >>> and resolving) > >>> The Ipadres of DC 2(SERVFAIL = 2(SERVFAIL) > >>> SAMBA_SERVER_ROLE: active directory domain controller > >>> SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, > >>> kdc, drepl, > >>> winbindd, ntp_signd, kcc, dnsupdate > >>> SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, > >>> netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, > >>> backupkey, dnsserver > >>> > >>> > >>> *I did not come to the way the hostname -d command would > return the > >>> domain name. How can I do that? In addition, there are > >> host, lmhost, > >>> resolv.conf, and so on** > >>> * > >>> > >>> Please help, I don 't know the advice. 
> >>> > >>> System integrator Jiří Knotek > >>> > >>> > >>> "Primary" Active Directory Domain > >>> Controler:---------------------------------------------------- > >>> ----------------------------------------------- > >>> > >>> -------------------------------------------------------------- > >>> -------------------------------------------------------------- > >>> ------------------------- > >>> > >>> > >>> hostname:----------------- > >>> ry11citdc.ry11cit.lan > >>> > >>> hosts:--------------- > >>> 127.0.0.1 localhost localhost.localdomain > >>> 10.44.1.10 ry11citdc ry11citdc.ry11cit.lan > >>> 10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan > >>> > >>> resolv.conf.head:------------------- > >>> domain ry11cit.lan > >>> search ry11cit.lan > >>> > >>> systemctl.conf"-------------------- > >>> net.ipv4.ip_forward=1 > >>> net.ipv6.conf.all.disable_ipv6=1 > >>> > >>> > >>> > >>> krb5.conf:------------ > >>> > >>> [libdefaults] > >>> default_realm = RY11CIT.LAN > >>> dns_lookup_realm = false > >>> dns_lookup_kdc = true > >>> > >>> named.conf:------------------------ > >>> > >>> include "/etc/bind/named.conf.options"; > >>> include "/etc/bind/named.conf.local"; > >>> include "/etc/bind/named.conf.default-zones"; > >>> include "/var/lib/samba/private/named.conf"; > >>> > >>> named.conf.options:----------------------- > >>> > >>> options { > >>> directory "/var/cache/bind"; > >>> > >>> dnssec-validation auto; > >>> > >>> auth-nxdomain no; # conform to RFC1035 > >>> listen-on-v6 { none; }; > >>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; > >>> }; > >>> > >>> lmhost:-------------------------- > >>> 127.0.0.1 localhost > >>> 10.44.1.10 ry11citdc > >>> 10.44.1.9 ry11citsdc > >>> > >>> smb.conf:------------------------------ > >>> > >>> # Global parameters > >>> [global] > >>> netbios name = RY11CITDC > >>> realm = RY11CIT.LAN > >>> server services = -dns > >>> workgroup = RY11CIT > >>> server role = active directory domain controller > >>> > >>> [netlogon] > >>>
path = /var/lib/samba/sysvol/ry11cit.lan/scripts > >>> read only = No > >>> > >>> [sysvol] > >>> path = /var/lib/samba/sysvol > >>> read only = No > >>> > >>> Samba Provision---------------: > >>> > >>> samba-tool domain provision --realm=RY11CIT.LAN > >> --domain=RY11CIT > >>> --server-role=dc --dns-backend=BIND9_DLZ --adminpass='.....' > >>> > >>> "Backup / Standby" Active Directory Domain > >>> Controler:---------------------------------------------------- > >>> ----------------------------------------------- > >>> > >>> > >>> -------------------------------------------------------------- > >>> -------------------------------------------------------------- > >>> ------------------------- > >>> > >>> > >>> hostname:----------------- > >>> ry11citsdc.ry11cit.lan > >>> > >>> hosts:--------------- > >>> 127.0.0.1 localhost localhost.localdomain > >>> 10.44.1.10 ry11citdc ry11citdc.ry11cit.lan > >>> 10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan > >>> > >>> resolv.conf.head:------------------- > >>> domain ry11cit.lan > >>> search ry11cit.lan > >>> > >>> systemctl.conf"-------------------- > >>> net.ipv4.ip_forward=1 > >>> net.ipv6.conf.all.disable_ipv6=1 > >>> > >>> > >>> > >>> krb5.conf:------------ > >>> > >>> [libdefaults] > >>> default_realm = RY11CIT.LAN > >>> dns_lookup_realm = false > >>> dns_lookup_kdc = true > >>> > >>> named.conf:------------------------ > >>> > >>> include "/etc/bind/named.conf.options"; > >>> include "/etc/bind/named.conf.local"; > >>> include "/etc/bind/named.conf.default-zones"; > >>> include "/var/lib/samba/private/named.conf"; > >>> > >>> named.conf.options:----------------------- > >>> > >>> options { > >>> directory "/var/cache/bind"; > >>> > >>> dnssec-validation auto; > >>> > >>> auth-nxdomain no; # conform to RFC1035 > >>> listen-on-v6 { none; }; > >>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; > >>> }; > >>> > >>> lmhost:-------------------------- > >>> 127.0.0.1 localhost > >>> 10.44.1.10 ry11citdc > >>> 10.44.1.9 
ry11citsdc > >>> > >>> smb.conf:------------------------------ > >>> > >>> # Global parameters > >>> [global] > >>> netbios name = RY11CITSDC > >>> realm = RY11CIT.LAN > >>> server services = -dns > >>> workgroup = RY11CIT > >>> server role = active directory domain controller > >>> > >>> [netlogon] > >>> path = /var/lib/samba/sysvol/ry11cit.lan/scripts > >>> read only = No > >>> > >>> [sysvol] > >>> path = /var/lib/samba/sysvol > >>> read only = No > >>> > >>> Samba join---------------: > >>> > >>> samba-tool domain join RY11CIT DC -Uadministrator > >>> --realm=RY11CIT.LAN --dns-backend=BIND9_DLZ --adminpass='.....' > >>> > >>> > >>> Thanks Jiri Knotek > >>> > >>> > >>> -- > >>> To unsubscribe from this list go to the following URL and read the > >>> instructions: https://lists.samba.org/mailman/options/samba > >>> > >>> > >> > >> > > > > -- > > *Ing. Jiří Knotek* > programmer > > *GEMA s.r.o. Automatizace technologických procesů* > > Doubravice 13, Pardubice 19, 53353 > Tel: +420604570127 > E-mail: jiri.knotek at gemapce.cz <mailto:jiri.knotek at gemapce.cz> > Web: www.gemapce.cz <http://www.gemapce.cz/> > >
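The layout Louis gives above (`ip hostname.fqdn hostname`) is also what decides the `hostname -d` result asked about in the thread: with `files` first in nsswitch.conf, the first name on the matching /etc/hosts line is taken as the canonical name, and the DNS domain is whatever follows its first dot. The sketch below is an added example, not part of the original thread or of samba-setup-checkup.sh; the function names are hypothetical and the two sample hosts files are constructed from the values posted in the thread.

```shell
#!/bin/sh
# Simplified model of the /etc/hosts ("files") lookup behind
# hostname -f and hostname -d. Assumption: no DNS fallback is modelled.

# canonical_name HOSTS_FILE NAME
# Print the first name on the first line that lists NAME (as name or alias).
canonical_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                 # drop comments
        NF < 2 { next }                    # need at least "ip name"
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) { print $2; exit }
        }
    ' "$1"
}

# dns_domain HOSTS_FILE NAME
# Print the part of the canonical name after the first dot (empty if none).
dns_domain() {
    cn=$(canonical_name "$1" "$2")
    case "$cn" in
        *.*) printf '%s\n' "${cn#*.}" ;;
        *)   printf '\n' ;;
    esac
}

# check_hosts_layout HOSTS_FILE
# Report non-loopback lines that are not "ip fqdn shortname"; exit 1 if any.
check_hosts_layout() {
    awk '
        { sub(/#.*/, "") }
        NF < 2 { next }
        $1 ~ /^127\./ || $1 == "::1" { next }
        {
            if ($2 !~ /\./) {
                printf "line %d: first name \"%s\" is not an FQDN\n", NR, $2
                bad = 1
                next
            }
            short = $2
            sub(/\..*/, "", short)
            if (NF < 3 || $3 != short) {
                printf "line %d: expected alias \"%s\" after \"%s\"\n", NR, short, $2
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample data: the hosts file as first posted, and the corrected layout.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

cat > "$workdir/hosts.before" <<'EOF'
127.0.0.1 localhost localhost.localdomain
10.44.1.10 ry11citdc ry11citdc.ry11cit.lan
10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan
EOF

cat > "$workdir/hosts.after" <<'EOF'
127.0.0.1 localhost
10.44.1.10 ry11citdc.ry11cit.lan ry11citdc
10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc
EOF

for f in before after; do
    printf 'hosts.%s: domain for ry11citdc = "%s"\n' \
        "$f" "$(dns_domain "$workdir/hosts.$f" ry11citdc)"
    check_hosts_layout "$workdir/hosts.$f" || true
done
```

On a live DC, point `check_hosts_layout` at /etc/hosts and compare the result with `hostname -f` and `hostname -d`.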
Hello Rowland, See inline comments: If I did not make a mistake somewhere, it's even worse. Additionally, replication does not work ry11citdc to ry11citsdc executed from ry11citdc: --------------------------------------------------------------------------------------------------------------- root at ry11citdc:~# samba-tool drs replicate ry11citsdc ry11citdc dc=ry11cit,dc=lan ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to ry11citsdc failed - drsException: DRS connection to ry11citsdc failed: (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.') File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds) File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect raise drsException("DRS connection to %s failed: %s" % (server, e)) ---------------------------------------------------------------------------------------------------------------- root at ry11citdc:~# bash /home/pi/Ry11/samba-setup-checkup.sh /home/pi/Ry11/samba-setup-checkup.sh: line 134: HOST_: command not found Check hostnames : Ok Checking detected host ipnumbers from resolv.conf and default gateway Ping gateway ip : 10.44.1.1 : Error Warning, no ping to gateway, this might be firewalled. check you internet connection, AD DNS might need it. ping nameserver1: 10.44.1.10 : Ok Check ping google dns : 8.8.8.8 : Error Warning, no ping to internet dns 8.8.8.8, this might be firewalled. Check you internet connection, AD DNS might need it. Checking file owner.. -rw-r--r-- pi pi /etc/samba/smb.conf Checking file owner.. Missing file /etc/samba/lmhosts Checking file owner.. 
Missing file /etc/samba/smbpasswd drwxr-xr-x root root /usr/bin drwxr-xr-x root root /var/cache/samba drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf drwxr-xr-x root root /var/run/samba drwxr-x--- root adm /var/log/samba drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf/samba drwxr-xr-x root root /var/run/samba drwxr-xr-x root root /var/lib/samba/private drwxr-xr-x root root /usr/sbin drwxr-xr-x root root /var/lib/samba DCS ry11citdc.ry11cit.lan DC1 ry11citdc.ry11cit.lan DC2 Samba AD DC info: = detected (command and where to look) This server hostname = ry11citdc (hostname -s and /etc/hosts and DNS server) This server FQDN (hostname) = ry11citdc.ry11cit.lan (hostname -f and /etc/hosts and DNS server) This server primary dnsdomain = ry11cit.lan (hostname -d and /etc/resolv.conf and DNS server) This server IP address(ses) = 10.44.1.10 Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server The DC with FSMO roles = RY11CITDC (samba-tool fsmo show) The DC (with FSMO) Site name = Default-First-Site-Name (samba-tool fsmo show) The Default Naming Context = DC=ry11cit,DC=lan (samba-tool fsmo show) The Kerberos REALM name used = RY11CIT.LAN (kinit and /etc/krb5.conf and resolving) The Ipadres of DC ry11citdc.ry11cit.lan = 10.44.1.10 SAMBA_SERVER_ROLE: active directory domain controller SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver ---------------------------------------------------------------------------------------------------------------------- Collected config --- 2017-12-13-15:16 ----------- Hostname: ry11citdc DNS Domain: ry11cit.lan FQDN: ry11citdc.ry11cit.lan ipaddress: 10.44.1.10 ----------- Samba is running as an AD DC Checking file: /etc/os-release PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)" NAME="Raspbian GNU/Linux" 
VERSION_ID="9" VERSION="9 (stretch)" ID=raspbian ID_LIKE=debian HOME_URL="http://www.raspbian.org/" SUPPORT_URL="http://www.raspbian.org/RaspbianForums" BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs" ----------- Warning, /etc/devuan_version does not exist ----------- running command : ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether b8:27:eb:69:ac:e4 brd ff:ff:ff:ff:ff:ff inet 10.44.1.10/16 brd 10.44.255.255 scope global eth0 ----------- Checking file: /etc/hosts 127.0.0.1 localhost 10.44.1.10 ry11citdc.ry11cit.lan ry11citdc ----------- Checking file: /etc/krb5.conf [libdefaults] default_realm = RY11CIT.LAN dns_lookup_realm = false dns_lookup_kdc = true ----------- Checking file: /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat winbind group: compat winbind shadow: compat gshadow: files hosts: files dns mdns4_minimal [NOTFOUND=return] networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis ----------- Checking file: /etc/samba/smb.conf # Global parameters [global] netbios name = RY11CITDC realm = RY11CIT.LAN server services = -dns workgroup = RY11CIT server role = active directory domain controller [netlogon] path = /var/lib/samba/sysvol/ry11cit.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ----------- No username map detected. ----------- Detected bind DLZ enabled.. Checking file: /etc/bind/named.conf // This is the primary configuration file for the BIND DNS server named. 
// // Please read /usr/share/doc/bind9/README.Debian.gz for information on the // structure of BIND configuration files in Debian, *BEFORE* you customize // this configuration file. // // If you are just adding zones, please do that in /etc/bind/named.conf.local include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones"; include "/var/lib/samba/private/named.conf"; ----------- Checking file: /etc/bind/named.conf.options options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; //======================================================================= // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys //======================================================================= dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { none; }; tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; }; ----------- Checking file: /etc/bind/named.conf.local // // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization //include "/etc/bind/zones.rfc1918"; ----------- Checking file: /etc/bind/named.conf.default-zones // prime the server with knowledge of the root servers zone "." 
{ type hint; file "/etc/bind/db.root"; }; // be authoritative for the localhost forward and reverse zones, and for // broadcast zones as per RFC 1912 zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; ----------- Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr" ii acl 2.2.52-3 armhf Access control list utilities ii krb5-config 2.6 all Configuration files for Kerberos Version 5 ii krb5-user 1.15-1+deb9u1 armhf basic programs to authenticate using MIT Kerberos ii libacl1:armhf 2.2.52-3 armhf Access control list shared library ii libgssapi-krb5-2:armhf 1.15-1+deb9u1 armhf MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii libkrb5-3:armhf 1.15-1+deb9u1 armhf MIT Kerberos runtime libraries ii libkrb5support0:armhf 1.15-1+deb9u1 armhf MIT Kerberos runtime libraries - Support library ii libsmbclient:armhf 2:4.5.12+dfsg-2+deb9u1 armhf shared library for communication with SMB/CIFS servers ii libwbclient0:armhf 2:4.5.12+dfsg-2+deb9u1 armhf Samba winbind client library ii python-samba 2:4.5.12+dfsg-2+deb9u1 armhf Python bindings for Samba ii samba 2:4.5.12+dfsg-2+deb9u1 armhf SMB/CIFS file, print, and login server for Unix ii samba-common 2:4.5.12+dfsg-2+deb9u1 all common files used by both the Samba server and client ii samba-common-bin 2:4.5.12+dfsg-2+deb9u1 armhf Samba common files used by both the server and the client ii samba-dsdb-modules 2:4.5.12+dfsg-2+deb9u1 armhf Samba Directory Services Database ii samba-libs:armhf 2:4.5.12+dfsg-2+deb9u1 armhf Samba core libraries ii samba-vfs-modules 2:4.5.12+dfsg-2+deb9u1 armhf Samba Virtual FileSystem plugins ii smbclient 2:4.5.12+dfsg-2+deb9u1 armhf command-line SMB/CIFS clients for Unix ii winbind 2:4.5.12+dfsg-2+deb9u1 armhf service to resolve user and group information from Windows 
NT servers ----------- RY11CITSDC: --------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------- root at ry11citsdc:~# samba-tool drs replicate ry11citdc ry11citsdc dc=ry11cit,dc=lan ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE') File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options) File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync raise drsException("DsReplicaSync failed %s" % estr) ------------------------------------------------------------------------------------------------------------------- root at ry11citsdc:~# bash /home/pi/Ry11/samba-setup-checkup.sh /home/pi/Ry11/samba-setup-checkup.sh: line 134: HOST_: command not found Check hostnames : Ok Checking detected host ipnumbers from resolv.conf and default gateway Ping gateway ip : 10.44.1.1 : Error Warning, no ping to gateway, this might be firewalled. check you internet connection, AD DNS might need it. ping nameserver1: 10.44.1.9 : Ok Check ping google dns : 8.8.8.8 : Error Warning, no ping to internet dns 8.8.8.8, this might be firewalled. Check you internet connection, AD DNS might need it. Checking file owner.. -rw-r--r-- pi pi /etc/samba/smb.conf Checking file owner.. Missing file /etc/samba/lmhosts Checking file owner.. 
Missing file /etc/samba/smbpasswd drwxr-xr-x root root /usr/bin drwxr-xr-x root root /var/cache/samba drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf drwxr-xr-x root root /var/run/samba drwxr-x--- root adm /var/log/samba drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf/samba drwxr-xr-x root root /var/run/samba drwxr-xr-x root root /var/lib/samba/private drwxr-xr-x root root /usr/sbin drwxr-xr-x root root /var/lib/samba DCS ry11citsdc.ry11cit.lan ry11citdc.ry11cit.lan DC1 ry11citsdc.ry11cit.lan DC2 ry11citdc.ry11cit.lan Samba AD DC info: = detected (command and where to look) This server hostname = ry11citsdc (hostname -s and /etc/hosts and DNS server) This server FQDN (hostname) = ry11citsdc.ry11cit.lan (hostname -f and /etc/hosts and DNS server) This server primary dnsdomain = ry11cit.lan (hostname -d and /etc/resolv.conf and DNS server) This server IP address(ses) = 10.44.1.9 Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server The DC with FSMO roles = RY11CITDC (samba-tool fsmo show) The DC (with FSMO) Site name = Default-First-Site-Name (samba-tool fsmo show) The Default Naming Context = DC=ry11cit,DC=lan (samba-tool fsmo show) The Kerberos REALM name used = RY11CIT.LAN (kinit and /etc/krb5.conf and resolving) The Ipadres of DC ry11citsdc.ry11cit.lan = 10.44.1.9 The Ipadres of DC ry11citdc.ry11cit.lan = 10.44.1.10 SAMBA_SERVER_ROLE: active directory domain controller SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver ----------------------------------------------------------------------------------------------------------------------- Collected config --- 2017-12-13-15:22 ----------- Hostname: ry11citsdc DNS Domain: ry11cit.lan FQDN: ry11citsdc.ry11cit.lan ipaddress: 10.44.1.9 ----------- Samba is running as an AD DC 
Checking file: /etc/os-release PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)" NAME="Raspbian GNU/Linux" VERSION_ID="9" VERSION="9 (stretch)" ID=raspbian ID_LIKE=debian HOME_URL="http://www.raspbian.org/" SUPPORT_URL="http://www.raspbian.org/RaspbianForums" BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs" ----------- Warning, /etc/devuan_version does not exist ----------- running command : ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether b8:27:eb:9d:64:eb brd ff:ff:ff:ff:ff:ff inet 10.44.1.9/16 brd 10.44.255.255 scope global eth0 3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000 link/ether b8:27:eb:c8:31:be brd ff:ff:ff:ff:ff:ff ----------- Checking file: /etc/hosts 127.0.0.1 localhost 10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc ----------- Checking file: /etc/krb5.conf [libdefaults] default_realm = RY11CIT.LAN dns_lookup_realm = false dns_lookup_kdc = true ----------- Checking file: /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. 
passwd: compat winbind group: compat winbind shadow: compat gshadow: files hosts: files dns mdns4_minimal [NOTFOUND=return] networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis ----------- Checking file: /etc/samba/smb.conf # Global parameters [global] netbios name = RY11CITSDC realm = RY11CIT.LAN server services = -dns workgroup = RY11CIT server role = active directory domain controller [netlogon] path = /var/lib/samba/sysvol/ry11cit.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ----------- No username map detected. ----------- Detected bind DLZ enabled.. Checking file: /etc/bind/named.conf // This is the primary configuration file for the BIND DNS server named. // // Please read /usr/share/doc/bind9/README.Debian.gz for information on the // structure of BIND configuration files in Debian, *BEFORE* you customize // this configuration file. // // If you are just adding zones, please do that in /etc/bind/named.conf.local include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones"; include "/var/lib/samba/private/named.conf"; ----------- Checking file: /etc/bind/named.conf.options options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; //======================================================================= // If BIND logs error messages about the root key being expired, // you will need to update your keys. 
See https://www.isc.org/bind-keys //======================================================================= dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { none; }; tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; }; ----------- Checking file: /etc/bind/named.conf.local // // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization //include "/etc/bind/zones.rfc1918"; ----------- Checking file: /etc/bind/named.conf.default-zones // prime the server with knowledge of the root servers zone "." { type hint; file "/etc/bind/db.root"; }; // be authoritative for the localhost forward and reverse zones, and for // broadcast zones as per RFC 1912 zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; ----------- Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr" ii acl 2.2.52-3 armhf Access control list utilities ii krb5-config 2.6 all Configuration files for Kerberos Version 5 ii krb5-user 1.15-1+deb9u1 armhf basic programs to authenticate using MIT Kerberos ii libacl1:armhf 2.2.52-3 armhf Access control list shared library ii libgssapi-krb5-2:armhf 1.15-1+deb9u1 armhf MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii libkrb5-3:armhf 1.15-1+deb9u1 armhf MIT Kerberos runtime libraries ii libkrb5support0:armhf 1.15-1+deb9u1 armhf MIT Kerberos runtime libraries - Support library ii libsmbclient:armhf 2:4.5.12+dfsg-2+deb9u1 armhf shared library for communication with SMB/CIFS servers ii libwbclient0:armhf 2:4.5.12+dfsg-2+deb9u1 armhf Samba winbind client library ii python-samba 2:4.5.12+dfsg-2+deb9u1 armhf Python bindings for Samba ii samba 2:4.5.12+dfsg-2+deb9u1 armhf SMB/CIFS file, print, and login server for Unix ii samba-common 
2:4.5.12+dfsg-2+deb9u1 all common files used by both the Samba server and client ii samba-common-bin 2:4.5.12+dfsg-2+deb9u1 armhf Samba common files used by both the server and the client ii samba-dsdb-modules 2:4.5.12+dfsg-2+deb9u1 armhf Samba Directory Services Database ii samba-libs:armhf 2:4.5.12+dfsg-2+deb9u1 armhf Samba core libraries ii samba-vfs-modules 2:4.5.12+dfsg-2+deb9u1 armhf Samba Virtual FileSystem plugins ii smbclient 2:4.5.12+dfsg-2+deb9u1 armhf command-line SMB/CIFS clients for Unix ii winbind 2:4.5.12+dfsg-2+deb9u1 armhf service to resolve user and group information from Windows NT servers ----------- On 13. 12. 2017 11:00, Rowland Penny via samba wrote:> See inline comments: > > On Wed, 13 Dec 2017 10:13:52 +0100 > Jiří Knotek via samba <samba at lists.samba.org> wrote: > >> Hello Rowland, >> >> thank you for advice. I reconfigure both AC-DCs again with new >> data and send updated data. Unfortunately, the result is the same. >> I'm also sending a listing from >> >> samba-setup-checkup.sh. >> >> * Linux: Raspbian, debian stretch lite >> * Samba version 4.5.12-Debian >> * DNS: BIND9_DLZ 9.10.x >> * Installed packages: ntp ntpdate samba smbclient winbind libcups2 >> samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user >> >> *root at ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citsdc >> ry11citdc dc=ry11cit,dc=lan* >> Replicate from ry11citdc to ry11citsdc was successful. 
>>
>> *root at ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citdc
>> ry11citsdc dc=ry11cit,dc=lan*
>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
>> drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
>> 368, in run
>> drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
>> source_dsa_guid, NC, req_options)
>> File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line
>> 83, in sendDsReplicaSync
>> raise drsException("DsReplicaSync failed %s" % estr)
>>
>>
>> *root at ry11citdc:/home/pi/Ry11# bash samba-setup-checkup.sh*
>> Check hostnames : Mismatch in hostname definitions
>> please check :
>> HOST_NAME_SHORT: ry11citdc
>> HOST_NAME_DOMAIN:
>> HOST_NAME_FQDN: ry11citdc
>> HOST_IP1: 10.44.1.10
>> HOST_IP2: Only one interface detected
>> HOST_GATEWAY: 10.44.1.1
>> HOST_PRIMARY_INTERFACE: 10.44.1.1
>> eth0
>> HOST_RESOLV_DOMAIN: domain ry11cit.lan
>> HOST_RESOLV_SEARCH: search ry11cit.lan
>> HOST_RESOLV_NAMESERV1: 10.44.1.10
>> HOST_RESOLV_NAMESERV2: 10.44.1.9
>> HOST_RESOLV_NAMESERV3:
>> Possible error detected in /etc/hosts, mismatch FQDN and detected IP
>> 10.44.1.10 for the host.
>> expected was : 10.44.1.10 ry11citdc ry11citdc
>> Checking detected host ipnumbers from resolv.conf and default gateway
>> Ping gateway ip : 10.44.1.1 : Error
>> ping nameserver1: 10.44.1.10 : Ok
>> ping nameserver2: 10.44.1.9 : Ok
>> Check ping google dns : 8.8.8.8 : Error
>> Checking file owner..
>> -rw-r--r-- pi pi /etc/samba/smb.conf
>> Checking file owner..
>> -rw-r--r-- pi pi /etc/samba/lmhosts
>> Checking file owner..
>> Missing file /etc/samba/smbpasswd
>> drwxr-xr-x root root /usr/bin
>> drwxr-xr-x root root /var/cache/samba
>> drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf
>> drwxr-xr-x root root /var/run/samba
>> drwxr-x--- root adm /var/log/samba
>> drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf/samba
>> drwxr-xr-x root root /var/run/samba
>> drwxr-xr-x root root /var/lib/samba/private
>> drwxr-xr-x root root /usr/sbin
>> drwxr-xr-x root root /var/lib/samba
>> DCS 2(SERVFAIL
>> DC1 2(SERVFAIL
>> DC2
>> ERROR: Invalid IP address '2(SERVFAIL'!
>> Samba AD DC info: = detected (command and where to look)
>> This server hostname = ry11citdc (hostname -s and /etc/hosts
>> and DNS server)
>> This server FQDN (hostname) = ry11citdc (hostname -f and /etc/hosts
>> and DNS server)
>> This server primary dnsdomain = (hostname -d and /etc/resolv.conf
>> and DNS server)
>> This server IP address(ses) = 10.44.1.10 Only one interface
>> detected (hostname -i (-I) and /etc/networking/interfaces and DNS
>> server The DC with FSMO roles = RY11CITDC (samba-tool fsmo
>> show) The DC (with FSMO) Site name = Default-First-Site-Name
>> (samba-tool fsmo show)
>> The Default Naming Context = DC=ry11cit,DC=lan (samba-tool fsmo
>> show) The Kerberos REALM name used = RY11CIT.LAN (kinit
>> and /etc/krb5.conf and resolving)
>> The Ipadres of DC 2(SERVFAIL = 2(SERVFAIL)
>> SAMBA_SERVER_ROLE: active directory domain controller
>> SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>> SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr,
>> netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6,
>> backupkey, dnsserver
>>
>>
>> *I did not come to the way the hostname -d command would return the
>> domain name. How can I do that? In addition, there are host, lmhost,
>> resolv.conf, and so on**
>> *
>>
>> Please help, I don't know the advice.
>>
>> System integrator Jiří Knotek
>>
>>
>> "Primary" Active Directory Domain
>> Controller:------------------------------------------------------------
>>
>> ------------------------------------------------------------
>>
>>
>> hostname:-----------------
>> ry11citdc.ry11cit.lan
> This should be just the short hostname
> In this case 'ry11citdc'

somewhere I've seen this, but of course I'll fix it

>
>> hosts:---------------
>> 127.0.0.1 localhost localhost.localdomain
>> 10.44.1.10 ry11citdc ry11citdc.ry11cit.lan
>> 10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan
> This should be:
>
> 127.0.0.1 localhost
> 10.44.1.10 ry11citdc.ry11cit.lan ry11citdc

OK

>
>> resolv.conf.head:-------------------
>> domain ry11cit.lan
>> search ry11cit.lan
> What is 'resolv.conf.head' ?
> Do you have the resolvconf package installed ?
> if so, remove it and then create an /etc/resolv.conf file with this
> content:
>
> search ry11cit.lan
> nameserver 10.44.1.10

resolv.conf.head is for manual records to withstand restart.
resolv.conf is compiled by the program resolvconf, nameserver is from dhcpcd.conf, see the generated file resolv.conf:

# Generated by resolvconf
domain ry11cit.lan
search ry11cit.lan
nameserver 10.44.1.10
nameserver 10.44.1.9

OK, I will change

>
>> systemctl.conf"--------------------
>> net.ipv4.ip_forward=1
>> net.ipv6.conf.all.disable_ipv6=1
>>
>>
>>
>> krb5.conf:------------
>>
>> [libdefaults]
>> default_realm = RY11CIT.LAN
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> named.conf:------------------------
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/private/named.conf";
>>
>> named.conf.options:-----------------------
>>
>> options {
>> directory "/var/cache/bind";
>>
>> dnssec-validation auto;
>>
>> auth-nxdomain no; # conform to RFC1035
>> listen-on-v6 { none; };
>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>>
>> lmhost:--------------------------
>> 127.0.0.1 localhost
>> 10.44.1.10 ry11citdc
>> 10.44.1.9 ry11citsdc
>>
> not required

I placed it for warning in samba-setup-checkup.sh

>
>> smb.conf:------------------------------
>>
>> # Global parameters
>> [global]
>> netbios name = RY11CITDC
>> realm = RY11CIT.LAN
>> server services = -dns
>> workgroup = RY11CIT
>> server role = active directory domain controller
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/ry11cit.lan/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> Samba Provision---------------:
>>
>> samba-tool domain provision --realm=RY11CIT.LAN --domain=RY11CIT
>> --server-role=dc --dns-backend=BIND9_DLZ --adminpass='.....'
>>
>> "Backup / Standby" Active Directory Domain
>> Controller:------------------------------------------------------------
>>
>>
>> ------------------------------------------------------------
>>
>>
>> hostname:-----------------
>> ry11citsdc.ry11cit.lan
> should be just 'ry11citsdc'

OK

>
>> hosts:---------------
>> 127.0.0.1 localhost localhost.localdomain
>> 10.44.1.10 ry11citdc ry11citdc.ry11cit.lan
>> 10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan
> should be:
>
> 127.0.0.1 localhost
> 10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc

OK

>
>> resolv.conf.head:-------------------
>> domain ry11cit.lan
>> search ry11cit.lan
>>
> /etc/resolv.conf should be:
>
> search ry11cit.lan
> nameserver 10.44.1.9
>
>> systemctl.conf"--------------------
>> net.ipv4.ip_forward=1
>> net.ipv6.conf.all.disable_ipv6=1
>>
>>
>>
>> krb5.conf:------------
>>
>> [libdefaults]
>> default_realm = RY11CIT.LAN
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> named.conf:------------------------
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/private/named.conf";
>>
>> named.conf.options:-----------------------
>>
>> options {
>> directory "/var/cache/bind";
>>
>> dnssec-validation auto;
>>
>> auth-nxdomain no; # conform to RFC1035
>> listen-on-v6 { none; };
>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>>
>> lmhost:--------------------------
>> 127.0.0.1 localhost
>> 10.44.1.10 ry11citdc
>> 10.44.1.9 ry11citsdc
>>
> Not required
>
>> smb.conf:------------------------------
>>
>> # Global parameters
>> [global]
>> netbios name = RY11CITSDC
>> realm = RY11CIT.LAN
>> server services = -dns
>> workgroup = RY11CIT
>> server role = active directory domain controller
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/ry11cit.lan/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> Samba join---------------:
>>
>> samba-tool domain join RY11CIT DC -Uadministrator
>> --realm=RY11CIT.LAN --dns-backend=BIND9_DLZ --adminpass='.....'
>>
> You haven't provisioned with '--use-rfc2307'
> I suggest you go and read this:
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

That might be useful, I will try later. But without this I can manage domain users by windows tools.

> Rowland
>
>

Thanks
Jiri Knotek

--
*Ing. Jiří Knotek*
programmer
*GEMA s.r.o. Automatizace technologických procesů*
Doubravice 13, Pardubice 19, 53353
Tel: +420604570127
E-mail: jiri.knotek at gemapce.cz <mailto:jiri.knotek at gemapce.cz>
Web: www.gemapce.cz <http://www.gemapce.cz/>
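Added example, not part of the thread: a shell model of how the `files` host lookup picks the canonical name, which shows why the corrected /etc/hosts line (FQDN first, short name second) makes `hostname -f` and `hostname -d` return the domain. The file contents are constructed from the values quoted in the message above, the function names are hypothetical, and it assumes /etc/hosts is consulted before DNS.

```shell
#!/bin/sh
# Added example: offline model of the hostname/FQDN checks discussed above.
# Function names are hypothetical; sample data is constructed from the thread.

# canonical_name HOSTS_TEXT SHORTNAME
# Prints the first name on the first hosts line that mentions SHORTNAME.
# The "files" lookup returns that first name as the canonical name (FQDN).
canonical_name() {
    printf '%s\n' "$1" | awk -v host="$2" '
        { sub(/#.*/, "") }                       # strip comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(host)) { print $2; exit }
        }'
}

# dns_domain NAME: the part after the first dot, empty when NAME has no dot.
# This is the value `hostname -d` derives from the FQDN.
dns_domain() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '' ;;
    esac
}

# resolv_field RESOLV_TEXT KEYWORD
# Values of one resolv.conf keyword, in file order, space separated.
resolv_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == key { for (i = 2; i <= NF; i++) out = out (out ? " " : "") $i }
        END { print out }'
}

# check_dc SHORTNAME HOSTS_TEXT RESOLV_TEXT
# Prints one finding per line; returns 0 when hosts and resolv.conf agree.
check_dc() {
    fqdn=$(canonical_name "$2" "$1")
    domain=$(dns_domain "$fqdn")
    search=$(resolv_field "$3" search)
    rc=0
    if [ -z "$fqdn" ]; then
        echo "FAIL: no /etc/hosts entry for $1"; rc=1
    elif [ -z "$domain" ]; then
        echo "FAIL: canonical name '$fqdn' has no domain part; list the FQDN first"; rc=1
    else
        echo "OK: FQDN=$fqdn domain=$domain"
        case " $search " in
            *" $domain "*) echo "OK: resolv.conf search list contains $domain" ;;
            *) echo "FAIL: resolv.conf search list '$search' lacks $domain"; rc=1 ;;
        esac
    fi
    echo "INFO: nameserver order: $(resolv_field "$3" nameserver)"
    return $rc
}

# Constructed samples: hosts as first posted, hosts as corrected, generated resolv.conf.
HOSTS_BEFORE='127.0.0.1 localhost localhost.localdomain
10.44.1.10 ry11citdc ry11citdc.ry11cit.lan
10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan'
HOSTS_AFTER='127.0.0.1 localhost
10.44.1.10 ry11citdc.ry11cit.lan ry11citdc'
RESOLV='# Generated by resolvconf
domain ry11cit.lan
search ry11cit.lan
nameserver 10.44.1.10
nameserver 10.44.1.9'

echo "== hosts as first posted =="
check_dc ry11citdc "$HOSTS_BEFORE" "$RESOLV" || true
echo "== hosts as corrected =="
check_dc ry11citdc "$HOSTS_AFTER" "$RESOLV" || true
```

With the first hosts file the canonical name is the bare short name, so the derived domain is empty, matching the empty HOST_NAME_DOMAIN in the checkup output.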
Hello Rowland,

A small change has been made and replication works in both directions:
dhcpcd.conf requires both dns servers in reverse order.

RY11CITDC, /etc/dhcpcd.conf
--------------------------------------------------------------
.....
interface eth0
static ip_address=10.44.1.10/16
static routers=10.44.1.1
static domain_name_servers=10.44.1.9 10.44.1.10

RY11CITDC, /etc/dhcpcd.conf
--------------------------------------------------------------
......
interface eth0
static ip_address=10.44.1.9/16
static routers=10.44.1.1
static domain_name_servers=10.44.1.10 10.44.1.9

I hope this is the right solution and not just a happy mistake.
Thank you very much for explaining the basic configuration, I was in the confusion.

Thanks
Jiri Knotek

Hello Rowland,

See inline comments:
If I did not make a mistake somewhere, it's even worse. Additionally, replication does not work ry11citdc to ry11citsdc

executed from ry11citdc:
------------------------------------------------------------
root at ry11citdc:~# samba-tool drs replicate ry11citsdc ry11citdc dc=ry11cit,dc=lan
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to ry11citsdc failed - drsException: DRS connection to ry11citsdc failed: (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
------------------------------------------------------------
root at ry11citdc:~# bash /home/pi/Ry11/samba-setup-checkup.sh
/home/pi/Ry11/samba-setup-checkup.sh: line 134: HOST_: command not found
Check hostnames : Ok
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 10.44.1.1 : Error
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver1: 10.44.1.10 : Ok
Check ping google dns : 8.8.8.8 : Error
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- pi pi /etc/samba/smb.conf
Checking file owner..
Missing file /etc/samba/lmhosts
Checking file owner..
Missing file /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba
DCS ry11citdc.ry11cit.lan
DC1 ry11citdc.ry11cit.lan
DC2
Samba AD DC info: = detected (command and where to look)
This server hostname = ry11citdc (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname) = ry11citdc.ry11cit.lan (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = ry11cit.lan (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses) = 10.44.1.10 Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles = RY11CITDC (samba-tool fsmo show)
The DC (with FSMO) Site name = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context = DC=ry11cit,DC=lan (samba-tool fsmo show)
The Kerberos REALM name used = RY11CIT.LAN (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC ry11citdc.ry11cit.lan = 10.44.1.10
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
------------------------------------------------------------
Collected config --- 2017-12-13-15:16 -----------

Hostname: ry11citdc
DNS Domain: ry11cit.lan
FQDN: ry11citdc.ry11cit.lan
ipaddress: 10.44.1.10
-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
-----------
Warning, /etc/devuan_version does not exist
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:69:ac:e4 brd ff:ff:ff:ff:ff:ff
    inet 10.44.1.10/16 brd 10.44.255.255 scope global eth0
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.44.1.10 ry11citdc.ry11cit.lan ry11citdc
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = RY11CIT.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns mdns4_minimal [NOTFOUND=return]
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = RY11CITDC
realm = RY11CIT.LAN
server services = -dns
workgroup = RY11CIT
server role = active directory domain controller

[netlogon]
path = /var/lib/samba/sysvol/ry11cit.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
No username map detected.
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
-----------
Checking file: /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//=======================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//=======================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii  acl  2.2.52-3  armhf  Access control list utilities
ii  krb5-config  2.6  all  Configuration files for Kerberos Version 5
ii  krb5-user  1.15-1+deb9u1  armhf  basic programs to authenticate using MIT Kerberos
ii  libacl1:armhf  2.2.52-3  armhf  Access control list shared library
ii  libgssapi-krb5-2:armhf  1.15-1+deb9u1  armhf  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:armhf  1.15-1+deb9u1  armhf  MIT Kerberos runtime libraries
ii  libkrb5support0:armhf  1.15-1+deb9u1  armhf  MIT Kerberos runtime libraries - Support library
ii  libsmbclient:armhf  2:4.5.12+dfsg-2+deb9u1  armhf  shared library for communication with SMB/CIFS servers
ii  libwbclient0:armhf  2:4.5.12+dfsg-2+deb9u1  armhf  Samba winbind client library
ii  python-samba  2:4.5.12+dfsg-2+deb9u1  armhf  Python bindings for Samba
ii  samba  2:4.5.12+dfsg-2+deb9u1  armhf  SMB/CIFS file, print, and login server for Unix
ii  samba-common  2:4.5.12+dfsg-2+deb9u1  all  common files used by both the Samba server and client
ii  samba-common-bin  2:4.5.12+dfsg-2+deb9u1  armhf  Samba common files used by both the server and the client
ii  samba-dsdb-modules  2:4.5.12+dfsg-2+deb9u1  armhf  Samba Directory Services Database
ii  samba-libs:armhf  2:4.5.12+dfsg-2+deb9u1  armhf  Samba core libraries
ii  samba-vfs-modules  2:4.5.12+dfsg-2+deb9u1  armhf  Samba Virtual FileSystem plugins
ii  smbclient  2:4.5.12+dfsg-2+deb9u1  armhf  command-line SMB/CIFS clients for Unix
ii  winbind  2:4.5.12+dfsg-2+deb9u1  armhf  service to resolve user and group information from Windows NT servers
-----------

RY11CITSDC:
------------------------------------------------------------
root at ry11citsdc:~# samba-tool drs replicate ry11citdc ry11citsdc dc=ry11cit,dc=lan
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
------------------------------------------------------------
root at ry11citsdc:~# bash /home/pi/Ry11/samba-setup-checkup.sh
/home/pi/Ry11/samba-setup-checkup.sh: line 134: HOST_: command not found
Check hostnames : Ok
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 10.44.1.1 : Error
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver1: 10.44.1.9 : Ok
Check ping google dns : 8.8.8.8 : Error
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- pi pi /etc/samba/smb.conf
Checking file owner..
Missing file /etc/samba/lmhosts
Checking file owner..
Missing file /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba
DCS ry11citsdc.ry11cit.lan ry11citdc.ry11cit.lan
DC1 ry11citsdc.ry11cit.lan
DC2 ry11citdc.ry11cit.lan
Samba AD DC info: = detected (command and where to look)
This server hostname = ry11citsdc (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname) = ry11citsdc.ry11cit.lan (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = ry11cit.lan (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses) = 10.44.1.9 Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles = RY11CITDC (samba-tool fsmo show)
The DC (with FSMO) Site name = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context = DC=ry11cit,DC=lan (samba-tool fsmo show)
The Kerberos REALM name used = RY11CIT.LAN (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC ry11citsdc.ry11cit.lan = 10.44.1.9
The Ipadres of DC ry11citdc.ry11cit.lan = 10.44.1.10
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
------------------------------------------------------------
Collected config --- 2017-12-13-15:22 -----------

Hostname: ry11citsdc
DNS Domain: ry11cit.lan
FQDN: ry11citsdc.ry11cit.lan
ipaddress: 10.44.1.9
-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
-----------
Warning, /etc/devuan_version does not exist
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:9d:64:eb brd ff:ff:ff:ff:ff:ff
    inet 10.44.1.9/16 brd 10.44.255.255 scope global eth0
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether b8:27:eb:c8:31:be brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = RY11CIT.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns mdns4_minimal [NOTFOUND=return]
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = RY11CITSDC
realm = RY11CIT.LAN
server services = -dns
workgroup = RY11CIT
server role = active directory domain controller

[netlogon]
path = /var/lib/samba/sysvol/ry11cit.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
No username map detected.
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
-----------
Checking file: /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//=======================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//=======================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii  acl  2.2.52-3  armhf  Access control list utilities
ii  krb5-config  2.6  all  Configuration files for Kerberos Version 5
ii  krb5-user  1.15-1+deb9u1  armhf  basic programs to authenticate using MIT Kerberos
ii  libacl1:armhf  2.2.52-3  armhf  Access control list shared library
ii  libgssapi-krb5-2:armhf  1.15-1+deb9u1  armhf  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:armhf  1.15-1+deb9u1  armhf  MIT Kerberos runtime libraries
ii  libkrb5support0:armhf  1.15-1+deb9u1  armhf  MIT Kerberos runtime libraries - Support library
ii  libsmbclient:armhf  2:4.5.12+dfsg-2+deb9u1  armhf  shared library for communication with SMB/CIFS servers
ii  libwbclient0:armhf  2:4.5.12+dfsg-2+deb9u1  armhf  Samba winbind client library
ii  python-samba  2:4.5.12+dfsg-2+deb9u1  armhf  Python bindings for Samba
ii  samba  2:4.5.12+dfsg-2+deb9u1  armhf  SMB/CIFS file, print, and login server for Unix
ii  samba-common  2:4.5.12+dfsg-2+deb9u1  all  common files used by both the Samba server and client
ii  samba-common-bin  2:4.5.12+dfsg-2+deb9u1  armhf  Samba common files used by both the server and the client
ii  samba-dsdb-modules  2:4.5.12+dfsg-2+deb9u1  armhf  Samba Directory Services Database
ii  samba-libs:armhf  2:4.5.12+dfsg-2+deb9u1  armhf  Samba core libraries
ii  samba-vfs-modules  2:4.5.12+dfsg-2+deb9u1  armhf  Samba Virtual FileSystem plugins
ii  smbclient  2:4.5.12+dfsg-2+deb9u1  armhf  command-line SMB/CIFS clients for Unix
ii  winbind  2:4.5.12+dfsg-2+deb9u1  armhf  service to resolve user and group information from Windows NT servers
-----------

On 13. 12. 2017 11:00, Rowland Penny via samba wrote:
> See inline comments:
>
> On Wed, 13 Dec 2017 10:13:52 +0100
> Jiří Knotek via samba <samba at lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>> thank you for advice. I reconfigure both AC-DCs again with new
>> data and send updated data. Unfortunately, the result is the same.
>> I'm also sending a listing from
>>
>> samba-setup-checkup.sh.
>>
>> * Linux: Raspbian, debian stretch lite
>> * Samba version 4.5.12-Debian
>> * DNS: BIND9_DLZ 9.10.x
>> * Installed packages: ntp ntpdate samba smbclient winbind libcups2
>> samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user
>>
>> *root at ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citsdc
>> ry11citdc dc=ry11cit,dc=lan*
>> Replicate from ry11citdc to ry11citsdc was successful.
>> >> *root at ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citdc >> ry11citsdc dc=ry11cit,dc=lan* >> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - >> drsException: DsReplicaSync failed (2, 'WERR_BADFILE') >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line >> 368, in run >> drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, >> source_dsa_guid, NC, req_options) >> File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line >> 83, in sendDsReplicaSync >> raise drsException("DsReplicaSync failed %s" % estr) >> >> >> *root at ry11citdc:/home/pi/Ry11# bash samba-setup-checkup.sh* >> Check hostnames : Mismatch in hostname definitions >> please check : >> HOST_NAME_SHORT: ry11citdc >> HOST_NAME_DOMAIN: >> HOST_NAME_FQDN: ry11citdc >> HOST_IP1: 10.44.1.10 >> HOST_IP2: Only one interface detected >> HOST_GATEWAY: 10.44.1.1 >> HOST_PRIMARY_INTERFACE: 10.44.1.1 >> eth0 >> HOST_RESOLV_DOMAIN: domain ry11cit.lan >> HOST_RESOLV_SEARCH: search ry11cit.lan >> HOST_RESOLV_NAMESERV1: 10.44.1.10 >> HOST_RESOLV_NAMESERV2: 10.44.1.9 >> HOST_RESOLV_NAMESERV3: >> Possible error detected in /etc/hosts, mismatch FQDN and detected IP >> 10.44.1.10 for the host. >> expected was : 10.44.1.10 ry11citdc ry11citdc >> Checking detected host ipnumbers from resolv.conf and default gateway >> Ping gateway ip : 10.44.1.1 : Error >> ping nameserver1: 10.44.1.10 : Ok >> ping nameserver2: 10.44.1.9 : Ok >> Check ping google dns : 8.8.8.8 : Error >> Checking file owner.. >> -rw-r--r-- pi pi /etc/samba/smb.conf >> Checking file owner.. >> -rw-r--r-- pi pi /etc/samba/lmhosts >> Checking file owner.. 
>> Missing file /etc/samba/smbpasswd >> drwxr-xr-x root root /usr/bin >> drwxr-xr-x root root /var/cache/samba >> drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf >> drwxr-xr-x root root /var/run/samba >> drwxr-x--- root adm /var/log/samba >> drwxr-xr-x root root /usr/lib/arm-linux-gnueabihf/samba >> drwxr-xr-x root root /var/run/samba >> drwxr-xr-x root root /var/lib/samba/private >> drwxr-xr-x root root /usr/sbin >> drwxr-xr-x root root /var/lib/samba >> DCS 2(SERVFAIL >> DC1 2(SERVFAIL >> DC2 >> ERROR: Invalid IP address '2(SERVFAIL'! >> Samba AD DC info: = detected (command and where to look) >> This server hostname = ry11citdc (hostname -s and /etc/hosts >> and DNS server) >> This server FQDN (hostname) = ry11citdc (hostname -f and /etc/hosts >> and DNS server) >> This server primary dnsdomain = (hostname -d and /etc/resolv.conf >> and DNS server) >> This server IP address(ses) = 10.44.1.10 Only one interface >> detected (hostname -i (-I) and /etc/networking/interfaces and DNS >> server The DC with FSMO roles = RY11CITDC (samba-tool fsmo >> show) The DC (with FSMO) Site name = Default-First-Site-Name >> (samba-tool fsmo show) >> The Default Naming Context = DC=ry11cit,DC=lan (samba-tool fsmo >> show) The Kerberos REALM name used = RY11CIT.LAN (kinit >> and /etc/krb5.conf and resolving) >> The Ipadres of DC 2(SERVFAIL = 2(SERVFAIL) >> SAMBA_SERVER_ROLE: active directory domain controller >> SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, >> drepl, winbindd, ntp_signd, kcc, dnsupdate >> SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, >> netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, >> backupkey, dnsserver >> >> >> *I did not come to the way the hostname -d command would return the >> domain name. How can I do that? In addition, there are host, lmhost, >> resolv.conf, and so on** >> * >> >> Please help, I don 't know the advice. 
>>
>> System integrator Jiří Knotek
>>
>>
>> "Primary" Active Directory Domain Controller:--------------------
>>
>> ------------------------------------------------------------
>>
>>
>> hostname:-----------------
>> ry11citdc.ry11cit.lan
> This should be just the short hostname
> In this case 'ry11citdc'

somewhere I've seen this, but of course I'll fix it

>> hosts:---------------
>> 127.0.0.1 localhost localhost.localdomain
>> 10.44.1.10 ry11citdc ry11citdc.ry11cit.lan
>> 10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan
> This should be:
>
> 127.0.0.1 localhost
> 10.44.1.10 ry11citdc.ry11cit.lan ry11citdc

OK

>> resolv.conf.head:-------------------
>> domain ry11cit.lan
>> search ry11cit.lan
> What is 'resolv.conf.head'?
> Do you have the resolvconf package installed?
> If so, remove it and then create an /etc/resolv.conf file with this
> content:
>
> search ry11cit.lan
> nameserver 10.44.1.10

resolv.conf.head is for manual records to withstand restart.
resolv.conf is compiled by the program resolvconf, nameserver is from dhcpcd.conf, see the generated file resolv.conf:

# Generated by resolvconf
domain ry11cit.lan
search ry11cit.lan
nameserver 10.44.1.10
nameserver 10.44.1.9

OK, I will change

>> systemctl.conf"--------------------
>> net.ipv4.ip_forward=1
>> net.ipv6.conf.all.disable_ipv6=1
>>
>>
>>
>> krb5.conf:------------
>>
>> [libdefaults]
>>     default_realm = RY11CIT.LAN
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>>
>> named.conf:------------------------
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/private/named.conf";
>>
>> named.conf.options:-----------------------
>>
>> options {
>>     directory "/var/cache/bind";
>>
>>     dnssec-validation auto;
>>
>>     auth-nxdomain no; # conform to RFC1035
>>     listen-on-v6 { none; };
>>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>>
>> lmhost:--------------------------
>> 127.0.0.1 localhost
>> 10.44.1.10 ry11citdc
>> 10.44.1.9 ry11citsdc
>>
> not required

I placed it for warning in samba-setup-checkup.sh

>> smb.conf:------------------------------
>>
>> # Global parameters
>> [global]
>>     netbios name = RY11CITDC
>>     realm = RY11CIT.LAN
>>     server services = -dns
>>     workgroup = RY11CIT
>>     server role = active directory domain controller
>>
>> [netlogon]
>>     path = /var/lib/samba/sysvol/ry11cit.lan/scripts
>>     read only = No
>>
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>
>> Samba Provision---------------:
>>
>> samba-tool domain provision --realm=RY11CIT.LAN --domain=RY11CIT
>> --server-role=dc --dns-backend=BIND9_DLZ --adminpass='.....'
>>
>> "Backup / Standby" Active Directory Domain Controller:--------------------
>>
>>
>> ------------------------------------------------------------
>>
>>
>> hostname:-----------------
>> ry11citsdc.ry11cit.lan
> should be just 'ry11citsdc'

OK

>> hosts:---------------
>> 127.0.0.1 localhost localhost.localdomain
>> 10.44.1.10 ry11citdc ry11citdc.ry11cit.lan
>> 10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan
> should be:
>
> 127.0.0.1 localhost
> 10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc

OK

>> resolv.conf.head:-------------------
>> domain ry11cit.lan
>> search ry11cit.lan
>>
> /etc/resolv.conf should be:
>
> search ry11cit.lan
> nameserver 10.44.1.9
>
>> systemctl.conf"--------------------
>> net.ipv4.ip_forward=1
>> net.ipv6.conf.all.disable_ipv6=1
>>
>>
>>
>> krb5.conf:------------
>>
>> [libdefaults]
>>     default_realm = RY11CIT.LAN
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>>
>> named.conf:------------------------
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/private/named.conf";
>>
>> named.conf.options:-----------------------
>>
>> options {
>>     directory "/var/cache/bind";
>>
>>     dnssec-validation auto;
>>
>>     auth-nxdomain no; # conform to RFC1035
>>     listen-on-v6 { none; };
>>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>>
>> lmhost:--------------------------
>> 127.0.0.1 localhost
>> 10.44.1.10 ry11citdc
>> 10.44.1.9 ry11citsdc
>>
> Not required
>
>> smb.conf:------------------------------
>>
>> # Global parameters
>> [global]
>>     netbios name = RY11CITSDC
>>     realm = RY11CIT.LAN
>>     server services = -dns
>>     workgroup = RY11CIT
>>     server role = active directory domain controller
>>
>> [netlogon]
>>     path = /var/lib/samba/sysvol/ry11cit.lan/scripts
>>     read only = No
>>
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>
>> Samba join---------------:
>>
>> samba-tool domain join RY11CIT DC -Uadministrator
>> --realm=RY11CIT.LAN --dns-backend=BIND9_DLZ --adminpass='.....'
>>
> You haven't provisioned with '--use-rfc2307'
> I suggest you go and read this:
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

That might be useful, I will try later. But without this I can manage domain users by Windows tools.

> Rowland
>
>

Thanks
Jiri Knotek

-- 
*Ing. Jiří Knotek*
programmer
*GEMA s.r.o. Automatizace technologických procesů*
Doubravice 13, Pardubice 19, 53353
Tel: +420604570127
E-mail: jiri.knotek at gemapce.cz
Web: www.gemapce.cz
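
Added example, not part of the original message and not code from the Samba project: a shell check for the /etc/hosts ordering requested in the quoted replies, which is also what decides whether `hostname -d` yields the domain when the name is resolved from /etc/hosts. The function names and the two temporary sample files (built from the "before" and "should be" entries in the thread) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample hosts files are constructed
# from the original and the corrected entries quoted in the message.

# First name on the line for IP: when names come from /etc/hosts, the
# resolver returns this first name as the canonical (FQDN) name.
canonical_name() {
    awk -v ip="$2" '{ sub(/#.*/, "") } $1 == ip && NF >= 2 { print $2; exit }' "$1"
}

# Domain part of the canonical name, i.e. what `hostname -d` would print.
# Prints nothing when the short name is listed first.
dns_domain() {
    name=$(canonical_name "$1" "$2")
    case "$name" in *.*) printf '%s\n' "${name#*.}" ;; esac
}

# Classify the entry for IP against the expected short hostname.
check_entry() {
    file=$1; ip=$2; short=$3
    first=$(canonical_name "$file" "$ip")
    second=$(awk -v ip="$ip" '{ sub(/#.*/, "") } $1 == ip { print $3; exit }' "$file")
    if   [ -z "$first" ];                then echo MISSING
    elif [ "$first" = "$short" ];        then echo SHORT_NAME_FIRST
    elif [ "${first%%.*}" != "$short" ]; then echo WRONG_HOST
    elif [ "$second" != "$short" ];      then echo NO_SHORT_ALIAS
    else echo OK; fi
}

# Constructed sample input: hosts file as first posted, and as corrected.
before=$(mktemp); after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
printf '%s\n' '127.0.0.1 localhost localhost.localdomain' \
    '10.44.1.10 ry11citdc ry11citdc.ry11cit.lan' \
    '10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan' > "$before"
printf '%s\n' '127.0.0.1 localhost' \
    '10.44.1.10 ry11citdc.ry11cit.lan ry11citdc' > "$after"

for f in "$before" "$after"; do
    echo "$(check_entry "$f" 10.44.1.10 ry11citdc) domain='$(dns_domain "$f" 10.44.1.10)'"
done
```

To audit a live DC, call `check_entry /etc/hosts <ip> <short hostname>` with that server's own address and name.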