Hi Denis & Rowland

Thanks for the suggestion to trim the smb.conf, after which DC-1 is connecting to the Windows Server 2008 shared folder:

smbclient -k //IUMSVRAPP01/Pastel12 -d 9

and DC-2 is also connecting after using the DNS name of the Windows server.

> You'd better switch your DNS to Bind-DLZ. Internal DNS is not that good
> for a larger site (looking at your DNS domain name, I guess it might be a
> university). You can take a look there [1]

Yes, you are right, we are a university which is growing every year, and I want to switch from INTERNAL DNS to BIND-DLZ. I will follow the instructions given in your wiki link, but before doing so I would like to clear up a few doubts:

1. Can I migrate from Internal to Bind-DLZ in a running Samba environment?
2. Will it migrate all the current DNS records?
3. Do I have to do the same migration for the other Samba DCs in the network?
4. I also have a Samba RODC in the network, so do I have to migrate it from Internal to Bind-DLZ?
5. Do I have to install the Bind-DLZ package on a different machine, or can it be installed on the same Samba machine?

>> samba-tool drs showrepl on DC-1 is replicating successfully except for
>> below under INBOUND NEIGHBOR:
>>
>> DC=iumnet,DC=edu,DC=na
>>     Default-First-Site-Name\IUMSVRPDC via RPC
>>         DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
>>         Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
>>         17863 consecutive failure(s).
>>         Last success @ Sat Jan 13 23:16:52 2018 WAST
>
> This is probably your error. Replication of your main partition is not
> working. Domain members are changing their machine password once a month.
> If it has been changed on one of the servers, but the replication didn't
> go through to the other, it is normal to get the failure you are having.
>
> You should look at your samba log when trying replication for that
> partition. There is probably a corrupted entry somewhere that is
> preventing replication.
Can you please give a few steps on how to check the DRS replication logs, find the corrupted entry and remove it?

Also, I am trying to remove one offline RODC, which I joined last month for testing, using the command below, which is failing:

samba-tool domain demote --remove-other-dead-server='iumong-rodc.iumnet.edu.na' -UAdministrator
ERROR: Demote failed: DemoteException: iumong-rodc.iumnet.edu.na is not an AD DC in iumnet.edu.na
A transaction is still active in ldb context [0x22b0b20] on tdb:///var/lib/samba/private/sam.ldb

I am also trying to remove the offline RODC record manually, which is failing:

ldbedit -e nano -H tdb:///var/lib/samba/private/sam.ldb 'IUMONG-RODC'
failed to delete CN=IUMONG-RODC,OU=Domain Controllers,DC=iumnet,DC=edu,DC=na - ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3643: Failed to remove backlink of msDS-RevealedDSAs when deleting CN=IUMONG-RODC,OU=Domain Controllers,DC=iumnet,DC=edu,DC=na: (null)

How can I manually remove the records for the offline DC?

Regards
Harsh

Harsh Kukreja
Systems Administrator
International University of Namibia
Tel: 061-4336000 - E-mail: h.kukreja at ium.edu.na - Web: http://www.ium.edu.na
Private Bag 14005, Bachbrech. 21-31 Hercules Street, Dorado Park, Windhoek, NAMIBIA

On Tue, Jan 16, 2018 at 3:31 PM, Denis Cardon <dcardon at tranquil.it> wrote:
> Hi Harsh,
>
>> Thanks for your advice, I will not use these wordings here.
>
> thanks!
>
>> Please check the result below when I run the command on DC-1 when
>> DC-2 is off or on:
>> smbclient -k //IUMSVRAPP01/Pastel12 -d 9
>
> ...
>
>> session setup failed: NT_STATUS_INVALID_PARAMETER_MIX
>
> Looking at this message, I would start with doing some cleanup in your
> smb.conf.
> I would trim your smb.conf like below:
>
>> Here is the smb.conf dump from DC-1:
>> # Global parameters
>
> [global]
>         workgroup = IUMNET
>         realm = IUMNET.EDU.NA
>         netbios name = IUMDCDP01
>         server role = active directory domain controller
>         dns forwarder = 172.16.10.254
>         allow dns updates = nonsecure and secure
>         ntlm auth = yes
>         client use spnego = no
>         client ldap sasl wrapping = sign
>         ldap server require strong auth = no
>         full_audit:prefix = %u|%I|%m|%S
>         full_audit:failure = connect
>         full_audit:success = connect disconnect
>         log level = 9 dns:0
>
> [netlogon]
>         path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
>         read only = No
>         browsable = no
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> You'd better switch your DNS to Bind-DLZ. Internal DNS is not that good
> for a larger site (looking at your DNS domain name, I guess it might be a
> university). You can take a look there [1]
>
> And I wouldn't store anything other than AD stuff on an AD DC, like below:
>
>> [softshare]
>>         path = /home/administrator/ad
>>         read only = No
>
>> When I ran the same command on DC-2 (Samba 4.7.4):
>>
>> smbclient -k //172.16.10.21/Pastel12 -d 9
>
> When doing Kerberos authentication, you shouldn't use an IP address,
> otherwise Kerberos won't work. Try it again with the real DNS name.
>
> ...
>
>> got OID=1.2.840.48018.1.2.2
>> Kerberos auth with 'administrator@IUMNET.EDU.NA' (IUMNET\root) to access '172.16.10.21' not possible
>> SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
>> session setup failed: NT_STATUS_ACCESS_DENIED
>
> You can clean up your smb.conf the same way as pointed out before.
>> Here is the smb.conf dump from DC-2:
>>
>> # Global parameters
>> [global]
>>         netbios name = IUMSVRPDC
>>         realm = IUMNET.EDU.NA
>>         workgroup = IUMNET
>>         server role = active directory domain controller
>>         dns forwarder = 172.16.10.254
>>         # server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
>>         allow dns updates = nonsecure and secure
>>         ntlm auth = yes
>>         ldap server require strong auth = no
>>         time server = Yes
>>         template shell = /bin/bash
>>         template homedir = /home/%U
>>         # idmap config * : backend = tdb
>>         # idmap config *:range = 50000-1000000
>>         full_audit:prefix = %u|%I|%m|%S
>>         full_audit:failure = connect
>>         full_audit:success = connect disconnect
>>         tls enabled = yes
>>         tls keyfile = tls/key.pem
>>         tls certfile = tls/cert.pem
>>         tls cafile = tls/ca.pem
>>         log level = 9 dns:0
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
>>         read only = No
>>         browsable = no
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>
>> samba-tool drs showrepl on DC-1 is replicating successfully except for
>> below under INBOUND NEIGHBOR:
>>
>> DC=iumnet,DC=edu,DC=na
>>     Default-First-Site-Name\IUMSVRPDC via RPC
>>         DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
>>         Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
>>         17863 consecutive failure(s).
>>         Last success @ Sat Jan 13 23:16:52 2018 WAST
>
> This is probably your error. Replication of your main partition is not
> working. Domain members are changing their machine password once a month.
> If it has been changed on one of the servers, but the replication didn't
> go through to the other, it is normal to get the failure you are having.
>
> You should look at your samba log when trying replication for that
> partition. There is probably a corrupted entry somewhere that is
> preventing replication.
>> samba-tool drs showrepl on DC-2 is replicating successfully except for
>> below under INBOUND NEIGHBOR:
>>
>> CN=Configuration,DC=iumnet,DC=edu,DC=na
>>     Default-First-Site-Name\IUMDCDP01 via RPC
>>         DSA object GUID: 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe
>>         Last attempt @ Tue Jan 16 14:26:56 2018 CAT failed, result 58 (WERR_BAD_NET_RESP)
>>         1926 consecutive failure(s).
>>         Last success @ Tue Jan 9 14:15:43 2018 CAT
>
> This is not good either, and should be resolved too.
>
> Cheers,
>
> Denis
>
> [1] It is in French, but your favorite search engine should be able to
> translate it for you: https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9
>
>> On Tue, Jan 16, 2018 at 11:49 AM, Denis Cardon <dcardon at tranquil.it> wrote:
>>
>> Hi Harsh,
>>
>>> I have two Samba 4 DCs as below:
>>> server-1 with all FSMO roles running Samba 4.6.12 on Ubuntu 12.04
>>> server-2 joined to server-1 as a DC running Samba 4.7.4 on Ubuntu 16.04
>>>
>>> The problem is when I share files from my Windows 2008 file sharing
>>> server, which shows it is logged on to the Server-2 DC, and the client PC
>>> which logs on to the server-1 DC cannot access the shared folder and
>>> gives an error: Logon Failure: The target account name is incorrect.
>>
>> Windows error messages are not very sysadmin friendly. Could you
>> please use instead the smbclient command line from a domain member Linux
>> client to do your debugging:
>> kinit myusername
>> smbclient -k //win2k8server/sharename -d 9
>>
>> And do it both with dc1 on and off.
>>> To fix the problem I have to shut down the server-2 DC and restart my
>>> Windows file server, which then logs on to server-1, and then the client
>>> can access the shared folder.
>>
>> Could you check if replication is working properly?
>> samba-tool drs showrepl
>>
>>> Please assist to fix this issue as I have to run both the DCs in the
>>> network.
>>
>> You should avoid wordings like "please assist for fix". It is deemed
>> rude (at least in my culture) to give orders to people who don't owe
>> you anything... There are many kind people on this mailing list that
>> would be happy to help, but this kind of wording just makes them
>> dismiss your message directly.
>>
>> Cheers,
>>
>> Denis
>>
>> --
>> Denis Cardon
>> Tranquil IT Systems
>> Les Espaces Jules Verne, bâtiment A
>> 12 avenue Jules Verne
>> 44230 Saint Sébastien sur Loire
>> tel : +33 (0) 2.40.97.57.55
>> http://www.tranquil-it-systems.fr
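The smb.conf trimming above is about getting the smbclient session setup to succeed, but several parameters that survive in the DC-1 dump (allow dns updates = nonsecure and secure, ntlm auth = yes, ldap server require strong auth = no, client use spnego = no, log level = 9) also weaken the DC relative to the Samba 4.x defaults documented in smb.conf(5). As an added example, not code from the thread or from Samba, here is a Python audit that parses an smb.conf, reports each parameter set to a weaker-than-default value with the value to set instead, and emits a hardened [global] section. The DC-1 [global] section posted above is embedded as the sample input; the acceptable values are my reading of the man page, so check them against your Samba version before applying.

```python
"""Audit a Samba AD DC smb.conf for parameters weaker than Samba's defaults.

Added example, not from the thread or from Samba. SAMPLE_SMB_CONF is the
DC-1 [global] section posted in the thread; the acceptable values below are
my reading of smb.conf(5) for Samba 4.x, so confirm them for your version.
"""
import re
from dataclasses import dataclass

SAMPLE_SMB_CONF = """\
# Global parameters
[global]
        workgroup = IUMNET
        realm = IUMNET.EDU.NA
        netbios name = IUMDCDP01
        server role = active directory domain controller
        dns forwarder = 172.16.10.254
        allow dns updates = nonsecure and secure
        ntlm auth = yes
        client use spnego = no
        client ldap sasl wrapping = sign
        ldap server require strong auth = no
        log level = 9 dns:0

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

# parameter -> (acceptable values, value to set, why the weak value matters)
CHECKS = {
    "allow dns updates": ({"secure only"}, "secure only",
        "'nonsecure and secure' lets any host send unauthenticated dynamic "
        "updates and overwrite AD DNS records"),
    "ntlm auth": ({"ntlmv2-only", "mschapv2-and-ntlmv2-only", "disabled", "no"},
        "ntlmv2-only",
        "'yes' re-enables NTLMv1 responses; the default since Samba 4.5 is ntlmv2-only"),
    "ldap server require strong auth": ({"yes", "allow_sasl_over_tls"}, "yes",
        "'no' accepts simple binds and unsigned SASL binds on cleartext LDAP"),
    "client use spnego": ({"yes"}, "yes",
        "'no' disables SPNEGO on Samba's own client side, so Kerberos cannot "
        "be used for SMB session setup"),
}


@dataclass
class Finding:
    param: str
    value: str
    recommended: str
    reason: str


def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comment lines
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # parameter names are case-insensitive; fold whitespace too
            params[re.sub(r"\s+", " ", name.strip().lower())] = value.strip()
    return params


def audit(text):
    """One Finding per checked parameter that is present with a weak value.
    A parameter that is absent keeps Samba's (acceptable) default."""
    params = parse_global(text)
    findings = [Finding(p, params[p], rec, why)
                for p, (ok, rec, why) in CHECKS.items()
                if p in params and params[p].lower() not in ok]
    # debug level 9 on a production DC writes verbose auth/LDAP traces to disk
    level = params.get("log level", "0").split()[0]
    if level.isdigit() and int(level) > 3:
        findings.append(Finding("log level", params["log level"], "1",
                                "level > 3 floods the log and slows the DC"))
    return findings


def hardened_global(text):
    """The [global] section with every finding replaced by its recommended value."""
    params = parse_global(text)
    for f in audit(text):
        params[f.param] = f.recommended
    return "[global]\n" + "".join(f"\t{k} = {v}\n" for k, v in params.items())


if __name__ == "__main__":
    for f in audit(SAMPLE_SMB_CONF):
        print(f"{f.param} = {f.value}  ->  {f.recommended}  ({f.reason})")
    print(hardened_global(SAMPLE_SMB_CONF))
```

Run it against /etc/samba/smb.conf on each DC; a clean run returns no findings, and the hardened section can be diffed against the live file before it is applied and Samba restarted.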
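Denis's diagnosis rests on the showrepl output: a partition with thousands of consecutive failures and a last success days old. As an added example, not from the thread, the Python below parses the INBOUND NEIGHBORS section of `samba-tool drs showrepl` and lists every partition that is failing or whose last successful sync is older than a threshold; this is the check to run on every DC (from cron or a monitoring agent) before machine accounts rotate their passwords against a copy that never receives the change. The sample output is constructed from the two inbound neighbours posted in the thread (the header's invocationId is a placeholder); the timestamp format is the one samba-tool prints.

```python
"""Flag broken inbound replication from `samba-tool drs showrepl` output.

Added example, not from the thread. SAMPLE_SHOWREPL is constructed from the
two inbound neighbours posted in the thread; the header's invocationId is a
placeholder. Timestamps are parsed in the ctime-style form samba-tool prints
(the trailing timezone abbreviation is ignored).
"""
import re
from datetime import datetime, timedelta

SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\IUMDCDP01
DSA Options: 0x00000001
DSA object GUID: 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe
DSA invocationId: 00000000-0000-0000-0000-000000000000

==== INBOUND NEIGHBORS ====

DC=iumnet,DC=edu,DC=na
\tDefault-First-Site-Name\\IUMSVRPDC via RPC
\t\tDSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
\t\tLast attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
\t\t17863 consecutive failure(s).
\t\tLast success @ Sat Jan 13 23:16:52 2018 WAST

CN=Configuration,DC=iumnet,DC=edu,DC=na
\tDefault-First-Site-Name\\IUMSVRPDC via RPC
\t\tDSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
\t\tLast attempt @ Tue Jan 16 14:24:05 2018 WAST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Tue Jan 16 14:24:05 2018 WAST

==== OUTBOUND NEIGHBORS ====
"""

# "now" for the sample run: a few minutes after the failing attempt above.
SAMPLE_NOW = datetime(2018, 1, 16, 14, 30)
TIME_RE = re.compile(r"\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}")


def parse_time(text):
    """'Tue Jan 16 14:24:05 2018 WAST' -> datetime; 'NTTIME(0)' (never) -> None."""
    m = TIME_RE.search(text)
    return datetime.strptime(m.group(0), "%a %b %d %H:%M:%S %Y") if m else None


def parse_showrepl(text):
    """Return one dict per inbound neighbour: partition, source DSA,
    (code, name) of the last attempt, consecutive failures, last success."""
    lines = text.splitlines()
    start = next((i + 1 for i, l in enumerate(lines)
                  if l.startswith("==== INBOUND NEIGHBORS")), None)
    if start is None:
        return []
    neighbours, partition, cur = [], None, None
    for raw in lines[start:]:
        if raw.startswith("===="):          # next section
            break
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():             # partition DNs start in column 0
            partition = line
        elif line.endswith(" via RPC"):      # one block per source DSA
            cur = {"partition": partition, "source": line[:-len(" via RPC")],
                   "result": (0, "OK"), "failures": 0, "last_success": None}
            neighbours.append(cur)
        elif line.startswith("Last attempt @"):
            m = re.search(r"failed, result (\d+) \((\w+)\)", line)
            if m:
                cur["result"] = (int(m.group(1)), m.group(2))
        elif line.endswith("consecutive failure(s)."):
            cur["failures"] = int(line.split()[0])
        elif line.startswith("Last success @"):
            cur["last_success"] = parse_time(line)
    return neighbours


def stale_partitions(neighbours, now, max_age=timedelta(days=1)):
    """(partition, source, reason) for every neighbour that is failing, has
    never synced, or whose last success is older than max_age."""
    problems = []
    for n in neighbours:
        age = None if n["last_success"] is None else now - n["last_success"]
        if n["failures"] > 0:
            code, name = n["result"]
            reason = f"{n['failures']} consecutive failure(s), last result {code} ({name})"
        elif age is None:
            reason = "never replicated successfully"
        elif age > max_age:
            reason = f"last success {age.days} day(s) ago"
        else:
            continue
        problems.append((n["partition"], n["source"], reason))
    return problems


def report(text, now=SAMPLE_NOW):
    """Parse showrepl output and return the list of problem partitions."""
    return stale_partitions(parse_showrepl(text), now)


if __name__ == "__main__":
    for partition, source, reason in report(SAMPLE_SHOWREPL):
        print(f"{partition} <- {source}: {reason}")
```

Feed it `samba-tool drs showrepl | python3 showrepl_check.py` on each DC (reading stdin instead of the sample) and alert on a non-empty result; a DC that shows clean here but fails on another DC's report is the one holding the stale copy.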
On Wed, 17 Jan 2018 12:42:24 +0200
Harsh Kukreja <h.kukreja at ium.edu.na> wrote:

> Yes, you are right, we are a university which is growing every year, and
> I want to switch from INTERNAL DNS to BIND-DLZ. I will follow the
> instructions given in your wiki link, but before doing so I would like to
> clear up a few doubts:
> 1. Can I migrate from Internal to Bind-DLZ in a running Samba
> environment?

Yes

> 2. Will it migrate all the current DNS records?

Well, yes and no ;-)
The DNS records are in AD and as such are not touched; upgrading to Bind9 just sets up Bind to use these records and turns off the internal Samba DNS server.

> 3. Do I have to do the same migration for the other Samba DCs in the
> network?

This is not mandatory, but is a very very very good idea.

> 4. I also have a Samba RODC in the network, so do I have to
> migrate it from Internal to Bind-DLZ?

See the answer to 3, plus if you are using an RODC running a version of Samba < 4.7.0, you should upgrade Samba.

> 5. Do I have to install the Bind-DLZ package on a different machine, or
> can it be installed on the same Samba machine?

You must install Bind9 on the DC.

Rowland
Hi Harsh,
> Can you please give a few steps on how to check the DRS replication logs
> and find out the corrupted entry and how to remove it.
>
> Also I am trying to remove one offline RODC which I joined last month
> for testing by using the command which is failing:
> samba-tool domain demote --remove-other-dead-server='iumong-rodc.iumnet.edu.na' -UAdministrator
> ERROR: Demote failed: DemoteException: iumong-rodc.iumnet.edu.na is not an AD DC in iumnet.edu.na
> A transaction is still active in ldb context [0x22b0b20] on tdb:///var/lib/samba/private/sam.ldb

Like Rowland said previously, you should remove all RODCs that have been installed prior to Samba 4.7. There are many fixes that have been added since 4.6.

I just demoted a DC on my test network to print out the list of entries for you. You'll find the list of entries to remove below; there may be missing entries because yours is an RODC, I'll let you handle that :-)

Moreover, you may upgrade all your DCs to 4.7.4; it handles better the removal of dead repsFrom/repsTo after removal of a DC, which are harder to delete by hand.
Cheers,

Denis

Removing nTDSConnection: CN=bcc8c224-6a9f-4103-8888-e558b91dcdb1,CN=NTDS Settings,CN=SRVADS,CN=Servers,CN=saint-seb,CN=Sites,CN=Configuration,DC=test,DC=tranquil,DC=it
Removing nTDSDSA: CN=NTDS Settings,CN=WIN-6814UGPEM27,CN=Servers,CN=saint-seb,CN=Sites,CN=Configuration,DC=test,DC=tranquil,DC=it (and any children)
Removing RID Set: CN=RID Set,CN=WIN-6814UGPEM27,OU=Domain Controllers,DC=test,DC=tranquil,DC=it
Removing computer account: CN=WIN-6814UGPEM27,OU=Domain Controllers,DC=test,DC=tranquil,DC=it (and any child objects)
updating test.tranquil.it keeping 6 values, removing 1 values
updating ForestDnsZones.test.tranquil.it keeping 2 values, removing 1 values
updating DomainDnsZones.test.tranquil.it keeping 2 values, removing 1 values
updating DC=67,DC=149.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 0 values, removing 1 values
updating DC=@,DC=149.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=@,DC=151.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=@,DC=0.149.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites.DomainDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites.ForestDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_kerberos._tcp.saint-seb._sites,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_gc._tcp.saint-seb._sites,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.DomainDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp.ForestDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_kerberos._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_kerberos._udp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_kpasswd._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_kpasswd._udp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_gc._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=@,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 5 values, removing 1 values
updating DC=_ldap._tcp.7158087d-44be-436a-897b-ea76ba39cf5f.domains,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=d976907c-3f56-4ab7-9ee1-3cbb3a9acc29,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 0 values, removing 1 values
updating DC=_kerberos._tcp.saint-seb._sites.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites.gc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_kerberos._tcp.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp.gc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=@,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 3 values, removing 1 values
Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=test,DC=tranquil,DC=it
Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=test.tranquil.it,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=test,DC=tranquil,DC=it
Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=test,DC=tranquil,DC=it
Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=test,DC=tranquil,DC=it

> Also I am trying to remove the offline RODC record manually which is failing:
> ldbedit -e nano -H tdb:///var/lib/samba/private/sam.ldb 'IUMONG-RODC'
> failed to delete CN=IUMONG-RODC,OU=Domain Controllers,DC=iumnet,DC=edu,DC=na - ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3643: Failed to remove backlink of msDS-RevealedDSAs when deleting CN=IUMONG-RODC,OU=Domain Controllers,DC=iumnet,DC=edu,DC=na: (null)
>
> How can I manually remove the records for the offline DC?
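Denis's demote log above is the full list of objects a DC removal touches: the nTDSDSA and connection objects under the site, the RID Set and computer account, one record value on every SRV/A/PTR node the DC registered, and four SYSVOL/FRS/DFSR references. As an added example, not from the thread or from Samba, the Python below parses that log format into a checklist, singles out the DNS nodes left with zero records (in the posted log, the DC's own PTR under the reverse zone and its NTDS-GUID CNAME under _msdcs), and generates ldbsearch commands to verify each object by hand on the surviving DC. The sample is a subset of Denis's output; the RODC backlink query at the end is my suggestion for the msDS-RevealedDSAs error Harsh hit, based on that attribute being the backlink of msDS-RevealedUsers on the RODC's computer object, and is not something the thread confirms.

```python
"""Turn a 'samba-tool domain demote --remove-other-dead-server' log into a
verification checklist for the AD objects it touched.

Added example, not from the thread or from Samba. SAMPLE_LOG is a subset of
the demote output Denis posted; the ldbsearch one-liners are my suggestion
for checking each object by hand, not something the thread prescribes.
"""
import re

SAMPLE_LOG = """\
Removing nTDSDSA: CN=NTDS Settings,CN=WIN-6814UGPEM27,CN=Servers,CN=saint-seb,CN=Sites,CN=Configuration,DC=test,DC=tranquil,DC=it (and any children)
Removing RID Set: CN=RID Set,CN=WIN-6814UGPEM27,OU=Domain Controllers,DC=test,DC=tranquil,DC=it
Removing computer account: CN=WIN-6814UGPEM27,OU=Domain Controllers,DC=test,DC=tranquil,DC=it (and any child objects)
updating test.tranquil.it keeping 6 values, removing 1 values
updating DC=67,DC=149.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 0 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=d976907c-3f56-4ab7-9ee1-3cbb3a9acc29,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 0 values, removing 1 values
Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=test,DC=tranquil,DC=it
"""

# "Removing <kind>: <dn>" with an optional "(and any children)" suffix
REMOVE_RE = re.compile(r"^Removing (.+?): (.+?)(?: \(and any child(?:ren| objects)\))?$")
# "updating <dn or zone name> keeping N values, removing M values"
UPDATE_RE = re.compile(r"^updating (.+) keeping (\d+) values, removing (\d+) values$")


def parse_demote_log(text):
    """Return {"removed": [(kind, dn)], "dns": [(name, kept, removed)]}."""
    plan = {"removed": [], "dns": []}
    for line in text.splitlines():
        m = REMOVE_RE.match(line)
        if m:
            plan["removed"].append((m.group(1), m.group(2)))
            continue
        m = UPDATE_RE.match(line)
        if m:
            plan["dns"].append((m.group(1), int(m.group(2)), int(m.group(3))))
    return plan


def emptied_dns_nodes(plan):
    """DNS node DNs that hold no records after the update. In the posted log
    these are the dead DC's own PTR (DC=67 under the reverse zone) and its
    NTDS-GUID CNAME under _msdcs; check them after the demote so no empty or
    stale node is left pointing at the removed DC."""
    return [name for name, kept, _ in plan["dns"] if kept == 0 and name.startswith("DC=")]


def verification_commands(plan, sam_ldb="/var/lib/samba/private/sam.ldb"):
    """ldbsearch one-liners to confirm each removed object is gone and to list
    what remains on each DNS node. Run on a surviving DC after the demote."""
    cmds = []
    for kind, dn in plan["removed"]:
        cmds.append(f"ldbsearch -H {sam_ldb} -s base -b '{dn}' dn"
                    f"  # {kind}: expect an error, the object must be gone")
    for name, kept, _ in plan["dns"]:
        if name.startswith("DC="):
            cmds.append(f"ldbsearch -H {sam_ldb} -s base -b '{name}' dnsRecord dNSTombstoned"
                        f"  # {kept} record(s) expected")
    return cmds


def rodc_backlink_query(rodc_dn, sam_ldb="/var/lib/samba/private/sam.ldb"):
    """An RODC's computer object carries msDS-RevealedUsers forward links whose
    backlink (msDS-RevealedDSAs) sits on every account whose secrets the RODC
    cached; that backlink is what the ldbedit error in the thread stumbled on.
    This search lists those accounts so the links can be inspected before the
    RODC object is deleted. (Assumption: the backlink is searchable like any
    linked DN attribute.)"""
    return f"ldbsearch -H {sam_ldb} '(msDS-RevealedDSAs={rodc_dn})' dn"


if __name__ == "__main__":
    plan = parse_demote_log(SAMPLE_LOG)
    print("DNS nodes left empty:", *emptied_dns_nodes(plan), sep="\n  ")
    print(*verification_commands(plan), sep="\n")
    print(rodc_backlink_query("CN=IUMONG-RODC,OU=Domain Controllers,DC=iumnet,DC=edu,DC=na"))
```

Pipe the real demote output into parse_demote_log and keep the generated commands with the change record; for an RODC, run the backlink query first, since the thread shows the computer object cannot be deleted while those links are unresolved.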
Hi Denis

I have upgraded my Samba DC-1 from 4.6.12 to 4.7.4, which has solved the replication issues between DC-1 and DC-2. Now both DCs are running 4.7.4.

> Like Rowland said previously, you should remove all RODC that have been
> installed prior to Samba 4.7. There are many fixes that have been added
> since 4.6.

Before I remove my RODCs I would like to clear up a few doubts:

1. Instead of removing the RODCs running the 4.6.x version of Samba, can I not upgrade them to 4.7.4? Will it make a difference?
2. If I remove the 4.6.x RODCs, can I use the same NETBIOS name and IP address for the new 4.7.4 RODC?
3. After upgrading Samba to 4.7 on an RODC, can I remove it from the domain and then join it again?

I have upgraded one of the RODCs from 4.6 to 4.7, and when I run the command to check replication it gives the error below.

samba-tool drs showrepl
ONGWEDIVA\IUMONGDC01
DSA Options: 0x00000025
DSA object GUID: f7d666a9-eefd-4d27-99eb-4c79e1a6af31
DSA invocationId: 3396c36a-96dc-4e03-9c0b-5abfed607bc3

==== INBOUND NEIGHBORS ===

ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453, 'WERR_DS_DRA_ACCESS_DENIED')

On Wed, Jan 17, 2018 at 1:21 PM, Denis Cardon <dcardon at tranquil.it> wrote:
> Hi Harsh,
>>> You can take a look there [1]
>>
>> Yes you are right, we are a university which is growing every year and I want to switch from INTERNAL DNS to BIND-DLZ. I will follow the instructions given in your wiki link, but before doing so I would like to clear up a few doubts:
>>
>> 1. Can I migrate from Internal to Bind-DLZ in a running Samba environment?
>> 2. Will it migrate all the current DNS records?
>> 3. Do I have to do the same migration for the other Samba DCs in the network?
>> 4. I also have a Samba RODC in the network, so do I have to migrate it from Internal to Bind-DLZ?
>> 5. Do I have to install the Bind-DLZ package on a different machine, or can it be installed on the same Samba machine?
>>
>>> samba-tool drs showrepl on DC-1 is replicating successfully except for below under INBOUND NEIGHBOR:
>>>
>>> DC=iumnet,DC=edu,DC=na
>>> Default-First-Site-Name\IUMSVRPDC via RPC
>>> DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
>>> Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
>>> 17863 consecutive failure(s).
>>> Last success @ Sat Jan 13 23:16:52 2018 WAST
>>
>>> This is probably your error. Replication of your main partition is not working. Domain members are changing their machine password once a month. If it has been changed on one of the servers, but the replication didn't go through to the other, it is normal to get the failure you are having.
>>>
>>> You should look at your samba log when trying replication for that partition. There is probably a corrupted entry somewhere that is preventing replication.
>>
>> Can you please give a few steps on how to check the drs replication logs, find the corrupted entry and remove it?
>>
>> Also I am trying to remove one offline RODC, which I joined last month for testing, by using the command below, which is failing:
>>
>> samba-tool domain demote --remove-other-dead-server='iumong-rodc.iumnet.edu.na' -UAdministrator
>> ERROR: Demote failed: DemoteException: iumong-rodc.iumnet.edu.na is not an AD DC in iumnet.edu.na
>> A transaction is still active in ldb context [0x22b0b20] on tdb:///var/lib/samba/private/sam.ldb
>
> Like Rowland said previously, you should remove all RODC that have been installed prior to Samba 4.7. There are many fixes that have been added since 4.6.
>
> I just demoted a DC on my test network to print you out the list of entries. You'll find the list of entries to remove below; there may be missing entries because it is a RODC, I'll let you handle that :-)
>
> Moreover, you may upgrade all your DCs to 4.7.4; it handles better the removal of dead repsFrom/repsTo after removal of a DC, which are harder to delete by hand.
>
> Cheers,
>
> Denis
>
> Removing nTDSConnection: CN=bcc8c224-6a9f-4103-8888-e558b91dcdb1,CN=NTDS Settings,CN=SRVADS,CN=Servers,CN=saint-seb,CN=Sites,CN=Configuration,DC=test,DC=tranquil,DC=it
> Removing nTDSDSA: CN=NTDS Settings,CN=WIN-6814UGPEM27,CN=Servers,CN=saint-seb,CN=Sites,CN=Configuration,DC=test,DC=tranquil,DC=it (and any children)
> Removing RID Set: CN=RID Set,CN=WIN-6814UGPEM27,OU=Domain Controllers,DC=test,DC=tranquil,DC=it
> Removing computer account: CN=WIN-6814UGPEM27,OU=Domain Controllers,DC=test,DC=tranquil,DC=it (and any child objects)
> updating test.tranquil.it keeping 6 values, removing 1 values
> updating ForestDnsZones.test.tranquil.it keeping 2 values, removing 1 values
> updating DomainDnsZones.test.tranquil.it keeping 2 values, removing 1 values
> updating DC=67,DC=149.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 0 values, removing 1 values
> updating DC=@,DC=149.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=@,DC=151.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=@,DC=0.149.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=_ldap._tcp.saint-seb._sites.DomainDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
> updating DC=_ldap._tcp.saint-seb._sites.ForestDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
> updating DC=_kerberos._tcp.saint-seb._sites,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
> updating DC=_ldap._tcp.saint-seb._sites,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
> updating DC=_gc._tcp.saint-seb._sites,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
> updating DC=_ldap._tcp.DomainDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=_ldap._tcp.ForestDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=_kerberos._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=_kerberos._udp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=_kpasswd._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=_kpasswd._udp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=_ldap._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=_gc._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=@,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 5 values, removing 1 values
> updating DC=_ldap._tcp.7158087d-44be-436a-897b-ea76ba39cf5f.domains,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=d976907c-3f56-4ab7-9ee1-3cbb3a9acc29,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 0 values, removing 1 values
> updating DC=_kerberos._tcp.saint-seb._sites.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
> updating DC=_ldap._tcp.saint-seb._sites.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
> updating DC=_ldap._tcp.saint-seb._sites.gc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
> updating DC=_kerberos._tcp.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=_ldap._tcp.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=_ldap._tcp.gc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
> updating DC=@,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 3 values, removing 1 values
> Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=test,DC=tranquil,DC=it
> Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=test.tranquil.it,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=test,DC=tranquil,DC=it
> Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=test,DC=tranquil,DC=it
> Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=test,DC=tranquil,DC=it
>
>> Also I am trying to remove the offline RODC record manually, which is failing:
>>
>> ldbedit -e nano -H tdb:///var/lib/samba/private/sam.ldb 'IUMONG-RODC'
>> failed to delete CN=IUMONG-RODC,OU=Domain Controllers,DC=iumnet,DC=edu,DC=na - ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3643: Failed to remove backlink of msDS-RevealedDSAs when deleting CN=IUMONG-RODC,OU=Domain Controllers,DC=iumnet,DC=edu,DC=na: (null)
>>
>> How can I manually remove the records for the offline DC?
>>
>> Regards
>>
>> Harsh
>>
>> On Tue, Jan 16, 2018 at 3:31 PM, Denis Cardon <dcardon at tranquil.it> wrote:
>>> Hi Harsh,
>>>
>>>> Thanks for your advice, I will not use these wordings here.
>>>
>>> thanks!
>>>
>>>> Please check the result below when I run the command on the DC-1 when DC-2 is off or on
>>>> smbclient -k //IUMSVRAPP01/Pastel12 -d 9
>>> ...
>>>> session setup failed: NT_STATUS_INVALID_PARAMETER_MIX
>>>
>>> Looking at this message, I would start with doing some cleanup in your smb.conf.
>>> I would trim your smb.conf like below:
>>>
>>>> Here is the smb.conf dump from DC-1:
>>>>
>>>> # Global parameters
>>>> [global]
>>>>         workgroup = IUMNET
>>>>         realm = IUMNET.EDU.NA
>>>>         netbios name = IUMDCDP01
>>>>         server role = active directory domain controller
>>>>         dns forwarder = 172.16.10.254
>>>>         allow dns updates = nonsecure and secure
>>>>         ntlm auth = yes
>>>>         client use spnego = no
>>>>         client ldap sasl wrapping = sign
>>>>         ldap server require strong auth = no
>>>>         full_audit:prefix = %u|%I|%m|%S
>>>>         full_audit:failure = connect
>>>>         full_audit:success = connect disconnect
>>>>         log level = 9 dns:0
>>>>
>>>> [netlogon]
>>>>         path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
>>>>         read only = No
>>>>         browsable = no
>>>>
>>>> [sysvol]
>>>>         path = /var/lib/samba/sysvol
>>>>         read only = No
>>>
>>> You'd better switch your DNS to Bind-DLZ. Internal DNS is not that good for larger sites (looking at your DNS domain name, I guess it might be a university). You can take a look there [1]
>>>
>>> And I wouldn't store anything else than AD stuff on an AD DC, like below:
>>>
>>>> [softshare]
>>>>         path = /home/administrator/ad
>>>>         read only = No
>>>>
>>>> When I ran the same command on DC-2 (Samba 4.7.4):
>>>>
>>>> smbclient -k //172.16.10.21/Pastel12 -d 9
>>>
>>> When doing Kerberos authentication, you shouldn't use an IP address, otherwise Kerberos won't work. Try it again with the real DNS name.
>>>
>>>> ...
>>>> got OID=1.2.840.48018.1.2.2
>>>> Kerberos auth with 'administrator@IUMNET.EDU.NA' (IUMNET\root) to access '172.16.10.21' not possible
>>>> SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
>>>> session setup failed: NT_STATUS_ACCESS_DENIED
>>>
>>> You can cleanup your smb.conf the same way as pointed before.
>>>
>>>> Here is the smb.conf dump from DC-2:
>>>>
>>>> # Global parameters
>>>> [global]
>>>>         netbios name = IUMSVRPDC
>>>>         realm = IUMNET.EDU.NA
>>>>         workgroup = IUMNET
>>>>         server role = active directory domain controller
>>>>         dns forwarder = 172.16.10.254
>>>>         # server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
>>>>         allow dns updates = nonsecure and secure
>>>>         ntlm auth = yes
>>>>         ldap server require strong auth = no
>>>>         time server = Yes
>>>>         template shell = /bin/bash
>>>>         template homedir = /home/%U
>>>>         # idmap config * : backend = tdb
>>>>         # idmap config *:range = 50000-1000000
>>>>         full_audit:prefix = %u|%I|%m|%S
>>>>         full_audit:failure = connect
>>>>         full_audit:success = connect disconnect
>>>>         tls enabled = yes
>>>>         tls keyfile = tls/key.pem
>>>>         tls certfile = tls/cert.pem
>>>>         tls cafile = tls/ca.pem
>>>>         log level = 9 dns:0
>>>>
>>>> [netlogon]
>>>>         path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
>>>>         read only = No
>>>>         browsable = no
>>>>
>>>> [sysvol]
>>>>         path = /var/lib/samba/sysvol
>>>>         read only = No
>>>>
>>>> samba-tool drs showrepl on DC-1 is replicating successfully except for below under INBOUND NEIGHBOR:
>>>>
>>>> DC=iumnet,DC=edu,DC=na
>>>> Default-First-Site-Name\IUMSVRPDC via RPC
>>>> DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
>>>> Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
>>>> 17863 consecutive failure(s).
>>>> Last success @ Sat Jan 13 23:16:52 2018 WAST
>>>
>>> This is probably your error. Replication of your main partition is not working. Domain members are changing their machine password once a month. If it has been changed on one of the servers, but the replication didn't go through to the other, it is normal to get the failure you are having.
>>>
>>> You should look at your samba log when trying replication for that partition. There is probably a corrupted entry somewhere that is preventing replication.
>>>
>>>> samba-tool drs showrepl on DC-2 is replicating successfully except for below under INBOUND NEIGHBOR:
>>>>
>>>> CN=Configuration,DC=iumnet,DC=edu,DC=na
>>>> Default-First-Site-Name\IUMDCDP01 via RPC
>>>> DSA object GUID: 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe
>>>> Last attempt @ Tue Jan 16 14:26:56 2018 CAT failed, result 58 (WERR_BAD_NET_RESP)
>>>> 1926 consecutive failure(s).
>>>> Last success @ Tue Jan 9 14:15:43 2018 CAT
>>>
>>> This is not good either, and should be resolved too.
>>>
>>> Cheers,
>>>
>>> Denis
>>>
>>> [1] It is in French, but your favorite search engine should be able to translate it for you: https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9
>>>
>>>> On Tue, Jan 16, 2018 at 11:49 AM, Denis Cardon <dcardon at tranquil.it> wrote:
>>>>> Hi Harsh,
>>>>>
>>>>>> I have two Samba 4 DCs as below:
>>>>>> server-1 with all FSMO roles running Samba 4.6.12 on Ubuntu 12.04
>>>>>> server-2 joined to server-1 as a DC running Samba 4.7.4 on Ubuntu 16.04
>>>>>>
>>>>>> The problem is when I share files from my Windows 2008 file sharing server, which shows it is logged on to the Server-2 DC, and the client PC which logs on to the server-1 DC cannot access the shared folder and gives the error "Logon Failure: The target account name is incorrect."
>>>>>
>>>>> Windows error messages are not very sysadmin friendly.
>>>>> Could you please use instead the smbclient command line from a domain member Linux client to do your debugging:
>>>>> kinit myusername
>>>>> smbclient -k //win2k8server/sharename -d 9
>>>>>
>>>>> And do it both with dc1 on and off.
>>>>>
>>>>>> To fix the problem I have to shut down the server-2 DC and restart my Windows file server, which then logs on to server-1, and then the client can access the shared folder.
>>>>>
>>>>> Could you check if replication is working properly?
>>>>> samba-tool drs showrepl
>>>>>
>>>>>> Please assist to fix this issue as I have to run both the DCs in the network.
>>>>>
>>>>> You should avoid wordings like "please assist for fix". It is deemed rude (at least in my culture) to give orders to people who don't owe you anything... There are many kind people on this mailing list that would be happy to help, but this kind of wording just makes them dismiss your message directly.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Denis