Hi all,

I have an old dc (4.0.9). Let's call it dc1.
I also have a new one (4.5.16) which I'm planning to switch to. Let's call it dc2.

After initial set up of dc2 I initialised replication and things looked ok for a couple of weeks.
Recently I've managed to mess it up. Possibly by editing users and DNS records. Or copying Kerberos cache and trying to use it elsewhere for DHCP with DDNS.

I can connect to DNS with Windows domain tool fine and can see both domain controllers.

Active Directory Users and Computers fails intermittently (not always) with:

"Naming information cannot be located because:
The user name or password is incorrect.
Contact your system administrator to verify that your domain is properly configured and is currently online"

Another symptom is network drives not being automatically mounted with group policy (similar authentication error).
They can be mounted manually though.
Users can log in and computers can quit and rejoin the domain.
So the situation is not dramatic yet.

Errors from samba-tool (output abbreviated).
*dc1:* samba-tool drs showrepl

==== INBOUND NEIGHBORS ===

DC=DomainDnsZones
Last attempt failed, result 87 (WERR_INVALID_PARAM)
1463 consecutive failure(s)

DC=ForestDnsZones
Last attempt failed, result 87 (WERR_INVALID_PARAM)
1463 consecutive failure(s)

DC=my_domain_name
Last attempt failed, result 87 (WERR_INVALID_PARAM)
1474 consecutive failure(s)

DC=Schema
Last attempt failed, result 87 (WERR_INVALID_PARAM)
1463 consecutive failure(s)

DC=Configuration
Last attempt failed, result 87 (WERR_INVALID_PARAM)
1463 consecutive failure(s)

==== OUTBOUND NEIGHBORS ===

DC=DomainDnsZones
Last attempt failed, result 87 (WERR_INVALID_PARAM)
26 consecutive failure(s)

DC=ForestDnsZones
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s)

DC=my_domain_name
Last attempt failed, result 87 (WERR_INVALID_PARAM)
26 consecutive failure(s)

DC=Schema
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s)

DC=Configuration
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s)

*dc2:* All the sections above show success but I can see some other errors:

resolve_lmhosts: Attempting lmhosts lookup for name dc2.my_domain_name<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory

Server ldap/dc2.my_domain_name at my_domain_name is not registered with our KDC:? Miscellaneous failure (see text): Server (ldap/dc2.my_domain_name at my_domain_name) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER

*dc1:* samba-tool dbcheck

Checking 466 objects
ERROR: orphaned backlink attribute 'memberOf' in CN=...
Not removing orphaned backlink member

ERROR: incorrect DN string component for member in object CN=...
Not fixing incorrect string version of DN

ERROR: orphaned backlink attribute 'memberOf' in CN=...
Not removing orphaned backlink member

Please use --fix to fix these errors
Checked 466 objects (86 errors)

*dc2:* samba-tool dbcheck

Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Checking 466 objects
Checked 466 objects (0 errors)

I don't care about any data on dc2. I'm happy to purge it and re-run replication if it makes my issue go away.

But I do care a lot about dc1 since it's live and was working fine not long ago.

What's the likely root cause of my problems?

How to fix it safely without risking things getting worse?

Is it safe to run "samba-tool dbcheck --fix" on dc1?

Any other hints?

Thanks,
Adam
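The replication state shown above (1463 consecutive failures) had been building up for weeks before anyone noticed. The following is an added example, not part of the thread or of samba-tool: a POSIX sh function that parses the text output of `samba-tool drs showrepl`, prints every inbound or outbound neighbour with a non-zero failure counter, and returns a non-zero exit status so it can sit in a cron job or monitoring check. The sample input is constructed to mirror the abbreviated dc1 output quoted in the mail; the partition names and counts are taken from there, nothing else is real data.

```shell
#!/bin/sh
# Added example (not from the thread): flag every replication neighbour that
# `samba-tool drs showrepl` reports as failing.

# Parse showrepl text on stdin. Prints one line per failing neighbour as
# "<INBOUND|OUTBOUND> <partition> <failures> <result>" and returns 1 if any
# neighbour has consecutive failures, 0 if all are healthy.
report_showrepl_failures() {
    awk '
        /^==== INBOUND NEIGHBORS/  { dir = "INBOUND";  next }
        /^==== OUTBOUND NEIGHBORS/ { dir = "OUTBOUND"; next }
        /^==== /                   { dir = "";         next }   # other sections, e.g. KCC objects
        # Partition header such as "DC=DomainDnsZones,DC=example,DC=com": keep the first RDN
        dir != "" && /^(DC|CN)=/   { part = $1; sub(/,.*/, "", part); next }
        # Failed attempt line: remember the result text, e.g. "87 (WERR_INVALID_PARAM)"
        dir != "" && /Last attempt .*failed, result/ { res = $0; sub(/.*result /, "", res); next }
        # The failure counter follows the attempt line; report it when non-zero
        dir != "" && /consecutive failure/ {
            n = $1 + 0
            if (n > 0) { printf "%s %s %d %s\n", dir, part, n, res; bad = 1 }
            res = ""
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample modelled on the abbreviated dc1 output in the mail (not real
# captured output). On a live DC you would pipe the real thing:
#   samba-tool drs showrepl | report_showrepl_failures
sample_showrepl() {
    cat <<'EOF'
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones
		Last attempt failed, result 87 (WERR_INVALID_PARAM)
		1463 consecutive failure(s)
DC=ForestDnsZones
		Last attempt failed, result 87 (WERR_INVALID_PARAM)
		1463 consecutive failure(s)
DC=my_domain_name
		Last attempt failed, result 87 (WERR_INVALID_PARAM)
		1474 consecutive failure(s)
DC=Schema
		Last attempt failed, result 87 (WERR_INVALID_PARAM)
		1463 consecutive failure(s)
DC=Configuration
		Last attempt failed, result 87 (WERR_INVALID_PARAM)
		1463 consecutive failure(s)
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones
		Last attempt failed, result 87 (WERR_INVALID_PARAM)
		26 consecutive failure(s)
DC=ForestDnsZones
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s)
DC=my_domain_name
		Last attempt failed, result 87 (WERR_INVALID_PARAM)
		26 consecutive failure(s)
DC=Schema
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s)
DC=Configuration
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s)
EOF
}

# Stand-alone demo: prints the seven failing neighbours and a summary line
sample_showrepl | report_showrepl_failures || echo "replication problems found, check showrepl"
```

The check deliberately keys on the failure counter rather than on the last-attempt line alone, so a partner that failed once and then recovered (counter back to 0) is not reported, while one stuck on WERR_INVALID_PARAM for weeks is.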
Can you run this on both your DC's

wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
bash samba-collect-debug-info.sh

As I'm seeing multiple "invalid parameter" messages, we need to see more of the setup.
Anonymise the output if needed.

Run this on both DC's : touch /etc/samba/lmhosts
And that lmhosts message is gone.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Adam Weremczuk via samba
> Sent: Tuesday 16 July 2019 13:30
> To: samba at lists.samba.org
> Subject: [Samba] messy replication
On 16/07/2019 12:30, Adam Weremczuk via samba wrote:
> Hi all,
>
> I have an old dc (4.0.9). Let's call it dc1.

Yes, that is an old DC ;-)

> I also have a new one (4.5.16) which I'm planning to switch to. Let's call it dc2.

No that is still an old DC ;-)

> After initial set up of dc2 I initialised replication and things looked ok for a couple of weeks.
> Recently I've managed to mess it up. Possibly by editing users and DNS records.

How did you edit the users and why ?

> Or copying Kerberos cache and trying to use it elsewhere for DHCP with DDNS.

You do not use the kerberos cache with dhcp.

> I can connect to DNS with Windows domain tool fine and can see both domain controllers.
>
> Active Directory Users and Computers fails intermittently (not always) with:
>
> "Naming information cannot be located because:
> The user name or password is incorrect.
> Contact your system administrator to verify that your domain is properly configured and is currently online"
>
> Another symptom is network drives not being automatically mounted with group policy (similar authentication error).
> They can be mounted manually though.
> Users can log in and computers can quit and rejoin the domain.
> So the situation is not dramatic yet.
>
> Errors from samba-tool (output abbreviated).
>
> *dc1:* samba-tool drs showrepl
>
> ==== INBOUND NEIGHBORS ===
>
> DC=DomainDnsZones
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1463 consecutive failure(s)
>
> DC=ForestDnsZones
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1463 consecutive failure(s)
>
> DC=my_domain_name
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1474 consecutive failure(s)
>
> DC=Schema
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1463 consecutive failure(s)
>
> DC=Configuration
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1463 consecutive failure(s)
>
> ==== OUTBOUND NEIGHBORS ===
>
> DC=DomainDnsZones
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 26 consecutive failure(s)
>
> DC=ForestDnsZones
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s)
>
> DC=my_domain_name
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 26 consecutive failure(s)
>
> DC=Schema
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s)
>
> DC=Configuration
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s)
>
> *dc2:* All the sections above show success but I can see some other errors:
>
> resolve_lmhosts: Attempting lmhosts lookup for name dc2.my_domain_name<0x20>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory

That isn't an error as such, so it can be ignored.

> Server ldap/dc2.my_domain_name at my_domain_name is not registered with our KDC:? Miscellaneous failure (see text): Server (ldap/dc2.my_domain_name at my_domain_name) unknown
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER

It looks like the SPN hasn't replicated.

> *dc1:* samba-tool dbcheck
>
> Checking 466 objects
> ERROR: orphaned backlink attribute 'memberOf' in CN=...
> Not removing orphaned backlink member

Ah, did you remove a 'member' attribute from a group ?

> ERROR: incorrect DN string component for member in object CN=...
> Not fixing incorrect string version of DN
>
> ERROR: orphaned backlink attribute 'memberOf' in CN=...
> Not removing orphaned backlink member
>
> Please use --fix to fix these errors
> Checked 466 objects (86 errors)
>
> *dc2:* samba-tool dbcheck
>
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> Checking 466 objects
> Checked 466 objects (0 errors)
>
> I don't care about any data on dc2. I'm happy to purge it and re-run replication if it makes my issue go away.
>
> But I do care a lot about dc1 since it's live and was working fine not long ago.
>
> What's the likely root cause of my problems?
>
> How to fix it safely without risking things getting worse?
>
> Is it safe to run "samba-tool dbcheck --fix" on dc1?
>
> Any other hints?
>
> Thanks,
> Adam

I see Louis has responded, please do what he has requested and we will take it from there.

Rowland
On 16/07/2019 13:03, Adam Weremczuk wrote:
> Hi Louis and Rowland,
>
> Thank you for a prompt reply.
>
> I'm ok with skipping anonymisation as long as the files are only shared with you and maybe a small audience of other trusted Samba gurus.

OK, after reading your files, there are numerous problems, but the main one is, you are using the Wheezy DC as if it was a fileserver. Now this is permissible for a small office, but you seem to be taking it to extremes, 15 shares!

As for the other problems, do you want them listed here or offlist ?

Rowland
I've summarised a bit.. And I saw Rowland also answered already.

Below is anonymised, but it shows 2 completely different server setups.
I really suggest you set up your AD-DC's the same.

To sum up.

DC1
Samba is running as an AD DC but 'winbindd' is NOT running.
You are running SSSD on the AD-DC, which is not supported.
You are using a really out-dated OS..

The hosts file is not correct :
127.0.0.1 localhost.localdomain localhost
Better
127.0.0.1 localhost localhost.localdomain

resolv.conf is not correctly set up; sidenote, it's possible, but not needed.

nsswitch.conf refers to sss not winbind
Which is not supported.

Smb.conf..
realm = USE-CAPS-FOR-KERBEROSDOMAINS
You did not remove the base settings of a stand alone server.
kdc:service ticket lifetime = 24
kdc:user ticket lifetime = 24
kdc:renewal lifetime = 168
Are better if set in krb5.conf

And AD-DC domain server, with guest ok = yes ?
By default no guest is allowed.

Shares with too long names might give problems.

Bind9
auth-nxdomain yes; # because this server is authoritative for this dnsdomain name.
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
Verify if bind still has access to that file.

# packages.
Still Lenny and Squeeze left overs.

All and all.. Hmm, well, that's a lot of time to fix this.

Next DC2.
Debian 9.5, out-dated, should be 9.9.

Hosts
Remove : 127.0.1.1 domain-controller

/etc/nsswitch.conf
No setup, possible, but often not wanted.

Smb.conf
A good to bad setting shown in realm =
winbind use default domain = true
Where this is not working on the AD-DC's.
The kdc: entries to be removed.
2x ldap server require strong auth = no

This server uses internal DNS, the other BIND9_DLZ

> -----Original message-----
> From: Adam Weremczuk [mailto:adamw at matrixscience.com]
> Sent: Tuesday 16 July 2019 14:03
> To: L.P.H. van Belle; Rowland penny
> Subject: Re: [Samba] messy replication
>
> Hi Louis and Rowland,
>
> Thank you for a prompt reply.
>
> I'm ok with skipping anonymisation as long as the files are only shared with you and maybe a small audience of other trusted Samba gurus.
>
> .... Removed ..
>
> Both diagnostic log files attached.
>
> Thanks,
> Adam
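Louis's summary above is a checklist (hosts ordering, no 127.0.1.1 line, winbind rather than sss in nsswitch.conf, upper-case realm, no kdc: options in smb.conf, no guest ok on a DC, winbind use default domain and ldap server require strong auth = no removed, share names not too long, an lmhosts file present). What follows is an added example, not from the thread and not part of samba-collect-debug-info.sh: a POSIX sh linter that reads those files from a directory mirroring /etc and prints one WARN line per finding, changing nothing. The two sample trees are constructed to reproduce the mistakes listed in the mail and a clean counterpart; the 12-character share-name threshold is my assumption, since the mail gives no number.

```shell
#!/bin/sh
# Added example (not from the thread): lint a DC's hosts / nsswitch.conf /
# smb.conf / lmhosts against the points raised in the mail. ROOT mirrors /etc
# ("/" on a live DC, or a copied tree). Nothing is modified.
SHARE_NAME_MAX=12   # assumed threshold for "too long" share names; the mail gives none

found=0
warn() { echo "WARN: $*"; found=$((found + 1)); }

lint_dc_config() {
    root=$1; found=0
    hosts="$root/etc/hosts"; nss="$root/etc/nsswitch.conf"; smb="$root/etc/samba/smb.conf"

    # /etc/hosts: "localhost" first on the loopback line, and no 127.0.1.1 entry
    grep -Eq '^127\.0\.0\.1[[:space:]]+localhost\.localdomain' "$hosts" \
        && warn "hosts: put 'localhost' before 'localhost.localdomain' on the 127.0.0.1 line"
    grep -Eq '^127\.0\.1\.1[[:space:]]' "$hosts" && warn "hosts: remove the 127.0.1.1 line"

    # nsswitch.conf: an AD DC resolves users/groups through winbind, not sss
    grep -Eq '^(passwd|group):.*[[:space:]]sss([[:space:]]|$)' "$nss" \
        && warn "nsswitch: sss is not supported on an AD DC, use winbind"
    grep -Eq '^(passwd|group):.*[[:space:]]winbind([[:space:]]|$)' "$nss" \
        || warn "nsswitch: passwd/group do not reference winbind"

    # smb.conf: drop comments and surrounding whitespace so lines are "key = value" or "[share]"
    conf=$(sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$smb")
    realm=$(printf '%s\n' "$conf" | awk -F= 'tolower($1) ~ /^realm[ \t]*$/ { v = $2; sub(/^[ \t]*/, "", v); print v; exit }')
    [ -n "$realm" ] && [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        && warn "smb.conf: realm '$realm' must be upper case"
    printf '%s\n' "$conf" | grep -Eiq '^kdc:' \
        && warn "smb.conf: kdc: ticket lifetimes belong in krb5.conf"
    printf '%s\n' "$conf" | grep -Eiq '^guest ok[[:space:]]*=[[:space:]]*(yes|true|1)$' \
        && warn "smb.conf: guest ok = yes on a domain controller"
    printf '%s\n' "$conf" | grep -Eiq '^winbind use default domain[[:space:]]*=[[:space:]]*(yes|true|1)$' \
        && warn "smb.conf: winbind use default domain does not work on an AD DC, remove it"
    printf '%s\n' "$conf" | grep -Eiq '^ldap server require strong auth[[:space:]]*=[[:space:]]*(no|false|0)$' \
        && warn "smb.conf: ldap server require strong auth = no drops the strong-auth requirement for LDAP binds, remove it"
    # share sections other than global/netlogon/sysvol (names containing spaces are split, acceptable here)
    long=$(printf '%s\n' "$conf" | awk -v max="$SHARE_NAME_MAX" '
        /^\[.*\]$/ { s = substr($0, 2, length($0) - 2); l = tolower(s)
                     if (l != "global" && l != "netlogon" && l != "sysvol" && length(s) > max) print s }')
    for s in $long; do warn "smb.conf: share name '$s' is longer than $SHARE_NAME_MAX characters"; done

    [ -e "$root/etc/samba/lmhosts" ] || warn "lmhosts: touch $root/etc/samba/lmhosts to silence the startlmhosts message"
    [ "$found" -eq 0 ]
}

# Constructed sample tree reproducing the problems listed in the mail (not the
# poster's real files); deliberately has no etc/samba/lmhosts.
make_bad_tree() {
    mkdir -p "$1/etc/samba"
    printf '127.0.0.1 localhost.localdomain localhost\n127.0.1.1 domain-controller\n' > "$1/etc/hosts"
    printf 'passwd: compat sss\ngroup: compat sss\nshadow: compat\n' > "$1/etc/nsswitch.conf"
    cat > "$1/etc/samba/smb.conf" <<'EOF'
[global]
   workgroup = MYDOM
   realm = mydom.example.internal
   server role = active directory domain controller
   kdc:service ticket lifetime = 24
   kdc:user ticket lifetime = 24
   kdc:renewal lifetime = 168
   winbind use default domain = true
   ldap server require strong auth = no
[netlogon]
   path = /var/lib/samba/sysvol/mydom.example.internal/scripts
   read only = No
[sysvol]
   path = /var/lib/samba/sysvol
   read only = No
[scanner_output_archive_2019]
   path = /srv/share
   guest ok = yes
EOF
}

# Constructed clean counterpart: lint_dc_config returns 0 for it.
make_good_tree() {
    mkdir -p "$1/etc/samba"
    printf '127.0.0.1 localhost localhost.localdomain\n' > "$1/etc/hosts"
    printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' > "$1/etc/nsswitch.conf"
    printf '[global]\n   realm = MYDOM.EXAMPLE.INTERNAL\n   server role = active directory domain controller\n[sysvol]\n   path = /var/lib/samba/sysvol\n[data]\n   path = /srv/data\n' > "$1/etc/samba/smb.conf"
    : > "$1/etc/samba/lmhosts"
}

# Stand-alone demo against the constructed bad tree
d=$(mktemp -d); make_bad_tree "$d"; lint_dc_config "$d" || echo "$found problem(s) found"; rm -rf "$d"
```

Run it against a live DC with `lint_dc_config /`, or against the tree unpacked from the debug-info archive of another machine to compare two DCs without logging in to both.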