I've summarized a bit.. And I saw Rowland also answered already.
Below is anonymized, but it shows 2 completely different server setups.
I really suggest you set up your AD-DCs the same.

To sum up.

DC1

Samba is running as an AD DC but 'winbindd' is NOT running.
You are running SSSD on the AD-DC, which is not supported.
You're using a really out-dated OS..

The hosts file is not correct:
127.0.0.1 localhost.localdomain localhost
Better
127.0.0.1 localhost localhost.localdomain

resolv.conf is not correctly set up; sidenote, it's possible, but not needed.
nsswitch.conf refers to sss not winbind
Which is not supported.

Smb.conf..
realm = USE-CAPS-FOR-KERBEROSDOMAINS

You did not remove the base settings of a stand-alone server.
kdc:service ticket lifetime = 24
kdc:user ticket lifetime = 24
kdc:renewal lifetime = 168

Are better if set in krb5.conf

And AD-DC domain server, with guest ok = yes ?
By default no guest is allowed.

Shares with too long names might give problems.

Bind9
auth-nxdomain yes; # because this server is authoritative for this dnsdomain name.

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
Verify if bind still has access to that file.

# packages.
Still Lenny and Squeeze leftovers.

All in all.. Hmm, well, that's a lot of time to fix this.

Next DC2.
Debian 9.5, outdated, should be 9.9.

Hosts
Remove : 127.0.1.1 domain-controller

/etc/nsswitch.conf
No setup, possible, but often not wanted.

Smb.conf
A good to bad setting shown in realm=
winbind use default domain = true
Where this is not working on the AD-DCs.

The kdc: entries to be removed.

2x ldap server require strong auth = no

This server used internal DNS, the other BIND9_DLZ

> -----Original message-----
> From: Adam Weremczuk [mailto:adamw at matrixscience.com]
> Sent: Tuesday 16 July 2019 14:03
> To: L.P.H. van Belle; Rowland penny
> Subject: Re: [Samba] messy replication
>
> Hi Louis and Rowland,
>
> Thank you for a prompt reply.
> I'm ok with skipping anonymisation as long as the files are only shared
> with you and maybe a small audience of other trusted Samba gurus.
> .... Removed ..
> Both diagnostic log files attached.
>
> Thanks,
> Adam
>
> On 16/07/19 12:38, L.P.H. van Belle via samba wrote:
> > Can you run this on both your DC's
> >
> > wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> > bash samba-collect-debug-info.sh
> >
> > As I'm seeing multiple "invalid parameter" messages, we need to see more of the setup.
> > Anonymize the output if needed.
> >
> > Run this on both DC's : touch /etc/samba/lmhosts
> > And that lmhosts message is gone.
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Adam Weremczuk via samba
> >> Sent: Tuesday 16 July 2019 13:30
> >> To: samba at lists.samba.org
> >> Subject: [Samba] messy replication
> >>
> >> Hi all,
> >>
> >> I have an old dc (4.0.9). Let's call it dc1.
> >> I also have a new one (4.5.16) which I'm planning to switch to. Let's call it dc2.
> >>
> >> After initial set up of dc2 I initialised replication and things looked
> >> ok for a couple of weeks.
> >> Recently I've managed to mess it up. Possibly by editing users and DNS
> >> records. Or copying Kerberos cache and trying to use it elsewhere for
> >> DHCP with DDNS.
> >>
> >> I can connect to DNS with Windows domain tool fine and can see both
> >> domain controllers.
> >>
> >> Active Directory Users and Computers fails intermittently (not always) with:
> >>
> >> "Naming information cannot be located because:
> >> The user name or password is incorrect.
> >> Contact your system administrator to verify that your domain is properly
> >> configured and is currently online"
> >>
> >> Another symptom is network drives not being automatically mounted with
> >> group policy (similar authentication error).
> >> They can be mounted manually though.
> >> Users can log in and computers can quit and rejoin the domain.
> >> So the situation is not dramatic yet.
> >>
> >> Errors from samba-tool (output abbreviated).
> >>
> >> *dc1:* samba-tool drs showrepl
> >>
> >> ==== INBOUND NEIGHBORS ====
> >>
> >> DC=DomainDnsZones
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1463 consecutive failure(s)
> >>
> >> DC=ForestDnsZones
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1463 consecutive failure(s)
> >>
> >> DC=my_domain_name
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1474 consecutive failure(s)
> >>
> >> DC=Schema
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1463 consecutive failure(s)
> >>
> >> DC=Configuration
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1463 consecutive failure(s)
> >>
> >> ==== OUTBOUND NEIGHBORS ====
> >>
> >> DC=DomainDnsZones
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 26 consecutive failure(s)
> >>
> >> DC=ForestDnsZones
> >> Last attempt @ NTTIME(0) was successful
> >> 0 consecutive failure(s)
> >>
> >> DC=my_domain_name
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 26 consecutive failure(s)
> >>
> >> DC=Schema
> >> Last attempt @ NTTIME(0) was successful
> >> 0 consecutive failure(s)
> >>
> >> DC=Configuration
> >> Last attempt @ NTTIME(0) was successful
> >> 0 consecutive failure(s)
> >>
> >> *dc2:* All the sections above show success but I can see some other errors:
> >>
> >> resolve_lmhosts: Attempting lmhosts lookup for name dc2.my_domain_name<0x20>
> >> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
> >> such file or directory
> >>
> >> Server ldap/dc2.my_domain_name at my_domain_name is not registered with our
> >> KDC: Miscellaneous failure (see text): Server
> >> (ldap/dc2.my_domain_name at my_domain_name) unknown
> >> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
> >> NT_STATUS_INVALID_PARAMETER
> >>
> >> *dc1:* samba-tool dbcheck
> >>
> >> Checking 466 objects
> >> ERROR: orphaned backlink attribute 'memberOf' in CN=...
> >> Not removing orphaned backlink member
> >>
> >> ERROR: incorrect DN string component for member in object CN=...
> >> Not fixing incorrect string version of DN
> >>
> >> ERROR: orphaned backlink attribute 'memberOf' in CN=...
> >> Not removing orphaned backlink member
> >>
> >> Please use --fix to fix these errors
> >> Checked 466 objects (86 errors)
> >>
> >> *dc2:* samba-tool dbcheck
> >>
> >> Processing section "[netlogon]"
> >> Processing section "[sysvol]"
> >> pm_process() returned Yes
> >> Checking 466 objects
> >> Checked 466 objects (0 errors)
> >>
> >> I don't care about any data on dc2. I'm happy to purge it and re-run
> >> replication if it makes my issue go away.
> >>
> >> But I do care a lot about dc1 since it's live and was working fine not
> >> long ago.
> >>
> >> What's the likely root cause of my problems?
> >>
> >> How to fix it safely without risking things getting worse?
> >>
> >> Is it safe to run "samba-tool dbcheck --fix" on dc1?
> >>
> >> Any other hints?
> >>
> >> Thanks,
> >> Adam
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
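The `samba-tool drs showrepl` output quoted above is easier to reason about once the failing links are pulled out per partition and direction. The script below is an added example written for this page, not code from the thread or from Samba: it parses showrepl text into one record per partition under each NEIGHBORS section. `SAMPLE` is constructed from Adam's abbreviated output (a subset of the partitions, failure counts as posted, section headers in showrepl's normal form). The `@ NTTIME(0) was successful` lines deserve attention: the timestamp is zero, so no attempt has actually been recorded for that link, and the script flags those separately instead of treating them as proof the link works.

```python
"""Parse `samba-tool drs showrepl` output and list the replication links that are failing.

Added example for this thread, not code from Samba or from either poster. SAMPLE is
constructed from the abbreviated output quoted above (a subset of the partitions,
with the failure counts as posted and the headers in showrepl's usual form).
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^=+\s*(INBOUND|OUTBOUND) NEIGHBORS\s*=+")
PARTITION_RE = re.compile(r"^\s*((?:DC|CN)=\S+)")
ATTEMPT_RE = re.compile(r"Last attempt\b.*?(?:(was successful)|failed, result (\d+) \((\w+)\))")
FAILURES_RE = re.compile(r"(\d+) consecutive failure\(s\)")


@dataclass
class Link:
    direction: str                 # "INBOUND" (this DC pulls) or "OUTBOUND" (partners pull from it)
    partition: str                 # naming context, e.g. DC=Configuration
    ok: bool = True                # last attempt reported success
    result: int = 0                # Win32 error of the last attempt; 87 is WERR_INVALID_PARAM
    werr: str = ""
    consecutive_failures: int = 0
    never_attempted: bool = False  # "@ NTTIME(0)": zero timestamp, no attempt actually recorded


def parse_showrepl(text):
    """Return one Link per partition under each NEIGHBORS section, in file order."""
    links, direction, current = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            direction, current = m.group(1), None
            continue
        if direction is None:          # preamble before the first section
            continue
        m = PARTITION_RE.match(line)
        if m:
            current = Link(direction, m.group(1))
            links.append(current)
            continue
        if current is None:
            continue
        m = ATTEMPT_RE.search(line)
        if m:
            if m.group(1):
                current.ok, current.never_attempted = True, "NTTIME(0)" in line
            else:
                current.ok, current.result, current.werr = False, int(m.group(2)), m.group(3)
            continue
        m = FAILURES_RE.search(line)
        if m:
            current.consecutive_failures = int(m.group(1))
    return links


def failing_links(text):
    """Links whose last attempt failed or that still carry a failure streak."""
    return [l for l in parse_showrepl(text) if not l.ok or l.consecutive_failures]


SAMPLE = """\
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones
    Last attempt failed, result 87 (WERR_INVALID_PARAM)
    1463 consecutive failure(s)
DC=my_domain_name
    Last attempt failed, result 87 (WERR_INVALID_PARAM)
    1474 consecutive failure(s)
DC=Configuration
    Last attempt failed, result 87 (WERR_INVALID_PARAM)
    1463 consecutive failure(s)
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones
    Last attempt failed, result 87 (WERR_INVALID_PARAM)
    26 consecutive failure(s)
DC=ForestDnsZones
    Last attempt @ NTTIME(0) was successful
    0 consecutive failure(s)
DC=Configuration
    Last attempt @ NTTIME(0) was successful
    0 consecutive failure(s)
"""

if __name__ == "__main__":
    import sys
    # With real output piped in (samba-tool drs showrepl | python3 <this file>) parse that,
    # otherwise report on the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for l in failing_links(text):
        print(f"{l.direction:8} {l.partition:24} result={l.result} ({l.werr}) streak={l.consecutive_failures}")
    for l in parse_showrepl(text):
        if l.never_attempted:
            print(f"{l.direction:8} {l.partition:24} no recorded attempt (NTTIME(0))")
```

Result 87 is the same WERR_INVALID_PARAM Adam sees on every inbound link; a partition whose outbound counterpart reports "successful" with NTTIME(0) has no recorded attempt at all, which is a different condition from a link that worked and then broke, and the two should not be lumped together when deciding whether replication ever ran.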
On 16/07/2019 13:49, L.P.H. van Belle via samba wrote:
> I've summarized a bit..
> And I saw Rowland also answered already.
> [...]

Virtually what I found, an out of date Samba AD DC that was wrongly set up in the first place.
I would demote DC2 and then fix DC1 before joining a new second DC (with a different name)

Rowland
Hai Rowland,

Yes, agree here, better correct DC1, then join new.

So I'll post this; it's focused on Debian servers, but usable for any other.
I've run the debug on the company AD-DC server here.

A good example for an AD-DC setup with Bind9_DLZ.
And remember, most is on/from wiki.samba.org

I'm running this. ( Debian Stretch as AD-DC )

This server started as a wheezy server and is upgraded to stretch, and soon to buster.
The base of the debug script results shown below is this setup.

https://github.com/thctlo/samba4/blob/master/howtos/
If you follow these howtos your setup will be much better.
Use that and the output below also to adjust your settings.
P.S. the above is based on jessie and samba 4.5.x, small adjustments might be needed.
Collected config --- 2019-07-16-14:51 -----------
Hostname: dc1
DNS Domain: internal.dnsdomain.tld
FQDN: dc1.internal.dnsdomain.tld
ipaddress: 192.168.1.1
-----------
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 9.9 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 82:1c:e1:ab:0e:76 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.249.255 scope global eth0
-----------
Checking file: /etc/hosts
127.0.0.1 localhost localhost.localdomain
192.168.1.1 dc1.internal.dnsdomain.tld dc1
-----------
Checking file: /etc/resolv.conf
# DC 1 is the first resolver for both DC's.
search internal.dnsdomain.tld
nameserver 192.168.1.1
nameserver 192.168.1.2
# Fallback for internet if both (samba-ad-dc) are down.
#nameserver 8.8.8.8
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = YOUR.REALM.TLD
dns_lookup_kdc = true
dns_lookup_realm = false
forwardable = true
proxiable = true
; ticket_lifetime = 24h
; ccache_type = 4
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
log level = 0
workgroup = BAZRTD
realm = YOUR.REALM.TLD
netbios name = DC1
server role = active directory domain controller
server services = -dns -spoolss
interfaces = 192.168.1.1 127.0.0.1
bind interfaces only = yes
# Don't forget to set the idmap_ldb on ALL DC's if you use it
idmap_ldb:use rfc2307 = yes
# expand groups is default set to 0,
# My setup needs a minimum of 2, preferred 4. But the higher the number, the slower your samba.
#winbind expand groups = 1
# Since we can't use : winbind nss info = rfc2307 : on the DC's.
template shell = /bin/bash
template homedir = /home/users/%U
# disable printing completely, when set empty no error log messages.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# disable usershare creation; when set empty there is no error in the logs.
usershare path =
# Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/dc1.key.pem
tls certfile = /etc/ssl/local/certs/dc1.cert.pem
tls cafile = /etc/ssl/certs/company-ca.pem
# Select what you need here.
# ldap server require strong auth = yes
# ldap server require strong auth = allow_sasl_over_tls
ldap server require strong auth = no
[sysvol]
path = /var/lib/samba/sysvol
read only = No
# acl_xattr:ignore system acls = yes # optional, i have these enabled.
[netlogon]
path = /home/samba/sysvol/internal.dnsdomain.tld/scripts
read only = No
# acl_xattr:ignore system acls = yes # optional, i have these enabled.
# comment on acl_xattr:ignore system acls = yes
# why not use it, you get better ACL's and only windows pc's use these.
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
// Defined ACL Begin
acl thisserverip {
192.168.1.1;
};
acl all-networks {
192.168.1.0/24; 10.1.0.0/16;
};
// Defined ACL End
options {
directory "/var/cache/bind";
version "0.0.7";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// XenoSite DNS servers + google DNS
forwarders { 62.212.131.101; 62.212.128.130; 8.8.8.8; };
//=======================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//=======================================================================
dnssec-validation no;
auth-nxdomain yes;
listen-on-v6 { "none"; };
listen-on port 53 { "thisserverip"; 127.0.0.1; };
notify no;
empty-zones-enable no;
// Add any subnets or hosts you want to allow to use this DNS server
allow-query { "all-networks"; 127.0.0.1/32; };
// Add any subnets or hosts you want to allow to use recursive queries
allow-recursion { "all-networks"; 127.0.0.1/32; };
// https://wiki.samba.org/index.php/Dns-backend_bind
// DNS dynamic updates via Kerberos (optional, but recommended)
// Beware, samba 4.8 and lower.
//tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
// Beware, samba 4.9 and up.
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// adding the dlopen ( Bind DLZ ) module for samba, beware, if you are using bind 9.9 then you need to change this manually
include "/var/lib/samba/bind-dns/named.conf";
// handy to have and ready to enable
//include "/etc/bind/named.conf.logging"
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list: 15 zone(s) found
.... I removed some here.
pszZoneName : internal.dnsdomain.tld
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.internal.dnsdomain.tld
pszZoneName : 1.168.192
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.internal.dnsdomain.tld
pszZoneName : _msdcs.internal.dnsdomain.tld
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.internal.dnsdomain.tld
Samba DNS zone list Automated check :
-----------
zone : internal.dnsdomain.tld ok, no Bind flat-files found
-----------
zone : 1.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : _msdcs.internal.dnsdomain.tld ok, no Bind flat-files found
-----------
Installed packages:
ii acl 2.2.52-3+b1 amd64 Access control list utilities
ii attr 1:2.4.47-2+b2 amd64 Utilities for manipulating filesystem extended attributes
ii bind9 1:9.10.3.dfsg.P4-12.3+deb9u5 amd64 Internet Domain Name Server
ii bind9-host 1:9.10.3.dfsg.P4-12.3+deb9u5 amd64 Version of 'host' bundled with BIND 9.X
ii bind9utils 1:9.10.3.dfsg.P4-12.3+deb9u5 amd64 Utilities for BIND
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos
ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library
ii libacl1-dev 2.2.52-3+b1 amd64 Access control list static libraries and headers
ii libattr1:amd64 1:2.4.47-2+b2 amd64 Extended attribute shared library
ii libattr1-dev:amd64 1:2.4.47-2+b2 amd64 Extended attribute static libraries and headers
ii libbind9-140:amd64 1:9.10.3.dfsg.P4-12.3+deb9u5 amd64 BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.7-4 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba winbind client library
ii python-samba 2:4.10.6+nmu-1.1deb9~1 amd64 Python bindings for Samba
ii python3-xattr 0.9.1-1 amd64 module for manipulating filesystem extended attributes - Python 3
ii samba 2:4.10.6+nmu-1.1deb9~1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.10.6+nmu-1.1deb9~1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.10.6+nmu-1.1deb9~1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.10.6+nmu-1.1deb9~1 amd64 command-line SMB/CIFS clients for Unix
ii ssh-krb5 1:7.4p1-10+deb9u6 all secure shell client and server (transitional package)
ii winbind 2:4.10.6+nmu-1.1deb9~1 amd64 service to resolve user and group information from Windows NT servers
ii xattr 0.9.1-1 amd64 tool for manipulating filesystem extended attributes
-----------
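Louis's checklist at the top of the thread and the clean configuration he posts here come down to a handful of file-level checks: no 127.0.1.1 hostname entry and `localhost` first on the loopback line in /etc/hosts, winbind rather than sss in nsswitch.conf, an upper-case realm, no `kdc:` parameters and no `winbind use default domain` in a DC's smb.conf, guest access off by default, and `ldap server require strong auth` left at its default of yes unless there is a reason not to. The script below, an added example written for this page rather than code from the thread or from Samba, encodes those rules as lint functions over the text of the four files. The file contents, the name dc1.ad.example.tld and the address 192.168.1.1 are constructed samples and the finding codes are my own. One check goes beyond the thread: the `des-cbc-*` enctypes still listed in the posted krb5.conf are single DES, which MIT Kerberos has disabled by default for years and removed outright in 1.18, so they should be dropped regardless of what else is fixed.

```python
"""Lint a Samba AD DC's /etc/hosts, nsswitch.conf, smb.conf and krb5.conf for the
problems listed in this thread. Added example for this page, not code from Samba or
from either poster; file texts, host name, IP and finding codes below are constructed.
Each lint_* function returns a list of (severity, code, message) tuples.
"""


def _lines(text):
    """Non-empty lines, stripped, with comment lines ('#' or ';' first) dropped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            yield line


def parse_ini(text):
    """Tiny smb.conf/krb5.conf reader: {section: {key: value}}; a later duplicate key wins."""
    sections, current = {}, None
    for line in _lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def lint_hosts(text, fqdn, ip):
    out, seen = [], False
    for line in _lines(text):
        addr, *names = line.split()
        if addr == "127.0.1.1":  # Debian installer leftover: maps the host name to loopback
            out.append(("error", "HOSTS_127_0_1_1", f"remove '{line}'"))
        if addr == "127.0.0.1" and names[:1] != ["localhost"]:
            out.append(("warn", "HOSTS_LOCALHOST_ORDER", "list 'localhost' before localhost.localdomain"))
        if fqdn in names:
            seen = True
            if addr != ip:
                out.append(("error", "HOSTS_FQDN_WRONG_IP", f"{fqdn} -> {addr}, expected {ip}"))
    if not seen:
        out.append(("error", "HOSTS_FQDN_MISSING", f"no entry for {fqdn}"))
    return out


def lint_nsswitch(text):
    out = []
    for line in _lines(text):
        db, _, sources = line.partition(":")
        if db.strip() in ("passwd", "group"):
            srcs = sources.split()
            if "sss" in srcs:
                out.append(("error", "NSS_SSS_ON_DC", f"{db}: sss (SSSD is not supported on a Samba AD DC)"))
            if "winbind" not in srcs:
                out.append(("error", "NSS_NO_WINBIND", f"{db}: winbind missing"))
    return out


def lint_smb_conf(text):
    out, conf = [], parse_ini(text)
    g = conf.get("global", {})
    realm = g.get("realm", "")
    if realm != realm.upper():
        out.append(("error", "REALM_NOT_UPPERCASE", f"realm = {realm}"))
    for key in g:
        if key.startswith("kdc:"):
            out.append(("error", "KDC_PARAM_IN_SMB_CONF", f"'{key}' belongs in krb5.conf"))
    if "winbind use default domain" in g:
        out.append(("error", "WINBIND_DEFAULT_DOMAIN_ON_DC", "does not work on an AD DC; remove it"))
    if g.get("ldap server require strong auth", "yes").lower() == "no":  # Samba's default is yes
        out.append(("warn", "LDAP_STRONG_AUTH_OFF", "simple binds over cleartext LDAP are accepted"))
    for name, sec in conf.items():
        if sec.get("guest ok", "no").lower() in ("yes", "true", "1"):
            out.append(("warn", "GUEST_OK", f"[{name}] allows guest access"))
    return out


def lint_krb5_conf(text):
    out, lib = [], parse_ini(text).get("libdefaults", {})
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        for enc in lib.get(key, "").split():
            if enc.startswith("des-cbc"):  # single DES: off by default in MIT krb5, removed in 1.18
                out.append(("error", "DES_ENCTYPE", f"{key}: {enc}"))
            elif enc == "rc4-hmac":
                out.append(("warn", "RC4_ENCTYPE", f"{key}: {enc} (legacy; keep only while a client needs it)"))
    return out


def codes(findings):
    """Sorted, de-duplicated finding codes, handy for a quick pass/fail."""
    return sorted({code for _, code, _ in findings})


# Constructed samples: the BAD_* set mirrors the DC1/DC2 findings in the thread, GOOD_* a clean DC.
BAD_HOSTS = "127.0.0.1 localhost.localdomain localhost\n127.0.1.1 dc1\n192.168.1.1 dc1.ad.example.tld dc1\n"
BAD_NSSWITCH = "passwd: compat sss\ngroup: compat sss\nhosts: files dns\n"
BAD_SMB = ("[global]\nrealm = ad.example.tld\nserver role = active directory domain controller\n"
           "kdc:user ticket lifetime = 24\nwinbind use default domain = true\n"
           "ldap server require strong auth = no\n[public]\npath = /srv/public\nguest ok = yes\n")
GOOD_HOSTS = "127.0.0.1 localhost localhost.localdomain\n192.168.1.1 dc1.ad.example.tld dc1\n"
GOOD_NSSWITCH = "passwd: compat winbind\ngroup: compat winbind\n"
GOOD_SMB = "[global]\nrealm = AD.EXAMPLE.TLD\nserver role = active directory domain controller\n"
KRB5 = "[libdefaults]\ndefault_realm = AD.EXAMPLE.TLD\npermitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc\n"

if __name__ == "__main__":
    for name, findings in (("hosts", lint_hosts(BAD_HOSTS, "dc1.ad.example.tld", "192.168.1.1")),
                           ("nsswitch", lint_nsswitch(BAD_NSSWITCH)),
                           ("smb.conf", lint_smb_conf(BAD_SMB)), ("krb5.conf", lint_krb5_conf(KRB5))):
        for sev, code, msg in findings:
            print(f"{name}: {sev} {code}: {msg}")
```

To run it against a live DC, read the real files (`open("/etc/samba/smb.conf").read()` and so on) and pass the DC's own FQDN and address to `lint_hosts`; the parser deliberately ignores include directives and per-share `copy =` lines, so anything pulled in that way needs linting separately. `ldap server require strong auth = no` is only a warning because the posted config sets it on purpose, but it means a client can authenticate with a cleartext simple bind on port 389, which is exactly what `allow_sasl_over_tls` or the default `yes` prevents.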
Hi all,

I'm simply overwhelmed with both the speed and quality of responses.
I wish all mailing lists and forums were like this!

I'm going to follow your suggestions and try to follow the template below.
My choice of new DC will probably be 4.9.5 on buster.

What steps would you recommend to unlink my broken 4.0.9 -> 4.5.16 replication before shutting down 4.5.16?
Is it sufficient to follow this: https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC ?
I'm just being extra cautious and double checking.

Thanks,
Adam

On 16/07/19 14:11, L.P.H. van Belle via samba wrote:
> Hai Rowland,
>
> Yes, agree here, better correct DC1, then join new.
> [...]