I've summarized a bit.
And I saw Rowland also answered already.
Below is anonymized, but it shows 2 completely different server setups.
I really suggest you set up your AD-DCs the same.

To sum up.

DC1

Samba is running as an AD DC but 'winbindd' is NOT running.
You are running SSSD on the AD-DC, which is not supported.
You're using a really out-dated OS.

The hosts file is not correct:
127.0.0.1 localhost.localdomain localhost
Better:
127.0.0.1 localhost localhost.localdomain

resolv.conf is not correctly set up; side note, it's possible, but not needed.
nsswitch.conf refers to sss, not winbind.
Which is not supported.

Smb.conf:
realm = USE-CAPS-FOR-KERBEROSDOMAINS

You did not remove the base settings of a stand-alone server.
kdc:service ticket lifetime = 24
kdc:user ticket lifetime = 24
kdc:renewal lifetime = 168

These are better if set in krb5.conf.

And an AD-DC domain server, with guest ok = yes?
By default no guest is allowed.

Shares with too long names might give problems.

Bind9
auth-nxdomain yes; # because this server is authoritative for this DNS domain name.

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
Verify if bind still has access to that file.

# packages.
Still Lenny and Squeeze leftovers.

All in all... Hmm, well, that's a lot of time to fix this.

Next DC2.
Debian 9.5, out of date, should be 9.9.

Hosts
Remove: 127.0.1.1 domain-controller

/etc/nsswitch.conf
No setup; possible, but often not wanted.

Smb.conf
A good to bad setting shown in realm=
winbind use default domain = true
Where this is not working on the AD-DCs.

The kdc: entries to be removed.

2x ldap server require strong auth = no

This server uses internal DNS, the other BIND9_DLZ.

> -----Original message-----
> From: Adam Weremczuk [mailto:adamw at matrixscience.com]
> Sent: Tuesday 16 July 2019 14:03
> To: L.P.H. van Belle; Rowland penny
> Subject: Re: [Samba] messy replication
>
> Hi Louis and Rowland,
>
> Thank you for a prompt reply.
>
> I'm ok with skipping anonymisation as long as the files are only shared
> with you and maybe a small audience of other trusted Samba gurus.
> .... Removed ..
> Both diagnostic log files attached.
>
> Thanks,
> Adam
>
>
> On 16/07/19 12:38, L.P.H. van Belle via samba wrote:
> > Can you run this on both your DC's
> >
> > wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> > bash samba-collect-debug-info.sh
> >
> > As I'm seeing multiple "invalid parameter" messages, we need to see more of the setup.
> > Anonymize the output if needed.
> >
> > Run this on both DC's: touch /etc/samba/lmhosts
> > And that lmhosts message is gone.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Adam
> >> Weremczuk via samba
> >> Sent: Tuesday 16 July 2019 13:30
> >> To: samba at lists.samba.org
> >> Subject: [Samba] messy replication
> >>
> >> Hi all,
> >>
> >> I have an old dc (4.0.9). Let's call it dc1.
> >> I also have a new one (4.5.16) which I'm planning to switch to. Let's call it dc2.
> >>
> >> After initial set up of dc2 I initialised replication and things looked
> >> ok for a couple of weeks.
> >> Recently I've managed to mess it up. Possibly by editing users and DNS
> >> records. Or copying Kerberos cache and trying to use it elsewhere for
> >> DHCP with DDNS.
> >>
> >> I can connect to DNS with Windows domain tool fine and can see both
> >> domain controllers.
> >>
> >> Active Directory Users and Computers fails intermittently (not always) with:
> >>
> >> "Naming information cannot be located because:
> >> The user name or password is incorrect.
> >> Contact your system administrator to verify that your domain is properly
> >> configured and is currently online"
> >>
> >> Another symptom is network drives not being automatically mounted with
> >> group policy (similar authentication error).
> >> They can be mounted manually though.
> >> Users can log in and computers can quit and rejoin the domain.
> >> So the situation is not dramatic yet.
> >>
> >> Errors from samba-tool (output abbreviated).
> >>
> >> *dc1:* samba-tool drs showrepl
> >>
> >> ==== INBOUND NEIGHBORS ====
> >>
> >> DC=DomainDnsZones
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1463 consecutive failure(s)
> >>
> >> DC=ForestDnsZones
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1463 consecutive failure(s)
> >>
> >> DC=my_domain_name
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1474 consecutive failure(s)
> >>
> >> DC=Schema
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1463 consecutive failure(s)
> >>
> >> DC=Configuration
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1463 consecutive failure(s)
> >>
> >> ==== OUTBOUND NEIGHBORS ====
> >>
> >> DC=DomainDnsZones
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 26 consecutive failure(s)
> >>
> >> DC=ForestDnsZones
> >> Last attempt @ NTTIME(0) was successful
> >> 0 consecutive failure(s)
> >>
> >> DC=my_domain_name
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 26 consecutive failure(s)
> >>
> >> DC=Schema
> >> Last attempt @ NTTIME(0) was successful
> >> 0 consecutive failure(s)
> >>
> >> DC=Configuration
> >> Last attempt @ NTTIME(0) was successful
> >> 0 consecutive failure(s)
> >>
> >> *dc2:* All the sections above show success but I can see some other errors:
> >>
> >> resolve_lmhosts: Attempting lmhosts lookup for name dc2.my_domain_name<0x20>
> >> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
> >> such file or directory
> >>
> >> Server ldap/dc2.my_domain_name at my_domain_name is not registered with our
> >> KDC: Miscellaneous failure (see text): Server
> >> (ldap/dc2.my_domain_name at my_domain_name) unknown
> >> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
> >>
> >> *dc1:* samba-tool dbcheck
> >>
> >> Checking 466 objects
> >> ERROR: orphaned backlink attribute 'memberOf' in CN=...
> >> Not removing orphaned backlink member
> >>
> >> ERROR: incorrect DN string component for member in object CN=...
> >> Not fixing incorrect string version of DN
> >>
> >> ERROR: orphaned backlink attribute 'memberOf' in CN=...
> >> Not removing orphaned backlink member
> >>
> >> Please use --fix to fix these errors
> >> Checked 466 objects (86 errors)
> >>
> >> *dc2:* samba-tool dbcheck
> >>
> >> Processing section "[netlogon]"
> >> Processing section "[sysvol]"
> >> pm_process() returned Yes
> >> Checking 466 objects
> >> Checked 466 objects (0 errors)
> >>
> >> I don't care about any data on dc2. I'm happy to purge it and re-run
> >> replication if it makes my issue go away.
> >>
> >> But I do care a lot about dc1 since it's live and was working fine not
> >> long ago.
> >>
> >> What's the likely root cause of my problems?
> >>
> >> How to fix it safely without risking things getting worse?
> >>
> >> Is it safe to run "samba-tool dbcheck --fix" on dc1?
> >>
> >> Any other hints?
> >>
> >> Thanks,
> >> Adam
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
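A small checker for the DC1/DC2 faults Louis lists above (hosts ordering and the 127.0.1.1 entry, sss instead of winbind in nsswitch.conf, stand-alone leftovers and duplicated parameters in smb.conf), as an added example that is not part of the thread or of Samba itself. The sample files it checks are constructed here; the realm and host names in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: a sanity checker for the
# faults Louis lists on DC1/DC2 (hosts ordering and the 127.0.1.1 entry, sss instead
# of winbind in nsswitch.conf, standalone leftovers and duplicate parameters in
# smb.conf). Sample files are constructed below, so it runs offline.
set -u

# hosts: 127.0.0.1 must list 'localhost' first, and no 127.0.1.1 line for the DC.
check_hosts() {
    if ! grep -Eq '^127\.0\.0\.1[[:space:]]+localhost([[:space:]]|$)' "$1"; then
        echo "hosts: 127.0.0.1 line should read 'localhost localhost.localdomain'"
    fi
    if grep -Eq '^127\.0\.1\.1[[:space:]]' "$1"; then
        echo "hosts: remove the 127.0.1.1 entry"
    fi
}

# nsswitch.conf: passwd and group go through winbind on an AD DC, never sss.
check_nsswitch() {
    for db in passwd group; do
        line=$(grep -E "^$db:" "$1" | tr '\t' ' ')
        case " $line " in *" sss "*)
            echo "nsswitch.conf: $db uses sss; SSSD is not supported on an AD DC" ;;
        esac
        case " $line " in *" winbind "*) ;; *)
            echo "nsswitch.conf: $db does not list winbind" ;;
        esac
    done
}

# Flatten smb.conf into 'section|key|value' lines (keys lower-cased, comments and
# blank lines dropped) so the checks below can grep it.
smb_normalise() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -Ev '^(#|;|$)' | awk '
        /^\[.*\]$/ { sec = tolower(substr($0, 2, length($0) - 2)); next }
        { i = index($0, "="); if (i == 0) next
          k = tolower(substr($0, 1, i - 1)); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          print sec "|" k "|" v }'
}

check_smbconf() {
    norm=$(smb_normalise "$1")
    realm=$(printf '%s\n' "$norm" | awk -F'|' '$1 == "global" && $2 == "realm" { print $3 }')
    if [ -n "$realm" ] && [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "smb.conf: realm '$realm' must be upper case (it is the Kerberos realm)"
    fi
    if printf '%s\n' "$norm" | grep -q '^global|kdc:'; then
        echo "smb.conf: kdc: ticket lifetimes belong in krb5.conf"
    fi
    if printf '%s\n' "$norm" | grep -Eiq '^global[|]winbind use default domain[|](yes|true)$'; then
        echo "smb.conf: 'winbind use default domain' does not work on an AD DC"
    fi
    if printf '%s\n' "$norm" | grep -Eiq '[|]guest ok[|](yes|true)$'; then
        echo "smb.conf: 'guest ok = yes' on a DC; guest access is off by default"
    fi
    # Same parameter set twice in one section (Louis saw it for
    # 'ldap server require strong auth'): only one of the two values can apply.
    printf '%s\n' "$norm" | cut -d'|' -f1,2 | sort | uniq -d \
        | sed 's/^\(.*\)|\(.*\)$/smb.conf: parameter "\2" is set twice in [\1]/'
}

# Run the three checks; prints each finding, then the number of findings.
report() {
    findings=$( { check_hosts "$1"; check_nsswitch "$2"; check_smbconf "$3"; } )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    printf '%s\n' "$findings" | grep -c . || true
}

SAMPLES=$(mktemp -d "${TMPDIR:-/tmp}/dccheck.XXXXXX")
trap 'rm -rf "$SAMPLES"' EXIT
# Constructed sample files modelled on the faults described in the thread.
cat > "$SAMPLES/bad_hosts" <<'EOF'
127.0.0.1 localhost.localdomain localhost
127.0.1.1 domain-controller
192.168.1.1 dc1.example.internal dc1
EOF
printf 'passwd: compat sss\ngroup:  compat sss\n' > "$SAMPLES/bad_nsswitch.conf"
cat > "$SAMPLES/bad_smb.conf" <<'EOF'
[global]
   realm = example.internal
   kdc:service ticket lifetime = 24
   kdc:renewal lifetime = 168
   winbind use default domain = true
   ldap server require strong auth = no
   ldap server require strong auth = no
[public]
   guest ok = yes
EOF
printf '127.0.0.1 localhost localhost.localdomain\n192.168.1.1 dc1.example.internal dc1\n' > "$SAMPLES/good_hosts"
printf 'passwd: compat winbind\ngroup:  compat winbind\n' > "$SAMPLES/good_nsswitch.conf"
printf '[global]\n   realm = EXAMPLE.INTERNAL\n   ldap server require strong auth = allow_sasl_over_tls\n' > "$SAMPLES/good_smb.conf"

echo "== DC1-style setup =="; report "$SAMPLES/bad_hosts" "$SAMPLES/bad_nsswitch.conf" "$SAMPLES/bad_smb.conf"
echo "== corrected setup =="; report "$SAMPLES/good_hosts" "$SAMPLES/good_nsswitch.conf" "$SAMPLES/good_smb.conf"
```

Point the three check functions at a real DC's /etc/hosts, /etc/nsswitch.conf and /etc/samba/smb.conf to get the same report for that machine.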
On 16/07/2019 13:49, L.P.H. van Belle via samba wrote:

Virtually what I found, an out of date Samba AD DC, that was wrongly set up in the first place.
I would demote DC2 and then fix DC1 before joining a new second DC (with a different name)

Rowland
Hi Rowland,

Yes, agree here, better correct DC1, then join new.

So I'll post this; it's focused on Debian servers, but usable for any other.
I've run the debug on the company AD-DC server here.

A good example for an AD-DC setup with Bind9_DLZ.
And remember, most is on/from wiki.samba.org

I'm running this. (Debian Stretch as AD-DC)

This server started as a wheezy server and is upgraded to stretch, and soon to buster.
The base of the debug script results shown below is this setup.

https://github.com/thctlo/samba4/blob/master/howtos/
If you follow these howtos your setup will be much better.
Use that and the below also to adjust your settings.
P.S. The above is based on jessie and samba 4.5.x; small adjustments might be needed.


Collected config --- 2019-07-16-14:51 -----------

Hostname: dc1
DNS Domain: internal.dnsdomain.tld
FQDN: dc1.internal.dnsdomain.tld
ipaddress: 192.168.1.1

-----------

Samba is running as an AD DC

-----------
Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 9.9 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 82:1c:e1:ab:0e:76 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.249.255 scope global eth0

-----------
Checking file: /etc/hosts

127.0.0.1 localhost localhost.localdomain
192.168.1.1 dc1.internal.dnsdomain.tld dc1

-----------

Checking file: /etc/resolv.conf
# DC 1 is the first resolver for both DC's.
search internal.dnsdomain.tld
nameserver 192.168.1.1
nameserver 192.168.1.2
# Fallback for internet if both (samba-ad-dc) are down.
#nameserver 8.8.8.8

-----------

Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = YOUR.REALM.TLD
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true
    proxiable = true
    ; ticket_lifetime = 24h
    ; ccache_type = 4

    ; for Windows 2003
    ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

    ; for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

Checking file: /etc/samba/smb.conf

[global]

    log level = 0

    workgroup = BAZRTD
    realm = YOUR.REALM.TLD
    netbios name = DC1

    server role = active directory domain controller
    server services = -dns -spoolss

    interfaces = 192.168.1.1 127.0.0.1
    bind interfaces only = yes

    # Dont forget to set the idmap_ldb on ALL DC's if you use it
    idmap_ldb:use rfc2307 = yes

    # expand groups is default set to 0,
    # My setup needs a minimal of 2, preffered 4. But the higher the number, the slower your samba.
    #winbind expand groups = 1

    # Since we cant use : winbind nss info = rfc2307 : on the DC's.
    template shell = /bin/bash
    template homedir = /home/users/%U

    # disable printing completely, when set empty no error log messages.
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # disable usershares creating, when set empty no error in the logs.
    usershare path

    # Add and Update TLS Key
    tls enabled = yes
    tls keyfile = /etc/ssl/local/private/dc1.key.pem
    tls certfile = /etc/ssl/local/certs/dc1.cert.pem
    tls cafile = /etc/ssl/certs/company-ca.pem

    # Select what you need here.
    # ldap server require strong auth = yes
    # ldap server require strong auth = allow_sasl_over_tls
    ldap server require strong auth = no

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
    # acl_xattr:ignore system acls = yes # optional, i have these enabled.

[netlogon]
    path = /home/samba/sysvol/internal.dnsdomain.tld/scripts
    read only = No
    # acl_xattr:ignore system acls = yes # optional, i have these enabled.

# comment on acl_xattr:ignore system acls = yes
# why not use it, you get better ACL's and only windows pc's use these.


-----------

Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

-----------

Checking file: /etc/bind/named.conf.options

// Defined ACL Begin
acl thisserverip {
    192.168.1.1;
};
acl all-networks {
    192.168.1.0/24; 10.1.0.0/16;
};
// Defined ACL End

options {
    directory "/var/cache/bind";
    version "0.0.7";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // XenoSite DNS servers + google DNS
    forwarders { 62.212.131.101; 62.212.128.130; 8.8.8.8; };

    //=======================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //=======================================================================
    dnssec-validation no;
    auth-nxdomain yes;
    listen-on-v6 { "none"; };
    listen-on port 53 { "thisserverip"; 127.0.0.1; };
    notify no;
    empty-zones-enable no;

    // Add any subnets or hosts you want to allow to use this DNS server
    allow-query { "all-networks"; 127.0.0.1/32; };
    // Add any subnets or hosts you want to allow to use recursive queries
    allow-recursion { "all-networks"; 127.0.0.1/32; };

    // https://wiki.samba.org/index.php/Dns-backend_bind
    // DNS dynamic updates via Kerberos (optional, but recommended)
    // Beware, samba 4.8 and lower.
    //tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    // Beware, samba 4.9 and up.
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

};

include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};

-----------

Checking file: /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// adding the dlopen ( Bind DLZ ) module for samba, beware, if you using bind9.9 then you need to change this manualy
include "/var/lib/samba/bind-dns/named.conf";

// handy to have and ready to enable
//include "/etc/bind/named.conf.logging"

-----------

Checking file: /etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

-----------

Samba DNS zone list: 15 zone(s) found

.... i removed some here.

  pszZoneName : internal.dnsdomain.tld
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : DomainDnsZones.internal.dnsdomain.tld

  pszZoneName : 1.168.192
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : DomainDnsZones.internal.dnsdomain.tld

  pszZoneName : _msdcs.internal.dnsdomain.tld
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : ForestDnsZones.internal.dnsdomain.tld

Samba DNS zone list Automated check :
-----------
zone : internal.dnsdomain.tld ok, no Bind flat-files found
-----------
zone : 1.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : _msdcs.internal.dnsdomain.tld ok, no Bind flat-files found
-----------

Installed packages:
ii acl 2.2.52-3+b1 amd64 Access control list utilities
ii attr 1:2.4.47-2+b2 amd64 Utilities for manipulating filesystem extended attributes
ii bind9 1:9.10.3.dfsg.P4-12.3+deb9u5 amd64 Internet Domain Name Server
ii bind9-host 1:9.10.3.dfsg.P4-12.3+deb9u5 amd64 Version of 'host' bundled with BIND 9.X
ii bind9utils 1:9.10.3.dfsg.P4-12.3+deb9u5 amd64 Utilities for BIND
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos
ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library
ii libacl1-dev 2.2.52-3+b1 amd64 Access control list static libraries and headers
ii libattr1:amd64 1:2.4.47-2+b2 amd64 Extended attribute shared library
ii libattr1-dev:amd64 1:2.4.47-2+b2 amd64 Extended attribute static libraries and headers
ii libbind9-140:amd64 1:9.10.3.dfsg.P4-12.3+deb9u5 amd64 BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.7-4 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba winbind client library
ii python-samba 2:4.10.6+nmu-1.1deb9~1 amd64 Python bindings for Samba
ii python3-xattr 0.9.1-1 amd64 module for manipulating filesystem extended attributes - Python 3
ii samba 2:4.10.6+nmu-1.1deb9~1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.10.6+nmu-1.1deb9~1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.10.6+nmu-1.1deb9~1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.10.6+nmu-1.1deb9~1 amd64 command-line SMB/CIFS clients for Unix
ii ssh-krb5 1:7.4p1-10+deb9u6 all secure shell client and server (transitional package)
ii winbind 2:4.10.6+nmu-1.1deb9~1 amd64 service to resolve user and group information from Windows NT servers
ii xattr 0.9.1-1 amd64 tool for manipulating filesystem extended attributes

-----------
Hi all,

I'm simply overwhelmed with both the speed and quality of responses.
I wish all mailing lists and forums were like this!

I'm going to follow your suggestions and try to follow the template below.
My choice of new DC will probably be 4.9.5 on buster.

What steps would you recommend to unlink my broken 4.0.9 -> 4.5.16 replication before shutting down 4.5.16?

Is it sufficient to follow this: https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC ?

I'm just being extra cautious and double checking.

Thanks,
Adam

On 16/07/19 14:11, L.P.H. van Belle via samba wrote: