Hi all,

I'm simply overwhelmed with both the speed and quality of responses.

I wish all mailing lists and forums were like this!

I'm going to follow your suggestions and try to follow the template below.

My choice of new DC will probably be 4.9.5 on buster.

What steps would you recommend to unlink my broken 4.0.9 -> 4.5.16 replication before shutting down 4.5.16?

Is it sufficient to follow this: https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC ?

I'm just being extra cautious and double checking.

Thanks,
Adam

On 16/07/19 14:11, L.P.H. van Belle via samba wrote:
> Hai Rowland,
>
> Yes, agree here, better correct DC1, then join new.
>
> So I'll post this, it's focused on Debian servers, but usable for any other.
> I've run the debug on the company AD-DC server here.
>
> A good example for an AD-DC setup with Bind9_DLZ.
> And remember, most is on/from wiki.samba.org
>
> I'm running this. ( Debian Stretch as AD-DC )
>
> This server started as a wheezy server and is upgraded to stretch, and soon to buster.
> The base of the debug script results shown below is this setup.
>
> https://github.com/thctlo/samba4/blob/master/howtos/
> If you follow these howtos your setup will be much better.
> Use that and below also to adjust your settings.
> P.s. above is based on jessie and samba 4.5.x, small adjustments might be needed.
>
>
> Collected config --- 2019-07-16-14:51 -----------
>
> Hostname: dc1
> DNS Domain: internal.dnsdomain.tld
> FQDN: dc1.internal.dnsdomain.tld
> ipaddress: 192.168.1.1
>
> -----------
>
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
> NAME="Debian GNU/Linux"
> VERSION_ID="9"
> VERSION="9 (stretch)"
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 9.9 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
>     link/ether 82:1c:e1:ab:0e:76 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.1/24 brd 192.168.249.255 scope global eth0
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost localhost.localdomain
> 192.168.1.1 dc1.internal.dnsdomain.tld dc1
>
> -----------
>
> Checking file: /etc/resolv.conf
> # DC 1 is the first resolver for both DC's.
> search internal.dnsdomain.tld
> nameserver 192.168.1.1
> nameserver 192.168.1.2
> # Fallback for internet if both (samba-ad-dc) are down.
> #nameserver 8.8.8.8
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = YOUR.REALM.TLD
> dns_lookup_kdc = true
> dns_lookup_realm = false
> forwardable = true
> proxiable = true
> ; ticket_lifetime = 24h
> ; ccache_type = 4
>
> ; for Windows 2003
> ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> ; for Windows 2008 with AES
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> [global]
>
> log level = 0
>
> workgroup = BAZRTD
> realm = YOUR.REALM.TLD
> netbios name = DC1
>
> server role = active directory domain controller
> server services = -dns -spoolss
>
> interfaces = 192.168.1.1 127.0.0.1
> bind interfaces only = yes
>
> # Don't forget to set the idmap_ldb on ALL DC's if you use it
> idmap_ldb:use rfc2307 = yes
>
> # expand groups is default set to 0,
> # My setup needs a minimum of 2, preferred 4. But the higher the number, the slower your samba.
> #winbind expand groups = 1
>
> # Since we can't use : winbind nss info = rfc2307 : on the DC's.
> template shell = /bin/bash
> template homedir = /home/users/%U
>
> # disable printing completely, when set empty no error log messages.
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # disable usershares creating, when set empty no error in the logs.
> usershare path =
>
> # Add and Update TLS Key
> tls enabled = yes
> tls keyfile = /etc/ssl/local/private/dc1.key.pem
> tls certfile = /etc/ssl/local/certs/dc1.cert.pem
> tls cafile = /etc/ssl/certs/company-ca.pem
>
> # Select what you need here.
> # ldap server require strong auth = yes
> # ldap server require strong auth = allow_sasl_over_tls
> ldap server require strong auth = no
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> # acl_xattr:ignore system acls = yes   # optional, i have these enabled.
>
> [netlogon]
> path = /home/samba/sysvol/internal.dnsdomain.tld/scripts
> read only = No
> # acl_xattr:ignore system acls = yes   # optional, i have these enabled.
>
> # comment on acl_xattr:ignore system acls = yes
> # why not use it, you get better ACL's and only windows pc's use these.
>
>
> -----------
>
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> -----------
>
> Checking file: /etc/bind/named.conf.options
>
> // Defined ACL Begin
> acl thisserverip {
>     192.168.1.1;
> };
> acl all-networks {
>     192.168.1.0/24; 10.1.0.0/16;
> };
> // Defined ACL End
>
> options {
>     directory "/var/cache/bind";
>     version "0.0.7";
>
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you may need to fix the firewall to allow multiple
>     // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
>     // If your ISP provided one or more IP addresses for stable
>     // nameservers, you probably want to use them as forwarders.
>     // Uncomment the following block, and insert the addresses replacing
>     // the all-0's placeholder.
>
>     // XenoSite DNS servers + google DNS
>     forwarders { 62.212.131.101; 62.212.128.130; 8.8.8.8; };
>
>     //========================================================================
>     // If BIND logs error messages about the root key being expired,
>     // you will need to update your keys. See https://www.isc.org/bind-keys
>     //========================================================================
>     dnssec-validation no;
>     auth-nxdomain yes;
>     listen-on-v6 { "none"; };
>     listen-on port 53 { "thisserverip"; 127.0.0.1; };
>     notify no;
>     empty-zones-enable no;
>
>     // Add any subnets or hosts you want to allow to use this DNS server
>     allow-query { "all-networks"; 127.0.0.1/32; };
>     // Add any subnets or hosts you want to allow to use recursive queries
>     allow-recursion { "all-networks"; 127.0.0.1/32; };
>
>     // https://wiki.samba.org/index.php/Dns-backend_bind
>     // DNS dynamic updates via Kerberos (optional, but recommended)
>     // Beware, samba 4.8 and lower.
>     //tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>     // Beware, samba 4.9 and up.
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>
> };
>
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> };
>
> -----------
>
> Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> // adding the dlopen ( Bind DLZ ) module for samba, beware, if you are using bind9.9 then you need to change this manually
> include "/var/lib/samba/bind-dns/named.conf";
>
> // handy to have and ready to enable
> //include "/etc/bind/named.conf.logging"
>
> -----------
>
> Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers
> zone "." {
>     type hint;
>     file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };
>
> -----------
>
> Samba DNS zone list: 15 zone(s) found
>
> .... I removed some here.
>
>   pszZoneName : internal.dnsdomain.tld
>   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType    : DNS_ZONE_TYPE_PRIMARY
>   Version     : 50
>   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn   : DomainDnsZones.internal.dnsdomain.tld
>
>   pszZoneName : 1.168.192
>   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn   : DomainDnsZones.internal.dnsdomain.tld
>
>   pszZoneName : _msdcs.internal.dnsdomain.tld
>   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType    : DNS_ZONE_TYPE_PRIMARY
>   Version     : 50
>   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn   : ForestDnsZones.internal.dnsdomain.tld
>
> Samba DNS zone list Automated check :
> -----------
> zone : internal.dnsdomain.tld ok, no Bind flat-files found
> -----------
> zone : 1.168.192.in-addr.arpa ok, no Bind flat-files found
> -----------
> zone : _msdcs.internal.dnsdomain.tld ok, no Bind flat-files found
> -----------
>
> Installed packages:
> ii  acl                      2.2.52-3+b1                    amd64  Access control list utilities
> ii  attr                     1:2.4.47-2+b2                  amd64  Utilities for manipulating filesystem extended attributes
> ii  bind9                    1:9.10.3.dfsg.P4-12.3+deb9u5   amd64  Internet Domain Name Server
> ii  bind9-host               1:9.10.3.dfsg.P4-12.3+deb9u5   amd64  Version of 'host' bundled with BIND 9.X
> ii  bind9utils               1:9.10.3.dfsg.P4-12.3+deb9u5   amd64  Utilities for BIND
> ii  krb5-config              2.6                            all    Configuration files for Kerberos Version 5
> ii  krb5-locales             1.15-1+deb9u1                  all    internationalization support for MIT Kerberos
> ii  krb5-user                1.15-1+deb9u1                  amd64  basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64            2.2.52-3+b1                    amd64  Access control list shared library
> ii  libacl1-dev              2.2.52-3+b1                    amd64  Access control list static libraries and headers
> ii  libattr1:amd64           1:2.4.47-2+b2                  amd64  Extended attribute shared library
> ii  libattr1-dev:amd64       1:2.4.47-2+b2                  amd64  Extended attribute static libraries and headers
> ii  libbind9-140:amd64       1:9.10.3.dfsg.P4-12.3+deb9u5   amd64  BIND9 Shared Library used by BIND
> ii  libgssapi-krb5-2:amd64   1.15-1+deb9u1                  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64          1.15-1+deb9u1                  amd64  MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64    1.15-1+deb9u1                  amd64  MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64     2:4.10.6+nmu-1.1deb9~1         amd64  Samba nameservice integration plugins
> ii  libpam-krb5:amd64        4.7-4                          amd64  PAM module for MIT Kerberos
> ii  libpam-winbind:amd64     2:4.10.6+nmu-1.1deb9~1         amd64  Windows domain authentication integration plugin
> ii  libsmbclient:amd64       2:4.10.6+nmu-1.1deb9~1         amd64  shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64       2:4.10.6+nmu-1.1deb9~1         amd64  Samba winbind client library
> ii  python-samba             2:4.10.6+nmu-1.1deb9~1         amd64  Python bindings for Samba
> ii  python3-xattr            0.9.1-1                        amd64  module for manipulating filesystem extended attributes - Python 3
> ii  samba                    2:4.10.6+nmu-1.1deb9~1         amd64  SMB/CIFS file, print, and login server for Unix
> ii  samba-common             2:4.10.6+nmu-1.1deb9~1         all    common files used by both the Samba server and client
> ii  samba-common-bin         2:4.10.6+nmu-1.1deb9~1         amd64  Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64 2:4.10.6+nmu-1.1deb9~1         amd64  Samba Directory Services Database
> ii  samba-libs:amd64         2:4.10.6+nmu-1.1deb9~1         amd64  Samba core libraries
> ii  samba-vfs-modules:amd64  2:4.10.6+nmu-1.1deb9~1         amd64  Samba Virtual FileSystem plugins
> ii  smbclient                2:4.10.6+nmu-1.1deb9~1         amd64  command-line SMB/CIFS clients for Unix
> ii  ssh-krb5                 1:7.4p1-10+deb9u6              all    secure shell client and server (transitional package)
> ii  winbind                  2:4.10.6+nmu-1.1deb9~1         amd64  service to resolve user and group information from Windows NT servers
> ii  xattr                    0.9.1-1                        amd64  tool for manipulating filesystem extended attributes
>
> -----------
>
>
>
>> Virtually what I found, an out of date Samba AD DC, that was wrongly set
>> up in the first place. I would demote DC2 and then fix DC1 before
>> joining a new second DC (with a different name)
>>
>> Rowland
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>
>
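Added example (mine, not Louis's debug script and not from his howtos): a small Python lint that re-reads the three security-relevant fragments from the dump above and flags what a reviewer would question. In smb.conf it is `ldap server require strong auth = no` (Samba's default is `yes`; `no` lets clients do simple binds over unencrypted LDAP, and the two stronger settings are already there commented out). In krb5.conf it is the single-DES and RC4 enctypes still offered next to AES. In named.conf.options it is whether the active `tkey-gssapi-keytab` path matches the Samba version, since the file's own comments say the keytab moved from private/ to bind-dns/ at 4.9, and whether `dnssec-validation` is off. The three inputs are constructed copies of the posted configs; the version threshold, the WEAK_ENCTYPES set and the wording of the findings are my choices.

```python
import re

# Constructed sample inputs, copied from the config fragments shown in the thread above.
SMB_CONF = """\
[global]
  server role = active directory domain controller
  server services = -dns -spoolss
  tls enabled = yes
  # Select what you need here.
  # ldap server require strong auth = yes
  # ldap server require strong auth = allow_sasl_over_tls
  ldap server require strong auth = no
"""

KRB5_CONF = """\
[libdefaults]
  default_realm = YOUR.REALM.TLD
  dns_lookup_kdc = true
  ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

NAMED_OPTIONS = """\
options {
  dnssec-validation no;
  allow-recursion { "all-networks"; 127.0.0.1/32; };
  // Beware, samba 4.8 and lower.
  //tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
  // Beware, samba 4.9 and up.
  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
"""

# Single-DES, 3DES and RC4 Kerberos enctypes; my list, AES is all a DC should still need.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}


def parse_ini_section(text, section):
    """Return {key: value} for one INI-style section; lines starting with '#' or ';' are comments."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def check_krb5(text):
    """Flag the three [libdefaults] enctype lists if they still offer DES or RC4."""
    findings = []
    libdefaults = parse_ini_section(text, "libdefaults")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = [e for e in libdefaults.get(key, "").split() if e in WEAK_ENCTYPES]
        if weak:
            findings.append(f"krb5.conf: {key} still offers {' '.join(weak)}")
    return findings


def check_smb(text):
    """Flag 'ldap server require strong auth = no'; Samba's default is yes."""
    findings = []
    glob = parse_ini_section(text, "global")
    if glob.get("ldap server require strong auth", "yes").lower() == "no":
        findings.append("smb.conf: ldap server require strong auth = no allows clear-text simple binds")
    return findings


def expected_dns_keytab(samba_version):
    """Keytab path BIND must use: moved from private/ to bind-dns/ in Samba 4.9."""
    major, minor = (int(p) for p in samba_version.split(".")[:2])
    if (major, minor) >= (4, 9):
        return "/var/lib/samba/bind-dns/dns.keytab"
    return "/var/lib/samba/private/dns.keytab"


def check_named(text, samba_version):
    """Compare the active (uncommented) tkey-gssapi-keytab with the version, and flag DNSSEC off."""
    findings = []
    active = [l.strip() for l in text.splitlines() if not l.strip().startswith("//")]
    keytabs = []
    for line in active:
        m = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"', line)
        if m:
            keytabs.append(m.group(1))
    want = expected_dns_keytab(samba_version)
    if keytabs != [want]:
        findings.append(f"named.conf.options: tkey-gssapi-keytab {keytabs or 'missing'} but Samba {samba_version} uses {want}")
    if any(re.match(r"dnssec-validation\s+no\s*;", l) for l in active):
        findings.append("named.conf.options: dnssec-validation no disables validation of forwarded answers")
    return findings


def lint_all(samba_version="4.10.6"):
    """Run all three checks against the constructed samples; 4.10.6 is the samba package in the dump."""
    return check_smb(SMB_CONF) + check_krb5(KRB5_CONF) + check_named(NAMED_OPTIONS, samba_version)


if __name__ == "__main__":
    for finding in lint_all():
        print(finding)
```

To run it against a real DC, replace the three constants with the file contents and pass `samba -V` to `check_named`; on a 4.5.x DC the keytab check flips to the private/ path, which is why the version is a parameter rather than hard-coded.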
On 16/07/2019 15:19, Adam Weremczuk via samba wrote:
> Hi all,
>
> I'm simply overwhelmed with both the speed and quality of responses.
>
> I wish all mailing lists and forums were like this!
>
> I'm going to follow your suggestions and try to follow the template
> below.
>
> My choice of new DC will probably be 4.9.5 on buster.
>
> What steps would you recommend to unlink my broken 4.0.9 -> 4.5.16
> replication before shutting down 4.5.16?
>
> Is it sufficient to follow this:
> https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC ?
>
> I'm just being extra cautious and double checking.

You (because of your Samba version) can only demote the DC on the DC itself, so just follow the info at the top of the page.

Can I also introduce you to a repo that will ultimately give you the latest version of Samba: http://apt.van-belle.nl/

I would fix DC1, then create a new DC running Debian stretch (this will give you Samba 4.5.16), join this to your old DC and once it is working correctly, transfer the FSMO roles to it and demote DC1. Upgrade stretch to buster (make sure to back everything up) then start to use Louis's repo.

Rowland
On 16/07/19 15:38, Rowland penny via samba wrote:
> I would fix DC1, then create a new DC running Debian stretch (this
> will give you Samba 4.5.16), join this to your old DC and once it is
> working correctly, transfer the FSMO roles to it and demote DC1.
> Upgrade stretch to buster (make sure to back everything up) then start
> to use Louis's repo.

Anything wrong with starting with 4.9.5 on buster followed by a (potential) further upgrade to the absolute latest Samba?
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Adam
> Weremczuk via samba
> Sent: Tuesday 16 July 2019 16:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] messy replication
>
> On 16/07/19 15:38, Rowland penny via samba wrote:
> > I would fix DC1, then create a new DC running Debian stretch (this
> > will give you Samba 4.5.16), join this to your old DC and
> > once it is
> > working correctly, transfer the FSMO roles to it and demote DC1.
> > Upgrade stretch to buster (make sure to back everything up)
> > then start
> > to use Louis's repo.
>
> Anything wrong with starting with 4.9.5 on buster followed by a
> (potential) further upgrade to the absolute latest Samba?

There is nothing wrong with the official Debian package, except you will miss important bugfixes, and these are included in the latest builds on my repo.

What you can do.

1) Search for the latest wheezy packages of samba. The wheezy old-old-older backport had 4.1.x.
2) Build yourself. Needed: https://github.com/thctlo/samba-wheezy
   This shows all the packages you need, from a fellow list user Achim.

That brings you to 4.6.7; correct all needed smb.conf settings, and less is better..
Then set up the upgrade to jessie, now you can upgrade to 4.7 through my repo.
Then upgrade to stretch, you upgrade to 4.8.x through my repo.
Now upgrade to buster and upgrade to 4.9.5.

In my opinion the safest upgrade path.
I don't recommend upgrading from wheezy to buster, use the steps in between.

In your case, I would fix DC1 so it runs perfectly, then add a new version and move fsmo roles.

So far,

Greetz,

Louis
On 16/07/19 15:38, Rowland penny via samba wrote:
>
> You (because of your Samba version) can only demote the DC on the DC
> itself, so just follow the info at the top of the page.

Hello again,

I'm trying to follow instructions for demoting:
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC

I don't think I need to transfer FSMO roles since both controllers own them:

dc1:/# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
RidAllocationMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
DomainNamingMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
SchemaMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk

dc2:/# samba-tool fsmo show
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
SchemaMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
InfrastructureMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
RidAllocationMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
DomainNamingMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk

Demoting attempt fails as below:

root at dc2 /# samba-tool domain demote -UAdministrator
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 netmask=255.255.252.0
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 netmask=255.255.252.0
Using dc1.example.co.uk as partner server for the demotion
Using binding ncacn_ip_tcp:dc1.example.co.uk[,seal]
Mapped to DCERPC endpoint 135
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 netmask=255.255.252.0
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 netmask=255.255.252.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.example.co.uk<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Mapped to DCERPC endpoint 1024
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 netmask=255.255.252.0
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 netmask=255.255.252.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.example.co.uk<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Password for [EXAMPLE\Administrator]:
Received smb_krb5 packet of length 281
Received smb_krb5 packet of length 181
Deactivating inbound replication
Asking partner server dc1.example.co.uk to synchronize from us
Error while replicating out last local changes from 'CN=Schema,CN=Configuration,DC=example,DC=co,DC=uk' for demotion, re-enabling inbound replication
ERROR(<class 'samba.WERRORError'>): Error while sending a DsReplicaSync for partition 'CN=Schema,CN=Configuration,DC=example,DC=co,DC=uk' - (87, 'WERR_INVALID_PARAM')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 787, in run
    drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)

It looks like dc2 fails to sync data to dc1 because replication is broken but I don't care about any data currently on dc2.

I just need to cut the ties safely, i.e. dc1 should remain operational. Make dc1 aware it's now on its own and obliterate dc2.

What's the best way to "force" demotion in this case?

Thanks,
Adam
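Added example (mine, not from Adam's post and not part of samba-tool): a parser for the two `samba-tool fsmo show` outputs above. It skips the debug lines that dc2 prints before the roles, reports which roles a given DC still holds (the wiki's transfer-before-demote step only matters if the DC being demoted holds any), shows where the two DCs' views differ (the 4.5.16 DC lists the DomainDnsZones and ForestDnsZones roles that the 4.0.9 samba-tool does not print, a version difference rather than a conflict here), and emits the `samba-tool fsmo transfer --role=...` commands for each role that would block a demotion. The two inputs are constructed from the outputs in the post; the `--role` tokens are the ones samba-tool fsmo transfer accepts in current releases and are assumed rather than verified against 4.0.9. It says nothing about the DsReplicaSync failure itself.

```python
import re

# Constructed sample output, copied from the two 'samba-tool fsmo show' runs in the post above.
# The dc2 run includes the debug lines that precede the role list when the log level is raised.
BASE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk"
FSMO_DC1 = "\n".join(
    f"{role} owner: CN=NTDS Settings,CN=dc1,{BASE}"
    for role in ("InfrastructureMasterRole", "RidAllocationMasterRole", "PdcEmulationMasterRole",
                 "DomainNamingMasterRole", "SchemaMasterRole"))
FSMO_DC2 = "\n".join(
    ['Processing section "[netlogon]"', 'Processing section "[sysvol]"',
     "pm_process() returned Yes", "ldb_wrap open of secrets.ldb"]
    + [f"{role} owner: CN=NTDS Settings,CN=dc1,{BASE}"
       for role in ("SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
                    "PdcEmulationMasterRole", "DomainNamingMasterRole",
                    "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole")])

# 'samba-tool fsmo transfer --role=...' token for each role name as printed by 'fsmo show'
# (assumed from current samba-tool; older releases may not know domaindns/forestdns).
ROLE_FLAG = {
    "SchemaMasterRole": "schema", "DomainNamingMasterRole": "naming",
    "InfrastructureMasterRole": "infrastructure", "RidAllocationMasterRole": "rid",
    "PdcEmulationMasterRole": "pdc", "DomainDnsZonesMasterRole": "domaindns",
    "ForestDnsZonesMasterRole": "forestdns",
}
# Only lines of this shape are roles; everything else (debug output) is ignored.
ROLE_LINE = re.compile(r"^(\w+MasterRole) owner: (CN=NTDS Settings,CN=([^,]+),.*)$")


def parse_fsmo(text):
    """Map role -> (owning DC short name, owner DN) from 'fsmo show' output."""
    roles = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line.strip())
        if m:
            roles[m.group(1)] = (m.group(3).lower(), m.group(2))
    return roles


def roles_held_by(text, dc):
    """Roles whose owner DN names the given DC (case-insensitive), sorted."""
    return sorted(r for r, (owner, _) in parse_fsmo(text).items() if owner == dc.lower())


def compare_views(text_a, text_b):
    """Where two DCs' outputs differ: roles only one side lists, and owners they disagree on."""
    a, b = parse_fsmo(text_a), parse_fsmo(text_b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "conflicting": sorted(r for r in set(a) & set(b) if a[r][0] != b[r][0]),
    }


def transfer_commands(text, dc_to_demote):
    """Commands to run on the DC that keeps the roles, one per role still held by dc_to_demote."""
    return [f"samba-tool fsmo transfer --role={ROLE_FLAG[r]} -UAdministrator"
            for r in roles_held_by(text, dc_to_demote)]


if __name__ == "__main__":
    print("roles on dc2:", roles_held_by(FSMO_DC2, "dc2"))
    print("views differ:", compare_views(FSMO_DC1, FSMO_DC2))
    print("\n".join(transfer_commands(FSMO_DC2, "dc1")) or "nothing to transfer")
```

For the outputs in the post, `roles_held_by(FSMO_DC2, "dc2")` is empty, so no transfer is needed before demoting dc2; the non-empty `only_in_b` entry is the two DNS application-partition roles that only the newer samba-tool reports.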