On 22.07.19 at 10:39, Stefan G. Weichinger via samba wrote:
> On 20.07.19 at 11:54, Joachim Lindenberg via samba wrote:
>> I figured it out myself. The kerberos configuration on the old dc cobra was bad - no clue why it worked at all until yesterday.
>>
>> After fixing it, testing with kinit, and restarting the dc processes it resumed replication.
>
> pls show how you fixed it
>
> I assume I face something similar

my 2 DCs seem to be out of sync for DNS

I demoted and rejoined, and still see:

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.pilsbacher.at pre01svdeb03.pilsbacher.at 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.pilsbacher.at pre01svdeb03.pilsbacher.at 389 (add)
Successfully obtained Kerberos ticket to DNS/pre01svdeb03.pilsbacher.at as PRE01SVDEB03$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.pilsbacher.at. 900 IN SRV 0 100 389 pre01svdeb03.pilsbacher.at.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 28 entries

-

how can I fix that?

I think this leads to my issues with pulling GPOs etc

Hi Stefan,

> pls show how you fixed it

See https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Kerberos for the test. My fix was to take the one generated on the newer DC also to the older one.

Joachim

On 22.07.19 at 11:15, Stefan G. Weichinger via samba wrote:
> ; TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> Failed update of 28 entries
>
> -
>
> how can I fix that?
>
> I think this leads to my issues with pulling GPOs etc

various issues, long day ...

the DC2 also lists stuff like:

Jul 22 17:48:00 pre01svdeb03 samba[7666]: task[dcesrv][7666]: [2019/07/22 17:48:00.491913, 0] ../source4/rpc_server/drsuapi/writespn.c:238(dcesrv_drsuapi_DsWriteAccountSpn)
Jul 22 17:48:00 pre01svdeb03 samba[7666]: task[dcesrv][7666]: Failed to modify SPNs on CN=SCHNABEL-PC,OU=mydomain-Computer,DC=mydomain,DC=at: acl: spn validation failed for spn[TERMSRV/SCHNABEL-PC.mydomain.at] uac[0x1000] account[SCHNABEL-PC$] hostname[SCHNABEL-PC.BUERO] nbname[BUERO] ntds[(null)] forest[mydomain.at] domain[mydomain.at]
Jul 22 17:48:00 pre01svdeb03 samba[7666]: task[dcesrv][7666]:
Jul 22 19:15:30 pre01svdeb03 samba[7666]: task[dcesrv][7666]: [2019/07/22 19:15:30.321809, 0] ../source4/rpc_server/drsuapi/writespn.c:238(dcesrv_drsuapi_DsWriteAccountSpn)
Jul 22 19:15:30 pre01svdeb03 samba[7666]: task[dcesrv][7666]: Failed to modify SPNs on CN=PC-2016-03,OU=mydomain-Computer,DC=mydomain,DC=at: acl: spn validation failed for spn[TERMSRV/PC-2016-03.mydomain.at] uac[0x1000] account[PC-2016-03$] hostname[PC-2016-03.BUERO] nbname[BUERO] ntds[(null)] forest[mydomain.at] domain[mydomain.at]
Jul 22 19:15:30 pre01svdeb03 samba[7666]: task[dcesrv][7666]:

Could someone point me to some helpful info here?

It's 2 DCs with samba-4.9.11, Debian 9.9

You copied the certificate file??

On 22 July 2019 12:46:34 CEST, Joachim Lindenberg <samba at lindenberg.one> wrote:
>Hi Stefan,
>> pls show how you fixed it
>See
>https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Kerberos
>for the test. My fix was to take the one generated on the newer DC also
>to the older one.
>Joachim

--
This message was sent from my Android mobile phone with K-9 Mail.

On 22/07/2019 22:18, Stefan G. Weichinger via samba wrote:
>
> various issues, long day ...
>
> the DC2 also lists stuff like:
>
> Failed to modify SPNs on CN=PC-2016-03,OU=mydomain-Computer,DC=mydomain,DC=at:
> acl: spn validation failed for spn[TERMSRV/PC-2016-03.mydomain.at]
> account[PC-2016-03$] hostname[PC-2016-03.BUERO]

Why is your account name (sAMAccountName) different from the hostname?

>
> Could someone point me to some helpful info here?
>
> It's 2 DCs with samba-4.9.11, Debian 9.9

Why are you using a version that hasn't been released yet in production?

Rowland

On 23/07/2019 09:00, L.P.H. van Belle wrote:
> Good morning Rowland.
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Rowland penny via samba
>> Sent: Tuesday 23 July 2019 9:15
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] replication stuck?
>>
>> On 22/07/2019 22:18, Stefan G. Weichinger via samba wrote:
>>> various issues, long day ...
>>>
>>> the DC2 also lists stuff like:
>>>
>>> Failed to modify SPNs on
>> CN=PC-2016-03,OU=mydomain-Computer,DC=mydomain,DC=at:
>>> acl: spn validation failed for spn[TERMSRV/PC-2016-03.mydomain.at]
>>> account[PC-2016-03$] hostname[PC-2016-03.BUERO]
>> Why is your account name (sAMAccountName) different from the hostname?
> He is hitting the "renamed" pc bug.
> I mailed it privately to test the check4named.sh script.

I gave up on that script, there is absolutely no way to tell where the rename was done.

>
>>> Could someone point me to some helpful info here?
>>>
>>> It's 2 DCs with samba-4.9.11, Debian 9.9
>> Why are you using a version that hasn't been released yet in production?
> What do you mean with this?
> There is nothing wrong as far as I know with 4.9.11 on Debian 9(.9)
> Or am I missing things here.

No, I had a senior moment, I read it as 4.11.0, must get some new glasses LOL

Rowland

>
> Sorry I'm so much off list currently, I'm very busy with new servers.
> I must finish these before my new voip system arrives..
> But soon I'm more on the list again.
>
> Greetz,
>
> Louis
>

On 23.07.19 at 10:08, Rowland penny via samba wrote:
>>> Why is your account name (sAMAccountName) different from the hostname?
>> He is hitting the "renamed" pc bug.

see!? ;-)

>> I mailed it privately to test the check4named.sh script.
> I gave up on that script, there is absolutely no way to tell where the
> rename was done.

ah, ok ...

>>>> It's 2 DCs with samba-4.9.11, Debian 9.9
>>> Why are you using a version that hasn't been released yet in
>>> production?
>> What do you mean with this?
>> There is nothing wrong as far as I know with 4.9.11 on Debian 9(.9)
>> Or am I missing things here.
>
> No, I had a senior moment, I read it as 4.11.0, must get some new
> glasses LOL

;-)