On 10/10/19 at 21:07, Rowland penny via samba wrote:
>
> It works in a similar way to how I update dns records and I have similar
> records in AD and they replicate.

Oh, but they do. Until the replication chokes on those deleted records.
Never happened until September 25 (though I realized only today when a
manually added host resolved erratically).

>
> Can you post your dhcpd.conf and smb.conf

Sure

========== dhcpd.conf

ddns-update-style none;
option domain-name "samba.wetron.es";
option domain-name-servers 192.168.90.2, 192.168.90.5;
option netbios-name-servers 192.168.90.2, 192.168.90.5;
option netbios-dd-server 192.168.90.2, 192.168.90.5;
option time-servers 192.168.90.2, 192.168.90.5;
option routers 192.168.1.1;
option wpad code 252 = text;
option wpad "http://wpad/proxy.pac\n";
option subnet-mask 255.255.255.0;

default-lease-time 86400; # one day
max-lease-time 86400; # one day

authoritative;

log-facility local7;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.101 192.168.1.250;
  on commit {
    set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientName = pick-first-value(option host-name, host-decl-name, config-option host-name, noname);
    execute("/etc/dhcp/update.sh", "add", ClientIP, ClientName);
  }

  on release {
    # ClientIP and ClientName are associated with the lease
    execute("/etc/dhcp/update.sh", "delete", ClientIP, ClientName);
  }

  on expiry {
    # ClientIP and ClientName are associated with the lease
    execute("/etc/dhcp/update.sh", "delete", ClientIP, ClientName);
  }
}

===== smb.conf (the other dc is the same, apart from the name)

# Global parameters
[global]
        workgroup = WETRON
        realm = SAMBA.WETRON.ES
        netbios name = DC1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

        tls enabled = yes
        tls keyfile = /var/lib/samba/private/tls/dc1.samba.wetron.es.key
        tls certfile = /var/lib/samba/private/tls/dc1.samba.wetron.es.crt
        tls cafile = /var/lib/samba/private/tls/wetron.crt

        dns forwarder = 192.168.90.29
        # none of these parameters are used on the DC, which only looks at
        # idmap_ldb:use rfc2307
        #dedicated keytab file = /etc/krb5.keytab
        #kerberos method = secrets and keytab
        #idmap config *:backend = tdb
        #idmap config *:range = 60001-69999
        #idmap config WETRON:backend = ad
        #idmap config WETRON:schema_mode = rfc2307
        #idmap config WETRON:range = 490-60000
        #idmap config WETRON:default = yes

        #winbind nss info = rfc2307
        #winbind trusted domains only = no
        #winbind use default domain = yes

        # enum users/group seems to work

        winbind enum users = yes
        winbind enum groups = yes

        template homedir = /net/storage01/mnt/pool1/usuarios/%U
        template shell = /bin/false

        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        ldap server require strong auth = allow_sasl_over_tls

        allow insecure wide links = yes

        # for radius - from 4.7 on, the yes can be changed to
        # mschapv2-and-ntlmv2-only

        ntlm auth = yes

[netlogon]
        path = /var/lib/samba/sysvol/samba.wetron.es/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        wide links = Yes

-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010)
Fax +34 93 5883007
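An added example, not the poster's script (the thread never shows /etc/dhcp/update.sh): one way to write the script that the on commit / on release / on expiry hooks above call with "add"/"delete", ClientIP and ClientName. ClientName is taken from the client's own host-name option, so the script validates both values before building the samba-tool dns command; the DC name dc1.samba.wetron.es as the update target and the omission of credentials are assumptions.

```shell
#!/bin/sh
# Assumed example of /etc/dhcp/update.sh (not the poster's script): dhcpd's
# on commit / on release / on expiry hooks call it as
#   update.sh add|delete <ClientIP> <ClientName>
# ClientName comes from the client's own host-name option, so it is
# untrusted input and is validated before it reaches samba-tool.
set -f                            # no pathname expansion while splitting input
ZONE="samba.wetron.es"            # zone from the posted dhcpd.conf
DNS_SERVER="dc1.samba.wetron.es"  # assumed: the DC that receives the updates

# Accept a single DNS label: 1-63 chars of [A-Za-z0-9-], no leading/trailing '-'.
valid_name() {
    [ -n "$1" ] && [ "${#1}" -le 63 ] || return 1
    case "$1" in
        *[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    return 0
}

# Accept a dotted-quad IPv4 address with each octet in 0-255.
valid_ip() {
    ip=$1
    case "$ip" in ''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the samba-tool command for one update, or fail on bad input.
# Credentials (keytab / -U) are left out; supply them as your site requires.
dns_record_cmd() {
    action=$1 ip=$2 name=$3
    case "$action" in add|delete) ;; *) return 1 ;; esac
    valid_ip "$ip" && valid_name "$name" || return 1
    printf '%s\n' "samba-tool dns $action $DNS_SERVER $ZONE $name A $ip"
}

# Only act when dhcpd invokes the script with its three arguments.
if [ $# -eq 3 ]; then
    cmd=$(dns_record_cmd "$@") || { logger -t dhcp-dns "rejected input: $*"; exit 1; }
    $cmd
fi
```

A rejected value is logged rather than silently dropped, so a client sending an odd host-name shows up in syslog instead of as a missing or malformed AD DNS record.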
On 10/10/2019 20:35, Luca Olivetti via samba wrote:
> On 10/10/19 at 21:07, Rowland penny via samba wrote:
>
>>>
>> It works in a similar way to how I update dns records and I have
>> similar records in AD and they replicate.
>
> Oh, but they do. Until the replication chokes on those deleted records.

I think you misunderstood what I tried to say, I have the deleted records
in AD and they replicate without problem.

> Never happened until September 25 (though I realized only today when a
> manually added host resolved erratically).
>
>>
>> Can you post your dhcpd.conf and smb.conf
>
> Sure
>
> ========== dhcpd.conf
> ddns-update-style none;
> option domain-name "samba.wetron.es";
> option domain-name-servers 192.168.90.2, 192.168.90.5;
> option netbios-name-servers 192.168.90.2, 192.168.90.5;
> option netbios-dd-server 192.168.90.2, 192.168.90.5;
> option time-servers 192.168.90.2, 192.168.90.5;
> option routers 192.168.1.1;
> option wpad code 252 = text;
> option wpad "http://wpad/proxy.pac\n";
> option subnet-mask 255.255.255.0;
>
> default-lease-time 86400; # one day
> max-lease-time 86400; # one day
>
> authoritative;
>
> log-facility local7;
>
> subnet 192.168.1.0 netmask 255.255.255.0 {

Hmm, I take it that 192.168.90.2 and 192.168.90.5 are your DCs, so why
are your clients in the '192.168.1.0/24' subnet ?

>
>   range 192.168.1.101 192.168.1.250;
>   on commit {
>     set noname = concat("dhcp-", binary-to-ascii(10, 8, "-",
> leased-address));
>     set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>     set ClientName = pick-first-value(option host-name,
> host-decl-name, config-option host-name, noname);
>     execute("/etc/dhcp/update.sh", "add", ClientIP, ClientName);
>   }
>
>   on release {
>     # ClientIP and ClientName are associated with the lease
>     execute("/etc/dhcp/update.sh", "delete", ClientIP, ClientName);
>   }
>
>   on expiry {
>     # ClientIP and ClientName are associated with the lease
>     execute("/etc/dhcp/update.sh", "delete", ClientIP, ClientName);
>   }

How does it know which IP & Name to delete ?

>
> }
>
> ===== smb.conf (the other dc is the same, apart from the name)
>
> # Global parameters
> [global]
>         workgroup = WETRON
>         realm = SAMBA.WETRON.ES
>         netbios name = DC1
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>
>         tls enabled = yes
>         tls keyfile = /var/lib/samba/private/tls/dc1.samba.wetron.es.key
>         tls certfile = /var/lib/samba/private/tls/dc1.samba.wetron.es.crt
>         tls cafile = /var/lib/samba/private/tls/wetron.crt
>
>         dns forwarder = 192.168.90.29
>         # none of these parameters are used on the DC, which only looks at
>         # idmap_ldb:use rfc2307
>         #dedicated keytab file = /etc/krb5.keytab
>         #kerberos method = secrets and keytab
>         #idmap config *:backend = tdb
>         #idmap config *:range = 60001-69999
>         #idmap config WETRON:backend = ad
>         #idmap config WETRON:schema_mode = rfc2307
>         #idmap config WETRON:range = 490-60000
>         #idmap config WETRON:default = yes
>
>         #winbind nss info = rfc2307
>         #winbind trusted domains only = no
>         #winbind use default domain = yes
>
>         # enum users/group seems to work
>
>         winbind enum users = yes
>         winbind enum groups = yes
>
>         template homedir = /net/storage01/mnt/pool1/usuarios/%U
>         template shell = /bin/false
>
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>
>         ldap server require strong auth = allow_sasl_over_tls
>
>         allow insecure wide links = yes
>
>         # for radius - from 4.7 on, the yes can be changed to
>         # mschapv2-and-ntlmv2-only
>
>         ntlm auth = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/samba.wetron.es/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>         wide links = Yes

Why do you need 'wide links' in sysvol ?

Rowland
On 10/10/19 at 22:05, Rowland penny via samba wrote:
>>
>> subnet 192.168.1.0 netmask 255.255.255.0 {
> Hmm, I take it that 192.168.90.2 and 192.168.90.5 are your DCs, so why
> are your clients in the '192.168.1.0/24' subnet ?

Because I keep the servers in a different subnet/vlan than the clients.

>>   range 192.168.1.101 192.168.1.250;
>>   on commit {
>>     set noname = concat("dhcp-", binary-to-ascii(10, 8, "-",
>> leased-address));
>>     set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>>     set ClientName = pick-first-value(option host-name,
>> host-decl-name, config-option host-name, noname);
>>     execute("/etc/dhcp/update.sh", "add", ClientIP, ClientName);
>>   }
>>
>>   on release {
>>     # ClientIP and ClientName are associated with the lease
>>     execute("/etc/dhcp/update.sh", "delete", ClientIP, ClientName);
>>   }
>>
>>   on expiry {
>>     # ClientIP and ClientName are associated with the lease
>>     execute("/etc/dhcp/update.sh", "delete", ClientIP, ClientName);
>>   }
> How does it know which IP & Name to delete ?

It's registered in the lease with the "set ClientIP" and "set ClientName"
in the "on commit" clause.

>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>         wide links = Yes
>
> Why do you need 'wide links' in sysvol ?

I knew you would ask ;-)
Because up until a few weeks ago we had a netapp filer where there was a
share for software installation (via domain policies) *but* the client
machines had endless problems accessing that share with the machine
account. OTOH no client had problems accessing sysvol on the dc. I kept
those shares so I could easily copy the software to install and nfs mount
that same directory on the DCs and symlink it inside sysvol.
Now we don't use netapp anymore (good riddance!) but I still keep the same
layout: if it ain't broke don't fix it ;-)

Bye