durwin at mgtsciences.com
2020-Feb-27 19:56 UTC
[Samba] User names not replicating to secondary DC
> > DC1 smb.conf
> >
> > winbind use default domain = true
> > winbind offline logon = false
> > winbind nss info = rfc2307
> > winbind enum users = yes
> > winbind enum groups = yes
>
> The above lines have no place in a DC smb.conf or are defaults

Commented them out.

> Change the following files as shown:

Done.

> ==> DC0 /etc/resolv.conf
> nameserver 172.23.93.25
> search msi.mydomain.com
>
> ==> DC1 /etc/resolv.conf
> nameserver 172.23.93.3
> search msi.mydomain.com
>
> ==> DC0 /etc/hosts
> 127.0.0.1 localhost
> 172.23.93.25 dc0.msi.mydomain.com dc0
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
>
> ==> DC1 /etc/hosts
> 127.0.0.1 localhost
> 172.23.93.26 dc1.msi.mydomain.com dc1
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> Why are you using the internal dns server on one DC and Bind9 on the other ?

I am very familiar with configuring Named on Fedora. I thought it would be just as easy on Ubuntu. After discovering the files were in different places and so many more being 'included', I decided to use internal on the second one. I believe there is a command to switch over to internal, correct?

> Can you post the named.conf files from the one that is running Bind9.

named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.options

acl "trusted" {
        172.23.93.0/24;
        192.168.4.0/24;
        10.8.3.0/24;
        10.8.2.0/24;
        127.0.0.1;
        localnets;
        localhost;
};

options {
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;
        allow-query { trusted;};
        allow-recursion { trusted;};
        forwarders { 172.23.93.3; };
        allow-transfer { trusted;};
        allow-update { trusted;};
        dnssec-validation no;
        dnssec-enable no;
        dnssec-lookaside no;
        listen-on-v6 { none; };
        listen-on port 53 { 172.23.93.25; 127.0.0.1; };
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

named.conf.local

include "/var/lib/samba/bind-dns/named.conf";

/var/lib/samba/bind-dns/named.conf

dlz "AD DNS Zone" {
        # For BIND 9.8.x
        # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

        # For BIND 9.9.x
        # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

        # For BIND 9.10.x
        # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

        # For BIND 9.11.x
        database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};

/etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

The command 'samba-tool drs showrepl' shows zero failures.

Those were the attachments I thought went out on the first email.

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary and/or confidential information which may be privileged or otherwise protected from disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s), please contact the sender by reply email and destroy the original message and any copies of the message as well as any attachments to the original message.
On 27/02/2020 19:56, durwin at mgtsciences.com wrote:
>
> > Why are you using the internal dns server on one DC and Bind9 on the
> > other ?
> I am very familiar with configuring Named on Fedora. I thought it
> would be
> just as easy on Ubuntu. After discovering the files were in different
> places
> and so many more being 'included', I decided to use internal on the
> second
> one. I believe there is a command to switch over to internal, correct?

There is, samba_upgradedns, but in your case, I would suggest you upgrade the internal dns to bind9. Every DC is authoritative for the dns domain, there are no slaves. This means that your forwarders must be outside the AD dns domain.

Try this /etc/bind/named.conf.options:

acl "trusted" {
        172.23.93.0/24;
        127.0.0.1;
};

options {
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;
        allow-query { trusted;};
        allow-recursion { trusted;};
        forwarders { 8.8.8.8; };
        allow-transfer { none;};
        dnssec-validation no;
        dnssec-enable no;
        dnssec-lookaside no;
        listen-on-v6 { none; };
        listen-on port 53 { 172.23.93.25; 127.0.0.1; };

        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

Rowland
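Rowland's rule that forwarders must point outside the AD DNS domain (every DC is authoritative for the zone, so a forwarder that is itself a DC never gets you out of the zone) is easy to check mechanically, and the other two differences between Durwin's options file and the suggested one (allow-transfer opened to "trusted", allow-update present) are worth catching the same way. The following is an added example, not code from the thread or from Samba: it pulls the forwarders, allow-transfer and allow-update clauses out of a named.conf.options text and checks them against the DC addresses and network posted in the thread (172.23.93.25, 172.23.93.26, 172.23.93.0/24), and applies the Samba wiki's guidance that a DC's resolv.conf should point at a DC. The config texts are constructed abridgements of what was posted, not verbatim copies.

```python
"""Check a Samba AD DC's BIND options and resolv.conf against the rule in the
thread: DCs are authoritative for the AD zone, so forwarders must point outside
it, zone transfers stay closed, and a DC resolves through a DC.
Added example; not code from the thread or from Samba."""
import ipaddress
import re

DC_ADDRESSES = {"172.23.93.25", "172.23.93.26"}      # dc0 and dc1 per the thread's /etc/hosts
AD_NETWORK = ipaddress.ip_network("172.23.93.0/24")  # first entry of the "trusted" acl
AD_DOMAIN = "msi.mydomain.com"

# Constructed: the relevant clauses of DC0's original named.conf.options.
ORIGINAL_OPTIONS = """\
acl "trusted" { 172.23.93.0/24; 127.0.0.1; localnets; localhost; };
options {
    forwarders { 172.23.93.3; };
    allow-transfer { trusted;};
    allow-update { trusted;};
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
"""

# Constructed: the same clauses as Rowland suggested them.
SUGGESTED_OPTIONS = """\
acl "trusted" { 172.23.93.0/24; 127.0.0.1; };
options {
    forwarders { 8.8.8.8; };
    allow-transfer { none;};
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
"""

# Constructed: DC1's /etc/resolv.conf as posted, pointing at a non-DC resolver.
RESOLV_CONF_DC1 = "nameserver 172.23.93.3\nsearch msi.mydomain.com\n"


def bind_list(options_text, keyword):
    """Return the items of a 'keyword { a; b; };' clause, or None if absent."""
    m = re.search(r"\b" + re.escape(keyword) + r"\s*\{([^}]*)\}", options_text)
    if m is None:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]


def check_named_options(options_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for fwd in bind_list(options_text, "forwarders") or []:
        if fwd in DC_ADDRESSES:
            findings.append(f"forwarder {fwd} is a DC; DCs are authoritative for "
                            f"{AD_DOMAIN}, so a query forwarded there never leaves the AD zone")
            continue
        try:
            inside = ipaddress.ip_address(fwd) in AD_NETWORK
        except ValueError:   # e.g. a 'port 5353' suffix, which this check does not model
            inside = False
        if inside:
            findings.append(f"forwarder {fwd} lies inside {AD_NETWORK}; confirm it is a "
                            "resolver outside the AD DNS domain, not an AD host")
    if bind_list(options_text, "allow-transfer") != ["none"]:
        findings.append("allow-transfer is not { none; }; the suggested config closes zone "
                        "transfers so the AD zone's host list cannot be pulled by AXFR")
    if bind_list(options_text, "allow-update") is not None:
        findings.append("allow-update is set; the suggested config drops it, since the "
                        "Samba DLZ module authenticates updates via tkey-gssapi-keytab")
    return findings


def check_resolv_conf(text):
    """A DC should use itself or another DC as resolver and search the AD domain."""
    findings = []
    for ns in re.findall(r"^nameserver\s+(\S+)", text, re.MULTILINE):
        if ns not in DC_ADDRESSES:
            findings.append(f"nameserver {ns} is not a DC; point the DC at itself or "
                            "another DC so the AD SRV records resolve locally")
    if AD_DOMAIN not in re.findall(r"^search\s+(\S+)", text, re.MULTILINE):
        findings.append(f"search list does not include {AD_DOMAIN}")
    return findings


if __name__ == "__main__":
    for label, opts in (("original", ORIGINAL_OPTIONS), ("suggested", SUGGESTED_OPTIONS)):
        print(f"{label} named.conf.options: {check_named_options(opts) or 'OK'}")
    print(f"dc1 resolv.conf: {check_resolv_conf(RESOLV_CONF_DC1) or 'OK'}")
```

Run against the two constructed texts, the original options produce three findings (forwarder inside the AD network, allow-transfer open, allow-update present) and the suggested options produce none; DC1's resolv.conf is flagged because 172.23.93.3 is not one of the two DCs. To check a live DC, read the real files into the two functions and adjust DC_ADDRESSES and AD_NETWORK for the domain in question.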
durwin at mgtsciences.com
2020-Feb-28 15:19 UTC
[Samba] User names not replicating to secondary DC
> > > Why are you using the internal dns server on one DC and Bind9 on the
> > > other ?
> > I am very familiar with configuring Named on Fedora. I thought it
> > would be
> > just as easy on Ubuntu. After discovering the files were in different
> > places
> > and so many more being 'included', I decided to use internal on the
> > second
> > one. I believe there is a command to switch over to internal, correct?
>
> There is, samba_upgradedns, but in your case, I would suggest you
> upgrade the internal dns to bind9. Every DC is authoritative for the dns
> domain, there are no slaves. This means that your forwarders must be
> outside the AD dns domain.
>
> Try this /etc/bind/named.conf.options:
>
> acl "trusted" {
>         172.23.93.0/24;
>         127.0.0.1;
> };
>
> options {
>         directory "/var/cache/bind";
>         notify no;
>         empty-zones-enable no;
>         allow-query { trusted;};
>         allow-recursion { trusted;};
>         forwarders { 8.8.8.8; };
>         allow-transfer { none;};
>         dnssec-validation no;
>         dnssec-enable no;
>         dnssec-lookaside no;
>         listen-on-v6 { none; };
>         listen-on port 53 { 172.23.93.25; 127.0.0.1; };
>
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };

I made these changes as well as converting dc1 to bind_dlz.
Still no replication of new user to secondary DC.

Here is output from 'samba-tool drs showrepl'

Ubuntu18.04> samba-tool drs showrepl
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 891b31bc-f3a6-45c8-acf8-a5416c669084
DSA invocationId: 58a95aa5-5fb2-4983-94aa-18f06698383a

==== INBOUND NEIGHBORS ===

CN=Configuration,DC=msi,DC=mydomain,DC=com
        Default-First-Site-Name\DC0 via RPC
                DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
                Last attempt @ Fri Feb 28 08:09:58 2020 MST was successful
                0 consecutive failure(s).
                Last success @ Fri Feb 28 08:09:58 2020 MST

CN=Schema,CN=Configuration,DC=msi,DC=mydomain,DC=com
        Default-First-Site-Name\DC0 via RPC
                DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
                Last attempt @ Fri Feb 28 08:10:00 2020 MST was successful
                0 consecutive failure(s).
                Last success @ Fri Feb 28 08:10:00 2020 MST

DC=msi,DC=mydomain,DC=com
        Default-First-Site-Name\DC0 via RPC
                DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
                Last attempt @ Fri Feb 28 08:10:01 2020 MST was successful
                0 consecutive failure(s).
                Last success @ Fri Feb 28 08:10:01 2020 MST

DC=ForestDnsZones,DC=msi,DC=mydomain,DC=com
        Default-First-Site-Name\DC0 via RPC
                DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
                Last attempt @ Fri Feb 28 08:09:55 2020 MST was successful
                0 consecutive failure(s).
                Last success @ Fri Feb 28 08:09:55 2020 MST

DC=DomainDnsZones,DC=msi,DC=mydomain,DC=com
        Default-First-Site-Name\DC0 via RPC
                DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
                Last attempt @ Fri Feb 28 08:11:10 2020 MST was successful
                0 consecutive failure(s).
                Last success @ Fri Feb 28 08:11:10 2020 MST

==== OUTBOUND NEIGHBORS ===

CN=Configuration,DC=msi,DC=mydomain,DC=com
        Default-First-Site-Name\DC0 via RPC
                DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=msi,DC=mydomain,DC=com
        Default-First-Site-Name\DC0 via RPC
                DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=msi,DC=mydomain,DC=com
        Default-First-Site-Name\DC0 via RPC
                DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=msi,DC=mydomain,DC=com
        Default-First-Site-Name\DC0 via RPC
                DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=msi,DC=mydomain,DC=com
        Default-First-Site-Name\DC0 via RPC
                DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
        Connection name: 79339f2a-0afd-4378-b77d-55e32c253ece
        Enabled        : TRUE
        Server DNS name : dc0.msi.mydomain.com
        Server DN name  : CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=msi,DC=mydomain,DC=com
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

> Rowland
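Reading showrepl output by eye across ten neighbour blocks is error-prone, and the thread's output has two things that deserve a second look beyond the "0 consecutive failure(s)" lines: every outbound neighbour reports "Last success @ NTTIME(0)", and the KCC section ends with "Warning: No NC replicated for Connection!". The following is an added example, not code from the thread or from samba-tool: a small parser for the showrepl format that separates real link failures ("error") from entries that merely need explaining ("info"). SAMPLE_SHOWREPL is a constructed abridgement of Durwin's output with one inbound neighbour altered to show a failure (the "failed, result ..." wording and the 8453 code are constructed for the example), so the summary has something to report.

```python
"""Summarise 'samba-tool drs showrepl' output: failing neighbours, links with
no recorded success, and KCC warnings. Added example, not code from the
thread or from samba-tool; SAMPLE_SHOWREPL is a constructed abridgement of
Durwin's output with one inbound neighbour altered to show a failure."""
import re
from dataclasses import dataclass

SAMPLE_SHOWREPL = r"""
Default-First-Site-Name\DC1

==== INBOUND NEIGHBORS ====

DC=msi,DC=mydomain,DC=com
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
        Last attempt @ Fri Feb 28 08:10:01 2020 MST was successful
        0 consecutive failure(s).
        Last success @ Fri Feb 28 08:10:01 2020 MST

DC=DomainDnsZones,DC=msi,DC=mydomain,DC=com
    Default-First-Site-Name\DC0 via RPC
        Last attempt @ Fri Feb 28 08:11:10 2020 MST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        3 consecutive failure(s).
        Last success @ Fri Feb 28 07:11:10 2020 MST

==== OUTBOUND NEIGHBORS ====

DC=msi,DC=mydomain,DC=com
    Default-First-Site-Name\DC0 via RPC
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Server DNS name : dc0.msi.mydomain.com
Warning: No NC replicated for Connection!
"""


@dataclass
class Neighbor:
    direction: str          # "INBOUND" or "OUTBOUND"
    partition: str          # naming context DN
    partner: str            # e.g. Default-First-Site-Name\DC0
    failures: int = 0
    last_result: str = ""   # "was successful" or "failed, result ..."
    last_success: str = ""  # timestamp, or "NTTIME(0)" if never


def parse_showrepl(text):
    """Return (neighbors, warnings) parsed from showrepl output."""
    neighbors, warnings = [], []
    section = partition = current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^==== (INBOUND|OUTBOUND) NEIGHBORS =+$", line)
        if m:
            section, partition, current = m.group(1), None, None
            continue
        if line.startswith("==== KCC"):
            section = "KCC"
        elif line.startswith("Warning:"):
            warnings.append(line)
        elif section not in ("INBOUND", "OUTBOUND"):
            continue
        elif re.match(r"^(CN|DC)=", line):
            partition = line                     # start of a naming-context block
        elif re.match(r"^\S+ via \w+$", line) and partition:
            current = Neighbor(section, partition, line.split(" via ")[0])
            neighbors.append(current)
        elif current is not None:
            m = re.match(r"^Last attempt @ (.+?) (was successful|failed.*)$", line)
            if m:
                current.last_result = m.group(2)
            m = re.match(r"^(\d+) consecutive failure", line)
            if m:
                current.failures = int(m.group(1))
            m = re.match(r"^Last success @ (.+)$", line)
            if m:
                current.last_success = m.group(1)
    return neighbors, warnings


def replication_problems(neighbors, warnings):
    """Return (severity, message) pairs: 'error' for failing links, 'info' otherwise."""
    problems = []
    for n in neighbors:
        link = f"{n.direction.lower()} {n.partition} with {n.partner}"
        if n.failures > 0 or n.last_result.startswith("failed"):
            problems.append(("error", f"{link}: {n.failures} consecutive failure(s), "
                                      f"last attempt {n.last_result}"))
        elif n.last_success == "NTTIME(0)":
            problems.append(("info", f"{link}: no successful replication recorded (NTTIME(0))"))
    problems.extend(("info", w) for w in warnings)
    return problems


if __name__ == "__main__":
    for severity, message in replication_problems(*parse_showrepl(SAMPLE_SHOWREPL)):
        print(f"[{severity}] {message}")
```

On real output (pass the text of `samba-tool drs showrepl` to parse_showrepl), the "error" lines are the ones that explain a user not arriving on the second DC; the "info" lines are the ones to account for. On the thread's own output the parser would report no errors at all, only the five NTTIME(0) outbound entries and the KCC warning, which is consistent with Durwin's remark that showrepl shows zero failures and is why Louis asks for the debug-info script rather than drawing a conclusion from showrepl alone.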
Can you run this script on both DC's.

https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh

Anonymize where needed, but keep things like you.dom.tld like that; don't change that to example.tld.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Durwin via samba
> Sent: Friday 28 February 2020 16:19
> To: Rowland penny
> CC: sambalist; samba
> Subject: Re: [Samba] User names not replicating to secondary DC
>
> I made these changes as well as converting dc1 to bind_dlz.
> Still no replication of new user to secondary DC.