Can you run this script on both DCs?
https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh

Anonymize where needed but keep things like You.dom.tld like that, don't change that to example.tld.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Durwin via samba
> Sent: Friday 28 February 2020 16:19
> To: Rowland penny
> CC: sambalist; samba
> Subject: Re: [Samba] User names not replicating to secondary DC
>
> > > > Why are you using the internal dns server on one DC and Bind9 on the
> > > > other ?
> > > I am very familiar with configuring Named on Fedora. I thought it would be
> > > just as easy on Ubuntu. After discovering the files were in different places
> > > and so many more being 'included', I decided to use internal on the second
> > > one. I believe there is a command to switch over to internal, correct?
> >
> > There is, samba_upgradedns, but in your case, I would suggest you
> > upgrade the internal dns to bind9. Every DC is authoritative for the dns
> > domain, there are no slaves. This means that your forwarders must be
> > outside the AD dns domain.
> >
> > Try this /etc/bind/named.conf.options:
> >
> > acl "trusted" {
> >         172.23.93.0/24;
> >         127.0.0.1;
> > };
> >
> > options {
> >         directory "/var/cache/bind";
> >         notify no;
> >         empty-zones-enable no;
> >         allow-query { trusted;};
> >         allow-recursion { trusted;};
> >         forwarders { 8.8.8.8; };
> >         allow-transfer { none;};
> >         dnssec-validation no;
> >         dnssec-enable no;
> >         dnssec-lookaside no;
> >         listen-on-v6 { none; };
> >         listen-on port 53 { 172.23.93.25; 127.0.0.1; };
> >
> >         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > };
>
> I made these changes as well as converting dc1 to bind_dlz.
> Still no replication of new user to secondary DC.
>
> Here is output from 'samba-tool drs showrepl'
>
> Ubuntu18.04> samba-tool drs showrepl
> Default-First-Site-Name\DC1
> DSA Options: 0x00000001
> DSA object GUID: 891b31bc-f3a6-45c8-acf8-a5416c669084
> DSA invocationId: 58a95aa5-5fb2-4983-94aa-18f06698383a
>
> ==== INBOUND NEIGHBORS ====
>
> CN=Configuration,DC=msi,DC=mydomain,DC=com
>         Default-First-Site-Name\DC0 via RPC
>                 DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
>                 Last attempt @ Fri Feb 28 08:09:58 2020 MST was successful
>                 0 consecutive failure(s).
>                 Last success @ Fri Feb 28 08:09:58 2020 MST
>
> CN=Schema,CN=Configuration,DC=msi,DC=mydomain,DC=com
>         Default-First-Site-Name\DC0 via RPC
>                 DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
>                 Last attempt @ Fri Feb 28 08:10:00 2020 MST was successful
>                 0 consecutive failure(s).
>                 Last success @ Fri Feb 28 08:10:00 2020 MST
>
> DC=msi,DC=mydomain,DC=com
>         Default-First-Site-Name\DC0 via RPC
>                 DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
>                 Last attempt @ Fri Feb 28 08:10:01 2020 MST was successful
>                 0 consecutive failure(s).
>                 Last success @ Fri Feb 28 08:10:01 2020 MST
>
> DC=ForestDnsZones,DC=msi,DC=mydomain,DC=com
>         Default-First-Site-Name\DC0 via RPC
>                 DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
>                 Last attempt @ Fri Feb 28 08:09:55 2020 MST was successful
>                 0 consecutive failure(s).
>                 Last success @ Fri Feb 28 08:09:55 2020 MST
>
> DC=DomainDnsZones,DC=msi,DC=mydomain,DC=com
>         Default-First-Site-Name\DC0 via RPC
>                 DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
>                 Last attempt @ Fri Feb 28 08:11:10 2020 MST was successful
>                 0 consecutive failure(s).
>                 Last success @ Fri Feb 28 08:11:10 2020 MST
>
> ==== OUTBOUND NEIGHBORS ====
>
> CN=Configuration,DC=msi,DC=mydomain,DC=com
>         Default-First-Site-Name\DC0 via RPC
>                 DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
>
> CN=Schema,CN=Configuration,DC=msi,DC=mydomain,DC=com
>         Default-First-Site-Name\DC0 via RPC
>                 DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
>
> DC=msi,DC=mydomain,DC=com
>         Default-First-Site-Name\DC0 via RPC
>                 DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
>
> DC=ForestDnsZones,DC=msi,DC=mydomain,DC=com
>         Default-First-Site-Name\DC0 via RPC
>                 DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
>
> DC=DomainDnsZones,DC=msi,DC=mydomain,DC=com
>         Default-First-Site-Name\DC0 via RPC
>                 DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
>
> ==== KCC CONNECTION OBJECTS ====
>
> Connection --
>         Connection name: 79339f2a-0afd-4378-b77d-55e32c253ece
>         Enabled        : TRUE
>         Server DNS name : dc0.msi.mydomain.com
>         Server DN name  : CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=msi,DC=mydomain,DC=com
>         TransportType: RPC
>         options: 0x00000001
> Warning: No NC replicated for Connection!
>
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> This email message and any attachments are for the sole use of the
> intended recipient(s) and may contain proprietary and/or confidential
> information which may be privileged or otherwise protected from
> disclosure. Any unauthorized review, use, disclosure or distribution is
> prohibited. If you are not the intended recipient(s), please contact the
> sender by reply email and destroy the original message and any copies of
> the message as well as any attachments to the original message.
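The showrepl output quoted above is the thing worth checking mechanically on every DC: every OUTBOUND link reports "Last success @ NTTIME(0)", which is the zero timestamp (no replication ever recorded on that link), and the KCC section ends with "Warning: No NC replicated for Connection!". The script below is an added example for this thread, not code from the thread or from Samba. It parses the text layout that `samba-tool drs showrepl` prints (the layout shown above) and reports links that never succeeded, links whose last attempt failed or that carry consecutive failures, and KCC warnings. The embedded sample is constructed from the thread's output and abridged; the wording of the failed-attempt line in it ("failed, result N (WERR_...)") is an assumption of this example.

```python
"""Audit `samba-tool drs showrepl` output for replication links that never ran.

Added example (not code from the thread or from Samba). It parses the text
layout samba-tool prints and reports: links whose last success is NTTIME(0),
i.e. no replication ever recorded; links with a failed last attempt or
consecutive failures; and warnings under the KCC connection objects section.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample, abridged from the thread's layout (not a real capture).
# The failed-attempt line format "failed, result N (WERR_...)" is assumed.
SAMPLE = r"""
Default-First-Site-Name\DC1

==== INBOUND NEIGHBORS ====

DC=msi,DC=mydomain,DC=com
    Default-First-Site-Name\DC0 via RPC
        Last attempt @ Fri Feb 28 08:10:01 2020 MST was successful
        0 consecutive failure(s).
        Last success @ Fri Feb 28 08:10:01 2020 MST

CN=Configuration,DC=msi,DC=mydomain,DC=com
    Default-First-Site-Name\DC0 via RPC
        Last attempt @ Fri Feb 28 08:09:58 2020 MST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        3 consecutive failure(s).
        Last success @ Thu Feb 27 08:09:58 2020 MST

==== OUTBOUND NEIGHBORS ====

DC=msi,DC=mydomain,DC=com
    Default-First-Site-Name\DC0 via RPC
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Server DNS name : dc0.msi.mydomain.com
Warning: No NC replicated for Connection!
"""


@dataclass
class Neighbor:
    direction: str          # "INBOUND" or "OUTBOUND"
    nc: str                 # naming context, e.g. DC=msi,DC=mydomain,DC=com
    partner: str            # e.g. Default-First-Site-Name\DC0
    last_attempt: str = ""
    attempt_ok: bool = True
    failures: int = 0
    last_success: str = ""


def parse_showrepl(text):
    """Return (neighbors, kcc_warnings) parsed from showrepl text."""
    neighbors, warnings, section, nc, cur = [], [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"==== (INBOUND|OUTBOUND|KCC)", line):
            section, nc, cur = m.group(1), None, None
        elif section == "KCC":
            if line.startswith("Warning:"):
                warnings.append(line)
        elif section is None or not line:
            continue
        elif re.match(r"(CN|DC)=", line):             # start of a naming-context block
            nc = line
        elif " via " in line and nc:                  # "<partner> via RPC"
            cur = Neighbor(section, nc, line.split(" via ")[0])
            neighbors.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"Last attempt @ (.+?) (was successful|failed.*)$", line):
            cur.last_attempt, cur.attempt_ok = m.group(1), m.group(2) == "was successful"
        elif m := re.match(r"(\d+) consecutive failure", line):
            cur.failures = int(m.group(1))
        elif m := re.match(r"Last success @ (.+)$", line):
            cur.last_success = m.group(1)
    return neighbors, warnings


def audit(text):
    """Return human-readable findings; an empty list means every link looks healthy."""
    neighbors, warnings = parse_showrepl(text)
    findings = []
    for n in neighbors:
        where = f"{n.direction} {n.nc} with {n.partner}"
        if n.last_success == "NTTIME(0)":
            findings.append(f"{where}: never replicated (last success NTTIME(0))")
        if not n.attempt_ok or n.failures > 0:
            findings.append(f"{where}: {n.failures} consecutive failure(s), "
                            f"last attempt {n.last_attempt}")
    findings.extend(f"KCC: {w}" for w in warnings)
    return findings


if __name__ == "__main__":
    # No argument: audit the constructed sample. "-": read real output from stdin.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for finding in audit(text):
        print(finding)
```

Run it against a live DC with `samba-tool drs showrepl | python3 showrepl_audit.py -` (script name assumed). On the DC1 output above it would report all five outbound naming contexts as never replicated plus the KCC warning; the same run on DC0 shows whether the links are one-sided or simply never pulled.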
Found one error, see below. Do note, most looks very good for the other things.

________________________________
From: durwin at mgtsciences.com [mailto:durwin at mgtsciences.com]
Sent: Friday 28 February 2020 16:41
To: L.P.H. van Belle
CC: samba at lists.samba.org; samba
Subject: Re: [Samba] User names not replicating to secondary DC

> Can you run this script on both DC's.
>
> https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh

=== BEGIN dc0 ===
Collected config --- 2020-02-28-08:30
-----------
Hostname: dc0
DNS Domain: msi.mydomain.com
FQDN: dc0.msi.mydomain.com
ipaddress: 172.23.93.25
-----------
Kerberos SRV _kerberos._tcp.msi.mydomain.com record verified ok, sample output:
Server:         172.23.93.25
Address:        172.23.93.25#53

_kerberos._tcp.msi.mydomain.com service = 0 100 88 dc0.msi.mydomain.com.
_kerberos._tcp.msi.mydomain.com service = 0 100 88 dc1.msi.mydomain.com.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
-----------
This computer is running Ubuntu 18.04.3 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:88:47:0f brd ff:ff:ff:ff:ff:ff
    inet 172.23.93.25/24 brd 172.23.93.255 scope global enp0s3
    inet6 fe80::a00:27ff:fe88:470f/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1       localhost
172.23.93.25    dc0.msi.mydomain.com dc0

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
-----------
Checking file: /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 172.23.93.25
ADD: nameserver 172.23.93.26
search msi.mydomain.com
-----------
Checking file: /etc/krb5.conf
[libdefaults]
        default_realm = MSI.MYDOMAIN.COM

        ; Note, this is added because other software may need it.
        ; personaly i would remove : des-cbc-crc des-cbc-md5 but for compatibility i leave it in.
        ; for Windows 2008 with AES
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
        netbios name = DC0
        realm = MSI.MYDOMAIN.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = MSI
        # This line was added 190710 (DFD)
        dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/msi.mydomain.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
acl "trusted" {
        172.23.93.0/24;
        127.0.0.1;
};

options {
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;
        allow-query { trusted;};
        allow-recursion { trusted;};
        forwarders { 8.8.8.8; };
        allow-transfer { none;};
        dnssec-validation no;
        dnssec-enable no;
        dnssec-lookaside no;
        listen-on-v6 { none; };
        listen-on port 53 { 172.23.93.25; 127.0.0.1; };

        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// adding the Samba dlopen ( Bind DLZ ) module
include "/var/lib/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
-----------
Samba DNS zone list:
  3 zone(s) found

  pszZoneName                 : 93.23.172.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com

  pszZoneName                 : msi.mydomain.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com

  pszZoneName                 : _msdcs.msi.mydomain.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.msi.mydomain.com

Samba DNS zone list Automated check :
zone : 93.23.172.in-addr.arpa ok, no Bind flat-files found
-----------
zone : msi.mydomain.com ok, no Bind flat-files found
-----------
zone : _msdcs.msi.mydomain.com ok, no Bind flat-files found
-----------
Installed packages:
ii  acl                         2.2.52-3build1                 amd64  Access control list utilities
ii  attr                        1:2.4.47-2build1               amd64  Utilities for manipulating filesystem extended attributes
ii  bind9                       1:9.11.3+dfsg-1ubuntu1.11      amd64  Internet Domain Name Server
ii  bind9-host                  1:9.11.3+dfsg-1ubuntu1.11      amd64  DNS lookup utility (deprecated)
ii  bind9utils                  1:9.11.3+dfsg-1ubuntu1.11      amd64  Utilities for BIND
ii  krb5-config                 2.6                            all    Configuration files for Kerberos Version 5
ii  krb5-locales                1.16-2ubuntu0.1                all    internationalization support for MIT Kerberos
ii  krb5-user                   1.16-2ubuntu0.1                amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64               2.2.52-3build1                 amd64  Access control list shared library
ii  libacl1-dev                 2.2.52-3build1                 amd64  Access control list static libraries and headers
ii  libattr1:amd64              1:2.4.47-2build1               amd64  Extended attribute shared library
ii  libattr1-dev:amd64          1:2.4.47-2build1               amd64  Extended attribute static libraries and headers
ii  libbind9-160:amd64          1:9.11.3+dfsg-1ubuntu1.11      amd64  BIND9 Shared Library used by BIND
ii  libgssapi-krb5-2:amd64      1.16-2ubuntu0.1                amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64    7.5.0+dfsg-1                   amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64             1.16-2ubuntu0.1                amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64       1.16-2ubuntu0.1                amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64        2:4.9.18+dfsg-0.1bionic1       amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64        2:4.9.18+dfsg-0.1bionic1       amd64  Windows domain authentication integration plugin
ii  libwbclient0:amd64          2:4.9.18+dfsg-0.1bionic1       amd64  Samba winbind client library
ii  python-samba                2:4.9.18+dfsg-0.1bionic1       amd64  Python bindings for Samba
ii  python3-attr                17.4.0-2                       all    Attributes without boilerplate (Python 3)
ii  samba                       2:4.9.18+dfsg-0.1bionic1       amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common                2:4.9.18+dfsg-0.1bionic1       all    common files used by both the Samba server and client
ii  samba-common-bin            2:4.9.18+dfsg-0.1bionic1       amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64    2:4.9.18+dfsg-0.1bionic1       amd64  Samba Directory Services Database
ii  samba-libs:amd64            2:4.9.18+dfsg-0.1bionic1       amd64  Samba core libraries
ii  samba-vfs-modules:amd64     2:4.9.18+dfsg-0.1bionic1       amd64  Samba Virtual FileSystem plugins
ii  winbind                     2:4.9.18+dfsg-0.1bionic1       amd64  service to resolve user and group information from Windows NT servers
-----------
=== END dc0 ===

=== BEGIN dc1 ===
Collected config --- 2020-02-28-08:28
-----------
Hostname: dc1
DNS Domain: msi.mydomain.com
FQDN: dc1.msi.mydomain.com
ipaddress: 172.23.93.26
-----------
Kerberos SRV _kerberos._tcp.msi.mydomain.com record verified ok, sample output:
Server:         172.23.93.3
Address:        172.23.93.3#53

_kerberos._tcp.msi.mydomain.com service = 0 100 88 dc0.msi.mydomain.com.
_kerberos._tcp.msi.mydomain.com service = 0 100 88 dc1.msi.mydomain.com.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
-----------
This computer is running Ubuntu 18.04.3 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:3e:9b:53 brd ff:ff:ff:ff:ff:ff
    inet 172.23.93.26/24 brd 172.23.93.255 scope global enp0s3
    inet6 fe80::a00:27ff:fe3e:9b53/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1       localhost
172.23.93.26    dc1.msi.mydomain.com dc1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# Generated by NetworkManager
ADD Top: nameserver 172.23.93.26
ADD nameserver 172.23.93.25
nameserver 172.23.93.3      <<< and this is ?
search msi.mydomain.com
-----------
Checking file: /etc/krb5.conf
[libdefaults]
        default_realm = MSI.MYDOMAIN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
        netbios name = DC1
        realm = MSI.MYDOMAIN.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = MSI
        dns forwarder = 172.23.93.3
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        #winbind use default domain = true
        #winbind offline logon = false
        #winbind nss info = rfc2307
        #winbind enum users = yes
        #winbind enum groups = yes
        # This line added 200129 DFD.
        dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

[netlogon]
        path = /var/lib/samba/sysvol/msi.mydomain.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
acl "trusted" {
        172.23.93.0/24;
        127.0.0.1;
};

options {
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;
        allow-query { trusted;};
        allow-recursion { trusted;};
        forwarders { 8.8.8.8; };
        allow-transfer { none;};
        dnssec-validation no;
        dnssec-enable no;
        dnssec-lookaside no;
        listen-on-v6 { none; };
        listen-on port 53 { 172.23.93.26; 127.0.0.1; };

        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        #dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        #listen-on-v6 { any; };
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
-----------
Samba DNS zone list:
  3 zone(s) found

  pszZoneName                 : 93.23.172.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com

  pszZoneName                 : msi.mydomain.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com

  pszZoneName                 : _msdcs.msi.mydomain.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.msi.mydomain.com

Samba DNS zone list Automated check :
zone : 93.23.172.in-addr.arpa ok, no Bind flat-files found
-----------
zone : msi.mydomain.com ok, no Bind flat-files found
-----------
zone : _msdcs.msi.mydomain.com ok, no Bind flat-files found
-----------
Installed packages:
ii  acl                         2.2.52-3build1                     amd64  Access control list utilities
ii  attr                        1:2.4.47-2build1                   amd64  Utilities for manipulating filesystem extended attributes
ii  bind9                       1:9.11.3+dfsg-1ubuntu1.11          amd64  Internet Domain Name Server
ii  bind9-host                  1:9.11.3+dfsg-1ubuntu1.11          amd64  DNS lookup utility (deprecated)
ii  bind9utils                  1:9.11.3+dfsg-1ubuntu1.11          amd64  Utilities for BIND
ii  krb5-config                 2.6                                all    Configuration files for Kerberos Version 5
ii  krb5-locales                1.16-2ubuntu0.1                    all    internationalization support for MIT Kerberos
ii  krb5-user                   1.16-2ubuntu0.1                    amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64               2.2.52-3build1                     amd64  Access control list shared library
ii  libattr1:amd64              1:2.4.47-2build1                   amd64  Extended attribute shared library
ii  libbind9-160:amd64          1:9.11.3+dfsg-1ubuntu1.11          amd64  BIND9 Shared Library used by BIND
ii  libgssapi-krb5-2:amd64      1.16-2ubuntu0.1                    amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64    7.5.0+dfsg-1                       amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64             1.16-2ubuntu0.1                    amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64       1.16-2ubuntu0.1                    amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64        2:4.7.6+dfsg~ubuntu-0ubuntu2.15    amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64        2:4.7.6+dfsg~ubuntu-0ubuntu2.15    amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64          2:4.7.6+dfsg~ubuntu-0ubuntu2.15    amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64          2:4.7.6+dfsg~ubuntu-0ubuntu2.15    amd64  Samba winbind client library
ii  python-samba                2:4.7.6+dfsg~ubuntu-0ubuntu2.15    amd64  Python bindings for Samba
ii  python3-nacl                1.1.2-1build1                      amd64  Python bindings to libsodium (Python 3)
ii  samba                       2:4.7.6+dfsg~ubuntu-0ubuntu2.15    amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common                2:4.7.6+dfsg~ubuntu-0ubuntu2.15    all    common files used by both the Samba server and client
ii  samba-common-bin            2:4.7.6+dfsg~ubuntu-0ubuntu2.15    amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules          2:4.7.6+dfsg~ubuntu-0ubuntu2.15    amd64  Samba Directory Services Database
ii  samba-libs:amd64            2:4.7.6+dfsg~ubuntu-0ubuntu2.15    amd64  Samba core libraries
ii  samba-vfs-modules           2:4.7.6+dfsg~ubuntu-0ubuntu2.15    amd64  Samba Virtual FileSystem plugins
ii  winbind                     2:4.7.6+dfsg~ubuntu-0ubuntu2.15    amd64  service to resolve user and group information from Windows NT servers
-----------
=== END dc1 ===

> Anonymize where needed but
> keep things like You.dom.tld like that, don't change that to example.tld.
>
> Greetz,
>
> Louis
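The one error Louis marks is the resolver on dc1: 172.23.93.3 is not a DC, and each DC lists only itself rather than itself first and then the other DC. Two further details are visible in the same dump: Rowland's named.conf.options template carries dc0's address in `listen-on`, so it has to be adjusted per DC, and dc1's named.conf.local as posted contains no `include` of the Samba-generated named.conf while dc0's does. The following Python is an added example, not part of the thread and not the samba-collect-debug-info.sh script. It codes those observations as checks over the raw file texts and adds an enctype check: DES is what the dc0 krb5.conf comment itself says it would remove; classing RC4/arcfour as legacy is this example's own judgement. `DC_IPS`, the sample file texts and the two Samba DLZ paths (bind-dns dir from Samba 4.8 on, private dir before) are assumptions stated in the code.

```python
"""Sanity checks over the files samba-collect-debug-info.sh prints for a DC.

Added example; not part of the thread and not the collect script. It codes
the resolver observation from the thread and adds three checks of its own:
Kerberos enctypes, BIND listen-on covering the DC's own address, and the
Samba DLZ include in named.conf.local.
"""
import re

DC_IPS = {"172.23.93.25", "172.23.93.26"}      # the two DCs in the thread (assumed)

# DES is what the thread's own krb5.conf comment says it would remove;
# RC4/arcfour is classed as legacy by this example, not by the thread.
ENCTYPE_RISK = {"des-cbc-crc": "weak", "des-cbc-md5": "weak",
                "rc4-hmac": "legacy", "arcfour-hmac": "legacy", "arcfour-hmac-md5": "legacy"}

# Where Samba writes the DLZ named.conf: bind-dns dir since Samba 4.8, private before.
DLZ_INCLUDES = ("/var/lib/samba/bind-dns/named.conf", "/var/lib/samba/private/named.conf")

# Constructed samples, copied from the dc0/dc1 output in the thread.
DC1_RESOLV = "# Generated by NetworkManager\nnameserver 172.23.93.3\nsearch msi.mydomain.com\n"
DC1_KRB5 = "[libdefaults]\n default_realm = MSI.MYDOMAIN.COM\n dns_lookup_realm = false\n dns_lookup_kdc = true\n"
DC0_KRB5 = """[libdefaults]
 default_realm = MSI.MYDOMAIN.COM
 ; for Windows 2008 with AES
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""
DC1_NAMED_OPTIONS = """options {
 listen-on-v6 { none; };
 listen-on port 53 { 172.23.93.26; 127.0.0.1; };
 tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
"""
DC0_NAMED_LOCAL = '//include "/etc/bind/zones.rfc1918";\ninclude "/var/lib/samba/bind-dns/named.conf";\n'
DC1_NAMED_LOCAL = '//include "/etc/bind/zones.rfc1918";\n'


def nameservers(resolv_conf):
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)


def check_resolvers(resolv_conf, own_ip, dc_ips=DC_IPS):
    """A DC resolves through AD DNS only: itself first, then the other DCs, nothing else."""
    findings = []
    ns = nameservers(resolv_conf)
    for ip in ns:
        if ip not in dc_ips:
            findings.append(f"resolv.conf: nameserver {ip} is not an AD DC")
    if not ns or ns[0] != own_ip:
        findings.append(f"resolv.conf: first nameserver should be this DC ({own_ip}), got {ns[:1] or 'none'}")
    missing = sorted(dc_ips - set(ns))
    if missing:
        findings.append(f"resolv.conf: DC nameservers missing: {', '.join(missing)}")
    return findings


def check_enctypes(krb5_conf):
    """Flag every enctype in the three [libdefaults] lists that is in ENCTYPE_RISK."""
    findings = []
    pattern = r"^\s*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)\s*=\s*(.+?)\s*$"
    for key, values in re.findall(pattern, krb5_conf, re.M):
        for enc in values.split():
            risk = ENCTYPE_RISK.get(enc.lower())
            if risk:
                findings.append(f"krb5.conf: {key} allows {enc} ({risk})")
    return findings


def check_listen_on(named_options, own_ip):
    """The IPv4 listen-on (not listen-on-v6) must include this DC's own address."""
    m = re.search(r"\blisten-on(?:\s+port\s+\d+)?\s*\{([^}]*)\}", named_options)
    if not m:
        return ["named.conf.options: no IPv4 listen-on statement"]
    addrs = [a.strip() for a in m.group(1).split(";") if a.strip()]
    if own_ip not in addrs:
        return [f"named.conf.options: listen-on {addrs} omits this DC's address {own_ip}"]
    return []


def check_dlz_include(named_local):
    """With BIND_DLZ in use, named.conf.local must include the Samba-generated named.conf."""
    for line in named_local.splitlines():
        s = line.strip()
        if s.startswith("include") and any(p in s for p in DLZ_INCLUDES):
            return []
    return ["named.conf.local: no include of the Samba DLZ named.conf"]


def audit_dc(own_ip, resolv_conf, krb5_conf, named_options, named_local):
    return (check_resolvers(resolv_conf, own_ip) + check_enctypes(krb5_conf)
            + check_listen_on(named_options, own_ip) + check_dlz_include(named_local))


if __name__ == "__main__":
    for f in audit_dc("172.23.93.26", DC1_RESOLV, DC1_KRB5, DC1_NAMED_OPTIONS, DC1_NAMED_LOCAL):
        print("dc1:", f)
    for f in check_enctypes(DC0_KRB5):
        print("dc0:", f)
```

To use it on a real DC, read the four files with `open(...).read()` and pass the host's own address; the constructed dc1 sample yields four findings (the foreign resolver, itself not first, both DC addresses missing, and the missing DLZ include), and the dc0 krb5.conf yields nine enctype findings.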
durwin at mgtsciences.com
2020-Mar-02 18:59 UTC
[Samba] User names not replicating to secondary DC
> Can you run this script on both DC's.
>
> https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh

=== BEGIN dc0 ==
Collected config --- 2020-02-28-08:30
-----------
Hostname: dc0
DNS Domain: msi.mydomain.com
FQDN: dc0.msi.mydomain.com
ipaddress: 172.23.93.25
-----------
Kerberos SRV _kerberos._tcp.msi.mydomain.com record verified ok, sample output:
Server: 172.23.93.25
Address: 172.23.93.25#53
_kerberos._tcp.msi.mydomain.com service = 0 100 88 dc0.msi.mydomain.com.
_kerberos._tcp.msi.mydomain.com service = 0 100 88 dc1.msi.mydomain.com.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
-----------
This computer is running Ubuntu 18.04.3 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:88:47:0f brd ff:ff:ff:ff:ff:ff
    inet 172.23.93.25/24 brd 172.23.93.255 scope global enp0s3
    inet6 fe80::a00:27ff:fe88:470f/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
172.23.93.25 dc0.msi.mydomain.com dc0
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
-----------
Checking file: /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 172.23.93.25
search msi.mydomain.com
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = MSI.MYDOMAIN.COM
; Note, this is added because other software may need it.
; personaly i would remove : des-cbc-crc des-cbc-md5 but for compatibility i leave it in.
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd
group: compat systemd
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = DC0
realm = MSI.MYDOMAIN.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = MSI
# This line was added 190710 (DFD)
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/msi.mydomain.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
acl "trusted" {
172.23.93.0/24;
127.0.0.1;
};
options {
directory "/var/cache/bind";
notify no;
empty-zones-enable no;
allow-query { trusted;};
allow-recursion { trusted;};
forwarders { 8.8.8.8; };
allow-transfer { none;};
dnssec-validation no;
dnssec-enable no;
dnssec-lookaside no;
listen-on-v6 { none; };
listen-on port 53 { 172.23.93.25; 127.0.0.1; };
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// adding the Samba dlopen ( Bind DLZ ) module
include "/var/lib/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list:
3 zone(s) found
pszZoneName : 93.23.172.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.msi.mydomain.com
pszZoneName : msi.mydomain.com
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.msi.mydomain.com
pszZoneName : _msdcs.msi.mydomain.com
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.msi.mydomain.com
Samba DNS zone list Automated check :
zone : 93.23.172.in-addr.arpa ok, no Bind flat-files found
-----------
zone : msi.mydomain.com ok, no Bind flat-files found
-----------
zone : _msdcs.msi.mydomain.com ok, no Bind flat-files found
-----------
Installed packages:
ii acl 2.2.52-3build1 amd64 Access control list utilities
ii attr 1:2.4.47-2build1 amd64 Utilities for manipulating filesystem extended attributes
ii bind9 1:9.11.3+dfsg-1ubuntu1.11 amd64 Internet Domain Name Server
ii bind9-host 1:9.11.3+dfsg-1ubuntu1.11 amd64 DNS lookup utility (deprecated)
ii bind9utils 1:9.11.3+dfsg-1ubuntu1.11 amd64 Utilities for BIND
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.16-2ubuntu0.1 all internationalization support for MIT Kerberos
ii krb5-user 1.16-2ubuntu0.1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3build1 amd64 Access control list shared library
ii libacl1-dev 2.2.52-3build1 amd64 Access control list static libraries and headers
ii libattr1:amd64 1:2.4.47-2build1 amd64 Extended attribute shared library
ii libattr1-dev:amd64 1:2.4.47-2build1 amd64 Extended attribute static libraries and headers
ii libbind9-160:amd64 1:9.11.3+dfsg-1ubuntu1.11 amd64 BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba winbind client library
ii python-samba 2:4.9.18+dfsg-0.1bionic1 amd64 Python bindings for Samba
ii python3-attr 17.4.0-2 all Attributes without boilerplate (Python 3)
ii samba 2:4.9.18+dfsg-0.1bionic1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.18+dfsg-0.1bionic1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.18+dfsg-0.1bionic1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.9.18+dfsg-0.1bionic1 amd64 service to resolve user and group information from Windows NT servers
-----------
=== END dc0 ==

=== BEGIN dc1 ==
Collected config --- 2020-02-28-08:28
-----------
Hostname: dc1
DNS Domain: msi.mydomain.com
FQDN: dc1.msi.mydomain.com
ipaddress: 172.23.93.26
-----------
Kerberos SRV _kerberos._tcp.msi.mydomain.com record verified ok, sample output:
Server: 172.23.93.3
Address: 172.23.93.3#53
_kerberos._tcp.msi.mydomain.com service = 0 100 88 dc0.msi.mydomain.com.
_kerberos._tcp.msi.mydomain.com service = 0 100 88 dc1.msi.mydomain.com.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
-----------
This computer is running Ubuntu 18.04.3 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:3e:9b:53 brd ff:ff:ff:ff:ff:ff
    inet 172.23.93.26/24 brd 172.23.93.255 scope global enp0s3
    inet6 fe80::a00:27ff:fe3e:9b53/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
172.23.93.26 dc1.msi.mydomain.com dc1
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# Generated by NetworkManager
nameserver 172.23.93.3
search msi.mydomain.com
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = MSI.MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd
group: compat systemd
shadow: compat
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = DC1
realm = MSI.MYDOMAIN.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = MSI
dns forwarder = 172.23.93.3
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
#winbind use default domain = true
#winbind offline logon = false
#winbind nss info = rfc2307
#winbind enum users = yes
#winbind enum groups = yes
# This line added 200129 DFD.
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
[netlogon]
path = /var/lib/samba/sysvol/msi.mydomain.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
acl "trusted" {
172.23.93.0/24;
127.0.0.1;
};
options {
directory "/var/cache/bind";
notify no;
empty-zones-enable no;
allow-query { trusted;};
allow-recursion { trusted;};
forwarders { 8.8.8.8; };
allow-transfer { none;};
dnssec-validation no;
dnssec-enable no;
dnssec-lookaside no;
listen-on-v6 { none; };
listen-on port 53 { 172.23.93.26; 127.0.0.1; };
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//=======================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//=======================================================================
#dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
#listen-on-v6 { any; };
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list:
3 zone(s) found
pszZoneName : 93.23.172.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.msi.mydomain.com
pszZoneName : msi.mydomain.com
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.msi.mydomain.com
pszZoneName : _msdcs.msi.mydomain.com
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.msi.mydomain.com
Samba DNS zone list Automated check :
zone : 93.23.172.in-addr.arpa ok, no Bind flat-files found
-----------
zone : msi.mydomain.com ok, no Bind flat-files found
-----------
zone : _msdcs.msi.mydomain.com ok, no Bind flat-files found
-----------
Installed packages:
ii acl 2.2.52-3build1 amd64 Access control list utilities
ii attr 1:2.4.47-2build1 amd64 Utilities for manipulating filesystem extended attributes
ii bind9 1:9.11.3+dfsg-1ubuntu1.11 amd64 Internet Domain Name Server
ii bind9-host 1:9.11.3+dfsg-1ubuntu1.11 amd64 DNS lookup utility (deprecated)
ii bind9utils 1:9.11.3+dfsg-1ubuntu1.11 amd64 Utilities for BIND
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.16-2ubuntu0.1 all internationalization support for MIT Kerberos
ii krb5-user 1.16-2ubuntu0.1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3build1 amd64 Access control list shared library
ii libattr1:amd64 1:2.4.47-2build1 amd64 Extended attribute shared library
ii libbind9-160:amd64 1:9.11.3+dfsg-1ubuntu1.11 amd64 BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Samba winbind client library
ii python-samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Python bindings for Samba
ii python3-nacl 1.1.2-1build1 amd64 Python bindings to libsodium (Python 3)
ii samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 all common files used by both the Samba server and client
ii samba-common-bin 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Samba core libraries
ii samba-vfs-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 service to resolve user and group information from Windows NT servers
-----------
=== END dc1 ==

>
> Anonimize where needed but keep
> thing like.
> You.dom.tld like that, dont change that to example.tld.
>
> Greetz,
>
> Louis
On 02/03/2020 18:59, Durwin via samba wrote:
>> Can you run this script on both DC's.

OK, dc0 seems to have the ipaddress: 172.23.93.25
dc1 seems to have the ipaddress: 172.23.93.26

So why does dc1 use 172.23.93.3 as its nameserver ? and what is 172.23.93.3 ?

The /etc/krb5.conf files should be the same on both machines, I prefer this format:

[libdefaults]
        default_realm = MSI.MYDOMAIN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

You are missing:

include "/var/lib/samba/bind-dns/named.conf";

From '/etc/bind/named.conf.local' on dc1

Which leads us to this in '/etc/bind/named.conf.options' (on both DCs):

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

If you do have '/var/lib/samba/bind-dns', then you are using the wrong dns.keytab, you should be using:

/var/lib/samba/bind-dns/dns.keytab

Rowland
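As an added example, not code from the thread or from the samba-collect-debug-info.sh script, the POSIX shell script below turns the three findings in Rowland's reply into checks: a DC's resolv.conf must point at a DC, named.conf.local must include /var/lib/samba/bind-dns/named.conf, and once /var/lib/samba/bind-dns exists the tkey-gssapi-keytab must be the dns.keytab inside it. The function names and the sample files (a constructed copy of dc1's state in a temporary directory) are my own.

```shell
#!/bin/sh
# Added example: BIND9_DLZ consistency checks for a Samba AD DC. Every check
# takes a root directory so it can run on constructed files; use "/" for a live DC.

# check_resolv ROOT DC_IP...
# A DC must resolve through itself or another DC, never an unrelated host
# (dc1 in the thread pointed at 172.23.93.3, which is neither DC).
check_resolv() {
    root="$1"; shift
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$root/etc/resolv.conf"); do
        ok=0
        for dc in "$@"; do
            [ "$ns" = "$dc" ] && ok=1
        done
        [ "$ok" -eq 1 ] || { echo "BAD: nameserver $ns is not a DC"; return 1; }
    done
    echo "OK: resolv.conf only points at DCs"
}

# check_dlz_include ROOT
# named.conf.local must pull in the DLZ config that Samba generates.
check_dlz_include() {
    root="$1"
    if grep -Eq '^[[:space:]]*include[[:space:]]+"/var/lib/samba/bind-dns/named.conf"' \
            "$root/etc/bind/named.conf.local"; then
        echo "OK: Samba DLZ named.conf is included"
    else
        echo 'BAD: named.conf.local lacks include "/var/lib/samba/bind-dns/named.conf";'
        return 1
    fi
}

# check_keytab ROOT
# With /var/lib/samba/bind-dns present, tkey-gssapi-keytab must name the
# dns.keytab inside it, not the older private/dns.keytab path.
check_keytab() {
    root="$1"
    keytab=$(sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' \
            "$root/etc/bind/named.conf.options")
    if [ -d "$root/var/lib/samba/bind-dns" ] && \
       [ "$keytab" != "/var/lib/samba/bind-dns/dns.keytab" ]; then
        echo "BAD: bind-dns directory exists but keytab is '$keytab'"
        return 1
    fi
    echo "OK: keytab path '$keytab' is consistent"
}

# run_all ROOT DC_IP...  -> 0 only if every check passes
run_all() {
    root="$1"; shift
    rc=0
    check_resolv "$root" "$@" || rc=1
    check_dlz_include "$root" || rc=1
    check_keytab "$root" || rc=1
    return $rc
}

# Constructed sample of dc1 as posted: wrong nameserver, no DLZ include,
# old keytab path, but the bind-dns directory already present.
make_sample_dc1() {
    root="$1"
    mkdir -p "$root/etc/bind" "$root/var/lib/samba/bind-dns"
    printf 'nameserver 172.23.93.3\nsearch msi.mydomain.com\n' > "$root/etc/resolv.conf"
    printf '// Do any local configuration here\n' > "$root/etc/bind/named.conf.local"
    printf 'options {\n  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";\n};\n' \
        > "$root/etc/bind/named.conf.options"
}

# The same sample after applying the three fixes from the thread.
fix_sample_dc1() {
    root="$1"
    printf 'nameserver 172.23.93.26\nsearch msi.mydomain.com\n' > "$root/etc/resolv.conf"
    printf 'include "/var/lib/samba/bind-dns/named.conf";\n' >> "$root/etc/bind/named.conf.local"
    printf 'options {\n  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";\n};\n' \
        > "$root/etc/bind/named.conf.options"
}

# Stand-alone demo: the constructed dc1 first as posted, then after the fixes.
tmp=$(mktemp -d)
make_sample_dc1 "$tmp"; echo "--- dc1 as posted ---";   run_all "$tmp" 172.23.93.25 172.23.93.26 || true
fix_sample_dc1 "$tmp"; echo "--- dc1 after fixes ---"; run_all "$tmp" 172.23.93.25 172.23.93.26
rm -rf "$tmp"
```

On a real DC, call `run_all / 172.23.93.25 172.23.93.26` (with your own DC addresses) instead of the demo at the bottom.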