> I think all is clean fine.

You "think"..?? .. You must verify this!
Assumption is the mother of all fuckups, an old boss of mine always said.. And he is right.

Run : samba-tool fsmo show

And verify both servers.
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#The_objectGUID_CNAME_Record

And go through :
https://wiki.samba.org/index.php/Active_Directory_Sites#Setting_up_a_new_Site

Sorry, but I'm pretty sure your problem is in this area..
And you can only fix it by verifying it all.

It's not 1 problem you're having.
It's 2 or 3 at the same time..
One problem is the cause of the other problems.

Like, this part. (your latest mail)

samba-tool drs replicate DC1 DC2 dc=samdom,dc=example,dc=com --full-sync
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 568, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 88, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

Will never work if you don't check and fix the objectGUID.

Mail before that one :

host -t CNAME d5faff53-a2ef-4449-86ad-e5a55acffa3a._msdcs.samdom.example.com

I hope it's more clear now where to look first.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of basti via samba
> Sent: Friday 11 September 2020 11:09
> To: samba@lists.samba.org
> Subject: Re: [Samba] Problems with sysrepl
>
> I have tried "list", without success.
>
> I think all is clean fine.
> after rejoin the sync connection in (Default-First-Site-Name) from dc2 to dc1 is missing and I still get this error:
>
> Sep 11 11:04:14 dc1 samba[528]: task[dreplsrv][528]: [2020/09/11 11:04:14.336276, 0] ../source4/librpc/rpc/dcerpc_util.c:737(dcerpc_pipe_auth_recv)
> Sep 11 11:04:14 dc1 samba[528]: task[dreplsrv][528]: Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:193.137.1.135[49152,seal,krb5,target_hostname=d5faff53-a2ef-4449-86ad-e5a55acffa3a._msdcs.samdom.example.com,target_principal=GC/dc2.samdom.example.com/samdom.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.133] NT_STATUS_UNSUCCESSFUL
>
> On 11.09.20 10:28, L.P.H. van Belle via samba wrote:
> >
> > DC2 needs the IP of DC1 first in the DNS, yes, BUT, the sites GUID needs to be corrected first.
> >
> > Then, reboot, things should sync.
> > Then, correct IP in resolv.conf.
> >
> > If this goes wrong, you end up with 2 zones on both servers that are out of sync.
> > I had this once.. And yes, it's always fixable.
> >
> > In the worst case, down DC2 again.
> > Seize FSMO roles to DC1.
> > Clean AD and DNS, (and don't forget to clean sites)
> > All needs to be checked before a re-join.
> >
> > The order in this fix attempt is most important.
> > Don't rush it, take the time to clean the AD and DNS.
> >
> > Not needed to re-install DC2, it's basically:
> >
> > Cleanup /var/lib/samba (and subfolders.)
> > Cleanup /var/cache/samba (and subfolders.)
> > Resolv.conf to DC1 IP first, join, reboot.
> > Resolv.conf to DC2 IP first
> > Down samba DC2,
> > copy Idmap DC1 to DC2
> > Start samba DC2
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Rowland penny via samba
> >> Sent: Friday 11 September 2020 10:18
> >> To: samba@lists.samba.org
> >> Subject: Re: [Samba] Problems with sysrepl
> >>
> >> On 11/09/2020 09:00, basti via samba wrote:
> >>> Hello,
> >>>
> >>> after demote and rejoin of my dc2 I have problems with replication.
> >>> First of all some SRV records on dc1 are missing, on dc2 they exist.
> >>>
> >> Start by ensuring that the nameserver in /etc/resolv.conf on dc2 points to its own ipaddress, then reboot.
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
I have checked the cleanup!! I have found nothing about dc2 or the objectGUID in LDAP using ldapvi.

FSMO are on dc1

The cname /dns etc. I have checked multiple times.

A, CNAME, objectGUID records are done.
SRV records like LDAP etc. are not.

On 11.09.20 11:29, L.P.H. van Belle via samba wrote:
>> I think all is clean fine.
> You "think"..?? .. You must verify this!
>
> Assumption is the mother of all fuckups, an old boss of mine always said..
> And he is right.
>
> Run : samba-tool fsmo show
>
> And verify both servers.
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#The_objectGUID_CNAME_Record
>
> And go through :
> https://wiki.samba.org/index.php/Active_Directory_Sites#Setting_up_a_new_Site
>
> [...]
Get this,
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

Run it, anonymize it and post it.
For both AD-DCs.

I want to see a full check on the base setup of the server.
If you don't mind ;-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of basti via samba
> Sent: Friday 11 September 2020 11:44
> To: samba@lists.samba.org
> Subject: Re: [Samba] Problems with sysrepl
>
> I have checked the cleanup!! I have found nothing about dc2 or the objectGUID in LDAP using ldapvi.
>
> FSMO are on dc1
>
> The cname /dns etc. I have checked multiple times.
>
> A, CNAME, objectGUID records are done.
> SRV records like LDAP etc. are not.
>
> On 11.09.20 11:29, L.P.H. van Belle via samba wrote:
> [...]
root@dc1:~# cat /tmp/samba-debug-info.txt
Collected config --- 2020-09-11-12:35 -----------
Hostname: dc1
DNS Domain: samdom.example.com
FQDN: dc1.samdom.example.com
ipaddress: 193.137.1.133
-----------
Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok,
sample output:
Server: 193.137.1.133
Address: 193.137.1.133#53
_kerberos._tcp.samdom.example.com service = 0 100 88 dc1.samdom.example.com.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.2 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:43:08:92 brd ff:ff:ff:ff:ff:ff
inet 193.137.1.133/24 brd 193.137.1.255 scope global ens3
inet6 fe80::5054:ff:fe43:892/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
193.137.1.133 dc1.samdom.example.com dc1
193.137.1.135 dc2.samdom.example.com dc2
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
nameserver 193.137.1.133
search samdom.example.com
search net
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
SAMDOM.EXAMPLE.COM = {
kdc = DC1.SAMDOM.EXAMPLE:COM
admin_server = DC1.SAMDOM.EXAMPLE.COM
}
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = DC1
realm = SAMDOM.EXAMPLE.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = NET
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
# Debug logging information
log level = 1
log file = /var/log/samba/log.M%
max log size = 50
debug timestamp = yes
# to connect via ldapvi
ldap server require strong auth = no
[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = Yes
write list = root,Administrator,@Domain Admins
[sysvol]
path = /var/lib/samba/sysvol
read only = Yes
write list = root,Administrator,@Domain Admins
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
# samba bind_dlz
include "/var/lib/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//=======================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//=======================================================================
dnssec-validation auto;
listen-on-v6 { any; };
// samba
// see /var/lib/samba/bind-dns/named.txt
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// reduce log verbosity on issues outside our control
logging {
category lame-servers { null; };
// category cname { null; };
};
zone "fsoc.de" {
type forward;
forwarders { 192.28.103.20; 62.156.190.20; };
forward only;
};
zone "fhd-mobil.de" {
type forward;
forwarders { 192.28.103.20; 62.156.190.20; };
forward only;
};
# abcpartner has problems with dnssec //sf 2019-06-26
zone "abcpartner.de" {
type forward;
forwarders { 192.28.103.20; 62.156.190.20; };
forward only;
};
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list: 3 zone(s) found
pszZoneName : samdom.example.com
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.samdom.example.com
pszZoneName : 1.137.193.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.samdom.example.com
pszZoneName : _msdcs.samdom.example.com
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.samdom.example.com
Samba DNS zone list Automated check :
zone : samdom.example.com ok, no Bind flat-files found
-----------
zone : 1.137.193.in-addr.arpa ok, no Bind flat-files found
-----------
zone : _msdcs.samdom.example.com ok, no Bind flat-files found
-----------
Installed packages:
ii acl 2.2.53-4 amd64
access control list - utilities
ii bind9 1:9.11.5.P4+dfsg-5.1 amd64
Internet Domain Name Server
ii bind9-host 1:9.11.5.P4+dfsg-5.1 amd64
DNS lookup utility (deprecated)
ii bind9utils 1:9.11.5.P4+dfsg-5.1 amd64
Utilities for BIND
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3 all
internationalization support for MIT Kerberos
ii krb5-user 1.17-3 amd64
basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64
access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64
extended attribute handling - shared library
ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1 amd64
BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.17-3 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3 amd64
MIT Kerberos runtime libraries - Support library
ii libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba winbind client library
ii python-samba 2:4.9.5+dfsg-5+deb10u1 amd64
Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba Virtual FileSystem plugins
ii smbclient 2:4.9.5+dfsg-5+deb10u1 amd64
command-line SMB/CIFS clients for Unix
ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64
service to resolve user and group information from Windows NT servers
-----------
root@dc1:~#
root@dc2:~# cat /tmp/samba-debug-info.txt
Collected config --- 2020-09-11-12:45 -----------
Hostname: dc2
DNS Domain: samdom.example.com
FQDN: dc2.samdom.example.com
ipaddress: 193.137.1.135
-----------
Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok,
sample output:
Server: 193.137.1.133
Address: 193.137.1.133#53
_kerberos._tcp.samdom.example.com service = 0 100 88 dc1.samdom.example.com.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.5 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:ad:91:42 brd ff:ff:ff:ff:ff:ff
inet 193.137.1.135/24 brd 193.137.1.255 scope global enp1s0
inet6 fe80::5054:ff:fead:9142/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
193.137.1.133 dc1.samdom.example.com dc1
193.137.1.135 dc2.samdom.example.com dc2
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
nameserver 193.137.1.133
search samdom.example.com
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
SAMDOM.EXAMPLE.COM = {
kdc = dc1.samdom.example.com
admin_server = dc1.samdom.example.com
}
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = DC2
realm = SAMDOM.EXAMPLE.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = NET
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
# Debug logging information
log level = 1
log file = /var/log/samba/log.M%
max log size = 50
debug timestamp = yes
# to connect via ldapvi
ldap server require strong auth = no
[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = Yes
write list = root,Administrator,@Domain Admins
[sysvol]
path = /var/lib/samba/sysvol
read only = Yes
write list = root,Administrator,@Domain Admins
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//=======================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//=======================================================================
dnssec-validation auto;
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
listen-on-v6 { any; };
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list: 3 zone(s) found
pszZoneName : samdom.example.com
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.samdom.example.com
pszZoneName : 1.137.193.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.samdom.example.com
pszZoneName : _msdcs.samdom.example.com
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.samdom.example.com
Samba DNS zone list Automated check :
zone : samdom.example.com ok, no Bind flat-files found
-----------
zone : 1.137.193.in-addr.arpa ok, no Bind flat-files found
-----------
zone : _msdcs.samdom.example.com ok, no Bind flat-files found
-----------
Installed packages:
ii attr 1:2.4.48-4 amd64
utilities for manipulating filesystem extended attributes
ii bind9 1:9.11.5.P4+dfsg-5.1+deb10u2 amd64
Internet Domain Name Server
ii bind9-host 1:9.11.5.P4+dfsg-5.1+deb10u2 amd64
DNS lookup utility (deprecated)
ii bind9utils 1:9.11.5.P4+dfsg-5.1+deb10u2 amd64
Utilities for BIND
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3 all
internationalization support for MIT Kerberos
ii krb5-user 1.17-3 amd64
basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64
access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64
extended attribute handling - shared library
ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1+deb10u2 amd64
BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.17-3 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3 amd64
MIT Kerberos runtime libraries - Support library
ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba winbind client library
ii python-samba 2:4.9.5+dfsg-5+deb10u1 amd64
Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba Virtual FileSystem plugins
ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64
service to resolve user and group information from Windows NT servers
-----------
root at dc2:~#
dc2 can't resolve _kerberos._tcp when using the local DNS on dc2.
I have fully reinstalled Debian on dc2, but the error still exists.
Any join with
samba-tool domain join samdom.example.com DC -U"NET\administrator"
--dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'
--server=dc1.samdom.example.com
I have no idea what's wrong here.
On 11.09.20 11:55, L.P.H. van Belle via samba wrote:
> Get this,
>
>
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> Run it, anonymize it and post it.
> For both AD-DCs.
>
> I want to see a full check on the base setup of the server.
> If you don't mind ;-)
>
> Greetz,
>
> Louis
>
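The collected output above verifies the Kerberos SRV record against dc1's nameserver (193.137.1.133) from both machines, so a failing local resolver on dc2 never shows up in it. As an added example (not from the thread or the debug script), this POSIX shell script asks each DC's own nameserver for the SRV records and the _msdcs objectGUID CNAME and reports which DC is missing; domain and addresses are the ones posted in the thread, the objectGUIDs are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: ask each DC's *own* nameserver for the
# records an AD DC needs, instead of only asking dc1 as the debug script did.
# Assumptions: domain and addresses as posted in the thread. The objectGUIDs
# below are placeholders; read the real ones on a DC with
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid

DOMAIN="samdom.example.com"
DC_HOSTS="dc1.samdom.example.com dc2.samdom.example.com"
DC_IPS="193.137.1.133 193.137.1.135"
GUID_MAP="00000000-0000-0000-0000-000000000001=dc1.samdom.example.com
00000000-0000-0000-0000-000000000002=dc2.samdom.example.com"

# srv_targets: read `host -t SRV` output on stdin, print one target per line
# (trailing dot stripped). Handles both the "has SRV record" wording of host
# and the "service = " wording of nslookup seen in the collected output.
srv_targets() {
    sed -n -E 's/^.*(has SRV record|service =) +[0-9]+ +[0-9]+ +[0-9]+ +//p' |
        sed -E 's/\.[[:space:]]*$//'
}

# missing_targets "EXPECTED..." "FOUND...": print every expected host not found
missing_targets() {
    for h in $1; do
        case " $2 " in
            *" $h "*) ;;
            *) echo "$h" ;;
        esac
    done
}

# check_srv NAMESERVER SERVICE: _SERVICE._tcp.DOMAIN must list every DC
check_srv() {
    ns="$1"; name="_$2._tcp.$DOMAIN"
    found=$(host -t SRV "$name" "$ns" 2>/dev/null | srv_targets | tr '\n' ' ')
    if [ -z "$found" ]; then
        echo "FAIL $ns: no SRV answer for $name"; return 1
    fi
    missing=$(missing_targets "$DC_HOSTS" "$found" | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "WARN $ns: $name is missing $missing"; return 2
    fi
    echo "OK   $ns: $name -> $found"
}

# check_guid_cname NAMESERVER GUID HOST: GUID._msdcs.DOMAIN must alias HOST
check_guid_cname() {
    ns="$1"; name="$2._msdcs.$DOMAIN"
    case "$(host -t CNAME "$name" "$ns" 2>/dev/null)" in
        *"alias for $3."*) echo "OK   $ns: $name -> $3" ;;
        *) echo "FAIL $ns: $name does not alias $3"; return 1 ;;
    esac
}

# Run every check against every DC; exit status is non-zero on any failure.
main() {
    rc=0
    for ns in $DC_IPS; do
        for svc in kerberos ldap; do
            check_srv "$ns" "$svc" || rc=1
        done
        for pair in $GUID_MAP; do
            check_guid_cname "$ns" "${pair%%=*}" "${pair#*=}" || rc=1
        done
    done
    return $rc
}

# Only touch the network when invoked as: sh dc-dns-check.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

A WARN on one nameserver but OK on the other is the pattern of a DC whose own zone copy is behind, which is the situation this thread is about.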
See below, I added comments. A few things are a bit off.
Make the changes first on DC2, reboot after, with DC1 as first nameserver in resolv.conf.
After reboot, check with/read: https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
But go through the comments below first.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of basti via samba
> Sent: Friday 11 September 2020 12:52
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problems with sysrepl
>
> root@dc1:~# cat /tmp/samba-debug-info.txt
> Collected config --- 2020-09-11-12:35 -----------
>
> Hostname: dc1
> DNS Domain: samdom.example.com
> FQDN: dc1.samdom.example.com
> ipaddress: 193.137.1.133
>
> -----------
>
> Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok, sample output:
> Server: 193.137.1.133
> Address: 193.137.1.133#53
>
> _kerberos._tcp.samdom.example.com service = 0 100 88 dc1.samdom.example.com.
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
> This computer is running Debian 10.2 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 52:54:00:43:08:92 brd ff:ff:ff:ff:ff:ff
>     inet 193.137.1.133/24 brd 193.137.1.255 scope global ens3
>     inet6 fe80::5054:ff:fe43:892/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 193.137.1.133 dc1.samdom.example.com dc1
> 193.137.1.135 dc2.samdom.example.com dc2
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> nameserver 193.137.1.133
> search samdom.example.com
> search net

Change search to:
search samdom.example.com # primary dnsdomain always first.
# net (as seen in smb.conf) not needed, remove it.

> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = SAMDOM.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> SAMDOM.EXAMPLE.COM = {
> kdc = DC1.SAMDOM.EXAMPLE:COM
> admin_server = DC1.SAMDOM.EXAMPLE.COM
> }

Remove the "realms" part. Not needed.

> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files systemd
> group: files systemd

If you need (ssh) login on the AD-DC you might want to change that to:
passwd: files winbind systemd
group: files winbind systemd

> shadow: files
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> netbios name = DC1
> realm = SAMDOM.EXAMPLE.COM
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = NET
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> # Debug logging information
> log level = 1
> log file = /var/log/samba/log.M%
> max log size = 50
> debug timestamp = yes
>
> # to connect via ldapvi
> ldap server require strong auth = no
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = Yes
> write list = root,Administrator,@Domain Admins

Remove: write list = root,Administrator,@Domain Admins
See: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

> [sysvol]
> path = /var/lib/samba/sysvol
> read only = Yes
> write list = root,Administrator,@Domain Admins

# same as above. Best is not to mix POSIX and Windows ACLs.

> -----------
>
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> # samba bind_dlz
> include "/var/lib/samba/bind-dns/named.conf";
>
> -----------

# the link to read: https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End

> Checking file: /etc/bind/named.conf.options
>
> options {
> directory "/var/cache/bind";
>
> // If there is a firewall between you and nameservers you want
> // to talk to, you may need to fix the firewall to allow multiple
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> // If your ISP provided one or more IP addresses for stable
> // nameservers, you probably want to use them as forwarders.
> // Uncomment the following block, and insert the addresses replacing
> // the all-0's placeholder.
>
> // forwarders {
> // 0.0.0.0;
> // };

# Add to both named.conf.options, in the options block:
auth-nxdomain yes;
// Added per Debian buster.
// due to : resolver: info: resolver priming query complete
// https://gitlab.isc.org/isc-projects/bind9/commit/4a827494618e776a78b413d863bc23badd14ea42
minimal-responses yes;
// security: warning: client 127.0.0.1#47583: RFC 1918 response from Internet for xx.xx.xx.xx.in-addr.arpa
empty-zones-enable no;

>
> //========================================================================
> // If BIND logs error messages about the root key being expired,
> // you will need to update your keys. See https://www.isc.org/bind-keys
> //========================================================================
> dnssec-validation auto;
>
> listen-on-v6 { any; };
>
> // samba
> // see /var/lib/samba/bind-dns/named.txt
> tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> };
>
> -----------
>
> Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> // reduce log verbosity on issues outside our control
> logging {
> category lame-servers { null; };
> // category cname { null; };
> };
>
> zone "fsoc.de" {
> type forward;
> forwarders { 192.28.103.20; 62.156.190.20; };
> forward only;
> };
>
> zone "fhd-mobil.de" {
> type forward;
> forwarders { 192.28.103.20; 62.156.190.20; };
> forward only;
> };
>
> # abcpartner has problems with dnssec //sf 2019-06-26
> zone "abcpartner.de" {
> type forward;
> forwarders { 192.28.103.20; 62.156.190.20; };
> forward only;
> };
>
> -----------
>
> Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/usr/share/dns/root.hints";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> -----------
>
> Samba DNS zone list: 3 zone(s) found
>
> pszZoneName : samdom.example.com
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.samdom.example.com
>
> pszZoneName : 1.137.193.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.samdom.example.com
>
> pszZoneName : _msdcs.samdom.example.com
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.samdom.example.com
>
> Samba DNS zone list Automated check :
> zone : samdom.example.com ok, no Bind flat-files found
> -----------
> zone : 1.137.193.in-addr.arpa ok, no Bind flat-files found
> -----------
> zone : _msdcs.samdom.example.com ok, no Bind flat-files found
> -----------
>
> Installed packages:
> ii acl 2.2.53-4 amd64
> access control list - utilities

Missing attr package.

> ii bind9 1:9.11.5.P4+dfsg-5.1 amd64
> Internet Domain Name Server
> ii bind9-host 1:9.11.5.P4+dfsg-5.1 amd64
> DNS lookup utility (deprecated)
> ii bind9utils 1:9.11.5.P4+dfsg-5.1 amd64
> Utilities for BIND
> ii krb5-config 2.6 all
> Configuration files for Kerberos Version 5
> ii krb5-locales 1.17-3 all
> internationalization support for MIT Kerberos
> ii krb5-user 1.17-3 amd64
> basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.53-4 amd64
> access control list - shared library
> ii libattr1:amd64 1:2.4.48-4 amd64
> extended attribute handling - shared library
> ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1 amd64
> BIND9 Shared Library used by BIND
> ii libgssapi-krb5-2:amd64 1.17-3 amd64
> MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-3:amd64 1.17-3 amd64
> MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.17-3 amd64
> MIT Kerberos runtime libraries - Support library
> ii libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
> shared library for communication with SMB/CIFS servers
> ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
> Samba winbind client library
> ii python-samba 2:4.9.5+dfsg-5+deb10u1 amd64
> Python bindings for Samba
> ii samba 2:4.9.5+dfsg-5+deb10u1 amd64
> SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.9.5+dfsg-5+deb10u1 all
> common files used by both the Samba server and client
> ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64
> Samba common files used by both the server and the client
> ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
> Samba Directory Services Database
> ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
> Samba core libraries
> ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
> Samba Virtual FileSystem plugins
> ii smbclient 2:4.9.5+dfsg-5+deb10u1 amd64
> command-line SMB/CIFS clients for Unix
> ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64
> service to resolve user and group information from Windows NT servers
>
> -----------
> root@dc1:~#
>
>
> root@dc2:~# cat /tmp/samba-debug-info.txt
> Collected config --- 2020-09-11-12:45 -----------
>
> Hostname: dc2
> DNS Domain: samdom.example.com
> FQDN: dc2.samdom.example.com
> ipaddress: 193.137.1.135
>
> -----------
>
> Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok, sample output:
> Server: 193.137.1.133
> Address: 193.137.1.133#53
>
> _kerberos._tcp.samdom.example.com service = 0 100 88 dc1.samdom.example.com.
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
> This computer is running Debian 10.5 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 52:54:00:ad:91:42 brd ff:ff:ff:ff:ff:ff
>     inet 193.137.1.135/24 brd 193.137.1.255 scope global enp1s0
>     inet6 fe80::5054:ff:fead:9142/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 193.137.1.133 dc1.samdom.example.com dc1
> 193.137.1.135 dc2.samdom.example.com dc2
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> nameserver 193.137.1.133
> search samdom.example.com
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = SAMDOM.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> SAMDOM.EXAMPLE.COM = {
> kdc = dc1.samdom.example.com
> admin_server = dc1.samdom.example.com
> }

Same here, remove the realms part.

> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files systemd
> group: files systemd

# same, see above

> shadow: files
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> netbios name = DC2
> realm = SAMDOM.EXAMPLE.COM
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = NET
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> # Debug logging information
> log level = 1
> log file = /var/log/samba/log.M%
> max log size = 50
> debug timestamp = yes
>
> # to connect via ldapvi
> ldap server require strong auth = no
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = Yes
> write list = root,Administrator,@Domain Admins
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = Yes
> write list = root,Administrator,@Domain Admins
>
> -----------
>
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/bind-dns/named.conf";
>
> -----------
>
> Checking file: /etc/bind/named.conf.options
>
> options {
> directory "/var/cache/bind";
>
> // If there is a firewall between you and nameservers you want
> // to talk to, you may need to fix the firewall to allow multiple
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> // If your ISP provided one or more IP addresses for stable
> // nameservers, you probably want to use them as forwarders.
> // Uncomment the following block, and insert the addresses replacing
> // the all-0's placeholder.
>
> // forwarders {
> // 0.0.0.0;
> // };
>
> //========================================================================
> // If BIND logs error messages about the root key being expired,
> // you will need to update your keys. See https://www.isc.org/bind-keys
> //========================================================================
> dnssec-validation auto;
> tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>
> listen-on-v6 { any; };
> };
>
> -----------
>
> Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> -----------
>
> Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/usr/share/dns/root.hints";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> -----------
>
> Samba DNS zone list: 3 zone(s) found
>
> pszZoneName : samdom.example.com
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.samdom.example.com
>
> pszZoneName : 1.137.193.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.samdom.example.com
>
> pszZoneName : _msdcs.samdom.example.com
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.samdom.example.com
>
> Samba DNS zone list Automated check :
> zone : samdom.example.com ok, no Bind flat-files found
> -----------
> zone : 1.137.193.in-addr.arpa ok, no Bind flat-files found
> -----------
> zone : _msdcs.samdom.example.com ok, no Bind flat-files found
> -----------
>
> Installed packages:
> ii attr 1:2.4.48-4 amd64
> utilities for manipulating filesystem extended attributes
> ii bind9 1:9.11.5.P4+dfsg-5.1+deb10u2 amd64
> Internet Domain Name Server
> ii bind9-host 1:9.11.5.P4+dfsg-5.1+deb10u2 amd64
> DNS lookup utility (deprecated)
> ii bind9utils 1:9.11.5.P4+dfsg-5.1+deb10u2 amd64
> Utilities for BIND
> ii krb5-config 2.6 all
> Configuration files for Kerberos Version 5
> ii krb5-locales 1.17-3 all
> internationalization support for MIT Kerberos
> ii krb5-user 1.17-3 amd64
> basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.53-4 amd64
> access control list - shared library
> ii libattr1:amd64 1:2.4.48-4 amd64
> extended attribute handling - shared library
> ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1+deb10u2 amd64
> BIND9 Shared Library used by BIND
> ii libgssapi-krb5-2:amd64 1.17-3 amd64
> MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-3:amd64 1.17-3 amd64
> MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.17-3 amd64
> MIT Kerberos runtime libraries - Support library
> ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
> Samba winbind client library
> ii python-samba 2:4.9.5+dfsg-5+deb10u1 amd64
> Python bindings for Samba
> ii samba 2:4.9.5+dfsg-5+deb10u1 amd64
> SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.9.5+dfsg-5+deb10u1 all
> common files used by both the Samba server and client
> ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64
> Samba common files used by both the server and the client
> ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
> Samba Directory Services Database
> ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
> Samba core libraries
> ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
> Samba Virtual FileSystem plugins
> ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64
> service to resolve user and group information from Windows NT servers
>
> -----------
> root@dc2:~#
>
>
> dc2 can't resolve _kerberos._tcp when using the local DNS on dc2.
> I have fully reinstalled Debian on dc2, but the error still exists.
>
> Any join with
>
> samba-tool domain join samdom.example.com DC -U"NET\administrator"
> --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'
> --server=dc1.samdom.example.com
>
> I have no idea what's wrong here.
>
> On 11.09.20 11:55, L.P.H. van Belle via samba wrote:
> > Get this,
> >
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> > Run it, anonymize it and post it.
> > For both AD-DCs.
> >
> > I want to see a full check on the base setup of the server.
> > If you don't mind ;-)
> >
> > Greetz,
> >
> > Louis
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba