I checked the FSMO and all are pointing to the correct DC (and only to
it), but I saw that in the DNS there were two entries for the PDC in
question. I removed the wrong one (leaving only the correct DC), and it
executed the right command.
I have 18 DCs, which is causing problems and in the new one (in this
case, what I called DC2 here)
ldbsearch -H ldap://"$(host -t SRV _ldap._tcp.pdc._msdcs."$(hostname -d)" | awk '{print $NF}' | awk -F '.' '{print $1}')" -P -b "CN=Policies,CN=System,$(echo "DC=$(hostname -d)" | sed 's/\./,DC=/g')" -s sub '(objectClass=groupPolicyContainer)' cn | grep 'cn:'
cn: {517AE483-57E6-48B1-A9D8-DD4D7039D469}
cn: {1F1D65A3-2DFD-491D-A844-D4D448520B2E}
cn: {FC942ADA-CF96-4186-8942-322E045EE018}
cn: {16071A9D-29DA-4CC5-90F8-1DC2BEE37DB1}
cn: {6140C55E-E459-4B43-9071-D4244581BB9D}
cn: {D5E1A2D1-070D-4DEB-A84F-32EFB68F8988}
cn: {A98110BB-FF15-485A-86E8-1D18FC529F82}
cn: {F100B212-EFF9-4E70-850A-411CECA54F74}
cn: {7B507AB4-3463-4BFD-A859-3A95B52D48B4}
cn: {16034E74-5F06-45EB-B778-0155BAC76EED}
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
cn: {B27F4E18-A83A-4B4C-BF95-992D17DE4356}
cn: {B59AD5F3-C408-44A8-B520-E6C2274430A0}
cn: {80C1D392-60EA-4558-BFDB-661E1128013B}
cn: {BC36848B-3A6F-4BFB-B01A-BCE61A363205}
cn: {2E488814-1084-4845-B68E-C38D60B476B8}
cn: {C5B1194F-6DE8-4970-958A-96AEFF3F2F43}
cn: {D448A7E7-22D8-4BEC-82E7-F73748AA7154}
cn: {8842F75C-A136-42F0-BFEC-04B69D638168}
cn: {889231A7-0199-4E7B-BE07-989D6095FD43}
cn: {9E661234-529F-4287-8471-AAE5C68887B4}
cn: {BBAC22FE-0437-49E5-A02A-D7D3C3CEE120}
cn: {023F6920-DB5A-42A1-9FB7-43BDA9F60E59}
cn: {2D2962FF-9D69-45F4-B2AC-7EDC19DD07B5}
cn: {46367B44-346C-422E-AFB7-0A95EF896B78}
cn: {F35825C8-B31A-4587-B3BC-962CAF1EE837}
cn: {3BD1FBA6-32C7-43FA-911B-E383A8893A6C}
cn: {99C7FA72-C4DD-4E08-BD34-82207FD6DB2C}
cn: {474579AB-E1DD-48E9-8AFA-A590FEE2DECE}
cn: {6342D129-B4C9-4155-BB98-B17435E5F396}
cn: {4B9C1BA3-CA31-4F8A-8D27-3F387ECFEB14}
cn: {D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC}
cn: {F2A558C2-BE27-4ED3-B672-BB9724925AF1}
cn: {7113698E-37E8-4032-A872-D837E03DA8F9}
cn: {66EC17D5-97B0-469E-B0F1-DC239240102A}
cn: {1C7ED877-F6DE-4418-B29D-3FC612CF3021}
cn: {A0C2DBB8-64CB-4339-992E-055B7E10BE60}
cn: {F5ED8DAD-6BBB-4B5B-A6F1-BE1FC33F498D}
cn: {E9862430-D0D3-46C0-88DA-DB4915942961}
cn: {BD719720-4036-41A8-9467-CF83611D59B5}
cn: {5CE3F48F-F206-4569-9A79-4EEE6A01D994}
cn: {04288E43-AF21-431C-B469-FCE404B8AACD}
cn: {4C43A8BB-1414-4D9F-9D49-F07B8DCB21B3}
cn: {A41C13B1-F655-421A-9F21-DA48E645A757}
cn: {56ADB9BA-327F-4854-A9BC-249FA777F50A}
cn: {B0D11970-E7A0-4548-B396-DF9F43814A30}
cn: {E016F5CD-C850-4C91-9E40-61F7D1651970}
cn: {8EE8ECFD-AD9F-464F-8317-69FD946D074D}
cn: {3827FE58-5B69-47FB-AC70-4D7628028413}
cn: {5DA55F19-6998-4DC5-A560-C7B9CB0A45FA}
cn: {6C53454A-25C7-4264-8300-31351E682D2E}
cn: {45DDD552-E86A-4AA0-BC02-EC077F1EA952}
cn: {E311C0A2-8F30-436B-94F0-036134C47AB1}
cn: {149AD731-C29D-41E7-B1D4-1DECA7DBED58}
cn: {6AC1786C-016F-11D2-945F-00C04FB984F9}
cn: {9D89DF4E-FFC6-4651-8E1F-97E2D4DCDB0D}
cn: {00E54E3A-386D-4880-A9E7-ED0CE4F4A237}
---
ls -ltr /usr/local/samba/var/locks/sysvol/$(hostname -d)/Policies
....
....
drwxrwx---+ 4 XXX\domain admins COTRIEL\domain admins  4096 May  3  2019 {2E488814-1084-4845-B68E-C38D60B476B8}
drwxrwx---+ 5 XXX\domain admins COTRIEL\domain admins  4096 Aug 19  2019 {9E661234-529F-4287-8471-AAE5C68887B4}
drwxrwxr-x+ 4 XXX\domain admins COTRIEL\domain admins  4096 Sep  4  2019 {F35825C8-B31A-4587-B3BC-962CAF1EE837}
drwxrwx---+ 5 XXX\domain admins COTRIEL\domain admins  4096 Sep  4  2019 {D448A7E7-22D8-4BEC-82E7-F73748AA7154}
drwxrwx---+ 5 root              BUILTIN\administrators 4096 Sep  4  2019 {E016F5CD-C850-4C91-9E40-61F7D1651970}
drwxrwx---+ 5 XXX\yusef.sad     users                  4096 Dec  3  2019 {99C7FA72-C4DD-4E08-BD34-82207FD6DB2C}
drwxrwx---+ 5 XXX\domain admins COTRIEL\domain admins  4096 Dec  5  2019 {023F6920-DB5A-42A1-9FB7-43BDA9F60E59}
drwxrwx---+ 4 XXX\domain admins COTRIEL\domain admins  4096 Dec  5  2019 {80C1D392-60EA-4558-BFDB-661E1128013B}
drwxrwx---+ 5 root              BUILTIN\administrators 4096 Dec  5  2019 {5CE3F48F-F206-4569-9A79-4EEE6A01D994}
drwxrwx---+ 5 XXX\domain admins COTRIEL\domain admins  4096 Dec  5  2019 {B59AD5F3-C408-44A8-B520-E6C2274430A0}
drwxrwx---+ 5 XXX\domain admins COTRIEL\domain admins  4096 Feb 24  2020 {8842F75C-A136-42F0-BFEC-04B69D638168}
drwxrwx---+ 4 root              BUILTIN\administrators 4096 May  7  2020 {00E54E3A-386D-4880-A9E7-ED0CE4F4A237}
drwxrwx---+ 5 root              BUILTIN\administrators 4096 Sep 16  2020 {45DDD552-E86A-4AA0-BC02-EC077F1EA952}
drwxrwx---+ 4 root              BUILTIN\administrators 4096 Apr 15 09:04 {E311C0A2-8F30-436B-94F0-036134C47AB1}
drwxrwx---+ 4 root              BUILTIN\administrators 4096 Apr 15 10:23 {6C53454A-25C7-4264-8300-31351E682D2E}
drwxrwx---+ 5 XXX\domain admins COTRIEL\domain admins  4096 May 20 15:16 {D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC}
drwxrwx---+ 5 XXX\domain admins COTRIEL\domain admins  4096 May 21 16:28 {1F1D65A3-2DFD-491D-A844-D4D448520B2E}
drwxrwx---+ 5 XXX\domain admins COTRIEL\domain admins  4096 May 24 14:55 {149AD731-C29D-41E7-B1D4-1DECA7DBED58}
Regards;
On 25/05/2021 11:40, Rowland penny via samba wrote:
> On 25/05/2021 15:12, Carlos via samba wrote:
>> ldbsearch -H ldap://"$(host -t SRV _ldap._tcp.pdc._msdcs."$(hostname -d)" | awk '{print $NF}' | awk -F '.' '{print $1}')" -P -b "CN=Policies,CN=System,$(echo "DC=$(hostname -d)" | sed 's/\./,DC=/g')" -s sub '(objectClass=groupPolicyContainer)' cn | grep 'cn:'
>> Failed to connect to ldap URL 'ldap://DC1
>> DC1' - LDAP client internal error: NT_STATUS_OBJECT_NAME_NOT_FOUND
>> Failed to connect to 'ldap://DC0
>> DC1' with backend 'ldap': LDAP client internal error:
>> NT_STATUS_OBJECT_NAME_NOT_FOUND
>> Failed to connect to ldap://DC0
>> DC1 - LDAP client internal error: NT_STATUS_OBJECT_NAME_NOT_FOUND
>>
>> But I tested telnet 389 on dc0 and dc1 and the connection is OK.
>>
>>
>> ls /var/lib/samba/sysvol/$(hostname -d)/Policies
>>
>> But my Samba is compiled (from source).
>>
>> regards;
>>
>> On 25/05/2021 10:54, Rowland penny via samba wrote:
>>> On 25/05/2021 13:55, Carlos via samba wrote:
>>>> Hi
>>>>
>>>> "I am unsure, have you given all the AD groups a gidNumber ?" I
>>>> don't understand.....
>>>
>>>
>>> Can you run these commands on a DC:
>>>
>>> sudo ldbsearch -H ldap://"$(host -t SRV _ldap._tcp.pdc._msdcs."$(hostname -d)" | awk '{print $NF}' | awk -F '.' '{print $1}')" -P -b "CN=Policies,CN=System,$(echo "DC=$(hostname -d)" | sed 's/\./,DC=/g')" -s sub '(objectClass=groupPolicyContainer)' cn | grep 'cn:'
>>>
>>> sudo ls /var/lib/samba/sysvol/$(hostname -d)/Policies
>>>
>>> Do the outputs show the same GPOs?
>>>
>>> Rowland
>>>
>>>
>>>
>>
>
> Hmm, you do seem to have problems:
> $(host -t SRV _ldap._tcp.pdc._msdcs."$(hostname -d)" | awk '{print $NF}' | awk -F '.' '{print $1}')
> should produce the short hostname of the DC that holds the
> PDC_Emulator FSMO role, which it does but then seem to be able to
> connect (you are running this as 'root', aren't you?). What it
> shouldn't do is move on to another DC, there should only be one DC
> with the PDC_Emulator role.
>
> As for the second command, just change the '/var/lib/samba' with the
> path to your sysvol.
>
> Rowland
>
>
>
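The comparison asked for in this thread (do the GPOs in AD match the GPO folders in sysvol?) can be scripted instead of read by eye. This is an added example, not part of the original messages: the function names are hypothetical, and the sample data is constructed from two GUIDs in the list above plus a made-up AAAAAAAA-... GUID.

```shell
#!/bin/sh
# Added example (not from the thread): diff the GPO GUIDs in AD against
# the GPO folders in one DC's sysvol. Function names are hypothetical.

# GUIDs from saved ldbsearch output ("cn: {GUID}" lines), one per line.
ad_gpos() {
    sed -n 's/^cn: *\({[0-9A-Fa-f-]*}\) *$/\1/p' "$1" |
        tr 'a-f' 'A-F' | LC_ALL=C sort -u
}

# GUID-named directories directly under a sysvol Policies path.
sysvol_gpos() {
    for d in "$1"/\{*\}/; do
        if [ -d "$d" ]; then basename "$d"; fi
    done | tr 'a-f' 'A-F' | LC_ALL=C sort -u
}

# AD_ONLY     = groupPolicyContainer exists, folder missing on this DC
# SYSVOL_ONLY = folder exists, no matching object in AD (orphan)
compare_gpos() (
    ad=$(mktemp); sv=$(mktemp)
    ad_gpos "$1" > "$ad"
    sysvol_gpos "$2" > "$sv"
    LC_ALL=C comm -23 "$ad" "$sv" | sed 's/^/AD_ONLY /'
    LC_ALL=C comm -13 "$ad" "$sv" | sed 's/^/SYSVOL_ONLY /'
    rm -f "$ad" "$sv"
)

# Constructed sample: two GUIDs taken from the list above in "AD", one of
# them plus a made-up AAAAAAAA-... folder in "sysvol".
demo() (
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}" \
             "$tmp/Policies/{AAAAAAAA-0000-0000-0000-000000000001}"
    printf 'cn: %s\n' '{31B2F340-016D-11D2-945F-00C04FB984F9}' \
                      '{6AC1786C-016F-11D2-945F-00C04FB984F9}' > "$tmp/ad.txt"
    compare_gpos "$tmp/ad.txt" "$tmp/Policies"
    rm -rf "$tmp"
)
demo
```

On a DC, redirect the ldbsearch output to a file and pass it to compare_gpos together with that DC's Policies path (for the source build in this thread, /usr/local/samba/var/locks/sysvol/$(hostname -d)/Policies).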