Krzysztof Kucybała
2022-Mar-26 17:11 UTC
[Samba] Demoting AD DC failed, now it won't start up after ldb and tdb files removed
Hi, I put myself in a big mess today. I had trouble with my domain lately, and I figured the best way to get out of the problems on one of the DCs would be to have it rejoin the domain afresh. So I followed the page on demoting an AD DC, except that operation consistently failed with this kind of message:

  root at meraki:/var/log/samba# samba-tool domain demote -UAdministrator
  Using primarydc.*.* as partner server for the demotion
  Password for [*\Administrator]:
  Deactivating inbound replication
  Asking partner server primarydc.*.* to synchronize from us
  Error while replicating out last local changes from 'CN=Schema,CN=Configuration,DC=*,DC=*' for demotion, re-enabling inbound replication
  ERROR(<class 'samba.WERRORError'>): Error while sending a DsReplicaSync for partition 'CN=Schema,CN=Configuration,DC=*,DC=*' - (1225, 'WERR_CONNECTION_REFUSED')
    File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 789, in run
      drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)

So the next thing I figured was to start off clean by stopping samba, removing all tdb and ldb database files and restarting it. But now it won't come back up:

  Mar 26 18:01:59 meraki samba[59940]: [2022/03/26 18:01:59.169953, 0] ../../source4/smbd/server.c:644(binary_smbd_main)
  Mar 26 18:01:59 meraki samba[59940]:   samba version 4.13.13-Debian started.
  Mar 26 18:01:59 meraki samba[59940]:   Copyright Andrew Tridgell and the Samba Team 1992-2020
  Mar 26 18:01:59 meraki samba[59940]: [2022/03/26 18:01:59.172605, 0] ../../lib/util/become_daemon.c:147(daemon_status)
  Mar 26 18:01:59 meraki samba[59940]:   daemon_status: daemon 'samba' : Starting process...
  Mar 26 18:01:59 meraki samba[59940]: [2022/03/26 18:01:59.706424, 0] ../../lib/util/become_daemon.c:121(exit_daemon)
  Mar 26 18:01:59 meraki samba[59940]:   exit_daemon: daemon failed to start: Samba failed to prime database, error code 22
  Mar 26 18:01:59 meraki systemd[1]: samba-ad-dc.service: Main process exited, code=exited, status=1/FAILURE
  Mar 26 18:01:59 meraki systemd[1]: samba-ad-dc.service: Failed with result 'exit-code'.
  Mar 26 18:01:59 meraki systemd[1]: Failed to start Samba AD Daemon.

Could anyone suggest how I can get myself out of this mess that I had put myself into? I have another DC that seems to be running fine at the moment; I was hoping the one I was trying to clean up would just replicate itself off it again, but that doesn't seem to be the case currently... Any help will be very appreciated.

Cheers,
Chris
Andrew Bartlett
2022-Mar-27 23:59 UTC
[Samba] Demoting AD DC failed, now it won't start up after ldb and tdb files removed
On Sat, 2022-03-26 at 17:11 +0000, Krzysztof Kucybała via samba wrote:
>
> Could anyone suggest how I can get myself out of this mess that I had
> put myself into? I have another DC that seems to be running fine
> at the moment; I was hoping the one I was trying to clean up would
> just replicate itself off it again, but that doesn't seem to be the
> case currently... Any help will be very appreciated.
>
> Cheers,

You need to re-join the domain: Samba needs the database files you removed, and without them it is totally lost.

That will clobber the old DC's entry in Active Directory, and because you removed secrets.ldb/secrets.tdb the safety check won't stop you doing the re-join.

It should work then.

Andrew Bartlett

--
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Krzysztof Kucybała
2022-Apr-02 14:42 UTC
[Samba] RE: Demoting AD DC failed, now it won't start up after ldb and tdb files removed
Thanks a lot Andrew, it did help... kind of. So I managed to rejoin the domain and restart the samba services. But for some reason, on the physical DC that I fixed with the help of your instructions, winbind now seems to be a bit off (which was my original problem and the reason why I started meddling with it in the first place). Basically, the user ids and group ids are not what they should be. The box recognizes users, but their IDs are not what's in the database. For instance, my account should be this (as depicted correctly on any other box in the domain):

  localadmin at eonia:~$ id krzysieq
  uid=1000016(krzysieq) gid=20002(adults) groups=20002(adults),20001(cansudo),20004(gdocs),20006(gaudio),20005(gphoto),20008(gstuff),20007(gvideo),20010(jirauser),20011(bitbucketuser),20012(bamboouser),3001(BUILTIN\users),3000(BUILTIN\administrators)

However, on my secondary, physical DC this same ask comes back with:

  root at meraki:/etc# id krzysieq
  uid=3000007(***\krzysieq) gid=100(users) groups=100(users),3000007(***\krzysieq),3000008(***\domain admins),3000009(***\gvideo),3000010(***\gdocs),3000011(***\gaudio),3000012(***\jirauser),3000013(***\cansudo),3000014(***\gstuff),3000015(***\gphoto),3000016(***\bamboouser),3000017(***\bitbucketuser),3000018(***\denied rodc password replication group),3000001(***\users),3000000(***\administrators)

The Id numbers in the first output are the ones stored in the samba database; I'm not sure how the idmapping is kicking in on the DC. I masked out the domain name with *** of course.
Below are my configs, first from a domain member where everything works as it should (the eonia box in fact):

  [global]
    workgroup = ***
    realm = ***.COM
    security = ADS
    winbind refresh tickets = Yes
    map acl inherit = Yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind use default domain = Yes
    bind interfaces only = Yes
    interfaces = lo enp3s0
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config ***:backend = ad
    idmap config ***:schema_mode = rfc2307
    idmap config ***:range = 10000 - 9999999
    idmap config ***:unix_nss_info = Yes
    idmap config ***:unix_primary_group = Yes
    idmap cache time = 1
    idmap negative cache time = 1
    winbind cache time = 1
    template shell = /bin/bash
    template homedir = /home/%D/%U
    username map = /etc/samba/user.map
    server string = %h server (Samba, Debian)
    log file = /var/log/samba/log.%m
    max log size = 1000
    logging = file
    panic action = /usr/share/samba/panic-action %d
    server role = standalone server
    obey pam restrictions = Yes
    unix password sync = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = Yes
    map to guest = bad user
    vfs objects = dfs_samba4 acl_xattr recycle
    local master = no
    domain master = no
    preferred master = no
    os level = 0

And from the DC that is acting up:

  # Global parameters
  [global]
    dns forwarder = 192.168.1.1
    netbios name = MERAKI
    realm = ***.COM
    server role = active directory domain controller
    workgroup = ***
    idmap_ldb:user rfc2307 = Yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
    unix extensions = Yes
    vfs objects = dfs_samba4 acl_xattr recycle
    local master = yes
    preferred master = yes
    domain master = yes
    os level = 255
    bind interfaces only = Yes
    interfaces = lo enp3s0

For reference, the config from the primary DC that works off a VM (winbind is not configured there though; I don't log on to that box with domain accounts, but I do need that option on the second, physical DC):

  [global]
    dns forwarder = 192.168.1.1
    netbios name = PRIMARYDC
    realm = ***.COM
    server role = active directory domain controller
    workgroup = ***
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
    unix extensions = Yes
    vfs objects = dfs_samba4 acl_xattr recycle
    local master = yes
    preferred master = no
    domain master = no
    os level = 128

Could you point out what is wrong please? I'm a bit clueless, especially since it all used to work fine a while back and I've not changed these configs. I appreciate any help.

Cheers,
Chris

________________________________
From: Andrew Bartlett <abartlet at samba.org>
Sent: Monday, 28 March 2022 01:59
To: Krzysztof Kucybała <krzysieq at hotmail.com>; samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Demoting AD DC failed, now it won't start up after ldb and tdb files removed

On Sat, 2022-03-26 at 17:11 +0000, Krzysztof Kucybała via samba wrote:
>
> Could anyone suggest how I can get myself out of this mess that I had
> put myself into? I have another DC that seems to be running fine
> at the moment; I was hoping the one I was trying to clean up would
> just replicate itself off it again, but that doesn't seem to be the
> case currently... Any help will be very appreciated.
>
> Cheers,

You need to re-join the domain: Samba needs the database files you removed, and without them it is totally lost.

That will clobber the old DC's entry in Active Directory, and because you removed secrets.ldb/secrets.tdb the safety check won't stop you doing the re-join.

It should work then.

Andrew Bartlett

--
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
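A small configuration check, added here as an example and not part of the thread or of Samba itself: it parses the [global] section of an smb.conf and, for a DC, verifies that the only idmap_ldb option Samba documents in smb.conf(5), `idmap_ldb:use rfc2307`, is spelled correctly and enabled. The sample section is constructed from the MERAKI config posted above; the 3000000+ ids in the finding text are the xidNumber range winbind allocates in idmap.ldb when that option is not in effect.

```python
"""Check the idmap_ldb setting in a Samba DC's smb.conf [global] section."""

# Constructed sample: trimmed [global] section of the misbehaving DC from the thread.
SAMPLE_DC_CONF = """\
[global]
    netbios name = MERAKI
    realm = ***.COM
    server role = active directory domain controller
    workgroup = ***
    idmap_ldb:user rfc2307 = Yes
"""

DC_ROLE = "active directory domain controller"
# The only idmap_ldb option documented in smb.conf(5); misspelled keys are silently ignored.
KNOWN_IDMAP_LDB = {"idmap_ldb:use rfc2307"}
TRUE_VALUES = {"yes", "true", "1", "on"}


def parse_global(text):
    """Return the [global] section as {key: value}, keys lowercased with spaces collapsed."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment or blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def check_dc_idmap(params):
    """Return a list of findings for a DC config; an empty list means nothing was flagged."""
    findings = []
    if params.get("server role", "").lower() != DC_ROLE:
        return ["not a DC config (server role); idmap_ldb checks do not apply"]
    for key in params:
        if key.startswith("idmap_ldb:") and key not in KNOWN_IDMAP_LDB:
            findings.append(f"unknown option '{key}'; the documented name is 'idmap_ldb:use rfc2307'")
    if params.get("idmap_ldb:use rfc2307", "").lower() not in TRUE_VALUES:
        findings.append("idmap_ldb:use rfc2307 is not in effect: winbind on the DC hands out "
                        "xidNumber ids allocated in idmap.ldb (3000000+) instead of the "
                        "uidNumber/gidNumber values stored in AD")
    return findings
```

Run `check_dc_idmap(parse_global(open("/etc/samba/smb.conf").read()))` on a DC to list the findings; an empty list means the RFC2307 mapping is configured as on the PRIMARYDC config above.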