On 5/31/22 09:47, Rowland Penny via samba wrote:
> On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via samba wrote:
>
>> The DC did have the FSMO roles, but I tried to demote the DC and
>> rejoin it. The DC won't demote normally. It will refuse to transfer
>> roles. A secondary DC has seized the roles, but the primary DC thinks
>> it still has them when it does not.
>>
>> I also tried the "demote as a dead DC" procedure. That worked, but
>> after the re-join the original DC was still corrupt.
> You shouldn't have re-joined the DC, you should have re-installed it,
> preferably with a new name.
>
>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is
>> deprecated
>> Loaded services file OK.
>> Weak crypto is allowed
>>
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> # Global parameters
>> [global]
>> domain logons = Yes
>> domain master = Yes
>> ntlm auth = ntlmv1-permitted
>> os level = 40
>> passdb backend = samba_dsdb
>> preferred master = Yes
>> realm = PUKEY
>> server min protocol = NT1
>> server role = active directory domain controller
>> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
>> winbind, ntp_signd, kcc
>> tls cafile = tls/ca.crt
>> tls certfile = tls/olympia.pukey.crt
>> tls keyfile = tls/olympia.pukey.key
>> winbind nss info = rfc2307
>> workgroup = PUKEY-NT
>> rpc_server:tcpip = no
>> rpc_daemon:spoolssd = embedded
>> rpc_server:spoolss = embedded
>> rpc_server:winreg = embedded
>> rpc_server:ntsvcs = embedded
>> rpc_server:eventlog = embedded
>> rpc_server:srvsvc = embedded
>> rpc_server:svcctl = embedded
>> rpc_server:default = external
>> winbindd:use external pipes = true
>> idmap_ldb:use rfc2307 = yes
>> idmap config * : backend = tdb
>> map archive = No
>> vfs objects = dfs_samba4 acl_xattr
>>
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/pukey/scripts
>> read only = No
>>
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
> I suggest you move all the shares to a Unix domain member.
>
> I also suggest you remove these lines:
>
> domain logons = Yes
> domain master = Yes
> preferred master = Yes
> winbind nss info = rfc2307
> os level = 40
>
> There is no point to them on a Samba AD DC.
>
> Why do you have these lines:
>
> ntlm auth = ntlmv1-permitted
> server min protocol = NT1
>
> Do you really need them ?
>
> Finally, what happened to 'dnsupdate' from the 'server services' line ?
>
> Rowland
>
>
>
I use a normal Bind server for DNS.

ntlm auth = ntlmv1-permitted
server min protocol = NT1

These are there so that Ghost Commander on Android works. I have a
secondary smb.conf that is configured for an NT domain that is just for
running NMB so that Ghost Commander on Android sees a browse list.
It's outside the scope of this problem. Samba doesn't really update Bind
right now. Bind runs in a chroot, and that prevents the Bind DLZ from
working. I just use flat zone files.
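Rowland's questions about 'ntlm auth = ntlmv1-permitted', 'server min protocol = NT1', the NT4-era browser parameters and the missing 'dnsupdate' service amount to a checklist that can be run mechanically against a 'testparm -s' dump. The script below is an added example for this thread, not code from the thread or from the Samba project. The two embedded smb.conf fragments are constructed (modelled on the posted configuration, with EXAMPLE.LAN / EXAMPLE as placeholder realm and workgroup), and the parameter meanings are those documented in smb.conf(5).

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): audit a Samba AD DC
# configuration dump for the settings questioned above. Feed it the output of
# `testparm -s`. Parameter semantics follow smb.conf(5).

# Constructed samples. WEAK_CONF mirrors the posted smb.conf; CLEAN_CONF is the
# same DC with the questioned lines removed and dnsupdate restored.
WEAK_CONF="$(mktemp)"
CLEAN_CONF="$(mktemp)"
trap 'rm -f "$WEAK_CONF" "$CLEAN_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
[global]
    domain logons = Yes
    domain master = Yes
    ntlm auth = ntlmv1-permitted
    os level = 40
    preferred master = Yes
    realm = EXAMPLE.LAN
    server min protocol = NT1
    server role = active directory domain controller
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
    winbind nss info = rfc2307
    workgroup = EXAMPLE
EOF
cat >"$CLEAN_CONF" <<'EOF'
[global]
    ntlm auth = ntlmv2-only
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    workgroup = EXAMPLE
EOF

# smb_get KEY FILE: print KEY's value from [global], trimmed and lower-cased
# (smb.conf values are case-insensitive). Prints nothing if KEY is absent.
smb_get() {
    awk -F= -v key="$1" '
        /^[[:space:]]*\[/ { inglobal = ($0 ~ /^[[:space:]]*\[global\]/); next }
        inglobal && $1 ~ ("^[[:space:]]*" key "[[:space:]]*$") {
            v = $2; for (i = 3; i <= NF; i++) v = v "=" $i   # value may contain "="
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print tolower(v); exit
        }' "$2"
}

# smb_audit FILE: print one finding per line; return status = number of findings.
smb_audit() {
    conf="$1"
    n=0
    # NTLMv1 challenge responses are cheaply crackable offline; Samba's default is ntlmv2-only.
    case "$(smb_get 'ntlm auth' "$conf")" in
        ntlmv1-permitted|yes)
            echo "WEAK: 'ntlm auth' permits NTLMv1; drop the line or set 'ntlm auth = ntlmv2-only'"
            n=$((n + 1)) ;;
    esac
    # Any minimum below SMB2_02 re-enables SMB1 dialects on the server side.
    case "$(smb_get 'server min protocol' "$conf")" in
        nt1|lanman2|lanman1|coreplus|core)
            echo "WEAK: 'server min protocol' allows SMB1; drop the line (default is SMB2_02)"
            n=$((n + 1)) ;;
    esac
    case "$(smb_get 'server role' "$conf")" in
        'active directory domain controller'|dc) is_dc=1 ;;
        *) is_dc=0 ;;
    esac
    if [ "$is_dc" -eq 1 ]; then
        # NT4 PDC / browser-election parameters; no role on an AD DC (Rowland's list above).
        for p in 'domain logons' 'domain master' 'preferred master' 'os level' 'winbind nss info'; do
            if [ -n "$(smb_get "$p" "$conf")" ]; then
                echo "NOISE: '$p' has no effect on a Samba AD DC; remove it"
                n=$((n + 1))
            fi
        done
        # Without dnsupdate in 'server services' the DC does not register its own DNS records.
        case ",$(smb_get 'server services' "$conf" | tr -d ' ')," in
            *,dnsupdate,*) ;;
            *)  echo "NOTE: 'dnsupdate' missing from 'server services'; DC will not self-register in DNS"
                n=$((n + 1)) ;;
        esac
    fi
    return "$n"
}

# Stand-alone run against both constructed samples.
echo "== weak config";     smb_audit "$WEAK_CONF"  || echo "findings: $?"
echo "== hardened config"; smb_audit "$CLEAN_CONF" && echo "findings: 0"
```

On a real DC, dump the effective configuration with 'testparm -s 2>/dev/null > /tmp/smb.dump' and point smb_audit at that file; the non-zero return status makes it usable as a pre-deployment check. The script reports only the parameters discussed in this thread, so a clean result is not a full hardening review.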