On 5/31/22 10:19, Rowland Penny via samba wrote:
> On Tue, 2022-05-31 at 10:05 -0400, Zombie Ryushu via samba wrote:
>> On 5/31/22 09:47, Rowland Penny via samba wrote:
>>> On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via samba wrote:
>>>
>>>> The DC Did have the FSMO Roles, but I tried to demote the DC and rejoin
>>>> it. The DC Won't Demote normally. It will refuse to transfer roles. A
>>>> Secondary DC has Seized the roles, but the Primary DC thinks it still
>>>> has them when it does not.
>>>>
>>>> I also tried the Demote as a Dead DC procedure. That worked but after
>>>> Re-join the original DC was still corrupt.
>>> You shouldn't have re-joined the DC, you should have re-installed it,
>>> preferably with a new name.
>>>
>>>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
>>>> Loaded services file OK.
>>>> Weak crypto is allowed
>>>>
>>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>>>
>>>> # Global parameters
>>>> [global]
>>>> domain logons = Yes
>>>> domain master = Yes
>>>> ntlm auth = ntlmv1-permitted
>>>> os level = 40
>>>> passdb backend = samba_dsdb
>>>> preferred master = Yes
>>>> realm = PUKEY
>>>> server min protocol = NT1
>>>> server role = active directory domain controller
>>>> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
>>>> tls cafile = tls/ca.crt
>>>> tls certfile = tls/olympia.pukey.crt
>>>> tls keyfile = tls/olympia.pukey.key
>>>> winbind nss info = rfc2307
>>>> workgroup = PUKEY-NT
>>>> rpc_server:tcpip = no
>>>> rpc_daemon:spoolssd = embedded
>>>> rpc_server:spoolss = embedded
>>>> rpc_server:winreg = embedded
>>>> rpc_server:ntsvcs = embedded
>>>> rpc_server:eventlog = embedded
>>>> rpc_server:srvsvc = embedded
>>>> rpc_server:svcctl = embedded
>>>> rpc_server:default = external
>>>> winbindd:use external pipes = true
>>>> idmap_ldb:use rfc2307 = yes
>>>> idmap config * : backend = tdb
>>>> map archive = No
>>>> vfs objects = dfs_samba4 acl_xattr
>>>>
>>>>
>>>> [netlogon]
>>>> path = /var/lib/samba/sysvol/pukey/scripts
>>>> read only = No
>>>>
>>>>
>>>> [sysvol]
>>>> path = /var/lib/samba/sysvol
>>>> read only = No
>>>>
>>> I suggest you move all the shares to a Unix domain member.
>>>
>>> I also suggest you remove these lines:
>>>
>>> domain logons = Yes
>>> domain master = Yes
>>> preferred master = Yes
>>> winbind nss info = rfc2307
>>> os level = 40
>>>
>>> There is no point to them on a Samba AD DC.
>>>
>>> Why do you have these lines:
>>>
>>> ntlm auth = ntlmv1-permitted
>>> server min protocol = NT1
>>>
>>> Do you really need them ?
>>>
>>> Finally, what happened to 'dnsupdate' from the 'server services' line ?
>>>
>>> Rowland
>>>
>>>
>>>
>> I use a normal Bind Server for DNS,
> But you still need 'dnsupdate' in the 'server services' line, it has
> nothing to do with Bind9.
>
>> ntlm auth = ntlmv1-permitted
>> server min protocol = NT1
>>
>> These are there so that Ghost Commander on Android works.
>> I have a secondary smb.conf that is configured for an NT Domain that
>> just is for running NMB so Ghost Commander on Android sees a Browse
>> list.
> I suggest you use a Unix domain member for 'Ghost Commander'
>
>> It's outside the scope of this problem. Samba doesn't really update
>> Bind right now. Bind runs in a Chroot and that prevents the Bind DLZ
>> from working. I just use flat Zone Files.
> Take Bind9 out of the chroot, this is quite possibly one of your main
> problems. Do not use flatfiles, they do not work with BIND_DLZ, are
> deprecated and could be removed at any time. Active directory
> absolutely requires good DNS.
>
> Rowland
>
>
>
Currently it's set to None, and DNS is working. That's not the issue for
the other two DCs. I don't know how to take Bind out of its chroot on
OpenSuse.
This is not a DNS problem anyway. If it were, the other two DCs wouldn't
be working.
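As an added illustration of the smb.conf review Rowland gives above (this is not code from the thread or from the Samba project): a small Python check that parses an smb.conf and flags the three things he called out, the NT4-only options that have no point on an AD DC, the `ntlmv1-permitted` / `NT1` settings that re-enable legacy authentication and SMB1, and the missing `dnsupdate` service. The sample config is constructed from the posted [global] section; the option lists and finding texts are assumptions of this example, not Samba's own tooling.

```python
# Options Rowland says have no point on a Samba AD DC (NT4-style domain settings).
NT4_ONLY_OPTIONS = {"domain logons", "domain master", "preferred master",
                    "os level", "winbind nss info"}
# Values from the posted config that re-enable legacy NTLMv1 / SMB1 (NT1).
WEAK_VALUES = {"ntlm auth": "ntlmv1-permitted", "server min protocol": "nt1"}
REQUIRED_SERVICES = {"dnsupdate"}  # missing from the posted 'server services' line

def parse_smb_conf(text):
    """Return {section: {key: value}} for smb.conf-style text (no 'include' handling)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections

def check_ad_dc_config(text):
    """Return a list of findings for an AD DC smb.conf; an empty list means clean."""
    g = parse_smb_conf(text).get("global", {})
    if "domain controller" not in g.get("server role", "").lower():
        return ["server role is not an AD DC; these checks do not apply"]
    findings = [f"remove '{k}': NT4-domain option has no point on an AD DC"
                for k in sorted(NT4_ONLY_OPTIONS & set(g))]
    for key, bad in WEAK_VALUES.items():
        if g.get(key, "").lower() == bad:
            findings.append(f"'{key} = {g[key]}' enables a legacy protocol; confirm it is really needed")
    services = {s.strip().lower() for s in g.get("server services", "").split(",")}
    findings += [f"'server services' is missing '{s}'" for s in sorted(REQUIRED_SERVICES - services)]
    return findings

# Constructed sample: the relevant lines from the [global] section posted above.
SAMPLE_CONF = """# Global parameters
[global]
domain logons = Yes
domain master = Yes
ntlm auth = ntlmv1-permitted
os level = 40
preferred master = Yes
server min protocol = NT1
server role = active directory domain controller
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
winbind nss info = rfc2307
"""
```

Running `check_ad_dc_config(SAMPLE_CONF)` yields eight findings: the five NT4-only options, the two legacy-protocol values, and the missing `dnsupdate`; once those lines are removed or corrected the list is empty.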