Hi,
On Tuesday, 31 May 2022 at 16:43:45 CEST, Zombie Ryushu via samba wrote:
> On 5/31/22 10:19, Rowland Penny via samba wrote:
> > On Tue, 2022-05-31 at 10:05 -0400, Zombie Ryushu via samba wrote:
> >> On 5/31/22 09:47, Rowland Penny via samba wrote:
> >>> On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via samba wrote:
> >>>> The DC did have the FSMO roles, but I tried to demote the DC and
> >>>> rejoin it. The DC won't demote normally. It will refuse to transfer
> >>>> roles. A secondary DC has seized the roles, but the primary DC
> >>>> thinks it still has them when it does not.
> >>>>
> >>>> I also tried the Demote as a Dead DC procedure. That worked, but
> >>>> after re-join the original DC was still corrupt.
> >>>
> >>> You shouldn't have re-joined the DC, you should have re-installed
> >>> it, preferably with a new name.
> >>>
> >>>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
> >>>> Loaded services file OK.
> >>>> Weak crypto is allowed
> >>>>
> >>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
> >>>>
> >>>> # Global parameters
> >>>> [global]
> >>>>
> >>>> domain logons = Yes
> >>>> domain master = Yes
> >>>> ntlm auth = ntlmv1-permitted
> >>>> os level = 40
> >>>> passdb backend = samba_dsdb
> >>>> preferred master = Yes
> >>>> realm = PUKEY
> >>>> server min protocol = NT1
> >>>> server role = active directory domain controller
> >>>> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
> >>>>
> >>>> tls cafile = tls/ca.crt
> >>>> tls certfile = tls/olympia.pukey.crt
> >>>> tls keyfile = tls/olympia.pukey.key
> >>>> winbind nss info = rfc2307
> >>>> workgroup = PUKEY-NT
> >>>> rpc_server:tcpip = no
> >>>> rpc_daemon:spoolssd = embedded
> >>>> rpc_server:spoolss = embedded
> >>>> rpc_server:winreg = embedded
> >>>> rpc_server:ntsvcs = embedded
> >>>> rpc_server:eventlog = embedded
> >>>> rpc_server:srvsvc = embedded
> >>>> rpc_server:svcctl = embedded
> >>>> rpc_server:default = external
> >>>> winbindd:use external pipes = true
> >>>> idmap_ldb:use rfc2307 = yes
> >>>> idmap config * : backend = tdb
> >>>> map archive = No
> >>>> vfs objects = dfs_samba4 acl_xattr
> >>>>
> >>>> [netlogon]
> >>>>
> >>>> path = /var/lib/samba/sysvol/pukey/scripts
> >>>> read only = No
> >>>>
> >>>> [sysvol]
> >>>>
> >>>> path = /var/lib/samba/sysvol
> >>>> read only = No
> >>>
> >>> I suggest you move all the shares to a Unix domain member.
> >>>
> >>> I also suggest you remove these lines:
> >>> domain logons = Yes
> >>> domain master = Yes
> >>> preferred master = Yes
> >>> winbind nss info = rfc2307
> >>> os level = 40
> >>>
> >>> There is no point to them on a Samba AD DC.
> >>>
> >>> Why do you have these lines:
> >>> ntlm auth = ntlmv1-permitted
> >>> server min protocol = NT1
> >>>
> >>> Do you really need them ?
> >>>
> >>> Finally, what happened to 'dnsupdate' from the 'server services'
> >>> line ?
> >>>
> >>> Rowland
> >>
> >> I use a normal Bind Server for DNS,
> >
> > But you still need 'dnsupdate' in the 'server services' line, it has
> > nothing to do with Bind9.
> >
> >> ntlm auth = ntlmv1-permitted
> >> server min protocol = NT1
> >>
> >> These are there so that Ghost Commander on Android works.
> >> I have a secondary smb.conf that is configured for an NT Domain that
> >> just is for running NMB so Ghost Commander on Android sees a Browse
> >> list.
> >
> > I suggest you use a Unix domain member for 'Ghost Commander'
> >
> >> It's outside the scope of this problem. Samba doesn't really update
> >> Bind right now. Bind runs in a Chroot and that prevents the Bind DLZ
> >> from working. I just use flat Zone Files.
> >
> > Take Bind9 out of the chroot, this is quite possibly one of your main
> > problems. Do not use flatfiles, they do not work with BIND_DLZ, are
> > deprecated and could be removed at any time. Active directory
> > absolutely requires good DNS.
> >
> > Rowland
>
> Currently it's set to None, and DNS is working. That's not the issue for
> the other two DCs. I don't know how to take Bind out of its chroot on
> OpenSuse.
>
It's in
/etc/sysconfig/named
#NAMED_RUN_CHROOTED="no"
> This is not a DNS problem anyway. If it were the other two DCs wouldn't
> be working.
If I understand right, your DCs are running on openSUSE?
This is normally "mit-kerberos-based".
Don't know if this is also a problem in your case.
Markus
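As an added example (not part of the thread or of Samba itself), a small Python lint that parses an smb.conf like the one quoted above and flags the settings Rowland called out: an SMB1 minimum protocol, NTLMv1 permitted, the NT4-domain options that have no point on an AD DC, and a 'server services' line missing dnsupdate. The sample config is a constructed, trimmed copy of the quoted [global] section.

```python
# Constructed sample: a trimmed copy of the [global] section quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    ntlm auth = ntlmv1-permitted
    realm = PUKEY
    server min protocol = NT1
    server role = active directory domain controller
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
    domain logons = Yes
    domain master = Yes
    preferred master = Yes
    os level = 40
    winbind nss info = rfc2307
"""

# NT4-domain options that Rowland says have no point on a Samba AD DC.
NT4_ONLY = {"domain logons", "domain master", "preferred master", "os level", "winbind nss info"}


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; keys lower-cased, comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            # collapse whitespace so "Server  Min Protocol" matches "server min protocol"
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def lint_ad_dc_global(conf):
    """Return a list of findings for the [global] section of an AD DC smb.conf."""
    g = conf.get("global", {})
    findings = []
    if g.get("server min protocol", "").upper() == "NT1":
        findings.append("server min protocol = NT1 re-enables SMB1; remove the line")
    if "ntlmv1" in g.get("ntlm auth", "").lower():
        findings.append("ntlm auth permits NTLMv1; use the default (ntlmv2-only)")
    services = [s.strip() for s in g.get("server services", "").split(",") if s.strip()]
    if services and "dnsupdate" not in services:
        findings.append("server services lacks dnsupdate; it is needed even with Bind9")
    for key in sorted(NT4_ONLY & g.keys()):
        findings.append(f"{key} is an NT4-domain option with no effect on an AD DC; remove it")
    return findings
```

Running `lint_ad_dc_global(parse_smb_conf(SAMPLE_SMB_CONF))` on the sample yields eight findings; a [global] section with only realm, server role and a 'server services' line that includes dnsupdate yields none.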