Send this back to the list...

On Tuesday, 31 May 2022, 21:05:05 CEST, Zombie Ryushu wrote:
> On 5/31/22 14:43, Markus Dellermann via samba wrote:
> > Hi,
> >
> > On Tuesday, 31 May 2022, 16:43:45 CEST, Zombie Ryushu via samba wrote:
> >> On 5/31/22 10:19, Rowland Penny via samba wrote:
> >>> On Tue, 2022-05-31 at 10:05 -0400, Zombie Ryushu via samba wrote:
> >>>> On 5/31/22 09:47, Rowland Penny via samba wrote:
> >>>>> On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via samba wrote:
> >>>>>> The DC did have the FSMO roles, but I tried to demote the DC and
> >>>>>> rejoin it. The DC won't demote normally. It will refuse to transfer
> >>>>>> roles. A secondary DC has seized the roles, but the primary DC thinks
> >>>>>> it still has them when it does not.
> >>>>>>
> >>>>>> I also tried the "demote as a dead DC" procedure. That worked, but
> >>>>>> after the re-join the original DC was still corrupt.
> >>>>>
> >>>>> You shouldn't have re-joined the DC, you should have re-installed it,
> >>>>> preferably with a new name.
> >>>>>
> >>>>>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
> >>>>>> Loaded services file OK.
> >>>>>> Weak crypto is allowed
> >>>>>>
> >>>>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
> >>>>>>
> >>>>>> # Global parameters
> >>>>>> [global]
> >>>>>>         domain logons = Yes
> >>>>>>         domain master = Yes
> >>>>>>         ntlm auth = ntlmv1-permitted
> >>>>>>         os level = 40
> >>>>>>         passdb backend = samba_dsdb
> >>>>>>         preferred master = Yes
> >>>>>>         realm = PUKEY
> >>>>>>         server min protocol = NT1
> >>>>>>         server role = active directory domain controller
> >>>>>>         server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
> >>>>>>         tls cafile = tls/ca.crt
> >>>>>>         tls certfile = tls/olympia.pukey.crt
> >>>>>>         tls keyfile = tls/olympia.pukey.key
> >>>>>>         winbind nss info = rfc2307
> >>>>>>         workgroup = PUKEY-NT
> >>>>>>         rpc_server:tcpip = no
> >>>>>>         rpc_daemon:spoolssd = embedded
> >>>>>>         rpc_server:spoolss = embedded
> >>>>>>         rpc_server:winreg = embedded
> >>>>>>         rpc_server:ntsvcs = embedded
> >>>>>>         rpc_server:eventlog = embedded
> >>>>>>         rpc_server:srvsvc = embedded
> >>>>>>         rpc_server:svcctl = embedded
> >>>>>>         rpc_server:default = external
> >>>>>>         winbindd:use external pipes = true
> >>>>>>         idmap_ldb:use rfc2307 = yes
> >>>>>>         idmap config * : backend = tdb
> >>>>>>         map archive = No
> >>>>>>         vfs objects = dfs_samba4 acl_xattr
> >>>>>>
> >>>>>> [netlogon]
> >>>>>>         path = /var/lib/samba/sysvol/pukey/scripts
> >>>>>>         read only = No
> >>>>>>
> >>>>>> [sysvol]
> >>>>>>         path = /var/lib/samba/sysvol
> >>>>>>         read only = No
> >>>>>
> >>>>> I suggest you move all the shares to a Unix domain member.
> >>>>>
> >>>>> I also suggest you remove these lines:
> >>>>> domain logons = Yes
> >>>>> domain master = Yes
> >>>>> preferred master = Yes
> >>>>> winbind nss info = rfc2307
> >>>>> os level = 40
> >>>>>
> >>>>> There is no point to them on a Samba AD DC.
> >>>>>
> >>>>> Why do you have these lines:
> >>>>> ntlm auth = ntlmv1-permitted
> >>>>> server min protocol = NT1
> >>>>>
> >>>>> Do you really need them?
> >>>>>
> >>>>> Finally, what happened to 'dnsupdate' from the 'server services' line?
> >>>>>
> >>>>> Rowland
> >>>>
> >>>> I use a normal Bind server for DNS.
> >>>
> >>> But you still need 'dnsupdate' in the 'server services' line, it has
> >>> nothing to do with Bind9.
> >>>
> >>>> ntlm auth = ntlmv1-permitted
> >>>> server min protocol = NT1
> >>>>
> >>>> These are there so that Ghost Commander on Android works.
> >>>> I have a secondary smb.conf that is configured for an NT domain that
> >>>> is just for running NMB so Ghost Commander on Android sees a browse list.
> >>>
> >>> I suggest you use a Unix domain member for 'Ghost Commander'.
> >>>
> >>>> It's outside the scope of this problem. Samba doesn't really update
> >>>> Bind right now. Bind runs in a chroot and that prevents the Bind DLZ
> >>>> from working. I just use flat zone files.
> >>>
> >>> Take Bind9 out of the chroot, this is quite possibly one of your main
> >>> problems. Do not use flat files, they do not work with BIND_DLZ, are
> >>> deprecated and could be removed at any time. Active Directory
> >>> absolutely requires good DNS.
> >>>
> >>> Rowland
> >>
> >> Currently it's set to None, and DNS is working. That's not the issue for
> >> the other two DCs. I don't know how to take Bind out of its chroot on
> >> openSUSE.
> >
> > It's in
> > /etc/sysconfig/named
> > #NAMED_RUN_CHROOTED="no"
> >
> >> This is not a DNS problem anyway. If it were, the other two DCs wouldn't
> >> be working.
> >
> > If I understand right, your DCs are running on openSUSE?
> > This is normally "mit-kerberos-based".
> > Don't know if this is also a problem in your case.
> >
> > Markus
>
> Yes, but this is a database corruption issue. I need DNS worked on, but
> let's hold off on that until things like this:
>
> #samba-tool dbcheck
> Checking 321 objects
> ERROR(<class 'ValueError'>): uncaught exception - unable to parse dn string
>   File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python3.6/site-packages/samba/netcmd/dbcheck.py", line 170, in run
>     controls=controls, attrs=attrs)
>   File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 255, in check_database
>     error_count += self.check_object(object.dn, requested_attrs=attrs)
>   File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 2601, in check_object
>     expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))

Is AppArmor running and have you tried aa-logprof?

As Rowland already pointed out, you should go with Heimdal Kerberos on a DC and
try Debian, e.g. with Louis' packages.
(For openSUSE I use my alternative packages from the openSUSE build server, but
there may be other options like SerNet's Samba+.)

Markus
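An added check, not from the thread or from Samba itself, that reads an smb.conf and flags what Rowland calls out above: NT4-style options that do nothing on an AD DC, the NTLMv1 and NT1 settings, and a 'server services' line without dnsupdate. The option names are real smb.conf parameters; the lint rules and the embedded [global] sample (modelled on the one posted) are constructed for this example.

```python
import re
# NT4-style options (no effect on an AD DC) and settings that re-enable weak auth/dialects
OBSOLETE_ON_AD_DC = {"domain logons", "domain master", "preferred master", "os level", "winbind nss info"}
WEAK = {"ntlm auth": {"ntlmv1-permitted", "yes"},
        "server min protocol": {"core", "coreplus", "lanman1", "lanman2", "nt1"}}
REQUIRED_SERVICE = "dnsupdate"  # a DC needs this whatever DNS backend it uses

def parse_smbconf(text):
    """Return {section: {key: value}}; keys lower-cased, inner whitespace squeezed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def lint_ad_dc(text):
    """Return findings for a DC's smb.conf; an empty list means nothing flagged."""
    g = parse_smbconf(text).get("global", {})
    if g.get("server role", "").lower() != "active directory domain controller":
        return ["not an AD DC config; checks skipped"]
    findings = [f"remove '{k} = {g[k]}': no effect on an AD DC"
                for k in sorted(OBSOLETE_ON_AD_DC & set(g))]
    for key, bad in WEAK.items():
        if g.get(key, "").lower() in bad:
            findings.append(f"'{key} = {g[key]}' permits weak authentication or dialect")
    services = {s.strip().lower() for s in g.get("server services", "").split(",")}
    if "server services" in g and REQUIRED_SERVICE not in services:
        findings.append(f"'{REQUIRED_SERVICE}' missing from 'server services'")
    return findings

# Constructed sample modelled on the [global] section posted in the thread
SAMPLE = """[global]
    domain logons = Yes
    domain master = Yes
    ntlm auth = ntlmv1-permitted
    os level = 40
    preferred master = Yes
    server min protocol = NT1
    server role = active directory domain controller
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
    winbind nss info = rfc2307
"""
```

Run `lint_ad_dc(open("/etc/samba/smb.conf").read())` (or on `testparm -s` output) to get the list of findings for a real DC.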
On 6/1/22 03:51, Markus Dellermann via samba wrote:
> Send this back to the list...
> On Tuesday, 31 May 2022, 21:05:05 CEST, Zombie Ryushu wrote:
>
> Is AppArmor running and have you tried aa-logprof?
>
> As Rowland already pointed out, you should go with Heimdal Kerberos on a DC and
> try Debian, e.g. with Louis' packages.
> (For openSUSE I use my alternative packages from the openSUSE build server, but
> there may be other options like SerNet's Samba+.)
>
> Markus

* apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; disabled; vendor preset: enabled)
     Active: inactive (dead)

I am not interested in switching distributions.
On Wed, 2022-06-01 at 09:51 +0200, Markus Dellermann via samba wrote:
> > Yes, but this is a database corruption issue. I need DNS worked on,
> > but let's hold off on that until things like this:
> > #samba-tool dbcheck
> > Checking 321 objects
> > ERROR(<class 'ValueError'>): uncaught exception - unable to parse dn string
> >   File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib64/python3.6/site-packages/samba/netcmd/dbcheck.py", line 170, in run
> >     controls=controls, attrs=attrs)
> >   File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 255, in check_database
> >     error_count += self.check_object(object.dn, requested_attrs=attrs)
> >   File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 2601, in check_object
> >     expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))

So what is happening here is that the parent_dn, which is a string at this
point, doesn't parse when written as (e.g. in another syntax) RDN=RDN,$parent_dn.

That isn't typical, but we have had some changes in DN escaping stuff and
perhaps the linearised DN is tripping that up. Or perhaps it really is
corrupt, but I doubt it.

Ideally that would have been written differently, to create a new Dn() of
"RDN=RDN", then done a dn.add_base(), e.g. (only slightly tested):

diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 449b0a7d985..077e81b2dcb 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -2596,7 +2596,8 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) controls += ["local_oid:%s:1" % dsdb.DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME] if parent_dn is None: parent_dn = obj.dn.parent() - expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn)) + expected_dn = ldb.Dn(self.samdb, "RDN=RDN") + expected_dn.add_base(parent_dn) expected_dn.set_component(0, obj.dn.get_rdn_name(), name_val) if obj.dn == deleted_objects_dn: At least then we wouldn't be dealing with DN escaping stuff -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba Samba Development and Support, Catalyst IT - Expert Open Source Solutions
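Review bot: the two `+` lines assume `parent_dn` is already an `ldb.Dn`, but the explanation above describes it as a string at this point, and the replaced `"RDN=RDN,%s" % (parent_dn)` worked with either type while `expected_dn.add_base(parent_dn)` will not. Since the visible `if parent_dn is None: parent_dn = obj.dn.parent()` only covers the None case, normalise the caller-supplied value first, e.g. `if not isinstance(parent_dn, ldb.Dn): parent_dn = ldb.Dn(self.samdb, str(parent_dn))`, and check the result of `add_base()` instead of assuming it succeeded. Given the "only slightly tested" caveat, a test whose parent DN has an RDN value with an escaped comma or `+` would cover the very input the string-formatting version is suspected of mishandling.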
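As an added illustration of the point made above (plain Python written for this page, not Samba's ldb or the patch itself): a small RFC 4514 DN parser and escaper with a component-based add_base(), showing that formatting 'RDN,parent' and re-parsing the whole string only works when the parent was linearised with correct escaping, whereas composing components never re-parses the parent at all. The names Dn, parse_dn, escape_value and the two expected_dn_* helpers are this example's own, and the unescaped parent value used in the test is a constructed hypothesis, not the actual state of the database in the thread.

```python
import re
# Added illustration in plain Python, not Samba's ldb: composing a DN from
# components avoids re-parsing (and re-escaping) a linearised parent DN.
SPECIAL = ',+"\\<>;'
ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")
def escape_value(value):
    """Escape an RDN value per RFC 4514 so the linearised DN re-parses correctly."""
    out = "".join("\\" + c if c in SPECIAL else c for c in value)
    if value[:1] in ("#", " "): out = "\\" + out
    if len(value) > 1 and value.endswith(" "): out = out[:-1] + "\\ "
    return out

def parse_dn(text):
    """Split a linearised DN into [(attr, value)]; ValueError if malformed."""
    comps, attr, buf, i = [], None, "", 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):  # escaped character: take it literally
            buf, i = buf + text[i + 1], i + 2
            continue
        if attr is None and c == "=":
            attr, buf = buf.strip(), ""
            if not ATTR.fullmatch(attr):
                raise ValueError("unable to parse dn string: %r" % text)
        elif attr is not None and c == ",":
            comps.append((attr, buf))
            attr, buf = None, ""
        else:
            buf += c
        i += 1
    if attr is None:
        raise ValueError("unable to parse dn string: %r" % text)
    return comps + [(attr, buf)]

class Dn:
    def __init__(self, text):
        self.comps = parse_dn(text)
    def add_base(self, base):  # extend by components: no string round trip
        self.comps += base.comps
        return self
    def __str__(self):
        return ",".join(f"{a}={escape_value(v)}" for a, v in self.comps)

def expected_dn_by_format(rdn, parent_text):
    """dbcheck's old pattern: format 'RDN,parent' as one string and parse it all."""
    return Dn("%s,%s" % (rdn, parent_text))

def expected_dn_by_components(rdn, parent):
    """The patch's pattern: parse only the RDN, then add_base(parent)."""
    return Dn(rdn).add_base(parent)
```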