Stefan G. Weichinger
2022-Nov-24 13:28 UTC
[Samba] accidentally upgraded DC to 4.17.3 ... didn't work
On 24.11.22 at 13:54, Stefan G. Weichinger via samba wrote:
> On 24.11.22 at 13:25, Stefan G. Weichinger via samba wrote:
>
>> Maybe someone points me at a way to fix this DSA-GUID issue or so.
>
> If I understand this correctly, that wrong GUID might explain why
> demoting doesn't work from the broken DC:
>
> the final replication before the demote won't work either, right?
>
> So it seems to me that this DC somehow has an identity issue ;-)

Maybe one of you already knows what is wrong. Let me add this (sorry for the long thread):

* replication seems to work "manually":

# samba-tool drs replicate adc1 adc2 CN=Configuration,DC=arbeitsgruppe,DC=my,DC=tld --full-sync
Replicate from adc2 to adc1 was successful.

* but "samba-tool drs showrepl" looks different on the 2 DCs:

root@adc2:/var/log/samba# samba-tool drs showrepl
Default-First-Site-Name\ADC2
DSA Options: 0x00000001
DSA object GUID: bea518ef-fa1e-4b5a-9dd7-cb5a2c2d052d
DSA invocationId: 89f8a446-6b07-49c6-a05d-b0f890a41508

==== INBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC1 via RPC
        DSA object GUID: 2ea0c6cd-cc15-4db7-8fe3-378491fc08e8
        Last attempt @ Thu Nov 24 14:22:30 2022 CET failed, result 31 (WERR_GEN_FAILURE)
        26 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC1 via RPC
        DSA object GUID: 2ea0c6cd-cc15-4db7-8fe3-378491fc08e8
        Last attempt @ Thu Nov 24 14:22:31 2022 CET failed, result 31 (WERR_GEN_FAILURE)
        26 consecutive failure(s).
        Last success @ NTTIME(0)

DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC1 via RPC
        DSA object GUID: 2ea0c6cd-cc15-4db7-8fe3-378491fc08e8
        Last attempt @ Thu Nov 24 14:22:31 2022 CET failed, result 31 (WERR_GEN_FAILURE)
        26 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC1 via RPC
        DSA object GUID: 2ea0c6cd-cc15-4db7-8fe3-378491fc08e8
        Last attempt @ Thu Nov 24 14:22:31 2022 CET failed, result 31 (WERR_GEN_FAILURE)
        26 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC1 via RPC
        DSA object GUID: 2ea0c6cd-cc15-4db7-8fe3-378491fc08e8
        Last attempt @ Thu Nov 24 14:22:32 2022 CET failed, result 31 (WERR_GEN_FAILURE)
        26 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC1 via RPC
        DSA object GUID: 2ea0c6cd-cc15-4db7-8fe3-378491fc08e8
        Last attempt @ Thu Nov 24 14:27:02 2022 CET failed, result 31 (WERR_GEN_FAILURE)
        32 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC1 via RPC
        DSA object GUID: 2ea0c6cd-cc15-4db7-8fe3-378491fc08e8
        Last attempt @ Thu Nov 24 14:27:02 2022 CET failed, result 31 (WERR_GEN_FAILURE)
        32 consecutive failure(s).
        Last success @ NTTIME(0)

DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC1 via RPC
        DSA object GUID: 2ea0c6cd-cc15-4db7-8fe3-378491fc08e8
        Last attempt @ Thu Nov 24 14:27:02 2022 CET failed, result 31 (WERR_GEN_FAILURE)
        32 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC1 via RPC
        DSA object GUID: 2ea0c6cd-cc15-4db7-8fe3-378491fc08e8
        Last attempt @ Thu Nov 24 14:27:02 2022 CET failed, result 31 (WERR_GEN_FAILURE)
        18 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC1 via RPC
        DSA object GUID: 2ea0c6cd-cc15-4db7-8fe3-378491fc08e8
        Last attempt @ Thu Nov 24 14:27:02 2022 CET failed, result 31 (WERR_GEN_FAILURE)
        32 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: b63aed9f-c407-4dd2-9dd0-90255cb9a32d
    Enabled        : TRUE
    Server DNS name : adc1.arbeitsgruppe.my.tld
    Server DN name  : CN=NTDS Settings,CN=ADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=arbeitsgruppe,DC=my,DC=tld
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

root@adc1:/var/log/samba# samba-tool drs showrepl
Default-First-Site-Name\ADC1
DSA Options: 0x00000001
DSA object GUID: 2ea0c6cd-cc15-4db7-8fe3-378491fc08e8
DSA invocationId: 61c675b8-52df-4f2d-9ed6-b47c3ef013c1

==== INBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC2 via RPC
        DSA object GUID: bea518ef-fa1e-4b5a-9dd7-cb5a2c2d052d
        Last attempt @ Thu Nov 24 14:24:23 2022 CET was successful
        0 consecutive failure(s).
        Last success @ Thu Nov 24 14:24:23 2022 CET

DC=DomainDnsZones,DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC2 via RPC
        DSA object GUID: bea518ef-fa1e-4b5a-9dd7-cb5a2c2d052d
        Last attempt @ Thu Nov 24 14:24:23 2022 CET was successful
        0 consecutive failure(s).
        Last success @ Thu Nov 24 14:24:23 2022 CET

DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC2 via RPC
        DSA object GUID: bea518ef-fa1e-4b5a-9dd7-cb5a2c2d052d
        Last attempt @ Thu Nov 24 14:24:23 2022 CET was successful
        0 consecutive failure(s).
        Last success @ Thu Nov 24 14:24:23 2022 CET

CN=Configuration,DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC2 via RPC
        DSA object GUID: bea518ef-fa1e-4b5a-9dd7-cb5a2c2d052d
        Last attempt @ Thu Nov 24 14:25:34 2022 CET was successful
        0 consecutive failure(s).
        Last success @ Thu Nov 24 14:25:34 2022 CET

CN=Schema,CN=Configuration,DC=arbeitsgruppe,DC=my,DC=tld
    Default-First-Site-Name\ADC2 via RPC
        DSA object GUID: bea518ef-fa1e-4b5a-9dd7-cb5a2c2d052d
        Last attempt @ Thu Nov 24 14:24:23 2022 CET was successful
        0 consecutive failure(s).
        Last success @ Thu Nov 24 14:24:23 2022 CET

==== OUTBOUND NEIGHBORS ===

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: d655acc8-9316-4912-8619-59e7d4a31490
    Enabled        : TRUE
    Server DNS name : adc2.arbeitsgruppe.my.tld
    Server DN name  : CN=NTDS Settings,CN=ADC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=arbeitsgruppe,DC=my,DC=tld
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
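The showrepl output above is hard to read by eye once five naming contexts per direction are involved, and the important signal (adc2 reports every partner attempt failing and "Last success @ NTTIME(0)", i.e. never, while adc1 reports only successes) is easy to miss. The following is an added example, my own code rather than the poster's or anything from the Samba project: it parses the `samba-tool drs showrepl` text format into a small structure and lists the partners that are failing or have never replicated, so the output of each DC can be compared mechanically. The embedded sample is constructed: a shortened form of the output above with the same DSA GUIDs, one failing and one healthy naming context, and one KCC warning.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: shortened from the thread's showrepl output (same GUIDs).
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\ADC2
DSA object GUID: bea518ef-fa1e-4b5a-9dd7-cb5a2c2d052d
DSA invocationId: 89f8a446-6b07-49c6-a05d-b0f890a41508

==== INBOUND NEIGHBORS ====

DC=arbeitsgruppe,DC=my,DC=tld
\tDefault-First-Site-Name\\ADC1 via RPC
\t\tDSA object GUID: 2ea0c6cd-cc15-4db7-8fe3-378491fc08e8
\t\tLast attempt @ Thu Nov 24 14:22:31 2022 CET failed, result 31 (WERR_GEN_FAILURE)
\t\t26 consecutive failure(s).
\t\tLast success @ NTTIME(0)

CN=Configuration,DC=arbeitsgruppe,DC=my,DC=tld
\tDefault-First-Site-Name\\ADC1 via RPC
\t\tDSA object GUID: 2ea0c6cd-cc15-4db7-8fe3-378491fc08e8
\t\tLast attempt @ Thu Nov 24 14:25:34 2022 CET was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Thu Nov 24 14:25:34 2022 CET

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
\tServer DNS name : adc1.arbeitsgruppe.my.tld
Warning: No NC replicated for Connection!
"""


@dataclass
class Neighbor:
    direction: str                    # "INBOUND" or "OUTBOUND"
    partition: str                    # naming context DN
    partner: str                      # Site\DC of the replication partner
    partner_guid: str = ""
    failures: int = 0
    last_error: Optional[str] = None  # WERR_* name; None if the last attempt succeeded
    last_success: str = ""            # "NTTIME(0)" means it has never succeeded


@dataclass
class ShowRepl:
    dsa_name: str = ""
    dsa_guid: str = ""
    invocation_id: str = ""
    neighbors: List[Neighbor] = field(default_factory=list)
    kcc_warnings: int = 0             # "No NC replicated for Connection!" lines


SECTION_RE = re.compile(r"^==+ (INBOUND|OUTBOUND) NEIGHBORS ==+$")
PARTNER_RE = re.compile(r"^(\S+) via (\w+)$")
ATTEMPT_RE = re.compile(r"^Last attempt @ (.+?) (was successful|failed, result \d+ \((\w+)\))$")
FAILS_RE = re.compile(r"^(\d+) consecutive failure\(s\)\.$")


def parse_showrepl(text: str) -> ShowRepl:
    rep, section, partition, cur = ShowRepl(), None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not rep.dsa_name:                      # first line is this DSA's Site\DC
            rep.dsa_name = line
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line).group(1)
        elif line.startswith("==== KCC"):
            section = "KCC"
        elif section is None:                     # header block
            if line.startswith("DSA object GUID:"):
                rep.dsa_guid = line.split(":", 1)[1].strip()
            elif line.startswith("DSA invocationId:"):
                rep.invocation_id = line.split(":", 1)[1].strip()
        elif section == "KCC":
            if line.startswith("Warning:"):
                rep.kcc_warnings += 1
        elif not raw[:1].isspace():               # unindented: a naming context DN
            partition = line
        elif PARTNER_RE.match(line):              # one level in: the partner DSA
            cur = Neighbor(section, partition, PARTNER_RE.match(line).group(1))
            rep.neighbors.append(cur)
        elif cur is not None:                     # two levels in: that partner's status
            if line.startswith("DSA object GUID:"):
                cur.partner_guid = line.split(":", 1)[1].strip()
            elif ATTEMPT_RE.match(line):
                cur.last_error = ATTEMPT_RE.match(line).group(3)
            elif FAILS_RE.match(line):
                cur.failures = int(FAILS_RE.match(line).group(1))
            elif line.startswith("Last success @"):
                cur.last_success = line.split("@", 1)[1].strip()
    return rep


def failing_partners(rep: ShowRepl) -> List[Neighbor]:
    """Neighbors whose last attempt failed or that never replicated, worst first."""
    bad = [n for n in rep.neighbors if n.last_error or n.last_success == "NTTIME(0)"]
    return sorted(bad, key=lambda n: -n.failures)


if __name__ == "__main__":
    rep = parse_showrepl(SAMPLE_SHOWREPL)
    print(rep.dsa_name, rep.dsa_guid, "KCC warnings:", rep.kcc_warnings)
    for n in failing_partners(rep):
        print(f"{n.direction} {n.partition} with {n.partner}: {n.failures} failure(s),"
              f" {n.last_error}, last success {n.last_success}")
```

Run it against `samba-tool drs showrepl` captured on each DC and compare the two lists: in a healthy two-DC domain both sides report the same partner GUID, no failing partners, and no KCC connection without a naming context. A partner that has never succeeded ("NTTIME(0)") on one DC while the other DC reports success is the one-sided picture shown in the thread, which is worth catching in monitoring before a demote or rejoin is attempted.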
Stefan G. Weichinger
2022-Nov-24 16:17 UTC
[Samba] accidentally upgraded DC to 4.17.3 ... didn't work
found https://www.spinics.net/lists/samba/msg162375.html

- "samba-tool spn list adc1$" looks different on adc1 and adc2, while for adc2$ it looks the same ->

root@adc1:~# samba-tool spn list adc1$
adc1$
User CN=ADC1,OU=Domain Controllers,DC=arbeitsgruppe,DC=my,DC=tld has the following servicePrincipalName:
     HOST/ADC1
     HOST/adc1.arbeitsgruppe.my.tld
     GC/adc1.arbeitsgruppe.my.tld/arbeitsgruppe.my.tld
     E3514235-4B06-11D1-AB04-00C04FC2DCD2/2ea0c6cd-cc15-4db7-8fe3-378491fc08e8/arbeitsgruppe.my.tld
     HOST/adc1.arbeitsgruppe.my.tld/ARBEITSGRUPPE
     ldap/adc1.arbeitsgruppe.my.tld/ARBEITSGRUPPE
     ldap/adc1.arbeitsgruppe.my.tld
     HOST/adc1.arbeitsgruppe.my.tld/arbeitsgruppe.my.tld
     ldap/adc1.arbeitsgruppe.my.tld/arbeitsgruppe.my.tld
     ldap/2ea0c6cd-cc15-4db7-8fe3-378491fc08e8._msdcs.arbeitsgruppe.my.tld
     ldap/ADC1
     RestrictedKrbHost/ADC1
     RestrictedKrbHost/adc1.arbeitsgruppe.my.tld
     ldap/adc1.arbeitsgruppe.my.tld/DomainDnsZones.arbeitsgruppe.my.tld
     ldap/adc1.arbeitsgruppe.my.tld/ForestDnsZones.arbeitsgruppe.my.tld

root@adc2:~# samba-tool spn list adc1$
adc1$
User CN=ADC1,OU=Domain Controllers,DC=arbeitsgruppe,DC=my,DC=tld has the following servicePrincipalName:
     HOST/ADC1
     HOST/adc1.arbeitsgruppe.my.tld
     GC/adc1.arbeitsgruppe.my.tld/arbeitsgruppe.my.tld
     E3514235-4B06-11D1-AB04-00C04FC2DCD2/2ea0c6cd-cc15-4db7-8fe3-378491fc08e8/arbeitsgruppe.my.tld

- maybe I should demote adc1 again, then check for spn and remove, if it exists, then rejoin ... ?
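The two `samba-tool spn list adc1$` listings above differ in eleven entries, and one of the missing ones is GUID-bound: adc2 does not see `ldap/<DSA GUID>._msdcs.<realm>` for adc1, although it does see the `E3514235-4B06-11D1-AB04-00C04FC2DCD2/<DSA GUID>/<realm>` replication SPN. Since a replication partner authenticates to the DC by exactly these SPNs, a DC account whose SPN set differs between DCs is a consistency fault worth checking explicitly before a demote or rejoin. The following added example (my code, not the poster's and not from the Samba project) parses the `spn list` output format, reports the SPNs present on only one side, and checks the two GUID-bound SPNs against the DSA object GUID from showrepl. The two embedded samples are constructed from the listings above; realm, host and GUID are the thread's own values, and the service-class GUID is the one visible in that output.

```python
from typing import List, Set, Tuple

# Service class of the DRS replication SPN, as seen in the thread's spn list output.
DRS_SPN_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

# Constructed samples, transcribed from the two listings in the message.
ADC1_VIEW = """\
adc1$
User CN=ADC1,OU=Domain Controllers,DC=arbeitsgruppe,DC=my,DC=tld has the following servicePrincipalName:
\t HOST/ADC1
\t HOST/adc1.arbeitsgruppe.my.tld
\t GC/adc1.arbeitsgruppe.my.tld/arbeitsgruppe.my.tld
\t E3514235-4B06-11D1-AB04-00C04FC2DCD2/2ea0c6cd-cc15-4db7-8fe3-378491fc08e8/arbeitsgruppe.my.tld
\t HOST/adc1.arbeitsgruppe.my.tld/ARBEITSGRUPPE
\t ldap/adc1.arbeitsgruppe.my.tld/ARBEITSGRUPPE
\t ldap/adc1.arbeitsgruppe.my.tld
\t HOST/adc1.arbeitsgruppe.my.tld/arbeitsgruppe.my.tld
\t ldap/adc1.arbeitsgruppe.my.tld/arbeitsgruppe.my.tld
\t ldap/2ea0c6cd-cc15-4db7-8fe3-378491fc08e8._msdcs.arbeitsgruppe.my.tld
\t ldap/ADC1
\t RestrictedKrbHost/ADC1
\t RestrictedKrbHost/adc1.arbeitsgruppe.my.tld
\t ldap/adc1.arbeitsgruppe.my.tld/DomainDnsZones.arbeitsgruppe.my.tld
\t ldap/adc1.arbeitsgruppe.my.tld/ForestDnsZones.arbeitsgruppe.my.tld
"""

ADC2_VIEW = """\
adc1$
User CN=ADC1,OU=Domain Controllers,DC=arbeitsgruppe,DC=my,DC=tld has the following servicePrincipalName:
\t HOST/ADC1
\t HOST/adc1.arbeitsgruppe.my.tld
\t GC/adc1.arbeitsgruppe.my.tld/arbeitsgruppe.my.tld
\t E3514235-4B06-11D1-AB04-00C04FC2DCD2/2ea0c6cd-cc15-4db7-8fe3-378491fc08e8/arbeitsgruppe.my.tld
"""

DSA_GUID_ADC1 = "2ea0c6cd-cc15-4db7-8fe3-378491fc08e8"   # from showrepl on adc1
REALM = "arbeitsgruppe.my.tld"


def parse_spn_list(text: str) -> List[str]:
    """Return the SPNs listed after the 'has the following servicePrincipalName:' header."""
    spns, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_list:
            in_list = line.endswith("has the following servicePrincipalName:")
            continue
        if line:
            spns.append(line)
    return spns


def spn_diff(view_a: str, view_b: str) -> Tuple[List[str], List[str]]:
    """(SPNs only in view A, SPNs only in view B); both empty when the DCs agree."""
    a, b = set(parse_spn_list(view_a)), set(parse_spn_list(view_b))
    return sorted(a - b), sorted(b - a)


def guid_bound_spns(dsa_guid: str, realm: str) -> Set[str]:
    """The two SPNs that embed the DC's DSA object GUID (both present in adc1's own listing)."""
    return {f"{DRS_SPN_CLASS}/{dsa_guid}/{realm}", f"ldap/{dsa_guid}._msdcs.{realm}"}


def missing_guid_spns(view: str, dsa_guid: str, realm: str) -> List[str]:
    """GUID-bound SPNs that this DC's view of the account lacks."""
    return sorted(guid_bound_spns(dsa_guid, realm) - set(parse_spn_list(view)))


if __name__ == "__main__":
    only_adc1, only_adc2 = spn_diff(ADC1_VIEW, ADC2_VIEW)
    print("only adc1 sees:", *only_adc1, sep="\n  ")
    print("only adc2 sees:", only_adc2)
    print("GUID-bound SPNs missing on adc2:", missing_guid_spns(ADC2_VIEW, DSA_GUID_ADC1, REALM))
```

To use it on a live domain, capture `samba-tool spn list adc1$` on each DC into a file and feed the two texts to `spn_diff`; the GUID passed to `missing_guid_spns` should be the "DSA object GUID" reported by `samba-tool drs showrepl` on the DC that owns the account. If the GUID in the SPN does not match the GUID showrepl reports, the SPN was registered under a different identity, which is the kind of mismatch the thread is chasing.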