samba - Jun 2023 - Unable to contact RPC server on a new DC

On 09/06/2023 18:11, Andrey Repin via samba wrote:
> Greetings, Rowland Penny via samba!
>> OK, you have these lines on the DC:
> 
>>           winbind nss info = rfc2307
>>           winbind use default domain = Yes
>>           idmap config darkdragon : unix_nss_info = yes
>>           idmap config darkdragon : unix_primary_group = yes
>>           idmap config darkdragon : range = 2048-131071
>>           idmap config darkdragon : schema_mode = rfc2307
>>           idmap config darkdragon : backend = ad
>>           idmap config * : range = 1024-2047
>>           idmap config * : schema_mode = rfc2307
>>           idmap config * : backend = tdb
> 
>> Why ? They do nothing on a DC.
> 
>> Why do you have 'auto services = homes' without actually having
a 'homes' share ?
> 
>> Turning to the Unix domain member, why are you using SMBv1 aka
'NT1', the DC isn't
> 
> Because DC1 used it. Consider it a legacy. Why would Win7 (RSAT) do not
> connect? THAT is the main question.
If you do not require SMBv1, then I suggest you remove it.
> 
>> Why do you have a netlogon share on the Unix domain member ?
> 
> An oversight, I presume. (it's the baremetal host, on which I ran some
> experiments in the past)
A Unix domain member never used a netlogon share, they are meant to be 
only on a DC (AD or PDC).
> 
>> Why are you using Wins ? AD does not use Wins, it uses DNS.
> 
> I tried to normalize network discovery. I?'s VERY slow ATM. Minutes to
get a
> list of hosts in a workgroup.
I take it by 'network discovery' you mean dns, rather than the
'Network
Discovery' service that has replaced 'Network Browsing' on Windows.

If you dns is slow, you need to find out why, I take it that you are 
using the DC's as the nameservers for your domain clients.
> 
>> Why do you have this line: 'idmap config * : schema_mode =
rfc2307'
> 
> Why not?
Because it isn't required and it this first time that I have seen it in 
that context, being used with the default domain.
> 
>> Finally, you have the 'winbind enum' lines set to yes on both
machines,
> 
> I tried to normalize network discovery. See above.
Setting those can actually slow things down and there aren't required 
for AD to work, 'getent passwd USERNAME' will always show a users data.
> 
>> this should only be done for testing purposes, Samba will quite
correctly without the lines.
> 
> If these settings are irrelevant for their respective placement, you could
> have just stated that instead of an extensive questioning.
I have to ask questions, to try and understand why you are setting 
things in the way you are doing. That is my only reason to ask 
questions, to get answers, so I can then formulate a way out of your 
problem.
> I appreciate your attention, though. I'll meditate on these settings
again,
> once the system is up and running.
> 
>> When you created your new DC, did you sync Sysvol and idmap.ldb from
the existing DC ?
> 
> Shouldn't that be done naturally when DC joined the domain/when roles
were
> claimed? Sysvol is nearly empty though. I did not go far enough to create
any
> custom rules for this domain. Yet.
> Also, why this is not mentioned on the wiki?
When you provision a new domain, the first domain gets everything set 
up. When you join another DC, the main database is replicated, but 
Sysvol and idmap.ldb aren't. Samba, at present, has no method to sync 
Sysvol automatically, so you have to do it manually. The join creates a 
base idmap.ldb , but this works exactly the same as the first DC, ID's 
are allocated mostly on a 'first come' basis, this means the users and 
groups on separate DC's can and will get different ID's, so you need to 
sync idmap.ldb between DC's, usually from the DC that has the 
PDC_Emulator FSMO role.
I thought this was all mentioned in the wiki.

Rowland

Hello Rowland Penny,

Friday, June 9, 2023, 8:51:25 PM, you wrote:
> On 09/06/2023 18:11, Andrey Repin via samba wrote:
>> Greetings, Rowland Penny via samba!
>>> OK, you have these lines on the DC:
>>>           winbind nss info = rfc2307
>>>           winbind use default domain = Yes
>>>           idmap config darkdragon : unix_nss_info = yes
>>>           idmap config darkdragon : unix_primary_group = yes
>>>           idmap config darkdragon : range = 2048-131071
>>>           idmap config darkdragon : schema_mode = rfc2307
>>>           idmap config darkdragon : backend = ad
>>>           idmap config * : range = 1024-2047
>>>           idmap config * : schema_mode = rfc2307
>>>           idmap config * : backend = tdb
>>> Why ? They do nothing on a DC.
>>> Why do you have 'auto services = homes' without actually
having a 'homes' share ?
>>> Turning to the Unix domain member, why are you using SMBv1 aka
'NT1', the DC isn't
>> Because DC1 used it. Consider it a legacy. Why would Win7 (RSAT) do not
>> connect? THAT is the main question.
> If you do not require SMBv1, then I suggest you remove it.
>>> Why do you have a netlogon share on the Unix domain member ?
>> An oversight, I presume. (it's the baremetal host, on which I ran
some
>> experiments in the past)
> A Unix domain member never used a netlogon share, they are meant to be only
> on a DC (AD or PDC).
If that does not affect DC behavior, it is irrelevant to the problem.
>>> Why are you using Wins ? AD does not use Wins, it uses DNS.
>> I tried to normalize network discovery. I?'s VERY slow ATM. Minutes
to
>> get a list of hosts in a workgroup.
> I take it by 'network discovery' you mean dns, rather than the
'Network
> Discovery' service that has replaced 'Network Browsing' on
Windows.
I mean netbios workgroup listing.
> If you dns is slow, you need to find out why, I take it that you are using
> the DC's as the nameservers for your domain clients.
Not related to DNS at all.
>>> Why do you have this line: 'idmap config * : schema_mode =
rfc2307'
>> Why not?
> Because it isn't required and it this first time that I have seen it in
> that context, being used with the default domain.
I followed the guide where domain was set up like that. And it worked for me
for over a decade. I guess it is either harmless or a default used internally.
>>> Finally, you have the 'winbind enum' lines set to yes on
both machines,
>> I tried to normalize network discovery. See above.
> Setting those can actually slow things down and there aren't required
for
> AD to work, 'getent passwd USERNAME' will always show a users data.
>>> this should only be done for testing purposes, Samba will quite
correctly without the lines.
>> If these settings are irrelevant for their respective placement, you
could
>> have just stated that instead of an extensive questioning.
> I have to ask questions, to try and understand why you are setting things
> in the way you are doing. That is my only reason to ask questions, to get
> answers, so I can then formulate a way out of your problem.
>> I appreciate your attention, though. I'll meditate on these
settings again,
>> once the system is up and running.
>>> When you created your new DC, did you sync Sysvol and idmap.ldb
from the existing DC ?
>> Shouldn't that be done naturally when DC joined the domain/when
roles were
>> claimed? Sysvol is nearly empty though. I did not go far enough to
create any
>> custom rules for this domain. Yet.
>> Also, why this is not mentioned on the wiki?
> When you provision a new domain, the first domain gets everything set up.
> When you join another DC, the main database is replicated, but Sysvol and
> idmap.ldb aren't. Samba, at present, has no method to sync Sysvol
> automatically, so you have to do it manually. The join creates a base
> idmap.ldb , but this works exactly the same as the first DC, ID's are
> allocated mostly on a 'first come' basis, this means the users and
groups on
> separate DC's can and will get different ID's, so you need to sync
idmap.ldb
> between DC's, usually from the DC that has the PDC_Emulator FSMO role.
> I thought this was all mentioned in the wiki.
Shouldn't this be taken from LDAP, since I use WINBIND mappings?


-- 
Best regards,
Andrey Repin