thr3ads.net - samba - [Samba] Fwd: No DNS/Kerberos after DC OS upgrade [Mar 2025]

If this information is useful, please help other people find it:
Share via:

Nicolas Canonne

2025-Mar-30 07:32 UTC

[Samba] Fwd: No DNS/Kerberos after DC OS upgrade

Le 30/03/2025 ? 18:04, Nicolas Canonne via samba a
?crit?:> Hello Rowland and thanks for the reply !
>
> I simply used :
>
> sudo do-release-upgrade
>
> Samba on the 2 DC is well updated to 4.19.5 (I posted the logs 
> starting from 4.15.13 trying to show the upgrade process)
>
>> @dc1:~$ samba -V
>> Version 4.19.5-Ubuntu
>
>> @dc2:~$ samba -V
>> Version 4.19.5-Ubuntu
>
> Nicolas Canonne
>
> Electronico
> NEW-CALEDONIA (South Pacific)
>
> Le 30/03/2025 ? 17:48, Rowland Penny via samba a ?crit?:
>> On Sun, 30 Mar 2025 17:35:12 +1100
>> Nicolas Canonne via samba <samba at lists.samba.org> wrote:
>>
>>> Hi again,
>>>
>>> Had to remove log as email was to big (more than 128K) and rejected
>>>
>>> Nicolas
>>>
>>> -------- Message transf?r? --------
>>> Sujet?:???? Re: No DNS/Kerberos after DC OS upgrade
>>> Date?:???? Sun, 30 Mar 2025 16:00:57 +1100
>>> De?:???? Nicolas Canonne <me at electronico.nc>
>>> Pour?:???? samba at lists.samba.org
>>>
>>>
>>>
>>>
>> You say that you have upgraded DC1 from 4.15.13 to 4.19.5, but from
>> your logs there is this:
>>
>> [2025/03/30 10:05:52.445395,? 0] ../../source3/smbd/server.c:1734(main)
>> ? smbd version 4.15.13-Ubuntu started.
>>
>> That (along with other things in the logs) suggests to me that the
>> upgrade hasn't worked, how did you upgrade ?
>>
>> Rowland
>>
>Sorry for top posting (haven't used mailing list for a while)

It seems that DC2 is now the main DC :
> @dc1:~$ sudo net ads lookup
> Information for Domain Controller: 10.10.20.4
>
> Response Type: LOGON_SAM_LOGON_RESPONSE_EX
> GUID: e53f608d-1eee-4e2c-8fec-e570450cf59c
> Flags:
> ??? Is a PDC:?????????????????????????????????? no
> ??? Is a GC of the forest:????????????????????? yes
> ??? Is an LDAP server:????????????????????????? yes
> ??? Supports DS:??????????????????????????????? yes
> ??? Is running a KDC:?????????????????????????? yes
> ??? Is running time services:?????????????????? yes
> ??? Is the closest DC:????????????????????????? yes
> ??? Is writable:??????????????????????????????? yes
> ??? Has a hardware clock:?????????????????????? yes
> ??? Is a non-domain NC serviced by LDAP server: no
> ??? Is NT6 DC that has some secrets:??????????? no
> ??? Is NT6 DC that has all secrets:???????????? yes
> ??? Runs Active Directory Web Services:???????? no
> ??? Runs on Windows 2012 or later:????????????? no
> ??? Runs on Windows 2012R2 or later:??????????? no
> ??? Runs on Windows 2016 or later:????????????? no
> ??? Has a DNS name:???????????????????????????? no
> ??? Is a default NC:??????????????????????????? no
> ??? Is the forest root:???????????????????????? no
> Forest: smb.rdk.nc
> Domain: smb.rdk.nc
> Domain Controller: dc2.smb.rdk.nc
> Pre-Win2k Domain: SMB
> Pre-Win2k Hostname: DC2
> Server Site Name: Default-First-Site-Name
> Client Site Name: Default-First-Site-Name
> NT Version: 5
> LMNT Token: ffff
> LM20 Token: ffff
> @dc2:~$ sudo net ads lookup
> Information for Domain Controller: 10.10.20.4
>
> Response Type: LOGON_SAM_LOGON_RESPONSE_EX
> GUID: e53f608d-1eee-4e2c-8fec-e570450cf59c
> Flags:
> ??? Is a PDC:?????????????????????????????????? no
> ??? Is a GC of the forest:????????????????????? yes
> ??? Is an LDAP server:????????????????????????? yes
> ??? Supports DS:??????????????????????????????? yes
> ??? Is running a KDC:?????????????????????????? yes
> ??? Is running time services:?????????????????? yes
> ??? Is the closest DC:????????????????????????? yes
> ??? Is writable:??????????????????????????????? yes
> ??? Has a hardware clock:?????????????????????? yes
> ??? Is a non-domain NC serviced by LDAP server: no
> ??? Is NT6 DC that has some secrets:??????????? no
> ??? Is NT6 DC that has all secrets:???????????? yes
> ??? Runs Active Directory Web Services:???????? no
> ??? Runs on Windows 2012 or later:????????????? no
> ??? Runs on Windows 2012R2 or later:??????????? no
> ??? Runs on Windows 2016 or later:????????????? no
> ??? Has a DNS name:???????????????????????????? no
> ??? Is a default NC:??????????????????????????? no
> ??? Is the forest root:???????????????????????? no
> Forest: smb.rdk.nc
> Domain: smb.rdk.nc
> Domain Controller: dc2.smb.rdk.nc
> Pre-Win2k Domain: SMB
> Pre-Win2k Hostname: DC2
> Server Site Name: Default-First-Site-Name
> Client Site Name: Default-First-Site-Name
> NT Version: 5
> LMNT Token: ffff
> LM20 Token: ffff
but FSMO role seems to still be on DC1:
> @dc1:~$ sudo samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
> InfrastructureMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
> RidAllocationMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
> PdcEmulationMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
> DomainNamingMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
> DomainDnsZonesMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
> ForestDnsZonesMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
> @dc2:~$ sudo samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
> InfrastructureMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
> RidAllocationMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
> PdcEmulationMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
> DomainNamingMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
> DomainDnsZonesMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
> ForestDnsZonesMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=rdk,DC=nc
Nicolas

Rowland Penny

2025-Mar-30 08:04 UTC

head link

[Samba] Fwd: No DNS/Kerberos after DC OS upgrade

On Sun, 30 Mar 2025 18:32:28 +1100
Nicolas Canonne via samba <samba at lists.samba.org> wrote:
> 
>
> >>
> >
> Sorry for top posting (haven't used mailing list for a while)
> 
> It seems that DC2 is now the main DC :
First, you do not have a 'main' DC, you just have DCs, it is just that
one of them holds the FSMO roles.

And from what you posted, it doesn't look like DC2 holds any of the
FSMO roles, it certainly doesn't hold the PDC_Emulator role.

Here is what I suggest you do:
Transfer all the FSMO roles to DC2 (seize them if you have to).
Demote DC1 and turn it off.
Install Debian 12 and use backports.
This will get you Samba 4.21.4 , 4.19.5 is EOL from the Samba point of
view.
Join this as a new DC 

Rowland

samba - Mar 2025 - Fwd: No DNS/Kerberos after DC OS upgrade

[Samba] Fwd: No DNS/Kerberos after DC OS upgrade

[Samba] Fwd: No DNS/Kerberos after DC OS upgrade