On 30/03/2025 at 19:04, Rowland Penny via samba wrote:
> First, you do not have a 'main' DC, you just have DCs, it is just that
> one of them holds the FSMO roles.
>
> And from what you posted, it doesn't look like DC2 holds any of the
> FSMO roles, it certainly doesn't hold the PDC_Emulator role.
>
> Here is what I suggest you do:
> Transfer all the FSMO roles to DC2 (seize them if you have to).
> Demote DC1 and turn it off.
> Install Debian 12 and use backports.
> This will get you Samba 4.21.4 , 4.19.5 is EOL from the Samba point of
> view.
> Join this as a new DC
>
> Rowland
>

Rowland,

The problem is that I'm at a remote location, doing all things via SSH.

So, this Debian 12 OS change is not possible before a lot of hours, and the whole AD is off at the site.

It really looks like Kerberos is broken:

> @dc1:~$ klist
> klist: No credentials cache found (filename: /tmp/krb5cc_1000)
> @dc1:~$ cat /etc/krb5.conf
> [libdefaults]
>     default_realm = SMB.RDK.NC
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
>     rdns = false
> [realms]
> SMB.RDK.NC = {
>     default_domain = smb.rdk.nc
> }
>
> [domain_realm]
>     dc1 = SMB.RDK.NC

> @dc2:~$ klist
> klist: No credentials cache found (filename: /tmp/krb5cc_1000)
> @dc2:~$ cat /etc/krb5.conf
> [libdefaults]
>     default_realm = SMB.RDK.NC
>     dns_lookup_realm = false
>     dns_lookup_kdc = true

Could you please try to assist a bit more?

Thanks, once more, for your help

Nicolas
Electronico
NEW-CALEDONIA (South Pacific)

On Sun, 30 Mar 2025 19:30:03 +1100 Nicolas Canonne via samba <samba at lists.samba.org> wrote:
> On 30/03/2025 at 19:04, Rowland Penny via samba wrote:
>
> > First, you do not have a 'main' DC, you just have DCs, it is just
> > that one of them holds the FSMO roles.
> >
> > And from what you posted, it doesn't look like DC2 holds any of the
> > FSMO roles, it certainly doesn't hold the PDC_Emulator role.
> >
> > Here is what I suggest you do:
> > Transfer all the FSMO roles to DC2 (seize them if you have to).
> > Demote DC1 and turn it off.
> > Install Debian 12 and use backports.
> > This will get you Samba 4.21.4 , 4.19.5 is EOL from the Samba point
> > of view.
> > Join this as a new DC
> >
> > Rowland
> >
> Rowland,
>
> The problem is that I'm at a remote location, doing all things via SSH.

You are certainly remote to me, I am on the other side of the planet in the UK ;-)

>
> So, this Debian 12 OS change is not possible before a lot of hours, and
> the whole AD is off at the site.

Then replace 'use Debian 12' with 'use Ubuntu' and set up a new DC, provided that DC2 is working okay, it is your fastest way out of this problem, using Debian would be a way of getting a Samba supported version.

>
> It really looks like Kerberos is broken

To me, it looks like everything is broken. If you must try to fix DC1, then first check that you have all the Samba packages installed, there were some changes recently.

Rowland
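
Added example, not part of the thread and not code from either poster: a check to run before the "transfer all the FSMO roles to DC2" step, listing the roles that `samba-tool fsmo show` reports on another server and the matching transfer commands. The sample output, the `example.test` domain, the function names and the `Administrator` account are assumptions made for the demonstration.

```bash
#!/bin/sh
# Added example: list FSMO roles not yet held by a target DC.

# Constructed sample of `samba-tool fsmo show` output; the domain and the
# placement of the roles are made up.
sample_fsmo_output() {
  base='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test'
  for r in SchemaMaster InfrastructureMaster RidAllocationMaster PdcEmulationMaster DomainNamingMaster; do
    echo "${r}Role owner: CN=NTDS Settings,CN=DC1,$base"
  done
  for r in DomainDnsZonesMaster ForestDnsZonesMaster; do
    echo "${r}Role owner: CN=NTDS Settings,CN=DC2,$base"
  done
}

# roles_not_on TARGET: read `fsmo show` output on stdin and print each role
# whose owner is a server other than TARGET (case-insensitive). An owner line
# without an NTDS Settings DN is printed too, since it needs attention.
roles_not_on() {
  awk -v target="$1" '
    / owner: / {
      server = ""
      # "CN=NTDS Settings,CN=" is 20 characters; the server name follows it.
      if (match($0, /CN=NTDS Settings,CN=[^,]+/))
        server = substr($0, RSTART + 20, RLENGTH - 20)
      if (toupper(server) != toupper(target)) print $1
    }'
}

# transfer_commands TARGET: map each such role to the --role value accepted by
# `samba-tool fsmo transfer` and print the command to run on TARGET.
# "Administrator" is an assumed account name.
transfer_commands() {
  roles_not_on "$1" | while read -r role; do
    case "$role" in
      SchemaMasterRole)         r=schema ;;
      InfrastructureMasterRole) r=infrastructure ;;
      RidAllocationMasterRole)  r=rid ;;
      PdcEmulationMasterRole)   r=pdc ;;
      DomainNamingMasterRole)   r=naming ;;
      DomainDnsZonesMasterRole) r=domaindns ;;
      ForestDnsZonesMasterRole) r=forestdns ;;
      *) continue ;;
    esac
    echo "samba-tool fsmo transfer --role=$r -U Administrator"
  done
}

sample_fsmo_output | transfer_commands DC2
```

On a live DC, pipe the real output instead: `samba-tool fsmo show | transfer_commands DC2`. If a transfer fails because the current owner is unreachable, `samba-tool fsmo seize` takes the same `--role` values.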