[Samba] Unable to contact RPC server on a new DC
Rowland Penny
rpenny at samba.org
Sun Jun 11 14:49:29 UTC 2023
On 11/06/2023 12:39, Andrey Repin via samba wrote:
> Hello Andrew Bartlett,
>
> Friday, June 9, 2023, 11:25:01 PM, you wrote:
>
>> On Thu, 2023-06-08 at 13:41 +0300, Andrey Repin via samba wrote:
>>> Greetings, All!
>>>
>>> I've added a new DC to the working AD, transferred FSMO roles
>>> (checked, all 7
>>> are ok') and (supposedly) correctly demoted the old DC.
>>>
>>> SchemaMasterRole owner: CN=NTDS
>>> Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
>>> InfrastructureMasterRole owner: CN=NTDS
>>> Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=S
>>> RidAllocationMasterRole owner: CN=NTDS
>>> Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Si
>>> PdcEmulationMasterRole owner: CN=NTDS
>>> Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sit
>>> DomainNamingMasterRole owner: CN=NTDS
>>> Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sit
>>> DomainDnsZonesMasterRole owner: CN=NTDS
>>> Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=S
>>> ForestDnsZonesMasterRole owner: CN=NTDS
>>> Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=S
>>>
>>> Now, I'm unable to connect to the domain using RSAT - the error is
>>> "RPC server
>>> unavailable".
>
>> The obvious question arises: What is in the logs? Are there any clues
>> in the network trace?
>
> Since I don't know what to look for, I'd be very appreciative about any
> specific pointers.
> The only prevalent message in the logs is that it is unable to resolve SID's,
> which is, to my naive understanding, is highly confusing, since these are
> Samba's own SID's, and LDAP is up and running like nothing happened.
>
> [2023/06/11 13:56:01.409003, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
> Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1124) in user token to >
> [2023/06/11 13:56:01.410291, 0] ../../libcli/security/security_token.c:56(security_token_debug)
> Security token SIDs (8):
> SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1124
> SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
> SID[ 2]: S-1-1-0
> SID[ 3]: S-1-5-2
> SID[ 4]: S-1-5-11
> SID[ 5]: S-1-5-64-10
> SID[ 6]: S-1-5-32-554
> SID[ 7]: S-1-5-32-545
> Privileges (0x 800000):
> Privilege[ 0]: SeChangeNotifyPrivilege
> Rights (0x 400):
> Right[ 0]: SeRemoteInteractiveLogonRight
>
> $ ldapsearch -H ldaps://dc2.ads.darkdragon.lan -b 'DC=ads,DC=darkdragon,DC=lan' '(&(objectclass=person)(objectSid=S-1-5-21-2269650170-3990761244-2407083512-1124))'
>
> # pubserver64, Computers, ads.darkdragon.lan
> dn: CN=pubserver64,CN=Computers,DC=ads,DC=darkdragon,DC=lan
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> cn: pubserver64
> instanceType: 4
> whenCreated: 20180218050559.0Z
> uSNCreated: 3347
> name: pubserver64
> objectGUID:: AlKWo+jS8U6NIw1KIFprXg==
> userAccountControl: 69632
> codePage: 0
> countryCode: 0
> primaryGroupID: 515
> objectSid:: AQUAAAAAAAUVAAAA+hxIhxwv3u34LXmPZAQAAA==
> accountExpires: 9223372036854775807
> sAMAccountName: pubserver64$
> sAMAccountType: 805306369
> dNSHostName: pubserver64.ads.darkdragon.lan
> servicePrincipalName: HOST/PUBSERVER64
> servicePrincipalName: HOST/pubserver64.ads.darkdragon.lan
> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ads,DC=darkdragon,DC
> =lan
> isCriticalSystemObject: FALSE
> pwdLastSet: 133276099410000000
> lastLogonTimestamp: 133306092688283500
> whenChanged: 20230607110108.0Z
> uSNChanged: 4520
> lastLogon: 133309569525625780
> logonCount: 531667
> distinguishedName: CN=pubserver64,CN=Computers,DC=ads,DC=darkdragon,DC=lan
>
> Which looks identical comparing to sam.ldb from DC1 backup.
>
>> I don't see any concerns in the smb.conf you post later in the thread,
>> so the normal process is to check the logs, and if no clues at that
>> point turn up the logs until there are clues.
>
> The problem is, I followed the standard operation to the letter, and get the
> results that are far from understandable.
> Either the wiki is lacking necessary steps to perform, or setup is somewhat
> off.
> You said you see no suspicious settings, so I presume the setup is okay at
> least on the first glance.
> So, are the wiki off by a mile then? What is the exact procedure to demote the
> PDC?
> How can I confirm that there are no traces back to the old DC left in the
> database?
> I'm not demanding fast answers, mind you, all I need ATM is some help with
> diagnostics. Some specific help, not just a "look in the logs" kind.
>
>
It easy to explain why SID
S-1-5-21-2269650170-3990761244-2407083512-1124
isn't getting converted into a 'user token' aka UID.
This is because it is a computer, you haven't given it a uidNumber
attribute and you are using the idmap 'ad' backend
Are you getting these errors from users that are not also computers ?
Rowland
More information about the samba
mailing list