[Samba] Unable to contact RPC server on a new DC

Luis Peromarta lperoma at icloud.com
Tue Nov 7 17:47:21 UTC 2023


LP
On Nov 7, 2023 at 18:06 +0100, Andrey Repin via samba <samba at lists.samba.org>, wrote:
>
>
> AD DC configuration:
>
> # Global parameters
> [global]
> auto services = homes
> client ldap sasl wrapping = sign
> dns forwarder = 192.168.1.12
> dos charset = CP866
> logging = systemd
> log level = 1
> netbios name = DC2
> panic action = /usr/share/samba/panic-action %d
> printcap name = /dev/null
> realm = ADS.DARKDRAGON.LAN
> server role = active directory domain controller
> template homedir = /home/%U
> template shell = /bin/bash
> tls enabled = Yes
> tls priority = NORMAL:-VERS-SSL3.0:+VERS-TLS-ALL
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = DARKDRAGON
> idmap config darkdragon : unix_nss_info = yes
> idmap config darkdragon : unix_primary_group = yes
> idmap config darkdragon : range = 2048-131071
> idmap config darkdragon : schema_mode = rfc2307
> idmap config darkdragon : backend = ad
> idmap config * : range = 1024-2047
> idmap config * : schema_mode = rfc2307
> idmap config * : backend = tdb
> idmap_ldb : use rfc2307 = Yes
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = dfs_samba4 acl_xattr
>


• You should not use idmap declarations in a DC. Domain Controllers use idmap.ldb for id-mapping, which is only used on a DC.
• If using ‘ad’ idmap in the AD, you should only use this on the DC:


idmap_ldb:use rfc2307 = yes

• You don’t need all the winbind lines either.
• I think your workgroup name should be ADS, not DARKDRAGON.
• Your template declarations are the default for non-ad idmapping. Login shell and Unix home directory path can be stored in the RFC2307 attributes when using ‘ad’ idmap.


I’d start with a simpler configuration like this:

# Global parameters
[global]
	dns forwarder = 192.168.1.12
	netbios name = DC2
	realm = ADS.DARKDRAGON.LAN
	server role = active directory domain controller
	workgroup = ADS
	idmap_ldb:use rfc2307 = yes


[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	# the netlogon share lives under the lowercase realm of this domain
	path = /var/lib/samba/sysvol/ads.darkdragon.lan/scripts
	read only = No


Regards,
LP
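As an added example (not code from this thread or from the Samba project), the points in the reply above can be turned into a small lint for a DC's smb.conf: it parses the file, flags `idmap config`, `winbind` and `template` lines on a DC, checks the workgroup against the realm's first label (the `samba-tool domain provision` default), checks for `idmap_ldb:use rfc2307 = yes`, and checks the `[netlogon]` path against the realm. The `SAMPLE_BAD` input is a constructed, trimmed version of the quoted config.

```python
import re
def parse_smb_conf(text):
    # Parse smb.conf text into {section: {parameter: value}}; comments and blank lines are skipped.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names ("idmap_ldb : use rfc2307").
            key = re.sub(r"\s+", " ", re.sub(r"\s*:\s*", ":", key.strip().lower()))
            sections[current][key] = value.strip()
    return sections

def lint_dc_config(text):
    """Return findings for an AD DC smb.conf, following the points made in the reply above."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    if g.get("server role", "").lower() != "active directory domain controller":
        return ["server role is not 'active directory domain controller'; DC checks skipped"]
    findings = []
    for key in g:
        if key.startswith("idmap config"):
            findings.append(f"remove '{key}': a DC maps ids with idmap.ldb, not 'idmap config'")
        elif key.startswith(("winbind ", "template ")):
            findings.append(f"'{key}' is not needed on a DC")
    realm = g.get("realm", "").lower()
    if realm and g.get("workgroup", "").lower() != realm.split(".")[0]:
        findings.append(f"workgroup differs from the realm's first label ({realm.split('.')[0].upper()})")
    if g.get("idmap_ldb:use rfc2307", "").lower() != "yes":
        findings.append("set 'idmap_ldb:use rfc2307 = yes' to store Unix attributes in AD")
    # samba-tool provision creates the netlogon share under the lowercase realm.
    expected = f"/var/lib/samba/sysvol/{realm}/scripts"
    if conf.get("netlogon", {}).get("path", expected) != expected:
        findings.append(f"[netlogon] path should be {expected}")
    return findings

# Constructed sample: a trimmed version of the quoted DC config (not a real file).
SAMPLE_BAD = """[global]
\tserver role = active directory domain controller
\trealm = ADS.DARKDRAGON.LAN
\tworkgroup = DARKDRAGON
\tidmap config darkdragon : backend = ad
[netlogon]
\tpath = /var/lib/samba/sysvol/mad.mater.int/scripts
"""
```

Running `lint_dc_config(SAMPLE_BAD)` returns four findings (idmap config, workgroup, missing idmap_ldb setting, netlogon path), while the simpler configuration from the reply returns none.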

