[Samba] Provisioning new AD Domain Controller

Mark Foley mfoley at novatec-inc.com
Thu Jan 18 19:51:30 UTC 2024


On Thu Jan 18 14:11:45 2024 Sonic <sonicsmith at gmail.com> wrote:
>
> hosts file? stale dns records?

I listed my hosts file in my first message:

127.0.0.1               localhost
192.168.1.60             mail.hprs.local mail

Since I had provisioned initially with the SAMBA_INTERNAL DNS backend, and
therefore Samba manages DNS, I thought perhaps there was a "stale dns", so I
went ahead and entered the old PW for administrator and got:

Password for [administrator at HPRS.LOCL]:
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:192.168.1.60[49153,sign,target_hostname=mail,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.1.60] NT_STATUS_LOGON_FAILURE
ERROR: Connecting to DNS RPC server mail failed with (3221225581, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')

I tried again specifying the -U parameter:

# samba-tool dns zonelist mail -U administrator
Password for [HPRS\administrator]:
  2 zone(s) found

  pszZoneName                 : hprs.local
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : DomainDnsZones.hprs.local

  pszZoneName                 : _msdcs.hprs.local
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : ForestDnsZones.hprs.local

That apparently worked, giving the correct, new hprs.local. But why did the query default to
administrator at HPRS.LOCL, and when I specified -U, why did it use HPRS.LOCAL?

I think there is something messed up no matter what. Who knows what will bite me
if I push forward with some aspect of the DC remembering hprs.locl.

Time to wipe and reinstall Linux!

--Mark

> On Thu, Jan 18, 2024 at 2:07 PM Mark Foley via samba
> <samba at lists.samba.org> wrote:
> >
> > On Thu Jan 18 00:51:16 2024 Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > Because of issues described in thread "Joining Windows 10 Domain Member to Samba
> > > AD/DC", I'm trying to re-provision my DC with the current/old domain name
> > > mail.hprs.local instead of the newer, more correct dc1.hprs.locl.
> > >
> > > I've followed the steps in
> > >
> > > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> > >
> > > regarding "Only Applicable if Samba was Previously Installed". For the directory
> > > list:
> > >
> > > # smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
> > >    LOCKDIR: /var/cache/samba
> > >    STATEDIR: /var/lib/samba
> > >    CACHEDIR: /var/cache/samba
> > >    PRIVATE_DIR: /var/lib/samba/private
> > >
> > > I did 'rm -r /var/cache/samba* /var/lib/samba/*'. I then did the provision step
> > > again:
> > >
> > > samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCAL --domain=HPRS \
> > >   --server-role=dc --dns-backend=SAMBA_INTERNAL --option=interfaces="lo eth0" \
> > >   --option="bind interfaces only=yes" --adminpass=pw
> > >
> > > However, when I got to the 'samba-tool dns zonelist' step, I got:
> > >
> > > Password for [administrator at HPRS.LOCL]:
> > >
> > > Notice that it is asking for the supposedly purged realm HPRS.LOCL. There must
> > > be more that needs to be removed other than just those egrep'ed directories.
> > >
> > > /etc/hosts is:
> > >
> > > 127.0.0.1               localhost
> > > 192.168.1.60             mail.hprs.local mail
> > >
> > > /etc/HOSTNAME is:
> > >
> > > mail.hprs.local
> > >
> > > The generated smb.conf is:
> > >
> > > # Global parameters
> > > [global]
> > >         bind interfaces only = Yes
> > >         dns forwarder = 192.168.1.1
> > >         interfaces = lo eth0
> > >         netbios name = MAIL
> > >         realm = HPRS.LOCAL
> > >         server role = active directory domain controller
> > >         workgroup = HPRS
> > >         idmap_ldb:use rfc2307 = yes
> > >
> > > [sysvol]
> > >         path = /var/lib/samba/sysvol
> > >         read only = No
> > >
> > > [netlogon]
> > >         path = /var/lib/samba/sysvol/hprs.local/scripts
> > >         read only = No
> > >
> > >
> > > There are no other .tdb or .ldb files on the drive.
> > >
> > > Where is this old realm name lurking, why is it associated with the
> > > Administrator and how do I purge it and any remaining such vestigial
> > > references without scratch-installing Linux?
> > >
> > > Thanks --Mark
> >
> > After again removing all .tdb and .ldb files, and grepping the whole /etc
> > directory for any files containing hprs.locl -- and not finding any -- and
> > reprovisioning again, I still get:
> >
> > # samba-tool dns zonelist mail
> > Password for [administrator at HPRS.LOCL]:
> >
> > So the previous domain name is still lurking somewhere, but not findable or
> > killable by me.
> >
> > As no one has replied to this question, I'm going to go ahead and wipe the drive
> > and reinstall Linux from scratch. That should eliminate any references to
> > HPRS.LOCL.
> >
> > --Mark
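On the question in the thread above of where an old realm name can survive a re-provision, here is an added example (not code from the thread or from the Samba project): it searches for the old realm case-insensitively, since a case-sensitive grep for hprs.locl misses HPRS.LOCL, and compares the realm in smb.conf with default_realm in krb5.conf, two places a stale value commonly lingers alongside an existing Kerberos ticket cache that klist would show. The file tree it searches is constructed sample data, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a host for leftovers of an old
# Kerberos realm after re-provisioning a Samba AD DC. The old realm name and
# the directories to search are arguments; demo() builds a constructed temp
# tree so nothing on the real system is read or changed.

# List regular files under the given directories that mention the realm,
# case-insensitively (grep -i) and literally (grep -F), skipping binaries (-I).
find_realm_refs() {
    realm="$1"; shift
    grep -rIilF -- "$realm" "$@" 2>/dev/null | sort
}

# Print the value of "key = value" from an INI-style file (smb.conf, krb5.conf).
ini_value() {
    awk -v k="$2" -F= '$1 ~ "^[ \t]*"k"[ \t]*$" {
        gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }' "$1"
}

# Compare smb.conf "realm" with krb5.conf "default_realm"; return 1 on mismatch.
# A stale default_realm (or a stale ticket cache, see klist/kdestroy) is a
# plausible source of a default principal in the wrong realm.
check_realms() {
    smb=$(ini_value "$1" realm | tr a-z A-Z)
    krb=$(ini_value "$2" default_realm | tr a-z A-Z)
    if [ "$smb" = "$krb" ]; then
        echo "ok: smb.conf realm and krb5.conf default_realm both $smb"; return 0
    fi
    echo "MISMATCH: smb.conf realm=$smb krb5.conf default_realm=$krb"; return 1
}

# Constructed sample tree: correct realm in smb.conf, stale realm in krb5.conf.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/samba" "$d/var/lib/samba/private"
    printf '[global]\n\trealm = HPRS.LOCAL\n\tworkgroup = HPRS\n' > "$d/etc/samba/smb.conf"
    printf '[libdefaults]\n\tdefault_realm = HPRS.LOCL\n' > "$d/etc/krb5.conf"
    echo "Files still mentioning HPRS.LOCL:"
    find_realm_refs hprs.locl "$d/etc" "$d/var/lib/samba"
    check_realms "$d/etc/samba/smb.conf" "$d/etc/krb5.conf"
    rm -rf "$d"
}

demo
```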