[Samba-it] replication problems WERR_DS_DRA_ACCESS_DENIED

Daniele Piccoli daniele.piccoli at riseup.net
Mon Nov 26 14:23:10 UTC 2018


On 23/11/2018 14:47, Giuseppe Arvati wrote:
> On 23/11/2018 11:14, Daniele Piccoli wrote:
>> On 23/11/2018 10:59, Giuseppe Arvati wrote:
>>>
>>> everything looks ok
>>>
>>>
>>> [root at dc1ucp ~]# host -t A dc1ucp.apam-ad.apam.it.
>>> dc1ucp.apam-ad.apam.it has address 10.2.2.12
>>> [root at dc1ucp ~]# host -t A dc1piopp.apam-ad.apam.it.
>>> dc1piopp.apam-ad.apam.it has address 10.1.1.4
>>> [root at dc1ucp ~]# host -t A apamfs2.apam-ad.apam.it.
>>> apamfs2.apam-ad.apam.it has address 10.1.1.2
>>> [root at dc1ucp ~]# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>> # record 1
>>> dn: CN=NTDS Settings,CN=DC1UCP,CN=Servers,CN=uff-ucp-mn,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
>>> objectGUID: 3d8598b8-1c3d-4509-b775-d7e1d33c2546
>>>
>>> # record 2
>>> dn: CN=NTDS Settings,CN=DC1PIOPP,CN=Servers,CN=apamsede,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
>>> objectGUID: 1abf9afd-8882-48a0-8be1-1bd6ebd63898
>>>
>>> # record 3
>>> dn: CN=NTDS Settings,CN=APAMFS2,CN=Servers,CN=apamsede,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
>>> objectGUID: fa93022c-b204-4f74-bc44-176ab767cf54
>>>
>>> # returned 3 records
>>> # 3 entries
>>> # 0 referrals
>>> [root at dc1ucp ~]# host -t CNAME fa93022c-b204-4f74-bc44-176ab767cf54._msdcs.apam-ad.apam.it.
>>> fa93022c-b204-4f74-bc44-176ab767cf54._msdcs.apam-ad.apam.it is an alias for apamfs2.apam-ad.apam.it.
>>> [root at dc1ucp ~]# host -t CNAME 1abf9afd-8882-48a0-8be1-1bd6ebd63898._msdcs.apam-ad.apam.it.
>>> 1abf9afd-8882-48a0-8be1-1bd6ebd63898._msdcs.apam-ad.apam.it is an alias for dc1piopp.apam-ad.apam.it.
>>> [root at dc1ucp ~]# host -t CNAME 3d8598b8-1c3d-4509-b775-d7e1d33c2546._msdcs.apam-ad.apam.it.
>>> 3d8598b8-1c3d-4509-b775-d7e1d33c2546._msdcs.apam-ad.apam.it is an alias for DC1UCP.apam-ad.apam.it.
>>
>> Ok, did you run the same checks on the DCs of site 1 as well?
>>
> no !!
> 
> I ran the check on site1 right away and everything looks ok
> site1 (apamsede)
>    dc1piopp
> 
>    [root at dc1piopp ~]# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> # record 1
> dn: CN=NTDS Settings,CN=DC1UCP,CN=Servers,CN=uff-ucp-mn,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
> objectGUID: 3d8598b8-1c3d-4509-b775-d7e1d33c2546
> 
> # record 2
> dn: CN=NTDS Settings,CN=DC1PIOPP,CN=Servers,CN=apamsede,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
> objectGUID: 1abf9afd-8882-48a0-8be1-1bd6ebd63898
> 
> # record 3
> dn: CN=NTDS Settings,CN=APAMFS2,CN=Servers,CN=apamsede,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
> objectGUID: fa93022c-b204-4f74-bc44-176ab767cf54
> 
> # returned 3 records
> # 3 entries
> # 0 referrals
> [root at dc1piopp ~]# host -t CNAME fa93022c-b204-4f74-bc44-176ab767cf54._msdcs.apam-ad.apam.it.
> fa93022c-b204-4f74-bc44-176ab767cf54._msdcs.apam-ad.apam.it is an alias for apamfs2.apam-ad.apam.it.
> [root at dc1piopp ~]# host -t CNAME 1abf9afd-8882-48a0-8be1-1bd6ebd63898._msdcs.apam-ad.apam.it.
> 1abf9afd-8882-48a0-8be1-1bd6ebd63898._msdcs.apam-ad.apam.it is an alias for dc1piopp.apam-ad.apam.it.
> [root at dc1piopp ~]# host -t CNAME 3d8598b8-1c3d-4509-b775-d7e1d33c2546._msdcs.apam-ad.apam.it.
> 3d8598b8-1c3d-4509-b775-d7e1d33c2546._msdcs.apam-ad.apam.it is an alias for DC1UCP.apam-ad.apam.it.
> [root at dc1piopp ~]# host -t A dc1ucp.apam-ad.apam.it.
> dc1ucp.apam-ad.apam.it has address 10.2.2.12
> [root at dc1piopp ~]# host -t A dc1piopp.apam-ad.apam.it.
> dc1piopp.apam-ad.apam.it has address 10.1.1.4
> [root at dc1piopp ~]# host -t A apamfs2.apam-ad.apam.it.
> apamfs2.apam-ad.apam.it has address 10.1.1.2
> 
> 
> apamfs2
> 
> [root at apamfs2 ~]# host -t A dc1ucp.apam-ad.apam.it.
> dc1ucp.apam-ad.apam.it has address 10.2.2.12
> [root at apamfs2 ~]# host -t A dc1piopp.apam-ad.apam.it.
> dc1piopp.apam-ad.apam.it has address 10.1.1.4
> [root at apamfs2 ~]# host -t A apamfs2.apam-ad.apam.it.
> apamfs2.apam-ad.apam.it has address 10.1.1.2
> 
> [root at apamfs2 ~]# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
> # record 1
> dn: CN=NTDS Settings,CN=DC1UCP,CN=Servers,CN=uff-ucp-mn,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
> objectGUID: 3d8598b8-1c3d-4509-b775-d7e1d33c2546
> 
> # record 2
> dn: CN=NTDS Settings,CN=DC1PIOPP,CN=Servers,CN=apamsede,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
> objectGUID: 1abf9afd-8882-48a0-8be1-1bd6ebd63898
> 
> # record 3
> dn: CN=NTDS Settings,CN=APAMFS2,CN=Servers,CN=apamsede,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
> objectGUID: fa93022c-b204-4f74-bc44-176ab767cf54
> 
> # returned 3 records
> # 3 entries
> # 0 referrals
> [root at apamfs2 ~]# host -t CNAME fa93022c-b204-4f74-bc44-176ab767cf54._msdcs.apam-ad.apam.it.
> fa93022c-b204-4f74-bc44-176ab767cf54._msdcs.apam-ad.apam.it is an alias for apamfs2.apam-ad.apam.it.
> [root at apamfs2 ~]# host -t CNAME 1abf9afd-8882-48a0-8be1-1bd6ebd63898._msdcs.apam-ad.apam.it.
> 1abf9afd-8882-48a0-8be1-1bd6ebd63898._msdcs.apam-ad.apam.it is an alias for dc1piopp.apam-ad.apam.it.
> [root at apamfs2 ~]# host -t CNAME 3d8598b8-1c3d-4509-b775-d7e1d33c2546._msdcs.apam-ad.apam.it.
> 3d8598b8-1c3d-4509-b775-d7e1d33c2546._msdcs.apam-ad.apam.it is an alias for DC1UCP.apam-ad.apam.it.
> [root at apamfs2 ~]# ^C
> 
> Everything looks ok, as on site 2

Yes, it seems so.

Have you tried checking whether there are differences between the DCs' LDAP trees?

samba-tool ldapcmp ldap://srv-dc1 ldap://srv-dc2 -Uadministrator --filter=CN,DC,member CONFIGURATION -v

Obviously, replace the DC names with your own.

> 
> Giuseppe
> 

Daniele
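
The manual check repeated on each DC in this thread (list the NTDS Settings objectGUIDs, then confirm that each <guid>._msdcs CNAME points at the matching server) can be scripted. This is an added example, not part of the original messages: the function names and the swappable resolver argument are hypothetical, and it assumes ldbsearch folds long LDIF lines with a leading space.

```sh
#!/bin/sh
# Added example, not from the thread. Cross-checks every DC's NTDS Settings
# objectGUID against its <guid>._msdcs.<domain> CNAME record.

# stdin: ldbsearch LDIF. Unfolds continuation lines (leading space) and
# prints "<server> <objectguid>", lower case, per NTDS Settings record.
ntds_guids() {
    awk '
        function emit(   p) {
            if (buf ~ /^dn: CN=NTDS Settings,CN=/) {
                split(buf, p, ","); srv = substr(p[2], 4)
            } else if (buf ~ /^objectGUID: / && srv != "") {
                print tolower(srv), tolower(substr(buf, 13)); srv = ""
            }
        }
        /^ / { buf = buf substr($0, 2); next }
        { emit(); buf = $0 }
        END { emit() }'
}

# Default resolver: CNAME target via host(1), lower case, no trailing dot.
cname_of() {
    host -t CNAME "$1" 2>/dev/null |
        awk '/is an alias for/ { t = tolower($NF); sub(/\.$/, "", t); print t }'
}

# stdin: "<server> <guid>" pairs. $1 = AD DNS domain, $2 = resolver function
# (assumption: swappable so the check can be exercised offline).
# Returns 1 if any CNAME is missing or points at another host.
check_dc_cnames() {
    cdc_rc=0
    while read -r cdc_srv cdc_guid; do
        cdc_got=$("${2:-cname_of}" "$cdc_guid._msdcs.$1")
        if [ "$cdc_got" = "$cdc_srv.$1" ]; then
            echo "OK       $cdc_srv $cdc_guid"
        else
            echo "MISMATCH $cdc_srv $cdc_guid -> ${cdc_got:-no CNAME}"
            cdc_rc=1
        fi
    done
    return "$cdc_rc"
}

# On a DC: sh check_dc_cnames.sh apam-ad.apam.it
if [ -n "${1:-}" ]; then
    ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' \
        --cross-ncs objectguid | ntds_guids | check_dc_cnames "$1"
fi
```

Run it on every DC, as was done by hand above, because each DC may be using a different DNS server.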


