[Samba-it] replication problems WERR_DS_DRA_ACCESS_DENIED

Giuseppe Arvati giuseppe.arvati at gmail.com
Mon Nov 26 17:19:42 UTC 2018


On 26/11/2018 15:23, Daniele Piccoli wrote:
> On 23/11/2018 14:47, Giuseppe Arvati wrote:
>> On 23/11/2018 11:14, Daniele Piccoli wrote:
>>> On 23/11/2018 10:59, Giuseppe Arvati wrote:
>>>>>
>>>>> _______________________________________________
>>>>> samba-it mailing list
>>>>> samba-it at lists.samba.org
>>>>> http://lists.samba.org/cgi-bin/mailman/listinfo/samba-it
>>>>>
>>>>
>>>> everything seems ok
>>>>
>>>>
>>>> [root at dc1ucp ~]# host -t A dc1ucp.apam-ad.apam.it.
>>>> dc1ucp.apam-ad.apam.it has address 10.2.2.12
>>>> [root at dc1ucp ~]# host -t A dc1piopp.apam-ad.apam.it.
>>>> dc1piopp.apam-ad.apam.it has address 10.1.1.4
>>>> [root at dc1ucp ~]# host -t A apamfs2.apam-ad.apam.it.
>>>> apamfs2.apam-ad.apam.it has address 10.1.1.2
>>>> [root at dc1ucp ~]# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
>>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>>> # record 1
>>>> dn: CN=NTDS Settings,CN=DC1UCP,CN=Servers,CN=uff-ucp-mn,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
>>>> objectGUID: 3d8598b8-1c3d-4509-b775-d7e1d33c2546
>>>>
>>>> # record 2
>>>> dn: CN=NTDS Settings,CN=DC1PIOPP,CN=Servers,CN=apamsede,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
>>>> objectGUID: 1abf9afd-8882-48a0-8be1-1bd6ebd63898
>>>>
>>>> # record 3
>>>> dn: CN=NTDS Settings,CN=APAMFS2,CN=Servers,CN=apamsede,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
>>>> objectGUID: fa93022c-b204-4f74-bc44-176ab767cf54
>>>>
>>>> # returned 3 records
>>>> # 3 entries
>>>> # 0 referrals
>>>> [root at dc1ucp ~]# host -t CNAME
>>>> fa93022c-b204-4f74-bc44-176ab767cf54._msdcs.apam-ad.apam.it.
>>>> fa93022c-b204-4f74-bc44-176ab767cf54._msdcs.apam-ad.apam.it is an alias
>>>> for apamfs2.apam-ad.apam.it.
>>>> [root at dc1ucp ~]# host -t CNAME
>>>> 1abf9afd-8882-48a0-8be1-1bd6ebd63898._msdcs.apam-ad.apam.it.
>>>> 1abf9afd-8882-48a0-8be1-1bd6ebd63898._msdcs.apam-ad.apam.it is an alias
>>>> for dc1piopp.apam-ad.apam.it.
>>>> [root at dc1ucp ~]# host -t CNAME
>>>> 3d8598b8-1c3d-4509-b775-d7e1d33c2546._msdcs.apam-ad.apam.it.
>>>> 3d8598b8-1c3d-4509-b775-d7e1d33c2546._msdcs.apam-ad.apam.it is an alias
>>>> for DC1UCP.apam-ad.apam.it.
>>>
>>> Ok, did you run the same checks on the DCs of site 1 as well?
>>>
>> no!!
>>
>> I ran the check on site1 right away and everything seems ok
>> site1 (apamsede)
>>     dc1piopp
>>
>>     [root at dc1piopp ~]# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'naclrpc_as_system' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'ntlmssp_resume_ccache' registered
>> GENSEC backend 'http_basic' registered
>> GENSEC backend 'http_ntlm' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> # record 1
>> dn: CN=NTDS Settings,CN=DC1UCP,CN=Servers,CN=uff-ucp-mn,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
>> objectGUID: 3d8598b8-1c3d-4509-b775-d7e1d33c2546
>>
>> # record 2
>> dn: CN=NTDS Settings,CN=DC1PIOPP,CN=Servers,CN=apamsede,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
>> objectGUID: 1abf9afd-8882-48a0-8be1-1bd6ebd63898
>>
>> # record 3
>> dn: CN=NTDS Settings,CN=APAMFS2,CN=Servers,CN=apamsede,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
>> objectGUID: fa93022c-b204-4f74-bc44-176ab767cf54
>>
>> # returned 3 records
>> # 3 entries
>> # 0 referrals
>> [root at dc1piopp ~]# host -t CNAME
>> fa93022c-b204-4f74-bc44-176ab767cf54._msdcs.apam-ad.apam.it.
>> fa93022c-b204-4f74-bc44-176ab767cf54._msdcs.apam-ad.apam.it is an alias
>> for apamfs2.apam-ad.apam.it.
>> [root at dc1piopp ~]# host -t CNAME
>> 1abf9afd-8882-48a0-8be1-1bd6ebd63898._msdcs.apam-ad.apam.it.
>> 1abf9afd-8882-48a0-8be1-1bd6ebd63898._msdcs.apam-ad.apam.it is an alias
>> for dc1piopp.apam-ad.apam.it.
>> [root at dc1piopp ~]# host -t CNAME
>> 3d8598b8-1c3d-4509-b775-d7e1d33c2546._msdcs.apam-ad.apam.it.
>> 3d8598b8-1c3d-4509-b775-d7e1d33c2546._msdcs.apam-ad.apam.it is an alias
>> for DC1UCP.apam-ad.apam.it.
>> [root at dc1piopp ~]# host -t A dc1ucp.apam-ad.apam.it.
>> dc1ucp.apam-ad.apam.it has address 10.2.2.12
>> [root at dc1piopp ~]# host -t A dc1piopp.apam-ad.apam.it.
>> dc1piopp.apam-ad.apam.it has address 10.1.1.4
>> [root at dc1piopp ~]# host -t A apamfs2.apam-ad.apam.it.
>> apamfs2.apam-ad.apam.it has address 10.1.1.2
>>
>>
>> apamfs2
>>
>> [root at apamfs2 ~]# host -t A dc1ucp.apam-ad.apam.it.
>> dc1ucp.apam-ad.apam.it has address 10.2.2.12
>> [root at apamfs2 ~]# host -t A dc1piopp.apam-ad.apam.it.
>> dc1piopp.apam-ad.apam.it has address 10.1.1.4
>> [root at apamfs2 ~]# host -t A apamfs2.apam-ad.apam.it.
>> apamfs2.apam-ad.apam.it has address 10.1.1.2
>>
>> [root at apamfs2 ~]# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
>> # record 1
>> dn: CN=NTDS Settings,CN=DC1UCP,CN=Servers,CN=uff-ucp-mn,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
>> objectGUID: 3d8598b8-1c3d-4509-b775-d7e1d33c2546
>>
>> # record 2
>> dn: CN=NTDS Settings,CN=DC1PIOPP,CN=Servers,CN=apamsede,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
>> objectGUID: 1abf9afd-8882-48a0-8be1-1bd6ebd63898
>>
>> # record 3
>> dn: CN=NTDS Settings,CN=APAMFS2,CN=Servers,CN=apamsede,CN=Sites,CN=Configuration,DC=apam-ad,DC=apam,DC=it
>> objectGUID: fa93022c-b204-4f74-bc44-176ab767cf54
>>
>> # returned 3 records
>> # 3 entries
>> # 0 referrals
>> [root at apamfs2 ~]# host -t CNAME
>> fa93022c-b204-4f74-bc44-176ab767cf54._msdcs.apam-ad.apam.it.
>> fa93022c-b204-4f74-bc44-176ab767cf54._msdcs.apam-ad.apam.it is an alias
>> for apamfs2.apam-ad.apam.it.
>> [root at apamfs2 ~]# host -t CNAME
>> 1abf9afd-8882-48a0-8be1-1bd6ebd63898._msdcs.apam-ad.apam.it.
>> 1abf9afd-8882-48a0-8be1-1bd6ebd63898._msdcs.apam-ad.apam.it is an alias
>> for dc1piopp.apam-ad.apam.it.
>> [root at apamfs2 ~]# host -t CNAME
>> 3d8598b8-1c3d-4509-b775-d7e1d33c2546._msdcs.apam-ad.apam.it.
>> 3d8598b8-1c3d-4509-b775-d7e1d33c2546._msdcs.apam-ad.apam.it is an alias
>> for DC1UCP.apam-ad.apam.it.
>> [root at apamfs2 ~]# ^C
>>
>> Everything seems ok, as in site 2
> 
> Yes, it seems so.
> 
> Have you tried checking whether there are differences between the DCs' LDAP trees?
> 
> samba-tool ldapcmp ldap://srv-dc1 ldap://srv-dc2 -Uadministrator --filter=CN,DC,member CONFIGURATION -v
> 
> Obviously, the DC names must be replaced with your own
> 
>>
>> Giuseppe
>>
> 
> Daniele
> 
> 
Thanks everyone for the support

since the server is not yet live, I will try
to rebuild it. I will (as soon as I have time):
  - do a demote,
  - wipe everything,
  - install 4.7.11,
  - then join the domain again

and let's see what happens

at this point, finding the problem seems
more complicated to me than rebuilding the server

what do you think?

thanks
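
The check run by hand on each DC in this thread (every NTDS Settings objectGUID must have a `<guid>._msdcs` CNAME that points back at the same server) can be scripted; the following is an added example, not part of the original messages. The function names are hypothetical, the sample data is constructed from values quoted in the thread, and it assumes the server CN in the DN equals the first label of the DC's DNS name.

```python
import re

# Constructed sample modelled on the thread's ldbsearch output. LDIF folds long
# lines: a continuation line starts with one space.
SAMPLE_LDIF = """\
# record 1
dn: CN=NTDS Settings,CN=DC1UCP,CN=Servers,CN=uff-ucp-mn,CN=Sites,CN=Configuratio
 n,DC=apam-ad,DC=apam,DC=it
objectGUID: 3d8598b8-1c3d-4509-b775-d7e1d33c2546

# record 2
dn: CN=NTDS Settings,CN=APAMFS2,CN=Servers,CN=apamsede,CN=Sites,CN=Configuration
 ,DC=apam-ad,DC=apam,DC=it
objectGUID: fa93022c-b204-4f74-bc44-176ab767cf54
"""

# Constructed sample: CNAME answers as one DC would return them (name -> target).
SAMPLE_CNAMES = {
    "3d8598b8-1c3d-4509-b775-d7e1d33c2546._msdcs.apam-ad.apam.it": "DC1UCP.apam-ad.apam.it.",
    "fa93022c-b204-4f74-bc44-176ab767cf54._msdcs.apam-ad.apam.it": "apamfs2.apam-ad.apam.it.",
}

def ntds_guids(ldif):
    """Map each server CN to the objectGUID of its NTDS Settings object."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # undo LDIF line folding
    guids = {}
    for record in re.split(r"\n\s*\n", unfolded):
        dn = re.search(r"^dn: CN=NTDS Settings,CN=([^,]+),", record, re.M)
        guid = re.search(r"^objectGUID: ([0-9a-fA-F-]{36})\s*$", record, re.M)
        if dn and guid:
            guids[dn.group(1)] = guid.group(1).lower()
    return guids

def check_replication_dns(ldif, cnames, forest):
    """Return a list of problems; an empty list means the GUID CNAMEs are consistent."""
    # DNS names are case-insensitive and may carry a trailing dot: normalise both sides.
    answers = {k.rstrip(".").lower(): v.rstrip(".").lower() for k, v in cnames.items()}
    problems = []
    for server, guid in sorted(ntds_guids(ldif).items()):
        alias = f"{guid}._msdcs.{forest}".lower()
        target = answers.get(alias)
        if target is None:
            problems.append(f"{server}: no CNAME for {alias}")
        elif target.split(".")[0] != server.lower():
            problems.append(f"{server}: {alias} points to {target}")
    return problems

if __name__ == "__main__":
    print(check_replication_dns(SAMPLE_LDIF, SAMPLE_CNAMES, "apam-ad.apam.it") or "consistent")
```

Running the same comparison with the answers collected on every DC shows whether any one of them sees a different GUID-to-host mapping than the others.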



