[Samba] Removing a domain controller help needed

Daniele Dario d.dario76 at gmail.com
Fri Oct 11 01:26:50 MDT 2013

On Fri, 2013-10-11 at 16:00 +1300, Andrew Bartlett wrote:
> On Fri, 2013-09-13 at 09:10 +0200, christophe wrote:
> > Hi, 
> > 
> > First guys, I'd like to congratulate you. Samba 4 is really a cool product.
> > 
> > I have a little problem though.
> > 
> > The context:
> > 
> > I have a Samba4 AD DC working perfectly on a virtual machine.
> > For testing purposes I joined another Samba4 AD DC to the domain I had
> > provisioned and it worked perfectly, but my second DC VM was deleted with no
> > means to get it back.
> > 
> > I now have a problem on my first DC, as the second DC still shows up in the
> > RSAT console, NTDSUTIL, DNS and also samba-tool drs showrepl.
> > It seems to be impossible to delete it completely.
> > 
> > 
> > I know if I were on a Windows DC I'd simply have gone for forced deletion
> > then metadata cleanup.
> > But I don't have a Windows DC.
> > 
> > Is there a way I can permanently remove all connections to my disappeared
> > second DC from the AD just using the tools provided with Samba 4?
> Can you use the ADUC tools to do it? 
> Yes, we are aware this isn't ideal, and patches to samba-tool are
> welcome. 
> > Other question:
> > 
> > I use ISC-DHCP-SERVER with SAMBA_Internal DNS.
> > 
> > Is there a way to have it updating records?
> > From the DNS console, it seems I can't allow for unsecure updates
> Currently this is controlled from the smb.conf, not DNS console. 
> But unsecure updates are a really bad idea.  Other folks have done this
> with GSS-TSIG and an external script, and it would be really neat to
> also support shared-key TSIG, but that requires work.  Patches are very
> welcome (the shared 128 bit key can be stored in or generated from the
> unicodePwd). 
> Andrew Bartlett

I post this to the samba list:

As Christophe, I'm trying to find a way to get records updated and I
found this "howto"
http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ but I'm not able to get it working properly.
Mainly the script would find the old record, delete it and add the new
one, but as stated in my comment on the blog it fails due to a TSIG
error / TKEY is unacceptable.

The last comment on the blog says:

Just a hint for someone else who stumbles across the same problem, if
you’re using Samba 4 as an AD DC, then kinit with the keytab created in
the script instructions above won’t work as samba4 doesn’t seem to like
the encryption type. Use
-e arcfour-hmac-md5 with the addent command instead.

The first script posted on the blog states

# keytab can be generated using
# $ ktutil
# ktutil: addent -password -p dhcpduser at EXAMPLE.COM -k 1 -e
# Password for dhcpduser at EXAMPLE.COM:
# ktutil: wkt dhcpduser.keytab
# ktutil: quit

but next changes in 

Using samba AD DC I used
# keytab can be generated using the Samba4 tool:
# samba-tool domain exportkeytab /etc/dhcpd/dhcpduser.keytab

and klist -k dhcpduser.keytab -e shows
Keytab name: WRFILE:/etc/dhcp/dhcpduser.keytab
KVNO Principal
   1 dhcpduser at SAITEL.LOC (DES cbc mode with CRC-32) 
   1 dhcpduser at SAITEL.LOC (DES cbc mode with RSA-MD5) 
   1 dhcpduser at SAITEL.LOC (ArcFour with HMAC/md5) 

so it seems that the keytab contains the arcfour-hmac-md5 encryption.

Can someone put some light on this?
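An added check (not from this post or the blog it cites): parse the output of `klist -k -e` for one principal and report which encryption types the keytab actually carries, so you can confirm the arcfour-hmac-md5 entry the blog comment asks for is present and spot the single-DES entries before pointing the DHCP update script at the keytab. The sample listing and the `dhcpduser@EXAMPLE.COM` principal below are constructed, not real output.

```shell
# Constructed sample of `klist -k -e` output, modelled on the listing in the post.
sample_klist_output() {
  cat <<'EOF'
Keytab name: FILE:/etc/dhcp/dhcpduser.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dhcpduser@EXAMPLE.COM (DES cbc mode with CRC-32)
   1 dhcpduser@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   1 dhcpduser@EXAMPLE.COM (ArcFour with HMAC/md5)
EOF
}

# keytab_enctypes PRINCIPAL  (reads klist -k -e output on stdin)
# Prints the encryption type name of every entry for PRINCIPAL, one per line.
# klist prints "KVNO PRINCIPAL (ENCTYPE)", so the principal is field 2 and the
# enctype is the text inside the trailing parentheses.
keytab_enctypes() {
  awk -v p="$1" '
    $2 == p {
      s = index($0, "(")
      if (s > 0) print substr($0, s + 1, length($0) - s - 1)
    }'
}

# keytab_has_enctype PRINCIPAL PATTERN  (reads klist output on stdin)
# Succeeds when PRINCIPAL has an entry whose enctype matches PATTERN (case-insensitive),
# e.g. "arcfour" for the RC4-HMAC entry the blog comment says Samba 4 needs.
keytab_has_enctype() {
  keytab_enctypes "$1" | grep -qi -- "$2"
}

# keytab_weak_enctypes PRINCIPAL  (reads klist output on stdin)
# Prints single-DES entries for PRINCIPAL; these are deprecated and should not be
# relied on (MIT Kerberos refuses them unless allow_weak_crypto is enabled).
# "Triple DES ..." lines do not start with "DES", so they are not flagged.
keytab_weak_enctypes() {
  keytab_enctypes "$1" | grep -i '^DES cbc' || true
}

# Usage against a real keytab:
#   klist -k -e /etc/dhcp/dhcpduser.keytab | keytab_has_enctype dhcpduser@EXAMPLE.COM arcfour \
#     && echo "RC4-HMAC entry present"
```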
