[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server

Alex Crow acrow at integrafin.co.uk
Sun Aug 14 22:17:57 UTC 2016 


On 14/08/16 22:14, Rowland Penny via samba wrote:
> On Sun, 14 Aug 2016 21:52:43 +0100
> Alex Crow via samba <samba at lists.samba.org> wrote:
>
>>> I am fairly sure this is your problem, it should be able to find the
>>> KDC on its own DC. Have you checked /etc/krb5.conf, /etc/hosts
>>> and /etc/resolv.conf ?
>> With the BIND server not running, and this krb5.conf:
>>
>> [libdefaults]
>>         default_realm = SAMBA.IFA.NET
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>> ~                           
>>
>> samba_dnsupdate cannot find the KDC. Even if I add:
>>
>> [realms]
>>     SAMBA4.IFA.NET {
>>     kdc= 172.31.0.10
>> }
>>
> Well, I don't think you can find the KDC if the DNS server isn't
> running, you could try changing 'dns_lookup_kdc = true' to false 
I think I tried that, but I'm not 100% sure. I tried a lot of things to
get back on track.

>
>> it still complains about not finding a KDC and does not complete.
>>
>> Oddly if I can use the output to figure out the DNS entries I need to
>> add, so I thought "ah, cool, I'll use samba-tool dns" to add them back
>> in. To my great surprise, when I try to add each entry that
>> samba_dnsupdate says is missing, samba-tool tells me it already
>> exists!!
> OK, try running:
>
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb --cross-ncs
> --show-binary
>
> replace nano with your favourite editor and
> '/usr/local/samba/private/sam.ldb' with the path to your sam.ldb.
>
> You should now be able to search the entire AD and see if your entries
> do exist.

I did had a quick look with ldbedit before this last email. There were
indeed a number of DNS nodes but perhaps as I didn't use "

--show-binary

"

I was missing something.

Cheers

Alex


--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).

More information about the samba mailing list