[Samba] showrepl is showing a deleted connexion

[MORILLO Jordi]

> Hi Jordi,
> How is it going up there in Normandie?

Hi Denis :-) not so bad even if it's a raining day (as usual in Normandie :-) )
I will reply to your brother's mail soon, i'll  copied you in

> KCC does not remove existing outdated kcc objects by itself (or didn't, if it has been changed in more recent versions). I had a chat with Douglas about this a while back. However it should remove your repsfrom/repsto attribute, unless you messed up the thing (I did once). 
> I also had in the past repsfrom/repsto pointing to deleted NTDSDSA entries with the \0ADEL string.

Hum... so if it sould remove repsfrom/repsto attribute, there is a problem in my ldap attribute. I have to play more with samba_kcc debug options and perhaps i should have a look to source code

> Before asking samba_kcc to buildup the connexions, you have to define the sites, put the DC in the correct site, remove the site from de default_ip_link, and set up a link for each remote site to main site. 
> Actually the bridge head thing does not seem necessary to get the thing working. With such a configuration, samba_kcc does build only the necessary connexions, and by reading you post, it seems that you did it properly, so that sounds good.

Yes I've done all this things, sounds good

> If you still have spurious repsfrom/repsto, I don't know if there is another way to get rid it other than ldbedit'ing... By the way, did you check in the _msdcs DNS zone that you don't have leftover CNAME entries of your old servers?

_msdcs DNS zone is clean. Ok for playing with ldbedit but i'm always scared to hack samba'ldb directly on production. I will try to install a test environment for playing a bit more

> In order to finish the setup, be sure to setup the subnet properly in order for all windows to contact their nearest DCs. After having created the sites, double check that all the _kerberos/_ldap entries under _sites  are properly created in the DNS server (sometime, they aren't). 
> After, you can check on a windows desktop at different site that it knows on which site it is located in the windows registry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> , check the value DynamicSiteName, and on a cmd.exe check the env variable LOGONSERVER

I always check DNS entries after DC domain join, DNS are essential's parts of Active Directory engine, isn't it ? :-)
As wiki's says (https://wiki.samba.org/index.php/Active_Directory_Sites), there's also "nltest /dsgetsite" and "nltest /dsgetdc:samdom" great commands


> Another hint: if you set up a star topology where remote sites cannot see each others (especially if you have DROP/no_ip_unreachable firewall rules), then you have also to be careful that during the process of joining a new DC, the join process reads /etc/krb5.conf file and tries to contact all the DC that are >referenced, and thus if you use DNS SRV records to resolv kdc addresses, it will try to contact all the servers. 
>In that case, you have to specify manually the kdc in that /etc/krb5.conf file and not rely on the automatic DNS discovery.

Yes i'm in a star topology but no firewall/restriction about dc's talking to each other (VPN fully routed). Star topology permits to save bandwitdh on small adsl connection (even if ldap's exchange are low).
When DC's domain join, i'm using --server for pointing bridge head DC

> Another corner case is that when having more than 40-50 kdc in the domain, you may encounter another bug with /etc/krb5.conf file with automatic KDC discovery through DNS SRV records, it looks like it is just too much for libkrb5. In that case, you should also disable DNS automatic kerberos discovery and >specify a few useful kdc addresses in the krb5.conf file by hand.

I'll put it away in a corner of my brain. We do not planned to have more than 20 KDC. Maybe in 15 years if activity will grow inordinatly

Have a nice week, and happy new year for all your team :-)