[Samba] Replication problems bdc to pdc

L.P.H. van Belle belle at bazuin.nl
Wed Dec 13 12:31:48 UTC 2017


Hai, 

For both servers: /etc/hosts
127.0.0.1 localhost localhost.localdomain 
Or 
127.0.0.1 localhost
+ the dc's as shown now, that's ok, normally only the DC itself, but it does not hurt if you add both dc's in there.

If you need users/groups on the DC's 
/etc/nsswitch.conf
passwd:         compat winbind 
group:          compat winbind 
For example, if you want to log in with "AD users" on the server with ssh. 

Change the resolving order here too. 
hosts:          files dns mdns4_minimal [NOTFOUND=return]
Or remove avahi-* completely, then check if this is gone : mdns4_minimal [NOTFOUND=return]


Bind DNS is used and you did set : 
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; 
But you forgot: 
/etc/bind/named.conf.local
// adding the dlopen ( Bind DLZ ) module for samba.
include "/var/lib/samba/private/named.conf";


After these changes, first reboot the DC with FSMO roles then the second DC. 

And check your replication again. 


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jiří Knotek via samba
> Sent: Wednesday 13 December 2017 13:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] Replication problems bdc to pdc
> 
> Hallo Louis,
> 
> I am sorry. I forgot to login as a root, I hurried.
> 
> 
> 10.44.1.10 is gateway on destination site, there is not available.
> 
> 
> "Primary" Active Directory Domain Controller: 
> --------------------------------------------------------------
> -----------------------------------------------
> 
> root at ry11citdc:~# bash /home/pi/Ry11/samba-setup-checkup.sh
> Check hostnames : Ok
> Checking detected host ipnumbers from resolv.conf and default gateway
> Ping gateway ip : 10.44.1.1 : Error
> Warning, no ping to gateway, this might be firewalled.
> check you internet connection, AD DNS might need it.
> ping nameserver1: 10.44.1.10 : Ok
> ping nameserver2: 10.44.1.9 : Ok
> Check ping google dns : 8.8.8.8 : Error
> Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
> Check you internet connection, AD DNS might need it.
> Checking file owner..
> -rw-r--r-- pi pi         /etc/samba/smb.conf
> Checking file owner..
> -rw-r--r-- pi pi         /etc/samba/lmhosts
> Checking file owner..
> Missing file /etc/samba/smbpasswd
> drwxr-xr-x root root     /usr/bin
> drwxr-xr-x root root     /var/cache/samba
> drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf
> drwxr-xr-x root root     /var/run/samba
> drwxr-x--- root adm      /var/log/samba
> drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf/samba
> drwxr-xr-x root root     /var/run/samba
> drwxr-xr-x root root     /var/lib/samba/private
> drwxr-xr-x root root     /usr/sbin
> drwxr-xr-x root root     /var/lib/samba
> DCS ry11citdc.ry11cit.lan
> DC1 ry11citdc.ry11cit.lan
> DC2
> Samba AD DC info:             =  detected (command and where to look)
> This server hostname          = ry11citdc (hostname -s and /etc/hosts 
> and DNS server)
> This server FQDN (hostname)   = ry11citdc.ry11cit.lan 
> (hostname -f and 
> /etc/hosts and DNS server)
> This server primary dnsdomain = ry11cit.lan (hostname -d and 
> /etc/resolv.conf and DNS server)
> This server IP address(ses)   = 10.44.1.10  Only one 
> interface detected 
> (hostname -i (-I) and /etc/networking/interfaces and DNS server
> The DC with FSMO roles        = RY11CITDC (samba-tool fsmo show)
> The DC (with FSMO) Site name  = Default-First-Site-Name 
> (samba-tool fsmo 
> show)
> The Default Naming Context    = DC=ry11cit,DC=lan (samba-tool 
> fsmo show)
> The Kerberos REALM name used  = RY11CIT.LAN    (kinit and 
> /etc/krb5.conf 
> and resolving)
> The Ipadres of DC ry11citdc.ry11cit.lan        = 10.44.1.10
> SAMBA_SERVER_ROLE: active directory domain controller
> SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, 
> kdc, drepl, 
> winbindd, ntp_signd, kcc, dnsupdate
> SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, 
> netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, 
> backupkey, dnsserver
> 
> 
> file samba-debug-info.txt:---------------------------------
> 
> Collected config  --- 2017-12-13-13:02 -----------
> 
> Hostname: ry11citdc
> DNS Domain: ry11cit.lan
> FQDN: ry11citdc.ry11cit.lan
> ipaddress: 10.44.1.10
> 
> -----------
> Samba is running as an AD DC
> Checking file: /etc/os-release
> PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
> NAME="Raspbian GNU/Linux"
> VERSION_ID="9"
> VERSION="9 (stretch)"
> ID=raspbian
> ID_LIKE=debian
> HOME_URL="http://www.raspbian.org/"
> SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
> BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
> 
> -----------
> 
> Warning, /etc/devuan_version does not exist
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
> group default qlen 1
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
> state UP group default qlen 1000
>      link/ether b8:27:eb:69:ac:e4 brd ff:ff:ff:ff:ff:ff
>      inet 10.44.1.10/16 brd 10.44.255.255 scope global eth0
> -----------
> Checking file: /etc/hosts
> 127.0.0.1 localhost.localdomain localhost
> 10.44.1.10 ry11citdc.ry11cit.lan ry11citdc
> 10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc
> 
> -----------
> Checking file: /etc/krb5.conf
> [libdefaults]
>      default_realm = RY11CIT.LAN
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
> 
> -----------
> Checking file: /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages 
> installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         compat
> group:          compat
> shadow:         compat
> gshadow:        files
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> -----------
> Checking file: /etc/samba/smb.conf
> # Global parameters
> [global]
>      netbios name = RY11CITDC
>      realm = RY11CIT.LAN
>      server services = -dns
>      workgroup = RY11CIT
>      server role = active directory domain controller
> 
> [netlogon]
>      path = /var/lib/samba/sysvol/ry11cit.lan/scripts
>      read only = No
> 
> [sysvol]
>      path = /var/lib/samba/sysvol
>      read only = No
> 
> -----------
> No username map detected.
> 
> -----------
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
> // This is the primary configuration file for the BIND DNS 
> server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for 
> information on the
> // structure of BIND configuration files in Debian, *BEFORE* 
> you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in 
> /etc/bind/named.conf.local
> 
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
> 
> -----------
> Checking file: /etc/bind/named.conf.options
> options {
>      directory "/var/cache/bind";
> 
>      // If there is a firewall between you and nameservers you want
>      // to talk to, you may need to fix the firewall to allow multiple
>      // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
> 
>      // If your ISP provided one or more IP addresses for stable
>      // nameservers, you probably want to use them as forwarders.
>      // Uncomment the following block, and insert the 
> addresses replacing
>      // the all-0's placeholder.
> 
>      // forwarders {
>      //     0.0.0.0;
>      // };
> 
> //============================================================
> ============
>      // If BIND logs error messages about the root key being expired,
>      // you will need to update your keys.  See 
> https://www.isc.org/bind-keys
> //============================================================
> ============
>      dnssec-validation auto;
> 
>      auth-nxdomain no;    # conform to RFC1035
>      listen-on-v6 { none; };
>      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
> 
> 
> -----------
> Checking file: /etc/bind/named.conf.local
> //
> // Do any local configuration here
> //
> 
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> 
> 
> -----------
> Checking file: /etc/bind/named.conf.default-zones
> // prime the server with knowledge of the root servers
> zone "." {
>      type hint;
>      file "/etc/bind/db.root";
> };
> 
> // be authoritative for the localhost forward and reverse 
> zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
>      type master;
>      file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>      type master;
>      file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>      type master;
>      file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>      type master;
>      file "/etc/bind/db.255";
> };
> 
> 
> 
> -----------
> 
> Installed packages, running: dpkg -l | egrep 
> "samba|winbind|krb5|smb|acl|xattr"
> ii  acl 2.2.52-3                     armhf        Access control list 
> utilities
> ii  krb5-config 2.6                          all          
> Configuration 
> files for Kerberos Version 5
> ii  krb5-user 1.15-1+deb9u1                armhf        basic 
> programs 
> to authenticate using MIT Kerberos
> ii  libacl1:armhf 2.2.52-3                     armhf        Access 
> control list shared library
> ii  libgssapi-krb5-2:armhf 1.15-1+deb9u1                armhf 
>        MIT 
> Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:armhf 1.15-1+deb9u1                armhf        MIT 
> Kerberos runtime libraries
> ii  libkrb5support0:armhf 1.15-1+deb9u1                armhf  
>       MIT 
> Kerberos runtime libraries - Support library
> ii  libsmbclient:armhf 2:4.5.12+dfsg-2+deb9u1       armhf     
>    shared 
> library for communication with SMB/CIFS servers
> ii  libwbclient0:armhf 2:4.5.12+dfsg-2+deb9u1       armhf     
>    Samba 
> winbind client library
> ii  python-samba 2:4.5.12+dfsg-2+deb9u1       armhf        Python 
> bindings for Samba
> ii  samba 2:4.5.12+dfsg-2+deb9u1       armhf        SMB/CIFS file, 
> print, and login server for Unix
> ii  samba-common 2:4.5.12+dfsg-2+deb9u1       all          
> common files 
> used by both the Samba server and client
> ii  samba-common-bin 2:4.5.12+dfsg-2+deb9u1       armhf        Samba 
> common files used by both the server and the client
> ii  samba-dsdb-modules 2:4.5.12+dfsg-2+deb9u1       armhf     
>    Samba 
> Directory Services Database
> ii  samba-libs:armhf 2:4.5.12+dfsg-2+deb9u1       armhf        Samba 
> core libraries
> ii  samba-vfs-modules 2:4.5.12+dfsg-2+deb9u1       armhf        Samba 
> Virtual FileSystem plugins
> ii  smbclient 2:4.5.12+dfsg-2+deb9u1       armhf        command-line 
> SMB/CIFS clients for Unix
> ii  winbind 2:4.5.12+dfsg-2+deb9u1       armhf        service 
> to resolve 
> user and group information from Windows NT servers
> -----------
> 
> 
> 
> 
> "Backup / Standby" Active Directory Domain Controller: 
> --------------------------------------------------------------
> -----------------------------------------------
> 
> root at ry11citsdc:~# bash /home/pi/Ry11/samba-setup-checkup.sh
> Check hostnames : Ok
> Checking detected host ipnumbers from resolv.conf and default gateway
> Ping gateway ip : 10.44.1.1 : Error
> Warning, no ping to gateway, this might be firewalled.
> check you internet connection, AD DNS might need it.
> ping nameserver1: 10.44.1.9 : Ok
> ping nameserver2: 10.44.1.10 : Ok
> Check ping google dns : 8.8.8.8 : Error
> Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
> Check you internet connection, AD DNS might need it.
> Checking file owner..
> -rw-r--r-- pi pi         /etc/samba/smb.conf
> Checking file owner..
> -rw-r--r-- pi pi         /etc/samba/lmhosts
> Checking file owner..
> Missing file /etc/samba/smbpasswd
> drwxr-xr-x root root     /usr/bin
> drwxr-xr-x root root     /var/cache/samba
> drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf
> drwxr-xr-x root root     /var/run/samba
> drwxr-x--- root adm      /var/log/samba
> drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf/samba
> drwxr-xr-x root root     /var/run/samba
> drwxr-xr-x root root     /var/lib/samba/private
> drwxr-xr-x root root     /usr/sbin
> drwxr-xr-x root root     /var/lib/samba
> DCS ry11citsdc.ry11cit.lan
> ry11citdc.ry11cit.lan
> DC1 ry11citsdc.ry11cit.lan
> DC2 ry11citdc.ry11cit.lan
> Samba AD DC info:             =  detected (command and where to look)
> This server hostname          = ry11citsdc (hostname -s and 
> /etc/hosts 
> and DNS server)
> This server FQDN (hostname)   = ry11citsdc.ry11cit.lan 
> (hostname -f and 
> /etc/hosts and DNS server)
> This server primary dnsdomain = ry11cit.lan (hostname -d and 
> /etc/resolv.conf and DNS server)
> This server IP address(ses)   = 10.44.1.9  Only one interface 
> detected 
> (hostname -i (-I) and /etc/networking/interfaces and DNS server
> The DC with FSMO roles        = RY11CITDC (samba-tool fsmo show)
> The DC (with FSMO) Site name  = Default-First-Site-Name 
> (samba-tool fsmo 
> show)
> The Default Naming Context    = DC=ry11cit,DC=lan (samba-tool 
> fsmo show)
> The Kerberos REALM name used  = RY11CIT.LAN    (kinit and 
> /etc/krb5.conf 
> and resolving)
> The Ipadres of DC ry11citsdc.ry11cit.lan        = 10.44.1.9
> The Ipadres of DC ry11citdc.ry11cit.lan        = 10.44.1.10
> SAMBA_SERVER_ROLE: active directory domain controller
> SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, 
> kdc, drepl, 
> winbindd, ntp_signd, kcc, dnsupdate
> SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, 
> netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, 
> backupkey, dnsserver
> root at ry11citsdc:~#
> 
> 
> file samba-debug-info.txt:---------------------------------
> 
> Collected config  --- 2017-12-13-12:45 -----------
> 
> Hostname: ry11citsdc
> DNS Domain: ry11cit.lan
> FQDN: ry11citsdc.ry11cit.lan
> ipaddress: 10.44.1.9
> 
> -----------
> Samba is running as an AD DC
> Checking file: /etc/os-release
> PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
> NAME="Raspbian GNU/Linux"
> VERSION_ID="9"
> VERSION="9 (stretch)"
> ID=raspbian
> ID_LIKE=debian
> HOME_URL="http://www.raspbian.org/"
> SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
> BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
> 
> -----------
> 
> Warning, /etc/devuan_version does not exist
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
> group default qlen 1
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
> state UP group default qlen 1000
>      link/ether b8:27:eb:9d:64:eb brd ff:ff:ff:ff:ff:ff
>      inet 10.44.1.9/16 brd 10.44.255.255 scope global eth0
> 3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc 
> pfifo_fast 
> state DOWN group default qlen 1000
>      link/ether b8:27:eb:c8:31:be brd ff:ff:ff:ff:ff:ff
> -----------
> Checking file: /etc/hosts
> 127.0.0.1 localhost.localdomain localhost
> 10.44.1.10 ry11citdc.ry11cit.lan ry11citdc
> 10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc
> 
> -----------
> Checking file: /etc/krb5.conf
> [libdefaults]
>      default_realm = RY11CIT.LAN
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
> 
> -----------
> Checking file: /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages 
> installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         compat
> group:          compat
> shadow:         compat
> gshadow:        files
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> -----------
> Checking file: /etc/samba/smb.conf
> # Global parameters
> [global]
>      netbios name = RY11CITSDC
>      realm = RY11CIT.LAN
>      server services = -dns
>      workgroup = RY11CIT
>      server role = active directory domain controller
> 
> [netlogon]
>      path = /var/lib/samba/sysvol/ry11cit.lan/scripts
>      read only = No
> 
> [sysvol]
>      path = /var/lib/samba/sysvol
>      read only = No
> 
> -----------
> No username map detected.
> 
> -----------
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
> // This is the primary configuration file for the BIND DNS 
> server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for 
> information on the
> // structure of BIND configuration files in Debian, *BEFORE* 
> you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in 
> /etc/bind/named.conf.local
> 
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
> 
> -----------
> Checking file: /etc/bind/named.conf.options
> options {
>      directory "/var/cache/bind";
> 
>      // If there is a firewall between you and nameservers you want
>      // to talk to, you may need to fix the firewall to allow multiple
>      // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
> 
>      // If your ISP provided one or more IP addresses for stable
>      // nameservers, you probably want to use them as forwarders.
>      // Uncomment the following block, and insert the 
> addresses replacing
>      // the all-0's placeholder.
> 
>      // forwarders {
>      //     0.0.0.0;
>      // };
> 
> //============================================================
> ============
>      // If BIND logs error messages about the root key being expired,
>      // you will need to update your keys.  See 
> https://www.isc.org/bind-keys
> //============================================================
> ============
>      dnssec-validation auto;
> 
>      auth-nxdomain no;    # conform to RFC1035
>      listen-on-v6 { none; };
>      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
> 
> 
> -----------
> Checking file: /etc/bind/named.conf.local
> //
> // Do any local configuration here
> //
> 
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> 
> 
> -----------
> Checking file: /etc/bind/named.conf.default-zones
> // prime the server with knowledge of the root servers
> zone "." {
>      type hint;
>      file "/etc/bind/db.root";
> };
> 
> // be authoritative for the localhost forward and reverse 
> zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
>      type master;
>      file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>      type master;
>      file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>      type master;
>      file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>      type master;
>      file "/etc/bind/db.255";
> };
> 
> 
> 
> -----------
> 
> Installed packages, running: dpkg -l | egrep 
> "samba|winbind|krb5|smb|acl|xattr"
> ii  acl 2.2.52-3                     armhf        Access control list 
> utilities
> ii  krb5-config 2.6                          all          
> Configuration 
> files for Kerberos Version 5
> ii  krb5-user 1.15-1+deb9u1                armhf        basic 
> programs 
> to authenticate using MIT Kerberos
> ii  libacl1:armhf 2.2.52-3                     armhf        Access 
> control list shared library
> ii  libgssapi-krb5-2:armhf 1.15-1+deb9u1                armhf 
>        MIT 
> Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:armhf 1.15-1+deb9u1                armhf        MIT 
> Kerberos runtime libraries
> ii  libkrb5support0:armhf 1.15-1+deb9u1                armhf  
>       MIT 
> Kerberos runtime libraries - Support library
> ii  libsmbclient:armhf 2:4.5.12+dfsg-2+deb9u1       armhf     
>    shared 
> library for communication with SMB/CIFS servers
> ii  libwbclient0:armhf 2:4.5.12+dfsg-2+deb9u1       armhf     
>    Samba 
> winbind client library
> ii  python-samba 2:4.5.12+dfsg-2+deb9u1       armhf        Python 
> bindings for Samba
> ii  samba 2:4.5.12+dfsg-2+deb9u1       armhf        SMB/CIFS file, 
> print, and login server for Unix
> ii  samba-common 2:4.5.12+dfsg-2+deb9u1       all          
> common files 
> used by both the Samba server and client
> ii  samba-common-bin 2:4.5.12+dfsg-2+deb9u1       armhf        Samba 
> common files used by both the server and the client
> ii  samba-dsdb-modules 2:4.5.12+dfsg-2+deb9u1       armhf     
>    Samba 
> Directory Services Database
> ii  samba-libs:armhf 2:4.5.12+dfsg-2+deb9u1       armhf        Samba 
> core libraries
> ii  samba-vfs-modules 2:4.5.12+dfsg-2+deb9u1       armhf        Samba 
> Virtual FileSystem plugins
> ii  smbclient 2:4.5.12+dfsg-2+deb9u1       armhf        command-line 
> SMB/CIFS clients for Unix
> ii  winbind 2:4.5.12+dfsg-2+deb9u1       armhf        service 
> to resolve 
> user and group information from Windows NT servers
> -----------
> 
> 
> On 13. 12. 2017 12:05, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > Both script where missing "run as root".
> > I've update the github versions.
> >
> > Can you run that these again, but as root or with sudo.
> > And post the content again.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jiří Knotek via samba
> >> Sent: Wednesday 13 December 2017 11:36
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Replication problems bdc to pdc
> >>
> >> Hallo Louis,
> >>
> >>       thanks for the response.
> >>
> >> Yes, change on ry11citsdc, now hostname -d works correctly.
> >> Somewhere I
> >> saw the opposite entry. Thanks for the repair. 
> Samba-setup-checkup.sh
> >> follows:----------------------------------------------------
> >>
> 
> ....
> 
> >> Thanks Jiri Knotek
> >>
> >>
> >> On 13. 12. 2017 10:52, L.P.H. van Belle via samba wrote:
> >>> Ow and..
> >>>
> >>> Your hosts files are incorrect.
> >>> Layout should be :
> >>> ip 	hostname.fqdn hostname
> >>>
> >>> So this should be :
> >>>> 10.44.1.10  ry11citdc.ry11cit.lan ry11citdc
> >>>> 10.44.1.9   ry11citsdc.ry11cit.lan ry11citsdc
> >>> Reboot both servers after the change.
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle via samba
> >>>> Sent: Wednesday 13 December 2017 10:41
> >>>> To: samba at lists.samba.org
> >>>> CC: Jiří Knotek
> >>>> Subject: Re: [Samba] Replication problems bdc to pdc
> >>>>
> >>>> Great you use my script :-)
> >>>> Now we know something is wrong, run this one.
> >>>>
> >>>> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> >>>> And post the content to the list, that helps a lot.
> >>>>
> >>>> Greetz,
> >>>>
> >>>> Louis
> >>>>
> >>>>    
> >>>>
> >>>>> -----Original message-----
> >>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jiří Knotek via samba
> >>>>> Sent: Wednesday 13 December 2017 10:14
> >>>>> To: samba at lists.samba.org
> >>>>> Subject: Re: [Samba] Replication problems bdc to pdc
> >>>>>
> >>>>> Hello Rowland,
> >>>>>
> >>>>>        thank you for advice. I reconfigure both AC-DCs again
> >>>>> with new data
> >>>>> and send updated data. Unfortunately, the result is the same.
> >>>>> I'm also
> >>>>> sending a listing from
> >>>>>
> >>>>> samba-setup-checkup.sh.
> >>>>>
> >>>>>     * Linux: Raspbian, debian stretch lite
> >>>>>     * Samba version 4.5.12-Debian
> >>>>>     * DNS: BIND9_DLZ 9.10.x
> >>>>>     * Installed packages: ntp ntpdate samba smbclient winbind
> >>>> libcups2
> >>>>> samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user
> >>>>>
> >>>>> *root at ry11citdc:/home/pi/Ry11# samba-tool drs replicate 
> ry11citsdc
> >>>>> ry11citdc dc=ry11cit,dc=lan*
> >>>>> Replicate from ry11citdc to ry11citsdc was successful.
> >>>>>
> >>>>> *root at ry11citdc:/home/pi/Ry11# samba-tool drs replicate 
> ry11citdc
> >>>>> ry11citsdc dc=ry11cit,dc=lan*
> >>>>> ERROR(<class 'samba.drs_utils.drsException'>):
> >>>> DsReplicaSync failed -
> >>>>> drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
> >>>>>      File
> >>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
> >>>>> 368, in run
> >>>>>        drs_utils.sendDsReplicaSync(server_bind, 
> server_bind_handle,
> >>>>> source_dsa_guid, NC, req_options)
> >>>>>      File
> >>>>> "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83,
> >>>>> in sendDsReplicaSync
> >>>>>        raise drsException("DsReplicaSync failed %s" % estr)
> >>>>>
> >>>>>
> >>>>> *root at ry11citdc:/home/pi/Ry11# bash samba-setup-checkup.sh*
> >>>>> Check hostnames : Mismatch in hostname definitions
> >>>>> please check :
> >>>>> HOST_NAME_SHORT: ry11citdc
> >>>>> HOST_NAME_DOMAIN:
> >>>>> HOST_NAME_FQDN: ry11citdc
> >>>>> HOST_IP1: 10.44.1.10
> >>>>> HOST_IP2: Only one interface detected
> >>>>> HOST_GATEWAY: 10.44.1.1
> >>>>> HOST_PRIMARY_INTERFACE: 10.44.1.1
> >>>>> eth0
> >>>>> HOST_RESOLV_DOMAIN: domain ry11cit.lan
> >>>>> HOST_RESOLV_SEARCH: search ry11cit.lan
> >>>>> HOST_RESOLV_NAMESERV1: 10.44.1.10
> >>>>> HOST_RESOLV_NAMESERV2: 10.44.1.9
> >>>>> HOST_RESOLV_NAMESERV3:
> >>>>> Possible error detected in /etc/hosts, mismatch FQDN and
> >>>> detected IP
> >>>>> 10.44.1.10 for the host.
> >>>>> expected was : 10.44.1.10 ry11citdc ry11citdc
> >>>>> Checking detected host ipnumbers from resolv.conf and
> >>>> default gateway
> >>>>> Ping gateway ip : 10.44.1.1 : Error
> >>>>> ping nameserver1: 10.44.1.10 : Ok
> >>>>> ping nameserver2: 10.44.1.9 : Ok
> >>>>> Check ping google dns : 8.8.8.8 : Error
> >>>>> Checking file owner..
> >>>>> -rw-r--r-- pi pi         /etc/samba/smb.conf
> >>>>> Checking file owner..
> >>>>> -rw-r--r-- pi pi         /etc/samba/lmhosts
> >>>>> Checking file owner..
> >>>>> Missing file /etc/samba/smbpasswd
> >>>>> drwxr-xr-x root root     /usr/bin
> >>>>> drwxr-xr-x root root     /var/cache/samba
> >>>>> drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf
> >>>>> drwxr-xr-x root root     /var/run/samba
> >>>>> drwxr-x--- root adm      /var/log/samba
> >>>>> drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf/samba
> >>>>> drwxr-xr-x root root     /var/run/samba
> >>>>> drwxr-xr-x root root     /var/lib/samba/private
> >>>>> drwxr-xr-x root root     /usr/sbin
> >>>>> drwxr-xr-x root root     /var/lib/samba
> >>>>> DCS 2(SERVFAIL
> >>>>> DC1 2(SERVFAIL
> >>>>> DC2
> >>>>> ERROR: Invalid IP address '2(SERVFAIL'!
> >>>>> Samba AD DC info:             =  detected (command and
> >>>> where to look)
> >>>>> This server hostname          = ry11citdc (hostname -s and
> >>>> /etc/hosts
> >>>>> and DNS server)
> >>>>> This server FQDN (hostname)   = ry11citdc (hostname -f and
> >>>> /etc/hosts
> >>>>> and DNS server)
> >>>>> This server primary dnsdomain =  (hostname -d and
> >>>>> /etc/resolv.conf and
> >>>>> DNS server)
> >>>>> This server IP address(ses)   = 10.44.1.10  Only one
> >>>>> interface detected
> >>>>> (hostname -i (-I) and /etc/networking/interfaces and DNS server
> >>>>> The DC with FSMO roles        = RY11CITDC (samba-tool fsmo show)
> >>>>> The DC (with FSMO) Site name  = Default-First-Site-Name
> >>>>> (samba-tool fsmo
> >>>>> show)
> >>>>> The Default Naming Context    = DC=ry11cit,DC=lan (samba-tool
> >>>>> fsmo show)
> >>>>> The Kerberos REALM name used  = RY11CIT.LAN    (kinit and
> >>>>> /etc/krb5.conf
> >>>>> and resolving)
> >>>>> The Ipadres of DC 2(SERVFAIL        = 2(SERVFAIL)
> >>>>> SAMBA_SERVER_ROLE: active directory domain controller
> >>>>> SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap,
> >>>>> kdc, drepl,
> >>>>> winbindd, ntp_signd, kcc, dnsupdate
> >>>>> SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr,
> >>>>> netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, 
> eventlog6,
> >>>>> backupkey, dnsserver
> >>>>>
> >>>>>
> >>>>> *I did not come to the way the hostname -d command would
> >> return the
> >>>>> domain name. How can I do that? In addition, there are
> >>>> host, lmhost,
> >>>>> resolv.conf, and so on**
> >>>>> *
> >>>>>
> >>>>> Please help, I don't know the advice.
> >>>>>
> >>>>> System integrator Jiří Knotek
> >>>>>
> >>>>>
> >>>>> "Primary" Active Directory Domain
> >>>>> Controller:----------------------------------------------------
> >>>>> -----------------------------------------------
> >>>>>
> >>>>> --------------------------------------------------------------
> >>>>> --------------------------------------------------------------
> >>>>> -------------------------
> >>>>>
> >>>>>
> >>>>> hostname:-----------------
> >>>>> ry11citdc.ry11cit.lan
> >>>>>
> >>>>> hosts:---------------
> >>>>> 127.0.0.1    localhost localhost.localdomain
> >>>>> 10.44.1.10    ry11citdc ry11citdc.ry11cit.lan
> >>>>> 10.44.1.9     ry11citsdc ry11citsdc.ry11cit.lan
> >>>>>
> >>>>> resolv.conf.head:-------------------
> >>>>> domain ry11cit.lan
> >>>>> search ry11cit.lan
> >>>>>
> >>>>> systemctl.conf"--------------------
> >>>>> net.ipv4.ip_forward=1
> >>>>> net.ipv6.conf.all.disable_ipv6=1
> >>>>>
> >>>>>
> >>>>>
> >>>>> krb5.conf:------------
> >>>>>
> >>>>> [libdefaults]
> >>>>>        default_realm = RY11CIT.LAN
> >>>>>        dns_lookup_realm = false
> >>>>>        dns_lookup_kdc = true
> >>>>>
> >>>>> named.conf:------------------------
> >>>>>
> >>>>> include "/etc/bind/named.conf.options";
> >>>>> include "/etc/bind/named.conf.local";
> >>>>> include "/etc/bind/named.conf.default-zones";
> >>>>> include "/var/lib/samba/private/named.conf";
> >>>>>
> >>>>> named.conf.options:-----------------------
> >>>>>
> >>>>> options {
> >>>>>        directory "/var/cache/bind";
> >>>>>
> >>>>>        dnssec-validation auto;
> >>>>>
> >>>>>        auth-nxdomain no;    # conform to RFC1035
> >>>>>        listen-on-v6 { none; };
> >>>>>        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> >>>>> };
> >>>>>
> >>>>> lmhost:--------------------------
> >>>>> 127.0.0.1   localhost
> >>>>> 10.44.1.10  ry11citdc
> >>>>> 10.44.1.9   ry11citsdc
> >>>>>
> >>>>> smb.conf:------------------------------
> >>>>>
> >>>>> # Global parameters
> >>>>> [global]
> >>>>>        netbios name = RY11CITDC
> >>>>>        realm = RY11CIT.LAN
> >>>>>        server services = -dns
> >>>>>        workgroup = RY11CIT
> >>>>>        server role = active directory domain controller
> >>>>>
> >>>>> [netlogon]
> >>>>>        path = /var/lib/samba/sysvol/ry11cit.lan/scripts
> >>>>>        read only = No
> >>>>>
> >>>>> [sysvol]
> >>>>>        path = /var/lib/samba/sysvol
> >>>>>        read only = No
> >>>>>
> >>>>> Samba Provision---------------:
> >>>>>
> >>>>>        samba-tool domain provision --realm=RY11CIT.LAN
> >>>> --domain=RY11CIT
> >>>>> --server-role=dc --dns-backend=BIND9_DLZ --adminpass='.....'
> >>>>>
> >>>>> "Backup / Standby" Active Directory Domain
> >>>>> Controller:----------------------------------------------------
> >>>>> -----------------------------------------------
> >>>>>
> >>>>>
> >>>>> --------------------------------------------------------------
> >>>>> --------------------------------------------------------------
> >>>>> -------------------------
> >>>>>
> >>>>>
> >>>>> hostname:-----------------
> >>>>> ry11citsdc.ry11cit.lan
> >>>>>
> >>>>> hosts:---------------
> >>>>> 127.0.0.1    localhost localhost.localdomain
> >>>>> 10.44.1.10    ry11citdc ry11citdc.ry11cit.lan
> >>>>> 10.44.1.9     ry11citsdc ry11citsdc.ry11cit.lan
> >>>>>
> >>>>> resolv.conf.head:-------------------
> >>>>> domain ry11cit.lan
> >>>>> search ry11cit.lan
> >>>>>
> >>>>> systemctl.conf"--------------------
> >>>>> net.ipv4.ip_forward=1
> >>>>> net.ipv6.conf.all.disable_ipv6=1
> >>>>>
> >>>>>
> >>>>>
> >>>>> krb5.conf:------------
> >>>>>
> >>>>> [libdefaults]
> >>>>>        default_realm = RY11CIT.LAN
> >>>>>        dns_lookup_realm = false
> >>>>>        dns_lookup_kdc = true
> >>>>>
> >>>>> named.conf:------------------------
> >>>>>
> >>>>> include "/etc/bind/named.conf.options";
> >>>>> include "/etc/bind/named.conf.local";
> >>>>> include "/etc/bind/named.conf.default-zones";
> >>>>> include "/var/lib/samba/private/named.conf";
> >>>>>
> >>>>> named.conf.options:-----------------------
> >>>>>
> >>>>> options {
> >>>>>        directory "/var/cache/bind";
> >>>>>
> >>>>>        dnssec-validation auto;
> >>>>>
> >>>>>        auth-nxdomain no;    # conform to RFC1035
> >>>>>        listen-on-v6 { none; };
> >>>>>        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> >>>>> };
> >>>>>
> >>>>> lmhost:--------------------------
> >>>>> 127.0.0.1   localhost
> >>>>> 10.44.1.10  ry11citdc
> >>>>> 10.44.1.9   ry11citsdc
> >>>>>
> >>>>> smb.conf:------------------------------
> >>>>>
> >>>>> # Global parameters
> >>>>> [global]
> >>>>>        netbios name = RY11CITSDC
> >>>>>        realm = RY11CIT.LAN
> >>>>>        server services = -dns
> >>>>>        workgroup = RY11CIT
> >>>>>        server role = active directory domain controller
> >>>>>
> >>>>> [netlogon]
> >>>>>        path = /var/lib/samba/sysvol/ry11cit.lan/scripts
> >>>>>        read only = No
> >>>>>
> >>>>> [sysvol]
> >>>>>        path = /var/lib/samba/sysvol
> >>>>>        read only = No
> >>>>>
> >>>>> Samba join---------------:
> >>>>>
> >>>>>           samba-tool domain join RY11CIT DC -Uadministrator
> >>>>> --realm=RY11CIT.LAN --dns-backend=BIND9_DLZ --adminpass='.....'
> >>>>>
> >>>>>
> >>>>> Thanks Jiri Knotek
> >>>>>
> >>>>>
> >>>>> -- 
> >>>>> To unsubscribe from this list go to the following URL 
> and read the
> >>>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>>
> >>>>>
> >> -- 
> >>
> >> *Ing. Jiří Knotek*
> >> programmer
> >>
> >> *GEMA s.r.o. Automatizace technologických procesů*
> >>
> >> Doubravice 13, Pardubice 19, 53353
> >> Tel: +420604570127
> >> E-mail: jiri.knotek at gemapce.cz <mailto:jiri.knotek at gemapce.cz>
> >> Web:www.gemapce.cz <http://www.gemapce.cz/>
> >>
> >>
> >
> 
> -- 
> 
> *Ing. Jiří Knotek*
> programmer
> 
> *GEMA s.r.o. Automatizace technologických procesů*
> 
> Doubravice 13, Pardubice 19, 53353
> Tel: +420604570127
> E-mail: jiri.knotek at gemapce.cz <mailto:jiri.knotek at gemapce.cz>
> Web:www.gemapce.cz <http://www.gemapce.cz/>
> 
> 
> 
> 
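The checks below are an added example, not part of the original thread or of the scripts it mentions. They test the three settings the reply at the top asks for: the "ip hostname.fqdn hostname" layout in /etc/hosts, dns ahead of mdns4_minimal in nsswitch.conf, and an active include of the Samba named.conf in the BIND configuration. Function names are hypothetical and the sample files are constructed, using the host names and addresses quoted in the thread.

```bash
#!/bin/bash
# Added example. Function names are hypothetical; this is not
# samba-setup-checkup.sh. Host names and addresses are those quoted in the thread.

# check_hosts_layout FILE SHORTNAME: succeeds when the first non-loopback line
# naming SHORTNAME reads "IP SHORTNAME.domain SHORTNAME" (FQDN before short name).
check_hosts_layout() {
    awk -v h="$2" '
        NF == 0 || $1 ~ /^#/ { next }              # blank lines and comments
        $1 ~ /^127\./ || $1 == "::1" { next }      # loopback entries
        {
            hit = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break               # trailing comment
                if ($i == h || index($i, h ".") == 1) hit = 1
            }
            if (!hit) next                         # line is about another host
            found = 1
            ok = (index($2, h ".") == 1 && $3 == h)
            exit
        }
        END { exit ((found && ok) ? 0 : 1) }
    ' "$1"
}

# check_nsswitch_hosts FILE: succeeds when the hosts: line lists dns and no
# mdns* source comes before it (the order given in the reply).
check_nsswitch_hosts() {
    awk '
        $1 == "hosts:" {
            seen = 1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break
                if ($i == "dns" && !dns) dns = i
                if ($i ~ /^mdns/ && !mdns) mdns = i
            }
        }
        END { exit ((seen && dns && (!mdns || dns < mdns)) ? 0 : 1) }
    ' "$1"
}

# check_dlz_include FILE...: succeeds when one FILE has an active (not // or #
# commented) include of the Samba-generated BIND DLZ configuration.
check_dlz_include() {
    grep -Eqs '^[[:space:]]*include[[:space:]]+"/var/lib/samba/private/named\.conf"[[:space:]]*;' "$@"
}

# audit_dc ROOT SHORTNAME: run the checks on the files under ROOT, print one
# line per check, return the number of failed checks.
audit_dc() {
    audit_failed=0
    if check_hosts_layout "$1/etc/hosts" "$2"; then
        echo "hosts    : ok"
    else
        echo "hosts    : expected 'ip $2.<domain> $2'"
        audit_failed=$((audit_failed + 1))
    fi
    if check_nsswitch_hosts "$1/etc/nsswitch.conf"; then
        echo "nsswitch : ok"
    else
        echo "nsswitch : put dns before mdns4_minimal on the hosts: line"
        audit_failed=$((audit_failed + 1))
    fi
    if check_dlz_include "$1/etc/bind/named.conf" "$1/etc/bind/named.conf.local"; then
        echo "bind dlz : ok"
    else
        echo "bind dlz : no active include of /var/lib/samba/private/named.conf"
        audit_failed=$((audit_failed + 1))
    fi
    return "$audit_failed"
}

# make_sample_tree DIR: constructed sample files (short name before FQDN,
# mdns before dns, Samba include present only as a comment).
make_sample_tree() {
    mkdir -p "$1/etc/bind"
    printf '%s\n' '127.0.0.1 localhost' \
        '10.44.1.10 ry11citdc ry11citdc.ry11cit.lan' \
        '10.44.1.9 ry11citsdc ry11citsdc.ry11cit.lan' > "$1/etc/hosts"
    printf '%s\n' 'passwd:         compat' \
        'hosts:          files mdns4_minimal [NOTFOUND=return] dns' > "$1/etc/nsswitch.conf"
    printf '%s\n' 'include "/etc/bind/named.conf.local";' > "$1/etc/bind/named.conf"
    printf '%s\n' '// Do any local configuration here' \
        '// include "/var/lib/samba/private/named.conf";' > "$1/etc/bind/named.conf.local"
}

# Demo on the constructed tree: prints three findings and "failed checks: 3".
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
audit_dc "$demo_dir" ry11citdc || echo "failed checks: $?"
rm -rf "$demo_dir"
```

On a live DC, `audit_dc "" "$(hostname -s)"` runs the same checks against the real /etc files.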



