[Samba] problem after replacing a Win2K3 AD

Guido Lorenzutti guido at lorenzutti.com.ar
Sun Jul 30 22:09:44 UTC 2017


  

On Sun, 30 Jul 2017 13:13:17 -0300, Guido Lorenzutti wrote:

> On Fri, 28 Jul 2017 09:43:04 +0100, Rowland Penny via samba wrote:
>
>> On Thu, 27 Jul 2017 20:57:41 -0300
>> Guido Lorenzutti via samba wrote:
>>
>>> Researching a little more I found this:
>>>
>>> Checking object @ROOTDSE
>>> Please use --fix to fix these errors
>>> Checked 358 objects (240 errors)
>>>
>>> How can I see what value is going to be fixed? Tnxs in advance.
>>
>> You could try adding '-v' to the command, or just add '--fix' and
>> you will be asked to confirm each and every one, but most people just
>> add '--fix --yes' and get everything fixed and don't care what they
>> are fixing.
>>
>> Rowland
>
> Well.. it didn't work: I ran...
> 
> root@dc:~# samba-tool dbcheck --fix --yes | tail
> Fix nTSecurityDescriptor on CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local? [YES]
> Fixed attribute 'nTSecurityDescriptor' of 'CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local'
>
> Fix nTSecurityDescriptor on CN=Operadores de configuración de red,CN=Builtin,DC=Trust,DC=local? [YES]
> Fixed attribute 'nTSecurityDescriptor' of 'CN=Operadores de configuración de red,CN=Builtin,DC=Trust,DC=local'
>
> Fix nTSecurityDescriptor on CN=PC108,CN=Computers,DC=Trust,DC=local? [YES]
> Fixed attribute 'nTSecurityDescriptor' of 'CN=PC108,CN=Computers,DC=Trust,DC=local'
>
> Checked 358 objects (240 errors)
>
> root@dc:~# samba-tool dbcheck | tail
> Not fixing nTSecurityDescriptor on CN=6bcd567f-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local
>
> Not fixing nTSecurityDescriptor on CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local
>
> Not fixing nTSecurityDescriptor on CN=Operadores de configuración de red,CN=Builtin,DC=Trust,DC=local
>
> Not fixing nTSecurityDescriptor on CN=PC108,CN=Computers,DC=Trust,DC=local
>
> Please use --fix to fix these errors
> Checked 358 objects (240 errors)
> 
> The errors are still there.. and I found another problem:
>
> root@dc:~# samba_dnsupdate --verbose --all-names
> IPs: ['192.168.0.12']
> force update: A dc.Trust.local 192.168.0.12
> force update: A Trust.local 192.168.0.12
> force update: SRV _ldap._tcp.Trust.local dc.Trust.local 389
> force update: SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389
> force update: SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389
> force update: SRV _kerberos._tcp.Trust.local dc.Trust.local 88
> force update: SRV _kerberos._udp.Trust.local dc.Trust.local 88
> force update: SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88
> force update: SRV _kpasswd._tcp.Trust.local dc.Trust.local 464
> force update: SRV _kpasswd._udp.Trust.local dc.Trust.local 464
> force update: CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local
> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389
> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389
> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88
> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88
> force update: SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389
> force update: A gc._msdcs.Trust.local 192.168.0.12
> force update: SRV _gc._tcp.Trust.local dc.Trust.local 3268
> force update: SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268
> force update: SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268
> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268
> need delete: A dc.Trust.local 192.168.0.66
> need delete: A Trust.local 192.168.0.66
> need delete: A gc._msdcs.Trust.local 192.168.0.66
> 21 DNS updates and 3 DNS deletes needed
> Traceback (most recent call last):
>   File "/usr/sbin/samba_dnsupdate", line 784, in <module>
>     creds = get_credentials(lp)
>   File "/usr/sbin/samba_dnsupdate", line 169, in get_credentials
>     raise e
> RuntimeError: kinit for DC$@TRUST.LOCAL failed (Cannot contact any KDC for requested realm)
> 
> But, if I add an IP alias to my dc, of the old and dead win2k3 (192.168.0.66), the output is this:
>
> root@dc:~# samba_dnsupdate --verbose --all-names
> IPs: ['192.168.0.12', '192.168.0.66']
> force update: A dc.Trust.local 192.168.0.12
> force update: A Trust.local 192.168.0.12
> force update: SRV _ldap._tcp.Trust.local dc.Trust.local 389
> force update: SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389
> force update: SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389
> force update: SRV _kerberos._tcp.Trust.local dc.Trust.local 88
> force update: SRV _kerberos._udp.Trust.local dc.Trust.local 88
> force update: SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88
> force update: SRV _kpasswd._tcp.Trust.local dc.Trust.local 464
> force update: SRV _kpasswd._udp.Trust.local dc.Trust.local 464
> force update: CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local
> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389
> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389
> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88
> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88
> force update: SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389
> force update: A gc._msdcs.Trust.local 192.168.0.12
> force update: SRV _gc._tcp.Trust.local dc.Trust.local 3268
> force update: SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268
> force update: SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268
> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268
> force update: A dc.Trust.local 192.168.0.66
> force update: A Trust.local 192.168.0.66
> force update: A gc._msdcs.Trust.local 192.168.0.66
> 24 DNS updates and 0 DNS deletes needed
> Successfully obtained Kerberos ticket to DNS/serveribm.trust.local as DC$
> update(nsupdate): A dc.Trust.local 192.168.0.12
> Calling nsupdate for A dc.Trust.local 192.168.0.12 (add)
> Failed nsupdate: A dc.Trust.local 192.168.0.12 : [Errno 2] No such file or directory
> update(nsupdate): A Trust.local 192.168.0.12
> Calling nsupdate for A Trust.local 192.168.0.12 (add)
> Failed nsupdate: A Trust.local 192.168.0.12 : [Errno 2] No such file or directory
> update(nsupdate): SRV _ldap._tcp.Trust.local dc.Trust.local 389
> Calling nsupdate for SRV _ldap._tcp.Trust.local dc.Trust.local 389 (add)
> Failed nsupdate: SRV _ldap._tcp.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> update(nsupdate): SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389
> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389 (add)
> Failed nsupdate: SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> update(nsupdate): SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389
> Calling nsupdate for SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389 (add)
> Failed nsupdate: SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> update(nsupdate): SRV _kerberos._tcp.Trust.local dc.Trust.local 88
> Calling nsupdate for SRV _kerberos._tcp.Trust.local dc.Trust.local 88 (add)
> Failed nsupdate: SRV _kerberos._tcp.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> update(nsupdate): SRV _kerberos._udp.Trust.local dc.Trust.local 88
> Calling nsupdate for SRV _kerberos._udp.Trust.local dc.Trust.local 88 (add)
> Failed nsupdate: SRV _kerberos._udp.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> update(nsupdate): SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88
> Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88 (add)
> Failed nsupdate: SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> update(nsupdate): SRV _kpasswd._tcp.Trust.local dc.Trust.local 464
> Calling nsupdate for SRV _kpasswd._tcp.Trust.local dc.Trust.local 464 (add)
> Failed nsupdate: SRV _kpasswd._tcp.Trust.local dc.Trust.local 464 : [Errno 2] No such file or directory
> update(nsupdate): SRV _kpasswd._udp.Trust.local dc.Trust.local 464
> Calling nsupdate for SRV _kpasswd._udp.Trust.local dc.Trust.local 464 (add)
> Failed nsupdate: SRV _kpasswd._udp.Trust.local dc.Trust.local 464 : [Errno 2] No such file or directory
> update(nsupdate): CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local
> Calling nsupdate for CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local (add)
> Failed nsupdate: CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local : [Errno 2] No such file or directory
> update(nsupdate): SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389
> Calling nsupdate for SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389 (add)
> Failed nsupdate: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> update(nsupdate): SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389
> Calling nsupdate for SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389 (add)
> Failed nsupdate: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> update(nsupdate): SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88
> Calling nsupdate for SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88 (add)
> Failed nsupdate: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> update(nsupdate): SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88
> Calling nsupdate for SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88 (add)
> Failed nsupdate: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> update(nsupdate): SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389
> Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389 (add)
> Failed nsupdate: SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> update(nsupdate): A gc._msdcs.Trust.local 192.168.0.12
> Calling nsupdate for A gc._msdcs.Trust.local 192.168.0.12 (add)
> Failed nsupdate: A gc._msdcs.Trust.local 192.168.0.12 : [Errno 2] No such file or directory
> update(nsupdate): SRV _gc._tcp.Trust.local dc.Trust.local 3268
> Calling nsupdate for SRV _gc._tcp.Trust.local dc.Trust.local 3268 (add)
> Failed nsupdate: SRV _gc._tcp.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
> update(nsupdate): SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268
> Calling nsupdate for SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268 (add)
> Failed nsupdate: SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
> update(nsupdate): SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268
> Calling nsupdate for SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268 (add)
> Failed nsupdate: SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
> update(nsupdate): SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268
> Calling nsupdate for SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268 (add)
> Failed nsupdate: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
> update(nsupdate): A dc.Trust.local 192.168.0.66
> Calling nsupdate for A dc.Trust.local 192.168.0.66 (add)
> Failed nsupdate: A dc.Trust.local 192.168.0.66 : [Errno 2] No such file or directory
> update(nsupdate): A Trust.local 192.168.0.66
> Calling nsupdate for A Trust.local 192.168.0.66 (add)
> Failed nsupdate: A Trust.local 192.168.0.66 : [Errno 2] No such file or directory
> update(nsupdate): A gc._msdcs.Trust.local 192.168.0.66
> Calling nsupdate for A gc._msdcs.Trust.local 192.168.0.66 (add)
> Failed nsupdate: A gc._msdcs.Trust.local 192.168.0.66 : [Errno 2] No such file or directory
> Failed update of 24 entries
>
> Tnxs in advance.

Well.. still doing some tests I found more evidence that the samba-tool domain
"samba-tool domain demote --remove-other-dead-server=" didn't work as
expected.

If I query the internal dns I find the records of the old domain controller:

root@dc:~# samba-tool dns query dc.trust.local trust.local serveribm.trust.local A -U administrador
Password for [TRUST\administrador]:
  Name=, Records=1, Children=0
    A: 192.168.0.66 (flags=f0, serial=1478, ttl=3600)

And if I ask for the _ldap._tcp.trust.local record it points to the old domain controller.

# dig -t SRV _ldap._tcp.trust.local

; <<>> DiG 9.10.3-P4-Debian <<>> -t SRV _ldap._tcp.trust.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER
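
Added example (not part of the original post and not Samba code): a small Python parser for `samba_dnsupdate --verbose` output like that quoted above. It lists the records marked `need delete`, which here are the addresses left over from the old DC, and counts the distinct `Failed nsupdate` reasons. The sample lines are constructed in the format shown in the post, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in the format of the output quoted above (not a real capture).
SAMPLE = """\
IPs: ['192.168.0.12']
force update: A dc.Trust.local 192.168.0.12
force update: SRV _ldap._tcp.Trust.local dc.Trust.local 389
need delete: A dc.Trust.local 192.168.0.66
need delete: A gc._msdcs.Trust.local 192.168.0.66
2 DNS updates and 2 DNS deletes needed
Calling nsupdate for A dc.Trust.local 192.168.0.12 (add)
Failed nsupdate: A dc.Trust.local 192.168.0.12 : [Errno 2] No such file or directory
Failed nsupdate: SRV _ldap._tcp.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
"""

# Only the two plan prefixes that appear in the post are recognised.
PLAN = re.compile(r"^(force update|need delete): (\S+) (\S+) (.+)$")
FAIL = re.compile(r"^Failed nsupdate: (\S+) (\S+) (.+?) : (.+)$")
IPS = re.compile(r"^IPs: \[(.*)\]$")


def summarize(text):
    """Hypothetical helper: condense samba_dnsupdate --verbose output."""
    local_ips, plan, failures = set(), [], []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted lines
        if m := IPS.match(line):
            local_ips = set(re.findall(r"'([^']+)'", m.group(1)))
        elif m := PLAN.match(line):
            plan.append(m.groups())      # (action, type, name, data)
        elif m := FAIL.match(line):
            failures.append(m.groups())  # (type, name, data, reason)
    # Records the tool wants removed: their data is not served by this host.
    stale = sorted({(name, data) for action, _t, name, data in plan
                    if action == "need delete"})
    return {
        "local_ips": local_ips,
        "planned": Counter(action for action, *_ in plan),
        "stale": stale,
        "failure_reasons": dict(Counter(reason for *_, reason in failures)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, "=", value)
```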
