[Samba] problem after replacing a Win2K3 AD

Guido Lorenzutti guido at lorenzutti.com.ar
Sun Jul 30 22:56:37 UTC 2017


  

On Sun, 30 Jul 2017 19:09:44 -0300, Guido Lorenzutti wrote:

> On Sun, 30 Jul 2017 13:13:17 -0300, Guido Lorenzutti wrote:
>
>> On Fri, 28 Jul 2017 09:43:04 +0100, Rowland Penny via samba wrote:
>>
>>> On Thu, 27 Jul 2017 20:57:41 -0300
>>> Guido Lorenzutti via samba wrote:
>>>
>>>> Researching a little more I found this: Checking object
>>>> @ROOTDSE Please use --fix to fix these errors Checked 358 objects (240
>>>> errors) How can I see what value is going to be fixed ? Tnxs in
>>>> advance.
>>>
>>> You could try adding '-v' to the command, or just add '--fix' and
>>> you will be asked to confirm each and every one, but most people just
>>> add '--fix --yes' and get everything fixed and don't care what they
>>> are fixing.
>>>
>>> Rowland
>>
>> Well.. it didn't work: I ran...
>>
>> root@dc:~# samba-tool dbcheck --fix --yes | tail
>> Fix nTSecurityDescriptor on CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local? [YES]
>> Fixed attribute 'nTSecurityDescriptor' of 'CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local'
>>
>> Fix nTSecurityDescriptor on CN=Operadores de configuración de red,CN=Builtin,DC=Trust,DC=local? [YES]
>> Fixed attribute 'nTSecurityDescriptor' of 'CN=Operadores de configuración de red,CN=Builtin,DC=Trust,DC=local'
>>
>> Fix nTSecurityDescriptor on CN=PC108,CN=Computers,DC=Trust,DC=local? [YES]
>> Fixed attribute 'nTSecurityDescriptor' of 'CN=PC108,CN=Computers,DC=Trust,DC=local'
>>
>> Checked 358 objects (240 errors)
>>
>> root@dc:~# samba-tool dbcheck | tail
>> Not fixing nTSecurityDescriptor on CN=6bcd567f-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local
>>
>> Not fixing nTSecurityDescriptor on CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local
>>
>> Not fixing nTSecurityDescriptor on CN=Operadores de configuración de red,CN=Builtin,DC=Trust,DC=local
>>
>> Not fixing nTSecurityDescriptor on CN=PC108,CN=Computers,DC=Trust,DC=local
>>
>> Please use --fix to fix these errors
>> Checked 358 objects (240 errors)
>>
>> The errors are still there.. and I found another problem:
>>
>> root@dc:~# samba_dnsupdate --verbose --all-names
>> IPs: ['192.168.0.12']
>> force update: A dc.Trust.local 192.168.0.12
>> force update: A Trust.local 192.168.0.12
>> force update: SRV _ldap._tcp.Trust.local dc.Trust.local 389
>> force update: SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389
>> force update: SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389
>> force update: SRV _kerberos._tcp.Trust.local dc.Trust.local 88
>> force update: SRV _kerberos._udp.Trust.local dc.Trust.local 88
>> force update: SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88
>> force update: SRV _kpasswd._tcp.Trust.local dc.Trust.local 464
>> force update: SRV _kpasswd._udp.Trust.local dc.Trust.local 464
>> force update: CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local
>> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389
>> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389
>> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88
>> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88
>> force update: SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389
>> force update: A gc._msdcs.Trust.local 192.168.0.12
>> force update: SRV _gc._tcp.Trust.local dc.Trust.local 3268
>> force update: SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268
>> force update: SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268
>> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268
>> need delete: A dc.Trust.local 192.168.0.66
>> need delete: A Trust.local 192.168.0.66
>> need delete: A gc._msdcs.Trust.local 192.168.0.66
>> 21 DNS updates and 3 DNS deletes needed
>> Traceback (most recent call last):
>> File "/usr/sbin/samba_dnsupdate", line 784, in 
>> creds = get_credentials(lp)
>> File "/usr/sbin/samba_dnsupdate", line 169, in get_credentials
>> raise e
>> RuntimeError: kinit for DC$@TRUST.LOCAL failed (Cannot contact any KDC for requested realm)
>>
>> But, if I add an ip alias to my dc, of the old and dead win2k3 (192.168.0.66) the output is this:
>>
>> root@dc:~# samba_dnsupdate --verbose --all-names
>> IPs: ['192.168.0.12', '192.168.0.66']
>> force update: A dc.Trust.local 192.168.0.12
>> force update: A Trust.local 192.168.0.12
>> force update: SRV _ldap._tcp.Trust.local dc.Trust.local 389
>> force update: SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389
>> force update: SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389
>> force update: SRV _kerberos._tcp.Trust.local dc.Trust.local 88
>> force update: SRV _kerberos._udp.Trust.local dc.Trust.local 88
>> force update: SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88
>> force update: SRV _kpasswd._tcp.Trust.local dc.Trust.local 464
>> force update: SRV _kpasswd._udp.Trust.local dc.Trust.local 464
>> force update: CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local
>> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389
>> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389
>> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88
>> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88
>> force update: SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389
>> force update: A gc._msdcs.Trust.local 192.168.0.12
>> force update: SRV _gc._tcp.Trust.local dc.Trust.local 3268
>> force update: SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268
>> force update: SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268
>> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268
>> force update: A dc.Trust.local 192.168.0.66
>> force update: A Trust.local 192.168.0.66
>> force update: A gc._msdcs.Trust.local 192.168.0.66
>> 24 DNS updates and 0 DNS deletes needed
>> Successfully obtained Kerberos ticket to DNS/serveribm.trust.local as DC$
>> update(nsupdate): A dc.Trust.local 192.168.0.12
>> Calling nsupdate for A dc.Trust.local 192.168.0.12 (add)
>> Failed nsupdate: A dc.Trust.local 192.168.0.12 : [Errno 2] No such file or directory
>> update(nsupdate): A Trust.local 192.168.0.12
>> Calling nsupdate for A Trust.local 192.168.0.12 (add)
>> Failed nsupdate: A Trust.local 192.168.0.12 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _ldap._tcp.Trust.local dc.Trust.local 389
>> Calling nsupdate for SRV _ldap._tcp.Trust.local dc.Trust.local 389 (add)
>> Failed nsupdate: SRV _ldap._tcp.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389
>> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389 (add)
>> Failed nsupdate: SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389
>> Calling nsupdate for SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389 (add)
>> Failed nsupdate: SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _kerberos._tcp.Trust.local dc.Trust.local 88
>> Calling nsupdate for SRV _kerberos._tcp.Trust.local dc.Trust.local 88 (add)
>> Failed nsupdate: SRV _kerberos._tcp.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _kerberos._udp.Trust.local dc.Trust.local 88
>> Calling nsupdate for SRV _kerberos._udp.Trust.local dc.Trust.local 88 (add)
>> Failed nsupdate: SRV _kerberos._udp.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88
>> Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88 (add)
>> Failed nsupdate: SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _kpasswd._tcp.Trust.local dc.Trust.local 464
>> Calling nsupdate for SRV _kpasswd._tcp.Trust.local dc.Trust.local 464 (add)
>> Failed nsupdate: SRV _kpasswd._tcp.Trust.local dc.Trust.local 464 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _kpasswd._udp.Trust.local dc.Trust.local 464
>> Calling nsupdate for SRV _kpasswd._udp.Trust.local dc.Trust.local 464 (add)
>> Failed nsupdate: SRV _kpasswd._udp.Trust.local dc.Trust.local 464 : [Errno 2] No such file or directory
>> update(nsupdate): CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local
>> Calling nsupdate for CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local (add)
>> Failed nsupdate: CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local : [Errno 2] No such file or directory
>> update(nsupdate): SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389
>> Calling nsupdate for SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389 (add)
>> Failed nsupdate: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389
>> Calling nsupdate for SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389 (add)
>> Failed nsupdate: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88
>> Calling nsupdate for SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88 (add)
>> Failed nsupdate: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88
>> Calling nsupdate for SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88 (add)
>> Failed nsupdate: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389
>> Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389 (add)
>> Failed nsupdate: SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
>> update(nsupdate): A gc._msdcs.Trust.local 192.168.0.12
>> Calling nsupdate for A gc._msdcs.Trust.local 192.168.0.12 (add)
>> Failed nsupdate: A gc._msdcs.Trust.local 192.168.0.12 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _gc._tcp.Trust.local dc.Trust.local 3268
>> Calling nsupdate for SRV _gc._tcp.Trust.local dc.Trust.local 3268 (add)
>> Failed nsupdate: SRV _gc._tcp.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268
>> Calling nsupdate for SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268 (add)
>> Failed nsupdate: SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268
>> Calling nsupdate for SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268 (add)
>> Failed nsupdate: SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
>> update(nsupdate): SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268
>> Calling nsupdate for SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268 (add)
>> Failed nsupdate: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
>> update(nsupdate): A dc.Trust.local 192.168.0.66
>> Calling nsupdate for A dc.Trust.local 192.168.0.66 (add)
>> Failed nsupdate: A dc.Trust.local 192.168.0.66 : [Errno 2] No such file or directory
>> update(nsupdate): A Trust.local 192.168.0.66
>> Calling nsupdate for A Trust.local 192.168.0.66 (add)
>> Failed nsupdate: A Trust.local 192.168.0.66 : [Errno 2] No such file or directory
>> update(nsupdate): A gc._msdcs.Trust.local 192.168.0.66
>> Calling nsupdate for A gc._msdcs.Trust.local 192.168.0.66 (add)
>> Failed nsupdate: A gc._msdcs.Trust.local 192.168.0.66 : [Errno 2] No such file or directory
>> Failed update of 24 entries
>>
>> Tnxs in advance.
>
> Well.. still doing some test I found more evidence that the samba-tool domain "samba-tool domain demote --remove-other-dead-server=" didn't work as expected.
>
> If I query the internal dns I found the records of the old domain controller:
>
> root@dc:~# samba-tool dns query dc.trust.local trust.local serveribm.trust.local A -U administrador
> Password for [TRUSTadministrador]:
> Name=, Records=1, Children=0
> A: 192.168.0.66 (flags=f0, serial=1478, ttl=3600)
>
> And if I ask for the _ldap._tcp.trust.local record it points to the old domain controller.
>
> # dig -t SRV _ldap._tcp.trust.local
>
> ; DiG 9.10.3-P4-Debian -t SRV _ldap._tcp.trust.local
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER

I forgot to mention that I did try to update the dns with no luck:

# samba-tool dns update dc trust.local _ldap._tcp.trust.local SRV serveribm.trust.local "dc.trust.local 389 0 100" -U administrador
Password for [TRUSTadministrador]:
ERROR: Data requires 4 elements - server, port, priority, weight

If I do this:

samba-tool dns update dc trust.local _ldap._tcp.trust.local SRV serveribm.trust.local dc.trust.local -U administrador

The samba-tool doesn't even ask me for the password, it only gives me this error:

ERROR: Data requires 4 elements - server, port, priority, weight

But I'm providing all the required elements.

Also, this doesn't work:

# samba-tool dns query dc trust.local * ALL -U administrador

Usage: samba-tool dns query    [options]

My idea was to list all of the records on the trust.local zone.
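
An added example, not part of the original post and not Samba's code: a Python sketch that splits the two posted `samba-tool dns update` lines the way the shell does and applies the four-element rule from the error text to both data arguments. It assumes the argument order `<server> <zone> <name> <type> <olddata> <newdata>`; the names `check_srv_data` and `diagnose_update` and the old-record values in `CONSTRUCTED_OK` are made up for illustration.

```python
import shlex

SRV_FIELDS = ("server", "port", "priority", "weight")

def check_srv_data(data):
    """Return None when data is 'server port priority weight', else the reason."""
    parts = data.split()
    if len(parts) != len(SRV_FIELDS):
        return "%d element(s), need 4: %s" % (len(parts), ", ".join(SRV_FIELDS))
    for field, value in zip(SRV_FIELDS[1:], parts[1:]):
        if not (value.isascii() and value.isdigit()) or int(value) > 65535:
            return "%s %r is not an integer in 0..65535" % (field, value)
    return None

def diagnose_update(cmdline):
    """Tokenise a 'samba-tool dns update' line as the shell would and
    check the <olddata> and <newdata> arguments of an SRV update."""
    positional, skip_next = [], False
    for tok in shlex.split(cmdline):
        if skip_next:
            skip_next = False
        elif tok == "-U":              # only option used in the post; value follows
            skip_next = True
        elif not tok.startswith("-"):
            positional.append(tok)
    args = positional[3:]              # drop "samba-tool dns update"
    if len(args) != 6:
        return {"error": "expected 6 arguments after 'dns update', got %d" % len(args)}
    rtype, olddata, newdata = args[3], args[4], args[5]
    if rtype.upper() != "SRV":
        return {"error": "only SRV data is checked here"}
    return {"olddata": check_srv_data(olddata), "newdata": check_srv_data(newdata)}

# The two command lines as posted (shell prompt removed).
POSTED_1 = ('samba-tool dns update dc trust.local _ldap._tcp.trust.local SRV '
            'serveribm.trust.local "dc.trust.local 389 0 100" -U administrador')
POSTED_2 = ('samba-tool dns update dc trust.local _ldap._tcp.trust.local SRV '
            'serveribm.trust.local dc.trust.local -U administrador')
# Constructed: the old record's port/priority/weight are placeholders, not from the post.
CONSTRUCTED_OK = ('samba-tool dns update dc trust.local _ldap._tcp.trust.local SRV '
                  '"serveribm.trust.local 389 0 100" "dc.trust.local 389 0 100" '
                  '-U administrador')

if __name__ == "__main__":
    for line in (POSTED_1, POSTED_2, CONSTRUCTED_OK):
        print(diagnose_update(line))
```

For the first posted line only `olddata` is flagged; for the second, both `olddata` and `newdata` are.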

  
