[Samba] problem after replacing a Win2K3 AD
Rowland Penny
rpenny at samba.org
Mon Jul 31 07:51:20 UTC 2017
On Sun, 30 Jul 2017 19:56:37 -0300
Guido Lorenzutti <guido at lorenzutti.com.ar> wrote:
>
>
> On Sun, 30 Jul 2017 19:09:44 -0300, Guido Lorenzutti wrote:
>
> > On Sun, 30 Jul 2017 13:13:17 -0300, Guido Lorenzutti wrote:
> >
> >> On Fri, 28 Jul 2017 09:43:04 +0100, Rowland Penny via samba wrote:
> >>
> >>> On Thu, 27 Jul 2017 20:57:41 -0300
> >>> Guido Lorenzutti via samba wrote:
> >>>
> >>>> Researching a little more I found this:
> >>>> Checking object @ROOTDSE
> >>>> Please use --fix to fix these errors
> >>>> Checked 358 objects (240 errors)
> >>>> How can I see what value is going to be fixed? Tnxs in advance.
> >>>
> >>> You could try adding '-v' to the command, or just add '--fix' and
> >>> you will be asked to confirm each and every one, but most people just
> >>> add '--fix --yes' and get everything fixed and don't care what they
> >>> are fixing.
> >>>
> >>> Rowland
> >>
> >> Well.. it didn't work: I ran...
> >>
> >> root at dc:~# samba-tool dbcheck --fix --yes | tail
> >> Fix nTSecurityDescriptor on CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local? [YES]
> >> Fixed attribute 'nTSecurityDescriptor' of 'CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local'
> >> Fix nTSecurityDescriptor on CN=Operadores de configuración de red,CN=Builtin,DC=Trust,DC=local? [YES]
> >> Fixed attribute 'nTSecurityDescriptor' of 'CN=Operadores de configuración de red,CN=Builtin,DC=Trust,DC=local'
> >> Fix nTSecurityDescriptor on CN=PC108,CN=Computers,DC=Trust,DC=local? [YES]
> >> Fixed attribute 'nTSecurityDescriptor' of 'CN=PC108,CN=Computers,DC=Trust,DC=local'
> >> Checked 358 objects (240 errors)
> >>
> >> root at dc:~# samba-tool dbcheck | tail
> >> Not fixing nTSecurityDescriptor on CN=6bcd567f-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local
> >> Not fixing nTSecurityDescriptor on CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local
> >> Not fixing nTSecurityDescriptor on CN=Operadores de configuración de red,CN=Builtin,DC=Trust,DC=local
> >> Not fixing nTSecurityDescriptor on CN=PC108,CN=Computers,DC=Trust,DC=local
> >> Please use --fix to fix these errors
> >> Checked 358 objects (240 errors)
> >>
> >> The errors are still there.. and I found another problem:
> >>
> >> root at dc:~# samba_dnsupdate --verbose --all-names
> >> IPs: ['192.168.0.12']
> >> force update: A dc.Trust.local 192.168.0.12
> >> force update: A Trust.local 192.168.0.12
> >> force update: SRV _ldap._tcp.Trust.local dc.Trust.local 389
> >> force update: SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389
> >> force update: SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389
> >> force update: SRV _kerberos._tcp.Trust.local dc.Trust.local 88
> >> force update: SRV _kerberos._udp.Trust.local dc.Trust.local 88
> >> force update: SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88
> >> force update: SRV _kpasswd._tcp.Trust.local dc.Trust.local 464
> >> force update: SRV _kpasswd._udp.Trust.local dc.Trust.local 464
> >> force update: CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local
> >> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389
> >> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389
> >> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88
> >> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88
> >> force update: SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389
> >> force update: A gc._msdcs.Trust.local 192.168.0.12
> >> force update: SRV _gc._tcp.Trust.local dc.Trust.local 3268
> >> force update: SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268
> >> force update: SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268
> >> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268
> >> need delete: A dc.Trust.local 192.168.0.66
> >> need delete: A Trust.local 192.168.0.66
> >> need delete: A gc._msdcs.Trust.local 192.168.0.66
> >> 21 DNS updates and 3 DNS deletes needed
> >> Traceback (most recent call last):
> >> File "/usr/sbin/samba_dnsupdate", line 784, in
> >> creds = get_credentials(lp)
> >> File "/usr/sbin/samba_dnsupdate", line 169, in get_credentials
> >> raise e
> >> RuntimeError: kinit for DC$@TRUST.LOCAL failed (Cannot contact any KDC for requested realm)
> >>
> >> But, if I add an IP alias to my dc, of the old and dead win2k3 (192.168.0.66) the output is this:
> >>
> >> root at dc:~# samba_dnsupdate --verbose --all-names
> >> IPs: ['192.168.0.12', '192.168.0.66']
> >> force update: A dc.Trust.local 192.168.0.12
> >> force update: A Trust.local 192.168.0.12
> >> force update: SRV _ldap._tcp.Trust.local dc.Trust.local 389
> >> force update: SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389
> >> force update: SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389
> >> force update: SRV _kerberos._tcp.Trust.local dc.Trust.local 88
> >> force update: SRV _kerberos._udp.Trust.local dc.Trust.local 88
> >> force update: SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88
> >> force update: SRV _kpasswd._tcp.Trust.local dc.Trust.local 464
> >> force update: SRV _kpasswd._udp.Trust.local dc.Trust.local 464
> >> force update: CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local
> >> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389
> >> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389
> >> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88
> >> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88
> >> force update: SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389
> >> force update: A gc._msdcs.Trust.local 192.168.0.12
> >> force update: SRV _gc._tcp.Trust.local dc.Trust.local 3268
> >> force update: SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268
> >> force update: SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268
> >> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268
> >> force update: A dc.Trust.local 192.168.0.66
> >> force update: A Trust.local 192.168.0.66
> >> force update: A gc._msdcs.Trust.local 192.168.0.66
> >> 24 DNS updates and 0 DNS deletes needed
> >> Successfully obtained Kerberos ticket to DNS/serveribm.trust.local as DC$
> >> update(nsupdate): A dc.Trust.local 192.168.0.12
> >> Calling nsupdate for A dc.Trust.local 192.168.0.12 (add)
> >> Failed nsupdate: A dc.Trust.local 192.168.0.12 : [Errno 2] No such file or directory
> >> update(nsupdate): A Trust.local 192.168.0.12
> >> Calling nsupdate for A Trust.local 192.168.0.12 (add)
> >> Failed nsupdate: A Trust.local 192.168.0.12 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.Trust.local dc.Trust.local 389
> >> Calling nsupdate for SRV _ldap._tcp.Trust.local dc.Trust.local 389 (add)
> >> Failed nsupdate: SRV _ldap._tcp.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389
> >> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389 (add)
> >> Failed nsupdate: SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389
> >> Calling nsupdate for SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389 (add)
> >> Failed nsupdate: SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kerberos._tcp.Trust.local dc.Trust.local 88
> >> Calling nsupdate for SRV _kerberos._tcp.Trust.local dc.Trust.local 88 (add)
> >> Failed nsupdate: SRV _kerberos._tcp.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kerberos._udp.Trust.local dc.Trust.local 88
> >> Calling nsupdate for SRV _kerberos._udp.Trust.local dc.Trust.local 88 (add)
> >> Failed nsupdate: SRV _kerberos._udp.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88
> >> Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88 (add)
> >> Failed nsupdate: SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kpasswd._tcp.Trust.local dc.Trust.local 464
> >> Calling nsupdate for SRV _kpasswd._tcp.Trust.local dc.Trust.local 464 (add)
> >> Failed nsupdate: SRV _kpasswd._tcp.Trust.local dc.Trust.local 464 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kpasswd._udp.Trust.local dc.Trust.local 464
> >> Calling nsupdate for SRV _kpasswd._udp.Trust.local dc.Trust.local 464 (add)
> >> Failed nsupdate: SRV _kpasswd._udp.Trust.local dc.Trust.local 464 : [Errno 2] No such file or directory
> >> update(nsupdate): CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local
> >> Calling nsupdate for CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local (add)
> >> Failed nsupdate: CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389
> >> Calling nsupdate for SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389 (add)
> >> Failed nsupdate: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389
> >> Calling nsupdate for SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389 (add)
> >> Failed nsupdate: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88
> >> Calling nsupdate for SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88 (add)
> >> Failed nsupdate: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88
> >> Calling nsupdate for SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88 (add)
> >> Failed nsupdate: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389
> >> Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389 (add)
> >> Failed nsupdate: SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> >> update(nsupdate): A gc._msdcs.Trust.local 192.168.0.12
> >> Calling nsupdate for A gc._msdcs.Trust.local 192.168.0.12 (add)
> >> Failed nsupdate: A gc._msdcs.Trust.local 192.168.0.12 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _gc._tcp.Trust.local dc.Trust.local 3268
> >> Calling nsupdate for SRV _gc._tcp.Trust.local dc.Trust.local 3268 (add)
> >> Failed nsupdate: SRV _gc._tcp.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268
> >> Calling nsupdate for SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268 (add)
> >> Failed nsupdate: SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268
> >> Calling nsupdate for SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268 (add)
> >> Failed nsupdate: SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268
> >> Calling nsupdate for SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268 (add)
> >> Failed nsupdate: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
> >> update(nsupdate): A dc.Trust.local 192.168.0.66
> >> Calling nsupdate for A dc.Trust.local 192.168.0.66 (add)
> >> Failed nsupdate: A dc.Trust.local 192.168.0.66 : [Errno 2] No such file or directory
> >> update(nsupdate): A Trust.local 192.168.0.66
> >> Calling nsupdate for A Trust.local 192.168.0.66 (add)
> >> Failed nsupdate: A Trust.local 192.168.0.66 : [Errno 2] No such file or directory
> >> update(nsupdate): A gc._msdcs.Trust.local 192.168.0.66
> >> Calling nsupdate for A gc._msdcs.Trust.local 192.168.0.66 (add)
> >> Failed nsupdate: A gc._msdcs.Trust.local 192.168.0.66 : [Errno 2] No such file or directory
> >> Failed update of 24 entries
> >>
> >> Tnxs in advance.
> >
> >
> > Well.. still doing some test I found more evidence that the samba-tool
> > domain "samba-tool domain demote --remove-other-dead-server=" didn't
> > work as expected.
> >
> > If I query the internal dns I found the records of the old domain
> > controller:
> >
> > root at dc:~# samba-tool dns query dc.trust.local trust.local serveribm.trust.local A -U administrador
> > Password for [TRUSTadministrador]:
> > Name=, Records=1, Children=0
> > A: 192.168.0.66 (flags=f0, serial=1478, ttl=3600)
> >
> > And if I ask for the _ldap._tcp.trust.local record it points to the
> > old domain controller.
> >
>
> > # dig -t SRV _ldap._tcp.trust.local
> >
> > ; DiG 9.10.3-P4-Debian -t
> SRV _ldap._tcp.trust.local
> > ;; global options: +cmd
> > ;; Got answer:
> >
> ;; ->>HEADER
>
> I forgot to mention that I did try to update the dns with no luck:
>
> #samba-tool dns update dc trust.local _ldap._tcp.trust.local SRV serveribm.trust.local "dc.trust.local 389 0 100" -U administrador
> Password for [TRUSTadministrador]:
> ERROR: Data requires 4 elements - server, port, priority, weight
>
> If I do this:
>
> samba-tool dns update dc trust.local _ldap._tcp.trust.local SRV serveribm.trust.local dc.trust.local -U administrador
>
> The samba-tool doesn't even ask me for the password, it only gives me this error:
>
> ERROR: Data requires 4 elements - server, port, priority, weight
>
> But I'm providing all the required elements.

Sorry but you are not ;-)

If you run (on the DC) this:

samba-tool dns update --help

Amongst the output, you will find this:

SRV "fqdn_string port priority weight"

You are only providing the FQDN.

>
> Also, this doesn't work:
>
> # samba-tool dns query dc trust.local * ALL -U administrador
>
> Usage: samba-tool dns query [options]
>
> My idea was to list all of the records on the trust.local zone.
>

I don't think you can use wildcards, try this instead:

samba-tool dns query 127.0.0.1 trust.local _ldap._tcp SRV -Uadministrator

This should show the records for _ldap._tcp amongst which will be the
missing data.

I personally would 'delete' the wrong record and then 'add' the new one.

Rowland
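
Added example (not part of the original message and not Samba code): a dry-run helper that applies the "fqdn_string port priority weight" rule to both the old and the new SRV data, then prints the delete/add pair suggested above without running it. The function names are hypothetical, and the port/priority/weight of the old serveribm record are assumed; take the real values from the 'samba-tool dns query' output.

```shell
#!/bin/sh
# Succeeds only if $1 is "fqdn port priority weight" with three
# numeric fields in the range 0-65535 (the 4 elements the tool asks for).
srv_data_ok() {
    set -f                      # no globbing while splitting
    set -- $1                   # split on whitespace into $1..$4
    set +f
    [ "$#" -eq 4 ] || return 1
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    shift
    for n in "$@"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#n}" -le 5 ] && [ "$n" -le 65535 ] || return 1
    done
    return 0
}

# Usage: srv_replace_cmds server zone name "old data" "new data" [user]
# Prints the commands only; nothing is sent to the DNS server.
srv_replace_cmds() {
    server=$1 zone=$2 name=$3 old=$4 new=$5 user=${6:-administrador}
    for d in "$old" "$new"; do
        if ! srv_data_ok "$d"; then
            echo "bad SRV data '$d': need server, port, priority, weight" >&2
            return 1
        fi
    done
    printf 'samba-tool dns delete %s %s %s SRV "%s" -U %s\n' \
        "$server" "$zone" "$name" "$old" "$user"
    printf 'samba-tool dns add %s %s %s SRV "%s" -U %s\n' \
        "$server" "$zone" "$name" "$new" "$user"
}

# Constructed demo: old record values are assumed, not taken from the thread.
srv_replace_cmds 127.0.0.1 trust.local _ldap._tcp \
    "serveribm.trust.local 389 0 100" "dc.trust.local 389 0 100"
```

Passing only "serveribm.trust.local" as the old data makes the helper refuse, which is the same condition that produced the "Data requires 4 elements" error in the thread.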