[Samba] problem after replacing a Win2K3 AD

Rowland Penny rpenny at samba.org
Mon Jul 31 07:51:20 UTC 2017


On Sun, 30 Jul 2017 19:56:37 -0300
Guido Lorenzutti <guido at lorenzutti.com.ar> wrote:

>   
> 
> On Sun, 30 Jul 2017 19:09:44 -0300, Guido Lorenzutti wrote:
>
> > On Sun, 30 Jul 2017 13:13:17 -0300, Guido Lorenzutti wrote:
> >
> >> On Fri, 28 Jul 2017 09:43:04 +0100, Rowland Penny via samba wrote:
> >>
> >>> On Thu, 27 Jul 2017 20:57:41 -0300
> >>> Guido Lorenzutti via samba wrote:
> >>>
> >>>> Researching a little more I found this:
> >>>>
> >>>> Checking object @ROOTDSE
> >>>> Please use --fix to fix these errors
> >>>> Checked 358 objects (240 errors)
> >>>>
> >>>> How can I see what value is going to be fixed? Tnxs in advance.
> >>>
> >>> You could try adding '-v' to the command, or just add '--fix' and
> >>> you will be asked to confirm each and every one, but most people just
> >>> add '--fix --yes' and get everything fixed and don't care what they
> >>> are fixing.
> >>>
> >>> Rowland
> >>
> >> Well.. it didn't work: I ran...
> >> 
> >> root@dc:~# samba-tool dbcheck --fix --yes | tail
> >> Fix nTSecurityDescriptor on CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local? [YES]
> >> Fixed attribute 'nTSecurityDescriptor' of 'CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local'
> >>
> >> Fix nTSecurityDescriptor on CN=Operadores de configuración de red,CN=Builtin,DC=Trust,DC=local? [YES]
> >> Fixed attribute 'nTSecurityDescriptor' of 'CN=Operadores de configuración de red,CN=Builtin,DC=Trust,DC=local'
> >>
> >> Fix nTSecurityDescriptor on CN=PC108,CN=Computers,DC=Trust,DC=local? [YES]
> >> Fixed attribute 'nTSecurityDescriptor' of 'CN=PC108,CN=Computers,DC=Trust,DC=local'
> >>
> >> Checked 358 objects (240 errors)
> >>
> >> root@dc:~# samba-tool dbcheck | tail
> >> Not fixing nTSecurityDescriptor on CN=6bcd567f-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local
> >>
> >> Not fixing nTSecurityDescriptor on CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=Trust,DC=local
> >>
> >> Not fixing nTSecurityDescriptor on CN=Operadores de configuración de red,CN=Builtin,DC=Trust,DC=local
> >>
> >> Not fixing nTSecurityDescriptor on CN=PC108,CN=Computers,DC=Trust,DC=local
> >>
> >> Please use --fix to fix these errors
> >> Checked 358 objects (240 errors)
> >>
> >> The errors are still there.. and I found another problem:
> >>
> >> root@dc:~# samba_dnsupdate --verbose --all-names
> >> IPs: ['192.168.0.12']
> >> force update: A dc.Trust.local 192.168.0.12
> >> force update: A Trust.local 192.168.0.12
> >> force update: SRV _ldap._tcp.Trust.local dc.Trust.local 389
> >> force update: SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389
> >> force update: SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389
> >> force update: SRV _kerberos._tcp.Trust.local dc.Trust.local 88
> >> force update: SRV _kerberos._udp.Trust.local dc.Trust.local 88
> >> force update: SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88
> >> force update: SRV _kpasswd._tcp.Trust.local dc.Trust.local 464
> >> force update: SRV _kpasswd._udp.Trust.local dc.Trust.local 464
> >> force update: CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local
> >> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389
> >> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389
> >> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88
> >> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88
> >> force update: SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389
> >> force update: A gc._msdcs.Trust.local 192.168.0.12
> >> force update: SRV _gc._tcp.Trust.local dc.Trust.local 3268
> >> force update: SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268
> >> force update: SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268
> >> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268
> >> need delete: A dc.Trust.local 192.168.0.66
> >> need delete: A Trust.local 192.168.0.66
> >> need delete: A gc._msdcs.Trust.local 192.168.0.66
> >> 21 DNS updates and 3 DNS deletes needed
> >> Traceback (most recent call last):
> >> File "/usr/sbin/samba_dnsupdate", line 784, in
> >> creds = get_credentials(lp)
> >> File "/usr/sbin/samba_dnsupdate", line 169, in get_credentials
> >> raise e
> >> RuntimeError: kinit for DC$@TRUST.LOCAL failed (Cannot contact any KDC for requested realm)
> >>
> >> But, if I add an IP alias to my dc, of the old and dead win2k3 (192.168.0.66), the output is this:
> >>
> >> root@dc:~# samba_dnsupdate --verbose --all-names
> >> IPs: ['192.168.0.12', '192.168.0.66']
> >> force update: A dc.Trust.local 192.168.0.12
> >> force update: A Trust.local 192.168.0.12
> >> force update: SRV _ldap._tcp.Trust.local dc.Trust.local 389
> >> force update: SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389
> >> force update: SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389
> >> force update: SRV _kerberos._tcp.Trust.local dc.Trust.local 88
> >> force update: SRV _kerberos._udp.Trust.local dc.Trust.local 88
> >> force update: SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88
> >> force update: SRV _kpasswd._tcp.Trust.local dc.Trust.local 464
> >> force update: SRV _kpasswd._udp.Trust.local dc.Trust.local 464
> >> force update: CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local
> >> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389
> >> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389
> >> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88
> >> force update: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88
> >> force update: SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389
> >> force update: A gc._msdcs.Trust.local 192.168.0.12
> >> force update: SRV _gc._tcp.Trust.local dc.Trust.local 3268
> >> force update: SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268
> >> force update: SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268
> >> force update: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268
> >> force update: A dc.Trust.local 192.168.0.66
> >> force update: A Trust.local 192.168.0.66
> >> force update: A gc._msdcs.Trust.local 192.168.0.66
> >> 24 DNS updates and 0 DNS deletes needed
> >> Successfully obtained Kerberos ticket to DNS/serveribm.trust.local as DC$
> >> update(nsupdate): A dc.Trust.local 192.168.0.12
> >> Calling nsupdate for A dc.Trust.local 192.168.0.12 (add)
> >> Failed nsupdate: A dc.Trust.local 192.168.0.12 : [Errno 2] No such file or directory
> >> update(nsupdate): A Trust.local 192.168.0.12
> >> Calling nsupdate for A Trust.local 192.168.0.12 (add)
> >> Failed nsupdate: A Trust.local 192.168.0.12 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.Trust.local dc.Trust.local 389
> >> Calling nsupdate for SRV _ldap._tcp.Trust.local dc.Trust.local 389 (add)
> >> Failed nsupdate: SRV _ldap._tcp.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389
> >> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389 (add)
> >> Failed nsupdate: SRV _ldap._tcp.dc._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389
> >> Calling nsupdate for SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389 (add)
> >> Failed nsupdate: SRV _ldap._tcp.ea8419f7-16a5-449b-9ec5-c7ec7f0265a3.domains._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kerberos._tcp.Trust.local dc.Trust.local 88
> >> Calling nsupdate for SRV _kerberos._tcp.Trust.local dc.Trust.local 88 (add)
> >> Failed nsupdate: SRV _kerberos._tcp.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kerberos._udp.Trust.local dc.Trust.local 88
> >> Calling nsupdate for SRV _kerberos._udp.Trust.local dc.Trust.local 88 (add)
> >> Failed nsupdate: SRV _kerberos._udp.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88
> >> Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88 (add)
> >> Failed nsupdate: SRV _kerberos._tcp.dc._msdcs.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kpasswd._tcp.Trust.local dc.Trust.local 464
> >> Calling nsupdate for SRV _kpasswd._tcp.Trust.local dc.Trust.local 464 (add)
> >> Failed nsupdate: SRV _kpasswd._tcp.Trust.local dc.Trust.local 464 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kpasswd._udp.Trust.local dc.Trust.local 464
> >> Calling nsupdate for SRV _kpasswd._udp.Trust.local dc.Trust.local 464 (add)
> >> Failed nsupdate: SRV _kpasswd._udp.Trust.local dc.Trust.local 464 : [Errno 2] No such file or directory
> >> update(nsupdate): CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local
> >> Calling nsupdate for CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local (add)
> >> Failed nsupdate: CNAME b6183422-9e31-447e-ba37-e232d603e3b3._msdcs.Trust.local dc.Trust.local : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389
> >> Calling nsupdate for SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389 (add)
> >> Failed nsupdate: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389
> >> Calling nsupdate for SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389 (add)
> >> Failed nsupdate: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88
> >> Calling nsupdate for SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88 (add)
> >> Failed nsupdate: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88
> >> Calling nsupdate for SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88 (add)
> >> Failed nsupdate: SRV _kerberos._tcp.Nombre-predeterminado-primer-sitio._sites.dc._msdcs.Trust.local dc.Trust.local 88 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389
> >> Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389 (add)
> >> Failed nsupdate: SRV _ldap._tcp.pdc._msdcs.Trust.local dc.Trust.local 389 : [Errno 2] No such file or directory
> >> update(nsupdate): A gc._msdcs.Trust.local 192.168.0.12
> >> Calling nsupdate for A gc._msdcs.Trust.local 192.168.0.12 (add)
> >> Failed nsupdate: A gc._msdcs.Trust.local 192.168.0.12 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _gc._tcp.Trust.local dc.Trust.local 3268
> >> Calling nsupdate for SRV _gc._tcp.Trust.local dc.Trust.local 3268 (add)
> >> Failed nsupdate: SRV _gc._tcp.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268
> >> Calling nsupdate for SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268 (add)
> >> Failed nsupdate: SRV _ldap._tcp.gc._msdcs.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268
> >> Calling nsupdate for SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268 (add)
> >> Failed nsupdate: SRV _gc._tcp.Nombre-predeterminado-primer-sitio._sites.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
> >> update(nsupdate): SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268
> >> Calling nsupdate for SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268 (add)
> >> Failed nsupdate: SRV _ldap._tcp.Nombre-predeterminado-primer-sitio._sites.gc._msdcs.Trust.local dc.Trust.local 3268 : [Errno 2] No such file or directory
> >> update(nsupdate): A dc.Trust.local 192.168.0.66
> >> Calling nsupdate for A dc.Trust.local 192.168.0.66 (add)
> >> Failed nsupdate: A dc.Trust.local 192.168.0.66 : [Errno 2] No such file or directory
> >> update(nsupdate): A Trust.local 192.168.0.66
> >> Calling nsupdate for A Trust.local 192.168.0.66 (add)
> >> Failed nsupdate: A Trust.local 192.168.0.66 : [Errno 2] No such file or directory
> >> update(nsupdate): A gc._msdcs.Trust.local 192.168.0.66
> >> Calling nsupdate for A gc._msdcs.Trust.local 192.168.0.66 (add)
> >> Failed nsupdate: A gc._msdcs.Trust.local 192.168.0.66 : [Errno 2] No such file or directory
> >> Failed update of 24 entries
> >>
> >> Tnxs in advance.
> >
> > Well.. still doing some tests I found more evidence that the samba-tool
> > domain "samba-tool domain demote --remove-other-dead-server=" didn't
> > work as expected.
> >
> > If I query the internal dns I found the records of the old domain controller:
> >
> > root@dc:~# samba-tool dns query dc.trust.local trust.local serveribm.trust.local A -U administrador
> > Password for [TRUSTadministrador]:
> > Name=, Records=1, Children=0
> > A: 192.168.0.66 (flags=f0, serial=1478, ttl=3600)
> >
> > And if I ask for the _ldap._tcp.trust.local record it points to the old domain controller.
> >
> > # dig -t SRV _ldap._tcp.trust.local
> >
> > ; DiG 9.10.3-P4-Debian -t SRV _ldap._tcp.trust.local
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER
> 
> I forgot to mention that I did try to update the dns with no luck:
>
> #samba-tool dns update dc trust.local _ldap._tcp.trust.local SRV serveribm.trust.local "dc.trust.local 389 0 100" -U administrador
>
> Password for [TRUSTadministrador]:
> ERROR: Data requires 4 elements - server, port, priority, weight
>
> If I do this:
>
> samba-tool dns update dc trust.local _ldap._tcp.trust.local SRV serveribm.trust.local dc.trust.local -U administrador
>
> The samba-tool doesn't even ask me for the password, it only gives me this error:
>
> ERROR: Data requires 4 elements - server, port, priority, weight
>
> But I'm providing all the required elements.

Sorry but you are not ;-)

If you run (on the DC) this:

samba-tool dns update --help

Amongst the output, you will find this:

  SRV    "fqdn_string port priority weight"

You are only providing the FQDN.


> 
> Also, this doesn't work:
>
> # samba-tool dns query dc trust.local * ALL -U administrador
>
> Usage: samba-tool dns query    [options]
>
> My idea was to list all of the records on the trust.local zone.
> 

I don't think you can use wildcards, try this instead:

samba-tool dns query 127.0.0.1 trust.local _ldap._tcp SRV -Uadministrator

This should show the records for _ldap._tcp amongst which will be the
missing data.

I personally would 'delete' the wrong record and then 'add' the new one.

Rowland
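
Added example (not part of Rowland's message and not Samba code): a shell check for the SRV data form quoted above from `samba-tool dns update --help`, which then prints the delete/add pair suggested in the reply for review before anything is run. The function names are hypothetical, and the old record's port, priority and weight (389 0 100) are assumed because the thread does not show them.

```shell
#!/bin/sh
# Added example: check SRV data against "fqdn_string port priority weight"
# and print (not run) the delete/add pair for replacing a stale record.

# Return 0 only if $1 has exactly four fields: a host name followed by
# three integers in the range 0-65535.
srv_data_ok() {
    set -f                      # no globbing while the string is split
    set -- $1
    set +f
    [ "$#" -eq 4 ] || return 1
    case "$1" in
        ''|.*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    shift
    for n in "$@"; do
        case "$n" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "${#n}" -le 5 ] && [ "$n" -le 65535 ] || return 1
    done
    return 0
}

# Args: server zone name old_data new_data
# Prints the two samba-tool commands, or fails if either data string is
# incomplete (the case that produced "Data requires 4 elements").
srv_replace_cmds() {
    for d in "$4" "$5"; do
        srv_data_ok "$d" || {
            echo "ERROR: '$d' is not \"fqdn port priority weight\"" >&2
            return 1
        }
    done
    printf 'samba-tool dns delete %s %s %s SRV "%s"\n' "$1" "$2" "$3" "$4"
    printf 'samba-tool dns add %s %s %s SRV "%s"\n' "$1" "$2" "$3" "$5"
}

# Old values (389 0 100) are assumed; read the real ones from the
# 'samba-tool dns query ... _ldap._tcp SRV' output first.
srv_replace_cmds 127.0.0.1 trust.local _ldap._tcp \
    "serveribm.trust.local 389 0 100" "dc.trust.local 389 0 100"
```

Passing the bare FQDN `serveribm.trust.local` as the old data, as in the quoted attempt, makes `srv_replace_cmds` stop with an error instead of printing commands.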


