[Samba] DRS stopped working after upgrade from debian Jessie to Stretch

Prunk Dump prunkdump at gmail.com
Tue Jun 20 16:52:49 UTC 2017


2017-06-20 18:12 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 20 Jun 2017 17:54:09 +0200
> Prunk Dump via samba <samba at lists.samba.org> wrote:
>
>> Hello thanks again for the help !
>>
>> I have analysed samba logs more closely. I'am very worried. I have
>> three DC (fichdc, fichds01, fichds02) but here I talk just about
>> fichdc's logs.
>>
>
> How did you upgrade 'jessie' to 'stretch' and why ?
>
> Did all the  Samba packages get upgraded (this includes things like
> talloc, tevent etc)
>
> Rowland
>

Hello.

I upgraded Debian from "Jessie" to "Strech" following the Debian
Upgrade Handbook. I'am not using special repositories, just the Debian
stable branch. Everything is updated with "apt-get upgrade" and
"apt-get dist-upgrade".

This upgrade is really mandatory because after two years of Debian
Jessie I have encountered many difficulties with the samba version. By
two times the Debian security team was not able to apply security
patch to the base stable Samba version. So two times Samba version
change and put my network down. So I can't keep the Jessie Samba
Version for two years more I want to maintain good security.

But now I'am very disappointed.
I don't understand why all my DCs have a bad
"/var/lib/samba/private/secret.keytab"
I don't understand why Kerberos authentication does not works inside
Samba but works with "kinit" (like in the previous log have sent).

I'm lost. I don't know what to do...

-> How can I regererate the "/var/lib/samba/private/secret.keytab"
with all the 5 encryptions ?

-> On the DC that have all the FSMO roles have made a "samba-tool
dbcheck --cross-ncs --fix --yes" (as say on the samba upgrade guide).
Do I need to do this on the others DCs ? Or is this better to first
restoring replication ?

-> Do I need to do a manual directory replication ?

Thank you very much for your help.

Baptiste.



More information about the samba mailing list