[Samba] DRS stopped working after upgrade from debian Jessie to Stretch

L.P.H. van Belle belle at bazuin.nl
Wed Jun 21 06:30:30 UTC 2017


Hai, 

I'm also wondering what happened here, I can't figure it out (yet). 
I have read this a few times now.. 

Baptiste, can you give me the following output. 
(Keep this order for the output, please.)

cat /etc/hosts
cat /etc/resolv.conf
cat /etc/nsswitch.conf

cat /etc/krb5.conf
cat /var/lib/samba/private/krb5.conf

klist -ket /etc/krb5.keytab
klist -ket /var/lib/samba/private/secrets.keytab

Get this script, run it, and if you get errors post them. 
http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh

cat /etc/samba/smb.conf



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba
> Sent: Tuesday 20 June 2017 19:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] DRS stopped working after upgrade from 
> debian Jessie to Stretch
> 
> On Tue, 20 Jun 2017 18:52:49 +0200
> Prunk Dump <prunkdump at gmail.com> wrote:
> 
> > Hello.
> > 
> > I upgraded Debian from "Jessie" to "Stretch" following the Debian 
> > Upgrade Handbook. I'm not using special repositories, just the Debian 
> > stable branch. Everything is updated with "apt-get upgrade" and 
> > "apt-get dist-upgrade".

! I noticed that samba-dsdb-modules in a "winbind"-only install errors again. 
Not a problem, but check if samba-dsdb-modules is installed on your DC after the upgrade. 
Better, show me : 
dpkg -l | egrep "samba|?mbd|winbind|nss|talloc|tevent|tdb|ldb"



> > 
> > This upgrade is really mandatory because after two years of Debian 
> > Jessie I have encountered many difficulties with the samba version. 
> > Two times the Debian security team was not able to apply a security 
> > patch to the base stable Samba version. So two times the Samba version 
> > changed and put my network down. So I can't keep the Jessie Samba 
> > version for two years more; I want to maintain good security.
Can you point me to these 2?

> 
> Not sure if upgrading to an unreleased Debian version is a 
> good idea, you could do what I am doing, use Louis Van 
> Belle's packages on Jessie.
Rowland, Debian Stretch was released 3 days ago  ;-) 

> 
> > 
> > But now I'm very disappointed.
> > I don't understand why all my DCs have a bad 
> > "/var/lib/samba/private/secret.keytab"
> > I don't understand why Kerberos authentication does not work inside 
> > Samba but works with "kinit" (like in the previous log I have sent).
We will figure this out, .. Just thinking.. 

kinit uses the default /etc/krb5.conf 
Samba /var/lib/samba/private/krb5.conf

System default normally points to /etc/krb5.keytab
Samba /var/lib/samba/private/secret.keytab

> 
> I don't understand it either, but I feel it must be down to at 
> least one of the packages that got upgraded and that are used 
> by Samba. Perhaps Louis can comment here, I feel he knows 
> more about what is required to get the latest version of 
> Samba working on Debian.
I'm thinking, Baptiste, you're using nfsv4 kerberized? 
Do cat /etc/idmap.conf for me also; are you using "[Static]" user name mappings like
principal at REALM = localusername


> 
> > 
> > I'm lost. I don't know what to do...
> > 
> > -> How can I regenerate the "/var/lib/samba/private/secret.keytab"
> > with all the 5 encryptions ?
First the info, then the fix. 

> 
> This is something Andrew is going to have to help you with, 
> but I think he gave a hint about using 'chgtdcpass'

> 
> > 
> > -> On the DC that has all the FSMO roles I have made a "samba-tool
> > dbcheck --cross-ncs --fix --yes" (as said in the samba upgrade guide).
> > Do I need to do this on the other DCs? Or is it better to first 
> > restore replication?
Run my samba-check-db-repl.sh script, then we'll see what needs fixing. 

> 
> This should fix any faults in db on this machine, replication 
> should then send any changes to the other DCs, but I can see 
> no reason not to run the command on the other DCs
> 
> > 
> > -> Do I need to do a manual directory replication ?
> > 
> 
> I wouldn't at this stage, but if you can fix it on one DC and 
> the fixes don't get replicated, this may be something to 
> consider later.
> 
> Rowland
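Added example, not part of the original message or of the Samba project: a small filter for the `klist -ket` output requested above that reports, per principal, which encryption types are missing at the newest key version. It assumes the MIT `klist` line layout (KVNO, date, time, principal, enctype in parentheses) and assumes which five enctypes are meant, since the thread does not list them; the `EXAMPLE.LAN` names are constructed.

```shell
#!/bin/sh
# Assumption: the five enctypes meant in the thread (it does not list them).
EXPECTED="des-cbc-crc des-cbc-md5 arcfour-hmac aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"

# Reads `klist -ket` output on stdin and prints one line per principal whose
# newest key version (highest KVNO) lacks one of the expected enctypes.
missing_enctypes() {
    awk -v expected="$EXPECTED" '
        # Entry lines: numeric KVNO first, "(enctype)" last, principal before it.
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            princ = $(NF - 1); kvno = $1 + 0
            enc = substr($NF, 2, length($NF) - 2)
            if (!(princ in top) || kvno > top[princ]) top[princ] = kvno
            have[princ, kvno, enc] = 1
        }
        END {
            n = split(expected, want, " ")
            for (p in top) {
                miss = ""
                for (i = 1; i <= n; i++)
                    if (!((p, top[p], want[i]) in have)) miss = miss " " want[i]
                if (miss != "") print p " kvno=" top[p] " missing:" miss
            }
        }' | sort
}

# Constructed sample in the assumed MIT klist layout; not output from the thread.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   1 06/20/2017 18:00:00 DC1$@EXAMPLE.LAN (aes128-cts-hmac-sha1-96)
   1 06/20/2017 18:00:00 DC1$@EXAMPLE.LAN (aes256-cts-hmac-sha1-96)
   2 06/21/2017 08:00:00 DC1$@EXAMPLE.LAN (des-cbc-crc)
   2 06/21/2017 08:00:00 DC1$@EXAMPLE.LAN (des-cbc-md5)
   2 06/21/2017 08:00:00 DC1$@EXAMPLE.LAN (arcfour-hmac)
   2 06/21/2017 08:00:00 host/dc1.example.lan@EXAMPLE.LAN (des-cbc-crc)
   2 06/21/2017 08:00:00 host/dc1.example.lan@EXAMPLE.LAN (des-cbc-md5)
   2 06/21/2017 08:00:00 host/dc1.example.lan@EXAMPLE.LAN (arcfour-hmac)
   2 06/21/2017 08:00:00 host/dc1.example.lan@EXAMPLE.LAN (aes128-cts-hmac-sha1-96)
   2 06/21/2017 08:00:00 host/dc1.example.lan@EXAMPLE.LAN (aes256-cts-hmac-sha1-96)
EOF
}

# Real use: klist -ket /var/lib/samba/private/secrets.keytab | missing_enctypes
sample_klist | missing_enctypes
```

Running the same filter over both keytabs from the list above makes it easy to compare what the system keytab and the Samba keytab hold for each principal.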