[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom at DOM) unknown
L.P.H. van Belle
belle at bazuin.nl
Tue Sep 5 14:52:24 UTC 2017
Yes, if you are flexible with reinstalling, you could..
> -----Original message-----
> From: Sven Schwedas [mailto:sven.schwedas at tao.at]
> Sent: Tuesday, 5 September 2017 16:32
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Server GC/name.dom/dom is not
> registered with our KDC: Miscellaneous failure (see text):
> Server (GC/name/dom at DOM) unknown
> On 2017-09-05 16:21, L.P.H. van Belle wrote:
> >> Keytabs look reasonable, as far as I can see, but why does
> >> graz-dc-sem have the same SPN output as graz-dc-1b in addition to its
> >> own?
> > A snapshotted server/cloned server? I don't know but that's not correct.
> Nope, both were created clean. There used to be a
> graz-dc-bis, but removing and re-adding it completely broke
> replication, so I nuked it and created 1b to replace it. That
> odyssey is in the list archives somewhere…
Very strange then if they were all created clean.
Removing and re-adding is possible, but not without risk.
> > I suggest, cleanup the DS with FSMO roles.
> Clean up as in move FSMO roles to a clean server (leaves only
> villach-dc-*) ?
Yes and no. ;-)
I suggest the following: move FSMO roles to villach-dc and check database replications.
Remove the most faulty one first, graz-dc-1b, from the domain. (Check and cleanup DNS and AD! Very important.)
You don't have to reinstall the complete OS, just cleanup as told, and reprovision that server again.
Reboot and then wait, and check database replication again.
! Do reboot !
And repeat for all servers you don't trust.
That should bring your network back as it should be.
> > Then remove a faulty server and re-add it as a newly installed DC.
> > ( the good DS with FSMO)
> > First backup: /var/lib/samba/private/secrets.keytab
> > Remove the incorrect entries from keytab file with ktutil rkt
> > /var/lib/samba/private/secrets.keytab
> > list -e -t
> Might as well just nuke graz-dc-sem and add a complete new DC
> from scratch, no?
No, and yes, but I prefer no, not needed (yet).
Start with the keytab cleanup.
Check the DNS records to see if the UUID, A, PTR and hostnames resolve to the correct server.
If that's the case, then no, cleanup of keytab is, I think, sufficient.
Yes, if it's really a mess. ;-)
Then, first add a new DC, then remove, just make sure you always have 2 DCs up and running (correctly).
> > Check if dates here are related to other work you/someone did?
> > Now you can remove the faulty one from the domain and re-add it (with
> > provisioning) Backup and cleanup /etc/samba/smb.conf (rename)
> > /var/cache/samba ( remove all files from folder)
> > /var/lib/samba ( remove all files and directories from folder)
> > Now re-provision and you should have correct working DC's again.
> > ! Before re-provisioning, make sure all OLD records dns and AD are gone.
> I still have undeleteable replication records from the last
> time I had to nuke a DC, nobody replied to my emails on that issue.
Ok, now, I'm out of office in about 10 min, but mail that subject for me again.
I'll have a look.
Oh, and if you don't use it, ApacheDirectoryStudio can help a lot with cleanup of these kind of things.
But just make sure you know what you delete, or you mess up the AD even more.
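
An added example, not part of the original message or of Samba's tooling: a small Python check for the situation discussed in the thread, where one DC's keytab also lists another DC's principals. It assumes the text layout of a MIT `ktutil` `list -e -t` listing (`slot KVNO Timestamp Principal (enctype)`); the realm, domain, timestamps and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample listing (assumed ktutil "list -e -t" layout).
# Host names come from the thread; realm, domain and dates are placeholders.
SAMPLE = """\
slot KVNO Timestamp         Principal
---- ---- ----------------- --------------------------------------------------
   1    1 03/01/17 10:00:00 HOST/graz-dc-sem@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2    1 03/01/17 10:00:00 HOST/graz-dc-sem.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3    1 03/01/17 10:00:00 GRAZ-DC-SEM$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4    1 08/20/17 09:30:00 HOST/graz-dc-1b.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5    1 08/20/17 09:30:00 GRAZ-DC-1B$@EXAMPLE.COM (arcfour-hmac)
"""

# slot, KVNO, "date time", principal, (enctype)
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")

def principal_host(principal):
    """Return the short, lowercase host a principal belongs to, or None."""
    name = principal.rsplit("@", 1)[0]          # drop the realm
    if name.endswith("$"):                      # machine account, e.g. GRAZ-DC-1B$
        return name[:-1].lower()
    parts = name.split("/")
    if len(parts) >= 2:                         # service/host[/domain]
        return parts[1].split(".")[0].lower()
    return None

def foreign_entries(listing, local_host):
    """Map other-host name -> [(slot, timestamp, principal, enctype)] found in the listing."""
    found = defaultdict(list)
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:                               # header, separator or blank line
            continue
        slot, _kvno, stamp, principal, enctype = m.groups()
        host = principal_host(principal)
        if host and host != local_host.lower():
            found[host].append((int(slot), stamp, principal, enctype))
    return dict(found)

if __name__ == "__main__":
    for host, rows in foreign_entries(SAMPLE, "graz-dc-sem").items():
        print(f"keytab holds entries for another host: {host}")
        for slot, stamp, principal, enctype in rows:
            print(f"  slot {slot}  {stamp}  {principal}  ({enctype})")
```

The timestamps printed next to each foreign slot are what to compare against dates of other work done on the DCs, and the slot numbers identify the entries to review before any removal from a backed-up keytab.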