[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom at DOM) unknown

Tue Sep 5 15:12:40 UTC 2017

On 2017-09-05 16:52, L.P.H. van Belle wrote:
> Yes, if you flexible with reinstalling, you could..

I don't want another quick and dirty solution that turns out to break
half a year down the line, I'm fine with nuking half my DCs if that
means getting to a clean state.

Besides, recreating containers is faster than manually messing around in
/var/lib on each one of them.

> I suggest the following, move fsmo roles to villach-dc and check database replications.

DB replication is already spewing errors, what am I to look out for?

> Remove the most faulty one first, graz-dc-1b, from the domain. ( check and cleanup DNS and AD! Very important ) 

What to check for? What to clean up?

> You dont have to reinstall the complete os, just cleanup as told, and reprovisioning that server again. 

Adding a new DC with the same hostname as the old DC is what got me into
trouble last time. I'll pass up on that offer.

>>> Then remove a failty server and re-add it as a new installed DC.
>>> ( the good DS with FSMO)
>>> First backup: /var/lib/samba/private/secrets.keytab
>>> Remove the incorrect entries from keytab file with ktutil rkt 
>>> /var/lib/samba/private/secrets.keytab
>>> list -e -t
>>
>> Might as well just nuke graz-dc-sem and add a complete new DC 
>> from scratch, no?
> No, and yes, but i preffer no, not needed (yet). 
> Start with the keytab cleanup 
> Check the dns record if the uuid A PTR and hostnames resolve to the correct server. 
> If thats the case, then no, cleanup of keytab is, i think, sufficient. 

Just to confirm the order: Clean up the keytab, if that doesn't work,
start removing servers?

> Yes, if its really a mess. ;-) 
> Then, first a an new DC, then remove, just make sure you always have 2 dc's up and running (correctly)

Servers in Villach seem to run fine, thank $DEITY, so I'll leave them
alone for now.

>>> Now re-provision and you should have correct working DC's again. 
>>>
>>> ! Before re-provisioning, make sure all OLD records dns and 
>> AD are gone. 
>>
>> I still have undeleteable replication records from the last 
>> time I had to nuke a DC, nobody replied to my emails on that issue.
> 
> Ok, now, im out of office in about 10 min, but mail that subject for me again> I'll have a look.

First message on that topic:
https://lists.samba.org/archive/samba/2017-March/207429.html

Last message, where I mentioned the replication bug:
https://lists.samba.org/archive/samba/2017-April/207918.html

> Own and if you dont use it, ApacheDirectoryStudio can help a lot with cleanup of these kind of things. 

Currently I'm using the ADSI MMC snap-in, any downsides compared to ADS?

> But just make sure you know what you delete, for you mess up the AD even more. 

That why I'm not touching anything without a full list.

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167