[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom at DOM) unknown
Sven Schwedas
sven.schwedas at tao.at
Wed Sep 6 14:06:30 UTC 2017
On 2017-09-06 09:28, L.P.H. van Belle wrote:
>>> I suggest the following, move fsmo roles to villach-dc and
>> check database replications.
>>
>> DB replication is already spewing errors, what am I to look out for?
> Ok, get my check db script, run it from any dc. And post me the output.
Output attached. Seems like all servers but graz-dc-sem have some stuff
wrong, just wonderful.
> https://github.com/thctlo/samba4/blob/master/samba-check-db-repl.sh
Just FYI, something's wonky with the script. Bash trips up on CRLF line
endings (everywhere) and 0xC2 control characters (ll. 260-261) sprinkled
through the file. Had to clean that up before it actually ran without
syntax errors.
>>> Remove the most faulty one first, graz-dc-1b, from the
>> domain. ( check
>>> and cleanup DNS and AD! Very important )
>>
>> What to check for? What to clean up?
> Ah, thats hard to tell, this depends a bit on the errors.
> I search/look for the left overs, first with RSAT tools and samba-tool, then with ApacheStudio.
> I look for hostnames/UUID/ things like that, but this is only done if all other options did not work.
> But it depends on the errors/warnings i see/get.
None of the differences look like they could cause the replication
errors, looks more like they're just the results.
>>>>> Then remove a failty server and re-add it as a new installed DC.
>>>>> ( the good DS with FSMO)
>>>>> First backup: /var/lib/samba/private/secrets.keytab
>>>>> Remove the incorrect entries from keytab file with ktutil rkt
>>>>> /var/lib/samba/private/secrets.keytab
>>>>> list -e -t
>>>>
>>>> Might as well just nuke graz-dc-sem and add a complete new DC from
>>>> scratch, no?
>>> No, and yes, but i preffer no, not needed (yet).
>>> Start with the keytab cleanup
>>> Check the dns record if the uuid A PTR and hostnames
>> resolve to the correct server.
>>> If thats the case, then no, cleanup of keytab is, i think,
>> sufficient.
>>
>> Just to confirm the order: Clean up the keytab, if that
>> doesn't work, start removing servers?
> Almost. Backup then ... Cleanup keytab of the server.
I'll try that next, unless you find something shady in the report.
>>> Yes, if its really a mess. ;-)
>>> Then, first a an new DC, then remove, just make sure you
>> always have 2
>>> dc's up and running (correctly)
>>
>> Servers in Villach seem to run fine, thank $DEITY, so I'll
>> leave them alone for now.
> Ok, thats good, run the check-db script and post the complete output for me.
>
>>
>>>>> Now re-provision and you should have correct working DC's again.
>>>>>
>>>>> ! Before re-provisioning, make sure all OLD records dns and
>>>> AD are gone.
>>>>
>>>> I still have undeleteable replication records from the last time I
>>>> had to nuke a DC, nobody replied to my emails on that issue.
>>>
>>> Ok, now, im out of office in about 10 min, but mail that
>> subject for me again> I'll have a look.
>>
>> First message on that topic:
>> https://lists.samba.org/archive/samba/2017-March/207429.html
> Ok, this one, track down both uuid's, checkout which which hostname belongs with these.
Going by the output of `samba-tool drs showrepl` and sam.ldb, the GUIDs
are as follows:
graz-dc-sem 160f5a53-5c29-4a83-aeee-6cb1dbabeed7
graz-dc-bis 7e4973ba-4093-4523-a70f-7caa4845e34d (not in sam.ldb)
graz-dc-1b bcffbad8-1add-46b9-bf69-90e52c0f09ea
villach-dc-sem eb5f9772-cd8f-4cde-9629-f1898c94aedd
villach-dc-bis e1569c90-50f9-4bb5-bd85-79145e3ff6fd
villach-sem/bis want to replicate to the dead and removed graz-dc-bis
for some reason, but don't have its GUID in their sam.ldb either.
> Basicly https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
> In based on the Demoteing wiki example.
> I do the same steps as shown there. Now the last three pictures on the site shows where to look.
> At the site and Service, go through very folder, and check if it is as it should be.
I already checked it back then, and double checked it now. ADUC, ADSS
and DNS are all three clean and contain no reference to either the old
server name or its GUID.
> https://lists.samba.org/archive/samba/2017-March/207460.html
> Between 2 and 3, there the problem starts
>>> – I noticed a typo in the server's `netbios name` setting, corrected it, and restarted the DC.
> 3. Yes, for the new hostname, the old hostname is as left over in the ADDC DB and/or DNS.
>
> This name GRAZ-DC-BIS, and the name with the typo. The GUID for these is where to look info.
Yeah, but where?
> Step 6. ah the point of origin of you problems with of the current post?
Hell if I know, but might be.
> 7. dnsmasq? Ok, i just hope these are not running on the DC's.
It's running on the gateways to cache the DCs' responses and handle some
auxiliary stuff. ad.tao.at and all subdomains are transparently
forwarded to the DCs, no difference in responses for _msdsc etc. between
them and querying the DCs directly.
>> Last message, where I mentioned the replication bug:
>> https://lists.samba.org/archive/samba/2017-April/207918.html
>>
>>> Own and if you dont use it, ApacheDirectoryStudio can help
>> a lot with cleanup of these kind of things.
>>
>> Currently I'm using the ADSI MMC snap-in, any downsides
>> compared to ADS?
> I dont know, never used ADS :-/
>
> Track done these : GUID's, the hostname's, ipnumbers A and PTR records
> 7e4973ba-4093-4523-a70f-7caa4845e34d
> d613fa11-064b-4bcc-ab01-20264f870f47
> (how, see Verifying and Creating the objectGUID Record https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record)
Neither of the two return any results on any DC (or on the dnsmasq
servers), but the GUIDs for the 4 currently existing DCs work fine. This
matches the data from the RSAT tools.
--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
-------------- next part --------------
No password for user AD\Administrator was set in this script!
Please enter the password for AD\Administrator :
Running with with console output
Checking the DC_With_FSMO (graz-dc-sem) with SAMBA DC: villach-dc-sem.ad.tao.at
villach-dc-bis.ad.tao.at
graz-dc-1b.ad.tao.at
Running : /usr/bin/samba-tool ldapcmp --filter='whenChanged' ldap://graz-dc-sem.ad.tao.at ldap://villach-dc-sem.ad.tao.at
Please wait.. this can take a while..
ERROR: Compare failed: -1
* Comparing [DOMAIN] context...
* Objects to be compared: 392
Comparing:
'CN=REDACTED1,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED1,CN=Users,DC=ad,DC=tao,DC=at' [ldap://villach-dc-sem.ad.tao.at]
Difference in attribute values:
mailAlt =>
[…REDACTED, GOOD…]
[…REDACTED, OUTDATED…]
FAILED
Comparing:
'CN=REDACTED2,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED2,CN=Users,DC=ad,DC=tao,DC=at' [ldap://villach-dc-sem.ad.tao.at]
Difference in attribute values:
mailAlt =>
[…REDACTED, GOOD…]
[…REDACTED, OUTDATED…]
FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes with different values:
mailAlt
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1630
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1566
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 176
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 21
* Result for [DNSFOREST]: SUCCESS
Running : /usr/bin/samba-tool ldapcmp --filter='whenChanged' ldap://graz-dc-sem.ad.tao.at ldap://villach-dc-bis.ad.tao.at
Please wait.. this can take a while..
ERROR: Compare failed: -1
* Comparing [DOMAIN] context...
* Objects to be compared: 392
Comparing:
'CN=REDACTED1,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED1,CN=Users,DC=ad,DC=tao,DC=at' [ldap://villach-dc-sem.ad.tao.at]
Difference in attribute values:
mailAlt =>
[…REDACTED, GOOD…]
[…REDACTED, OUTDATED…]
FAILED
Comparing:
'CN=REDACTED2,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED2,CN=Users,DC=ad,DC=tao,DC=at' [ldap://villach-dc-sem.ad.tao.at]
Difference in attribute values:
mailAlt =>
[…REDACTED, GOOD…]
[…REDACTED, OUTDATED…]
FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes with different values:
mailAlt
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1630
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1566
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 176
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 21
* Result for [DNSFOREST]: SUCCESS
* Comparing [DOMAIN] context...
* Objects to be compared: 392
Comparing:
'CN=REDACTED1,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED1,CN=Users,DC=ad,DC=tao,DC=at' [ldap://villach-dc-bis.ad.tao.at]
Difference in attribute values:
mailAlt =>
[…REDACTED, GOOD…]
[…REDACTED, OUTDATED…]
FAILED
Comparing:
'CN=REDACTED2,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED2,CN=Users,DC=ad,DC=tao,DC=at' [ldap://villach-dc-bis.ad.tao.at]
Difference in attribute values:
mailAlt =>
[…REDACTED, GOOD…]
[…REDACTED, OUTDATED…]
FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes with different values:
mailAlt
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1630
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1566
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 176
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 21
* Result for [DNSFOREST]: SUCCESS
Running : /usr/bin/samba-tool ldapcmp --filter='whenChanged' ldap://graz-dc-sem.ad.tao.at ldap://graz-dc-1b.ad.tao.at
Please wait.. this can take a while..
ERROR: Compare failed: -1
* Comparing [DOMAIN] context...
* Objects to be compared: 392
Comparing:
'CN=REDACTED1,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED1,CN=Users,DC=ad,DC=tao,DC=at' [ldap://villach-dc-sem.ad.tao.at]
Difference in attribute values:
mailAlt =>
[…REDACTED, GOOD…]
[…REDACTED, OUTDATED…]
FAILED
Comparing:
'CN=REDACTED2,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED2,CN=Users,DC=ad,DC=tao,DC=at' [ldap://villach-dc-sem.ad.tao.at]
Difference in attribute values:
mailAlt =>
[…REDACTED, GOOD…]
[…REDACTED, OUTDATED…]
FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes with different values:
mailAlt
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1630
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1566
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 176
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 21
* Result for [DNSFOREST]: SUCCESS
* Comparing [DOMAIN] context...
* Objects to be compared: 392
Comparing:
'CN=REDACTED1,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED1,CN=Users,DC=ad,DC=tao,DC=at' [ldap://villach-dc-bis.ad.tao.at]
Difference in attribute values:
mailAlt =>
[…REDACTED, GOOD…]
[…REDACTED, OUTDATED…]
FAILED
Comparing:
'CN=REDACTED2,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED2,CN=Users,DC=ad,DC=tao,DC=at' [ldap://villach-dc-bis.ad.tao.at]
Difference in attribute values:
mailAlt =>
[…REDACTED, GOOD…]
[…REDACTED, OUTDATED…]
FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes with different values:
mailAlt
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1630
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1566
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 176
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 21
* Result for [DNSFOREST]: SUCCESS
* Comparing [DOMAIN] context...
* Objects to be compared: 392
Comparing:
'CN=REDACTED3,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED3,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-1b.ad.tao.at]
Difference in attribute values:
objectClass =>
['organizationalPerson', 'person', 'taoUser', 'top', 'user']
['organizationalPerson', 'person', 'top', 'ucsUser', 'user']
FAILED
Comparing:
'CN=REDACTED4,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED4,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-1b.ad.tao.at]
Difference in attribute values:
lastLogonTimestamp =>
['SMALLVALUE']
['BIGVALUE']
FAILED
Comparing:
'CN=Enterprise Admins,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=Enterprise Admins,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-1b.ad.tao.at]
Attributes found only in ldap://graz-dc-sem.ad.tao.at:
msSFU30NisDomain
gidNumber
FAILED
Comparing:
'CN=REDACTED5,CN=Computers,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED5,CN=Computers,DC=ad,DC=tao,DC=at' [ldap://graz-dc-1b.ad.tao.at]
Difference in attribute values:
lastLogonTimestamp =>
['SMALLVALUE']
['BIGVALUE']
FAILED
Comparing:
'CN=REDACTED6,CN=Computers,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=REDACTED6,CN=Computers,DC=ad,DC=tao,DC=at' [ldap://graz-dc-1b.ad.tao.at]
Difference in attribute values:
lastLogonTimestamp =>
['SMALLVALUE']
['BIGVALUE']
FAILED
Comparing:
'CN=sven.schwedas,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-sem.ad.tao.at]
'CN=sven.schwedas,CN=Users,DC=ad,DC=tao,DC=at' [ldap://graz-dc-1b.ad.tao.at]
Difference in attribute values:
objectClass =>
['organizationalPerson', 'person', 'posixAccount', 'taoUser', 'top', 'user']
['organizationalPerson', 'person', 'posixAccount', 'top', 'ucsUser', 'user']
FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes found only in ldap://graz-dc-sem.ad.tao.at:
msSFU30NisDomain
gidNumber
Attributes with different values:
objectClass
lastLogonTimestamp
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1630
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1566
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 176
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 21
* Result for [DNSFOREST]: SUCCESS
.. Next check..
Running : samba-tool drs showrepl
failures don't match
successes don't match
failures don't match
successes don't match
failures don't match
successes don't match
More information about the samba
mailing list