[Samba] 4.3.11-Ubuntu fails to add DC to an AD domain

Jakub Kulesza jakkul+samba at gmail.com
Wed Apr 25 22:52:01 UTC 2018


Some results:


   - I have the replication working from PDC (the old DC) to QDC (the new
   DC), not the other way round

on QDC # samba-tool drs replicate qdc pdc DC=biuro,DC=gpm-vindexus,DC=pl
Replicate from pdc to qdc was successful.

on QDC # samba-tool drs replicate pdc qdc DC=biuro,DC=gpm-vindexus,DC=pl
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (2, 'WERR_FILE_NOT_FOUND')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 386, in
run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 85, in
sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

on PDC # samba-tool drs replicate qdc pdc DC=biuro,DC=gpm-vindexus,DC=pl
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_INVALID_PARAMETER
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_INVALID_PARAMETER
Replicate from pdc to qdc was successful.

on PDC # samba-tool drs replicate pdc qdc DC=biuro,DC=gpm-vindexus,DC=pl
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 348, in
run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in
sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)


   - I have browsed the DNS names in the Windows tools and see that I have

# host -t SRV _ldap._tcp.pdc._msdcs.biuro.gpm-vindexus.pl
_ldap._tcp.pdc._msdcs.biuro.gpm-vindexus.pl has SRV record 0 100 389 pdc.biuro.gpm-vindexus.pl.

but don't have

# host -t SRV _ldap._tcp.qdc._msdcs.biuro.gpm-vindexus.pl
Host _ldap._tcp.qdc._msdcs.biuro.gpm-vindexus.pl not found: 3(NXDOMAIN)

should I add it by hand for the qdc?

   - Right now, if a Windows machine tries to change a password, it gets
   changed randomly either on pdc or qdc. If it gets changed on qdc, the sync
   will overwrite it in a few minutes.
   - Some machines have lost domain trust.



   - top of the smb.conf on both servers:


# Global parameters
[global]
        workgroup = GPMV
        realm = biuro.gpm-vindexus.pl
        netbios name = PDC
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        max open files = 57000


        full_audit:prefix = %u|%I|%m|%S
        full_audit:success = mkdir rename unlink rmdir pwrite
        full_audit:failure = none
        full_audit:facility = local7
        full_audit:priority = NOTICE

        log level = 1
tls enabled  = yes
tls keyfile  = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile   = /var/lib/samba/private/tls/ca.pem
tls verify peer = no_check
ldap server require strong auth = no
winbind enum groups = yes
winbind enum users = yes

# Global parameters
[global]
        workgroup = GPMV
        realm = biuro.gpm-vindexus.pl
        netbios name = QDC
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        max open files = 57000


        full_audit:prefix = %u|%I|%m|%S
        full_audit:success = mkdir rename unlink rmdir pwrite
        full_audit:failure = none
        full_audit:facility = local7
        full_audit:priority = NOTICE

        log level = 1
tls enabled  = yes
tls keyfile  = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile   = /var/lib/samba/private/tls/ca.pem
tls verify peer = no_check
ldap server require strong auth = no
winbind enum groups = yes
winbind enum users = yes
preferred master = no


   - krb:

pdc:~# cat /etc/krb5.conf
[logging]
        default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = BIURO.GPM-VINDEXUS.PL
dns_lookup_realm = false
dns_lookup_kdc = true
default_keytab_name = /etc/krb5.keytab
allow_weak_crypto = true

[realms]
BIURO.GPM-VINDEXUS.PL = {
kdc = pdc.biuro.gpm-vindexus.pl
admin_server = pdc.biuro.gpm-vindexus.pl
}

qdc:# cat /etc/krb5.conf
[libdefaults]
default_realm = BIURO.GPM-VINDEXUS.PL
dns_lookup_realm = false
dns_lookup_kdc = true


   - I've enabled winbind and pam winbind on both machines so I can ssh to
   both using samba AD usernames to check passwords. Windows user logging
   works.
   - Right now the host biuro.mydomain command resolves all DCs properly:

# host biuro.gpm-vindexus.pl
biuro.gpm-vindexus.pl has address 192.168.0.251
biuro.gpm-vindexus.pl has address 192.168.1.251
biuro.gpm-vindexus.pl has address 192.168.0.252

.251 are the IPs of PDC, .252 is the IP of QDC.


2018-04-25 22:57 GMT+02:00 Jakub Kulesza <jakkul+samba at gmail.com>:

> Yes, I tried working with the Samba wiki and quad-verifying what is
> recommended to be checked.
>
> OK, I'll try to join using 18.04.
>
> The samba_dnsupdate tool does not have the --use-samba-tool option in
> Ubuntu 16.04.
>
> 2018-04-25 22:47 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>
> :
>
>> On Wed, 25 Apr 2018 22:32:10 +0200
>> Jakub Kulesza <jakkul+samba at gmail.com> wrote:
>>
>> > Rowland, thank you for answering!
>> >
>> > I have investigated this a bit, and I think that using 18.04 for the
>> > new DC will not be successful anyway. Reasons: the AD I have has been
>> > created back in the days when 14.04 LTS was fresh. The provisioning
>> > scripts worked differently. 14.04 has been upgraded to 16.04, and I
>> > think that I do not have all of the DNSes configured properly and
>> > this might be the cause of the synchronization items.
>>
>> The basic provision has always worked in the same way, it has just been
>> tweaked.
>>
>> >
>> > I would really like to get to the bottom of this and understand the
>> > issue to fix it on the old DC. Is there a checklist on what needs to
>> > be done during the initial provisioning and what are the requirements
>> > for samba-tool to be able to join another DC to the AD?
>>
>> I take it you have read the DC join page on the wiki and followed all
>> the hyperlinks.
>>
>> >
>> > Traces:
>> >
>> > 1. running the following on the new DC starts with the following
>> > errors: # samba-tool drs showrepl
>> > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
>> > NT_STATUS_INVALID_PARAMETER
>> >
>> > NT_STATUS_INVALID_PARAMETER is usually associated with DNS update
>> > issues.
>> >
>> > 2. I had to update "objectGUID CNAME Record" as defined here
>> > https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
>>
>> Yes, but you shouldn't have to do this with 4.7.6, it has code to
>> create those records during the join
>>
>> >
>> > 3. querying the domain name in the DNS shows up only the old DC
>> > # host biuro.gpm-vindexus.pl
>> > biuro.gpm-vindexus.pl has address 192.168.0.251
>> > biuro.gpm-vindexus.pl has address 192.168.1.251
>> > (it has 2 addresses in 2 subnets)
>> >
>> > and it should show 192.168.0.252 (qdc, the second server) as well
>>
>> Why? You are checking one DC's FQDN; to get the info for the second DC,
>> you would have to check that DC's FQDN.
>>
>> >
>> >
>> > 4. running samba_dnsupdate on the old primary DC shows a lot of
>> > errors # samba_dnsupdate --all-names
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > ; TSIG error with server: tsig verify failure
>> > Failed update of 24 entries
>>
>> Try 'samba_dnsupdate --all-names --use-samba-tool'
>>
>> Rowland
>>
>>
>
>
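
A checker for the AD locator SRV records the thread is probing, added here as an example (it is not from the thread, from Samba or from the Samba wiki). It assumes the domain and DC names from the post and that the `host` command is available; it checks the `dc._msdcs` records that must list every DC, since `_ldap._tcp.pdc._msdcs.<domain>` is the standard locator for the DC holding the PDC emulator role rather than a per-host record.

```shell
#!/bin/bash
# Added example (not from the thread, Samba or the Samba wiki): verify that
# every DC is advertised in the AD locator SRV records that clients and
# samba-tool use to find DCs. Domain and DC names are the ones in the post.
DOMAIN=biuro.gpm-vindexus.pl
DCS="pdc.$DOMAIN qdc.$DOMAIN"

# These records must list every DC. _ldap._tcp.pdc._msdcs.$DOMAIN is the
# locator for the PDC emulator role, not a per-host record, so a host named
# "qdc" is not expected to have a "qdc._msdcs" entry of its own.
SRV_NAMES="_ldap._tcp.dc._msdcs.$DOMAIN _kerberos._tcp.dc._msdcs.$DOMAIN
_ldap._tcp.$DOMAIN _kerberos._tcp.$DOMAIN _kpasswd._tcp.$DOMAIN"

# srv_targets: read 'host -t SRV' output on stdin and print the target
# hosts without the trailing dot. An NXDOMAIN answer yields no lines.
srv_targets() {
    awk '/has SRV record/ { t = $NF; sub(/\.$/, "", t); print t }'
}

# report_record NAME OUTPUT: print OK/MISSING per DC for one record and
# return the number of DCs missing from it (0 = fully advertised).
report_record() {
    local name=$1 out=$2 missing=0 dc
    for dc in $DCS; do
        if printf '%s\n' "$out" | srv_targets | grep -qxF "$dc"; then
            echo "OK       $name -> $dc"
        else
            echo "MISSING  $name -> $dc"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_all: query the live DNS (needs 'host' and the AD DNS server) and
# return the total number of missing DC entries across all records.
check_all() {
    local name total=0
    for name in $SRV_NAMES; do
        report_record "$name" "$(host -t SRV "$name" 2>&1)" || total=$((total + $?))
    done
    echo "total missing DC entries: $total"
    return "$total"
}

# Run the live check only when asked, so the functions can be sourced/tested.
if [ "${1:-}" = "--check" ]; then
    check_all
fi
```

Run it with `--check` on either DC; a MISSING line for qdc points at the records that samba_dnsupdate on qdc (the tool already discussed above) is supposed to register.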

