[Samba] after a couple of years of success it is not possible to add workstations to domain

Massimo Donato donato at adcom.it
Wed Feb 7 18:22:25 UTC 2018



Thank you Denis for your answer.


On 07/02/2018 18:40, Denis Cardon via samba wrote:
> Hi Massimo,
>
>>>>
>>>>> On 05/02/2018 16:41, Rowland Penny wrote:
>>>>>> On Mon, 5 Feb 2018 16:01:27 +0100
>>>>>> "Massimo Donato - Adcom.it via samba" <samba at lists.samba.org> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>> after a couple of years of a successfully working Samba AD DC it is
>>>>>>> not possible to add workstations to the domain.
>>>>>>> Since a few days ago, in Windows I get a message complaining that the
>>>>>>> account previously exists, and to try access with a different
>>>>>>> account. After some investigation I found that the backupDC was in
>>>>>>> hardware fault. The primary seems to work great, but I am still unable
>>>>>>> to add workstations to the domain.
>>>>>>> It seems like something is missing.
>>>>>>> Samba version is 4.7.4 (upgraded during investigation).
>>>>>>>
>>>>>>> Any advice? Where to look?
>>>>>>>
>>>>>> One of the problems here is that you are thinking in terms of 'primary'
>>>>>> and 'backup' DCs. You haven't got a 'primary' DC or a 'backup' DC, you
>>>>>> just have two DCs and they should both contain exactly the same data in
>>>>>> AD. Problem is, when your second DC became faulty, it may have
>>>>>> corrupted AD on the DC and then replicated this corruption to the
>>>>>> first DC.
>>>>>>
>>>>>> I would turn off the faulty DC (if it is still running), demote the
>>>>>> dead DC and then run 'samba-tool dbcheck'
>>>>>>
>>>>>> But, before I tried to do anything, I would ensure that the first DC
>>>>>> was fully backed up.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>> Thank you Rowland for your answer.
>>>>> I understand what you mean regarding DCs; there were just two DCs.
>>>>> The faulty DC is no longer in our datacenter (disk dead),
>>>>> so I have one DC that is corrupted. I have a backup, but only from after
>>>>> the corruption.
>>>>> dbcheck is good, even with the ncs option, 0 errors.
>>>>> Any other advice on what to check?
>>>>
>>>> which server is/was the RID FSMO role owner?
>>>>
>>>> Denis
>>> I think the one that still lives; it was the first one I configured.
>>>
>>> I tried something so as not to bother the whole list; may this help?
>>>
>>> [root@zeus log]# samba-tool dbcheck --fix
>>> WARNING: The "profile acls" option is deprecated
>>> Checking 309 objects
>>> Checked 309 objects (0 errors)
>>> [root@zeus log]# samba-tool dbcheck --cross-nc --fix
>>> WARNING: The "profile acls" option is deprecated
>>> Checking 3578 objects
>>> Checked 3578 objects (0 errors)
>>> [root@zeus log]# samba-tool drs showrepl
>>> WARNING: The "profile acls" option is deprecated
>>> Default-First-Site-Name\ZEUS
>>> DSA Options: 0x00000001
>>> DSA object GUID: e0a28581-6f38-4a9e-b593-43b65cafb872
>>> DSA invocationId: adb5b609-20d2-4b4c-a8da-1bdb74dc444e
>>>
>>> ==== INBOUND NEIGHBORS ====
>>>
>>> ==== OUTBOUND NEIGHBORS ====
>>>
>>> ==== KCC CONNECTION OBJECTS ====
>> I also tried this, with no errors.
>> Any idea how to remove the dead server from the DNS entries?
>>
>> [root@zeus /]# host -t SRV _kerberos._udp.somdomain.com.
>> _kerberos._udp.somdomain.com has SRV record 0 100 88 zeus.somdomain.com.
>> _kerberos._udp.somdomain.com has SRV record 0 100 88 backupdc.somdomain.com.
>> [root@zeus /]# host -t SRV _ldap._tcp.somdomain.com
>> _ldap._tcp.somdomain.com has SRV record 0 100 389 zeus.somdomain.com.
>> _ldap._tcp.somdomain.com has SRV record 0 100 389 backupdc.somdomain.com.
>
> if you are in 4.7, then
>
> samba-tool domain demote --remove-other-dead-server=backupdc
>
> it should remove both the computer/ntdsa entries and the dns entries.
>
> Cheers,
>
> Denis
I tried your demote and the answer was:

[root@zeus ~]# samba-tool domain demote --remove-other-dead-server=backupdc
WARNING: The "profile acls" option is deprecated
ERROR: Demote failed: DemoteException: backupdc is not an AD DC in somdomain.com
A transaction is still active in ldb context [0x27bfd20] on tdb:///usr/local/samba/private/sam.ldb

and also

host -t SRV _kerberos._udp.somdomain.com.

still reports the same.

In the meanwhile I also tried to update to 4.7.5, with no errors/improvements.
I still can't add workstations to the domain, and also "rsat aduc" is not able
to detect the domain.

I also increased the log level and now, some hours after startup, I found
this in winbindd.log:

[2018/02/07 19:19:02.377707,  1] ../source3/winbindd/winbindd_util.c:361(trustdom_list_done)
   trustdom_list_done: Could not receive trusts for domain somdomain.com
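
The stale SRV records visible in the `host -t SRV` output quoted above can be checked mechanically. The following is an added example, not part of the original message and not a Samba tool: `stale_srv_targets` is a hypothetical helper that reads `host -t SRV` output and lists every target that is not in the given set of live DCs; the sample lines are constructed from the output quoted in the thread, with the mail line wraps removed.

```shell
#!/bin/sh
# Added example: list SRV targets that are not in the set of live DCs.
# stale_srv_targets is a hypothetical helper, not a Samba tool.
# Usage: host -t SRV _ldap._tcp.DOMAIN | stale_srv_targets LIVE_DC_FQDN...
stale_srv_targets() {
    live=" "
    for dc in "$@"; do
        # Normalise each live DC name: lower-case, no trailing dot.
        dc=$(printf '%s' "$dc" | tr 'A-Z' 'a-z')
        live="$live${dc%.} "
    done
    # host prints: "<name> has SRV record <prio> <weight> <port> <target>."
    awk -v live="$live" '
        / has SRV record / {
            target = tolower($NF)
            sub(/\.$/, "", target)
            # Report each unknown target once.
            if (index(live, " " target " ") == 0 && !seen[target]++)
                print target
        }'
}

# Constructed sample: the SRV answers quoted in the thread, unwrapped.
sample_srv_output() {
    cat <<'EOF'
_kerberos._udp.somdomain.com has SRV record 0 100 88 zeus.somdomain.com.
_kerberos._udp.somdomain.com has SRV record 0 100 88 backupdc.somdomain.com.
_ldap._tcp.somdomain.com has SRV record 0 100 389 zeus.somdomain.com.
_ldap._tcp.somdomain.com has SRV record 0 100 389 backupdc.somdomain.com.
EOF
}

# On a real DC, pipe live queries in instead of the sample, e.g.:
#   for rr in _kerberos._udp _ldap._tcp; do
#       host -t SRV "$rr.somdomain.com"
#   done | stale_srv_targets zeus.somdomain.com
sample_srv_output | stale_srv_targets zeus.somdomain.com
```

An empty result means every SRV target is a known live DC; any name printed is a record that clients may still be directed to.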






