[Samba] messy replication

L.P.H. van Belle belle at bazuin.nl
Tue Jul 16 12:49:02 UTC 2019


I've summarized a bit.. 
And I saw Rowland also answered already. 
Below is anonymized, but it shows 2 completely different server setups. 
I really suggest you set up your AD-DCs the same. 

To sum up. 

DC1 

Samba is running as an AD DC but 'winbindd' is NOT running. 
You're running SSSD on the AD-DC, which is not supported. 
You're using a really outdated OS.. 

The hosts file is not correct: 
127.0.0.1	localhost.localdomain	localhost 
Better
127.0.0.1	localhost  localhost.localdomain


resolv.conf is not correctly set up; sidenote, it's possible, but not needed. 
nsswitch.conf refers to sss, not winbind, 
which is not supported. 

Smb.conf.. 
realm = USE-CAPS-FOR-KERBEROSDOMAINS

You did not remove the base settings of a stand alone server. 
kdc:service ticket lifetime = 24
kdc:user ticket lifetime = 24
kdc:renewal lifetime = 168

These are better if set in krb5.conf 

And AD-DC domain server, with guest ok = yes ? 
By default no guest is allowed. 

Shares with too long names might give problems. 


Bind9 
auth-nxdomain yes;  # because this server is authoritative for this DNS domain name. 

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
Verify if bind still has access to that file. 

# packages. 
Still Lenny and Squeeze leftovers. 

All in all.. Hmm, well, that's a lot of time to fix this. 

Next DC2. 
Debian 9.5, outdated, should be 9.9. 

Hosts
Remove : 127.0.1.1 domain-controller 

/etc/nsswitch.conf
No setup, possible, but often not wanted. 

Smb.conf
A good to bad setting shown in realm= 

winbind use default domain = true 
This does not work on the AD-DCs. 

The kdc: entries to be removed. 

2x 	ldap server require strong auth = no 

This server uses internal DNS, the other BIND9_DLZ. 
> -----Original message-----
> From: Adam Weremczuk [mailto:adamw at matrixscience.com] 
> Sent: Tuesday, 16 July 2019 14:03
> To: L.P.H. van Belle; Rowland penny
> Subject: Re: [Samba] messy replication
> 
> Hi Louis and Rowland,
> 
> Thank you for a prompt reply.
> 
> I'm ok with skipping anonymisation as long as the files are 
> only shared 
> with you and maybe a small audience of other trusted Samba gurus.
> 
.... Removed .. 

> Both diagnostic log files attached.
> 
> Thanks,
> Adam
> 
> 
> On 16/07/19 12:38, L.P.H. van Belle via samba wrote:
> > Can you run this on both your DC's
> >
> > wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> > bash samba-collect-debug-info.sh
> >
> > As I'm seeing multiple "invalid parameter" messages, we need 
> to see more of the setup.
> > Anonymize the output if needed.
> >
> > Run this on both DC's  : touch /etc/samba/lmhosts
> > And that lmhosts message is gone.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Adam
> >> Weremczuk via samba
> >> Sent: Tuesday, 16 July 2019 13:30
> >> To: samba at lists.samba.org
> >> Subject: [Samba] messy replication
> >>
> >> Hi all,
> >>
> >> I have an old dc (4.0.9). Let's call it dc1.
> >> I also have a new one (4.5.16) which I'm planning to 
> switch to. Let's
> >> call it dc2.
> >>
> >> After initial set up of dc2 I initialised replication and
> >> things looked
> >> ok for a couple of weeks.
> >> Recently I've managed to mess it up. Possibly by editing
> >> users and DNS
> >> records. Or copying Kerberos cache and trying to use it 
> elsewhere for
> >> DHCP with DDNS.
> >>
> >> I can connect to DNS with Windows domain tool fine and can see both
> >> domain controllers.
> >>
> >> Active Directory Users and Computers fails intermittently
> >> (not always) with:
> >>
> >> "Naming information cannot be located because:
> >> The user name or password is incorrect.
> >> Contact your system administrator to verify that your domain
> >> is properly
> >> configured and is currently online"
> >>
> >> Another symptom is network drives not being automatically
> >> mounted with
> >> group policy (similar authentication error).
> >> They can be mounted manually though.
> >> Users can log in and computers can quit and rejoin the domain.
> >> So the situation is not dramatic yet.
> >>
> >> Errors from samba-tool (output abbreviated).
> >>
> >> *dc1:* samba-tool drs showrepl
> >>
> >> ==== INBOUND NEIGHBORS ====
> >>
> >> DC=DomainDnsZones
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1463 consecutive failure(s)
> >>
> >> DC=ForestDnsZones
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1463 consecutive failure(s)
> >>
> >> DC=my_domain_name
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1474 consecutive failure(s)
> >>
> >> DC=Schema
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1463 consecutive failure(s)
> >>
> >> DC=Configuration
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 1463 consecutive failure(s)
> >>
> >> ==== OUTBOUND NEIGHBORS ====
> >>
> >> DC=DomainDnsZones
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 26 consecutive failure(s)
> >>
> >> DC=ForestDnsZones
> >> Last attempt @ NTTIME(0) was successful
> >> 0 consecutive failure(s)
> >>
> >> DC=my_domain_name
> >> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> >> 26 consecutive failure(s)
> >>
> >> DC=Schema
> >> Last attempt @ NTTIME(0) was successful
> >> 0 consecutive failure(s)
> >>
> >> DC=Configuration
> >> Last attempt @ NTTIME(0) was successful
> >> 0 consecutive failure(s)
> >>
> >> *dc2:* All the sections above show success but I can see some
> >> other errors:
> >>
> >> resolve_lmhosts: Attempting lmhosts lookup for name
> >> dc2.my_domain_name<0x20>
> >> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts.
> >> Error was No
> >> such file or directory
> >>
> >> Server ldap/dc2.my_domain_name at my_domain_name is not
> >> registered with our
> >> KDC:  Miscellaneous failure (see text): Server
> >> (ldap/dc2.my_domain_name at my_domain_name) unknown
> >> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
> >> NT_STATUS_INVALID_PARAMETER
> >>
> >> *dc1: *samba-tool dbcheck
> >>
> >> Checking 466 objects
> >> ERROR: orphaned backlink attribute 'memberOf' in CN=...
> >> Not removing orphaned backlink member
> >>
> >> ERROR: incorrect DN string component for member in object CN=...
> >> Not fixing incorrect string version of DN
> >>
> >> ERROR: orphaned backlink attribute 'memberOf' in CN=...
> >> Not removing orphaned backlink member
> >>
> >> Please use --fix to fix these errors
> >> Checked 466 objects (86 errors)
> >>
> >> *dc2:* samba-tool dbcheck
> >>
> >> Processing section "[netlogon]"
> >> Processing section "[sysvol]"
> >> pm_process() returned Yes
> >> Checking 466 objects
> >> Checked 466 objects (0 errors)
> >>
> >> I don't care about any data on dc2. I'm happy to purge it 
> and re-run
> >> replication if it makes my issue go away.
> >>
> >> But I do care a lot about dc1 since it's live and was working
> >> fine not
> >> long ago.
> >>
> >> What's the likely root cause of my problems?
> >>
> >> How to fix it safely without risking things getting worse?
> >>
> >> Is it safe to run "samba-tool dbcheck --fix" on dc1?
> >>
> >> Any other hints?
> >>
> >> Thanks,
> >> Adam
> >>
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
> >
> 
> 
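The checklist Louis walks through above (realm in capitals, no `kdc:` lifetimes in smb.conf, no `guest ok` on a DC, `winbind use default domain` having no effect on a DC, `ldap server require strong auth = no`, sss instead of winbind in nsswitch.conf, and the `127.0.1.1` and `localhost` ordering in /etc/hosts) can be turned into a small lint that a DC admin runs before comparing two DCs. The script below is an added example and is not code from the thread or from the Samba project; the file paths it reads are arguments, the sample smb.conf, nsswitch.conf and hosts files it creates are constructed to mirror the DC1 findings, and the key matching is a simplification (exact key spelling, first match wins) rather than Samba's own parser:

```shell
#!/bin/sh
# Added example (not from the thread): lint an AD DC's smb.conf, nsswitch.conf
# and /etc/hosts for the problems listed in the reply above. POSIX sh only.
# Each check prints one finding per line; no output means nothing was found.

# smb_get FILE KEY -> value of the first "KEY = value" line, trailing blanks trimmed
smb_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# lower STR -> STR in lower case
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_smb_conf FILE -> smb.conf findings
check_smb_conf() {
    f="$1"
    realm=$(smb_get "$f" realm)
    # Kerberos realm names are case sensitive; Samba expects the realm in capitals.
    if [ -n "$realm" ] && [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "smb.conf: realm '$realm' must be upper case"
    fi
    # kdc:* ticket lifetimes are stand-alone server leftovers; krb5.conf is the place for them.
    grep -E '^[[:space:]]*kdc:' "$f" | sed 's/^[[:space:]]*/smb.conf: move to krb5.conf: /'
    # A DC allows no guest access by default; "guest ok = yes" re-enables it.
    case "$(lower "$(smb_get "$f" 'guest ok')")" in
        yes|true|1) echo "smb.conf: guest ok = yes on a DC" ;;
    esac
    # Dropping the domain prefix does not work on an AD DC.
    case "$(lower "$(smb_get "$f" 'winbind use default domain')")" in
        yes|true|1) echo "smb.conf: winbind use default domain does not work on a DC" ;;
    esac
    # "no" accepts LDAP simple binds without TLS and unsigned SASL binds.
    case "$(lower "$(smb_get "$f" 'ldap server require strong auth')")" in
        no|false|0) echo "smb.conf: ldap server require strong auth = no weakens LDAP binds" ;;
    esac
}

# check_nsswitch FILE -> findings for the passwd and group databases
check_nsswitch() {
    for db in passwd group; do
        src=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$1" | head -n 1 | tr '\t' ' ')
        case " $src " in
            *" sss "*) echo "nsswitch.conf: $db uses sss, not supported on a Samba AD DC" ;;
        esac
        case " $src " in
            *" winbind "*) ;;
            *) echo "nsswitch.conf: $db does not list winbind (possible, but usually wanted on a DC)" ;;
        esac
    done
}

# check_hosts FILE -> findings for the loopback entries
check_hosts() {
    # The "127.0.1.1 <hostname>" line should be removed on a DC.
    grep -E '^[[:space:]]*127\.0\.1\.1[[:space:]]' "$1" | sed 's/^[[:space:]]*/hosts: remove: /'
    # On the 127.0.0.1 line "localhost" comes first, then localhost.localdomain.
    first=$(awk '$1 == "127.0.0.1" { print $2; exit }' "$1")
    if [ -n "$first" ] && [ "$first" != "localhost" ]; then
        echo "hosts: 127.0.0.1 should list localhost first, not $first"
    fi
}

# lint_dc DIR -> all findings for DIR/smb.conf, DIR/nsswitch.conf and DIR/hosts
lint_dc() {
    check_smb_conf "$1/smb.conf"
    check_nsswitch "$1/nsswitch.conf"
    check_hosts "$1/hosts"
}

# Constructed sample files mirroring the DC1 findings (not the poster's real files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/smb.conf" <<'EOF'
[global]
	workgroup = EXAMPLE
	realm = example.lan
	server role = active directory domain controller
	kdc:service ticket lifetime = 24
	kdc:user ticket lifetime = 24
	kdc:renewal lifetime = 168
	winbind use default domain = true
	ldap server require strong auth = no
[shared]
	path = /srv/samba/shared
	guest ok = yes
EOF
printf 'passwd:\tcompat sss\ngroup:\tcompat sss\nhosts:\tfiles dns\n' > "$tmp/nsswitch.conf"
printf '127.0.0.1\tlocalhost.localdomain\tlocalhost\n127.0.1.1\tdomain-controller\n' > "$tmp/hosts"

lint_dc "$tmp"
```

Run it against a real DC with `lint_dc /path/to/dir` after copying the three files into one directory, or point the three check functions at `/etc/samba/smb.conf`, `/etc/nsswitch.conf` and `/etc/hosts` directly; an empty result on both DCs is the baseline Louis asks for before comparing them further.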