[Samba] messy replication
rpenny at samba.org
Tue Jul 16 13:01:51 UTC 2019
On 16/07/2019 13:49, L.P.H. van Belle via samba wrote:
> I've summarized a bit..
> And I saw Rowland also answered already.
> Below is anonymized, but it shows 2 completely different server setups.
> I really suggest you set up your AD-DCs the same.
> To sum up.
> Samba is running as an AD DC but 'winbindd' is NOT running.
> You're running SSSD on the AD-DC, which is not supported.
> You're using a really outdated OS..
> The hosts file is not correct:
> 127.0.0.1 localhost.localdomain localhost
> 127.0.0.1 localhost localhost.localdomain
> resolv.conf is not correctly set up, sidenote, it's possible, but not needed.
> nsswitch.conf refers to sss, not winbind.
> Which is not supported.
> realm = USE-CAPS-FOR-KERBEROSDOMAINS
> You did not remove the base settings of a stand alone server.
> kdc:service ticket lifetime = 24
> kdc:user ticket lifetime = 24
> kdc:renewal lifetime = 168
> Are better if set in krb5.conf
> And AD-DC domain server, with guest ok = yes ?
> By default no guest is allowed.
> Shares with too long names might give problems.
> auth-nxdomain yes; # because this server is autoritive for this dnsdomain name.
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> Verify if bind still has access to that file.
> # packages.
> Still Lenny and Squeeze leftovers.
> All in all.. Hmm, well, that's a lot of time to fix this.
> Next DC2.
> Debian 9.5, outdated, should be 9.9.
> Remove: 127.0.1.1 domain-controller
> No setup, possible, but often not wanted.
> A good to bad setting shown in realm=
> winbind use default domain = true
> Where this is not working on the AD-DCs.
> The kdc: entries to be removed.
> 2x ldap server require strong auth = no
> This server used internal DNS the other BIND9_DLZ
Virtually what I found, an out-of-date Samba AD DC, that was wrongly set
up in the first place. I would demote DC2 and then fix DC1 before
joining a new second DC (with a different name).
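The checks Louis lists above can be turned into a repeatable audit before the DCs are rebuilt. The script below is an added example written for this thread, not code from the thread or from the Samba project: it greps an smb.conf, an nsswitch.conf and a hosts file for the specific misconfigurations named in the reply (lower-case realm, kdc: lifetimes in smb.conf, guest ok on a DC, winbind use default domain on a DC, ldap server require strong auth = no, sss instead of winbind, 127.0.1.1 and duplicate 127.0.0.1 entries). The sample files it writes to a temporary directory are constructed to mirror the DC1/DC2 findings; point the audit functions at the real /etc paths to run it on a live DC.

```shell
#!/bin/sh
# Added example (not from the thread): audit Samba AD DC config files for the
# misconfigurations called out in the reply. Sample files below are constructed.
set -eu

# One finding per line for an smb.conf; always exits 0 so it can be piped.
audit_smb_conf() {
    smb="$1"
    # realm must be the Kerberos realm in upper case
    realm_val=$(sed -n 's/^[[:space:]]*[Rr][Ee][Aa][Ll][Mm][[:space:]]*=[[:space:]]*//p' "$smb" | head -n 1)
    if [ "$realm_val" != "$(printf '%s' "$realm_val" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "smb.conf: realm '$realm_val' is not upper case"
    fi
    # kdc:* ticket lifetimes belong in krb5.conf, not in smb.conf
    if grep -Eiq '^[[:space:]]*kdc:' "$smb"; then
        echo "smb.conf: kdc:* lifetime settings present; set ticket lifetimes in krb5.conf instead"
    fi
    # guest access is off by default and has no place on a domain controller
    if grep -Eiq '^[[:space:]]*guest ok[[:space:]]*=[[:space:]]*yes' "$smb"; then
        echo "smb.conf: 'guest ok = yes' on a DC; remove it"
    fi
    # member-server option that does not work on an AD DC
    if grep -Eiq '^[[:space:]]*winbind use default domain[[:space:]]*=[[:space:]]*(true|yes)' "$smb"; then
        echo "smb.conf: 'winbind use default domain' set; it does not work on an AD DC"
    fi
    # disabling strong auth allows unsigned, unencrypted simple binds to the DC's LDAP
    if grep -Eiq '^[[:space:]]*ldap server require strong auth[[:space:]]*=[[:space:]]*no' "$smb"; then
        echo "smb.conf: 'ldap server require strong auth = no' weakens LDAP; remove it so the default (yes) applies"
    fi
    return 0
}

# nsswitch.conf on a DC must use winbind, not sss
audit_nsswitch() {
    nss="$1"
    if grep -Eq '^[[:space:]]*(passwd|group):.*[[:space:]]sss([[:space:]]|$)' "$nss"; then
        echo "nsswitch.conf: passwd/group use 'sss'; SSSD on a Samba AD DC is not supported"
    fi
    if ! grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$nss"; then
        echo "nsswitch.conf: passwd does not list 'winbind'"
    fi
    return 0
}

# hosts: the DC's name must map to its real address, and localhost only once
audit_hosts() {
    hosts="$1"
    if grep -Eq '^[[:space:]]*127\.0\.1\.1[[:space:]]' "$hosts"; then
        echo "hosts: 127.0.1.1 entry found; remove it and map the DC name to its real IP"
    fi
    if [ "$(grep -Ec '^[[:space:]]*127\.0\.0\.1[[:space:]]' "$hosts")" -gt 1 ]; then
        echo "hosts: more than one 127.0.0.1 line; keep a single 'localhost' entry"
    fi
    return 0
}

# count_findings <audit-fn> <file>: prints the number of findings, exits 0
count_findings() {
    "$1" "$2" | grep -c . || true
}

# Constructed sample files modelled on the DC1/DC2 findings (not the real configs).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/dc1-smb.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = example.lan
    server role = active directory domain controller
    kdc:service ticket lifetime = 24
    kdc:user ticket lifetime = 24
    kdc:renewal lifetime = 168
    guest ok = yes
EOF
cat > "$SAMPLE_DIR/dc2-smb.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    winbind use default domain = true
    kdc:user ticket lifetime = 24
    ldap server require strong auth = no
EOF
cat > "$SAMPLE_DIR/good-smb.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    server role = active directory domain controller
EOF
printf 'passwd: files sss\ngroup:  files sss\n' > "$SAMPLE_DIR/bad-nsswitch.conf"
printf 'passwd: files winbind\ngroup:  files winbind\n' > "$SAMPLE_DIR/good-nsswitch.conf"
printf '127.0.0.1 localhost.localdomain localhost\n127.0.0.1 localhost localhost.localdomain\n127.0.1.1 dc1.example.lan dc1\n' > "$SAMPLE_DIR/bad-hosts"
printf '127.0.0.1 localhost\n192.0.2.10 dc1.example.lan dc1\n' > "$SAMPLE_DIR/good-hosts"

for cfg in dc1-smb.conf dc2-smb.conf good-smb.conf; do
    echo "== $cfg: $(count_findings audit_smb_conf "$SAMPLE_DIR/$cfg") finding(s)"
    audit_smb_conf "$SAMPLE_DIR/$cfg"
done
audit_nsswitch "$SAMPLE_DIR/bad-nsswitch.conf"
audit_hosts "$SAMPLE_DIR/bad-hosts"
```

Run as `sh audit-dc.sh`; on a live DC call `audit_smb_conf /etc/samba/smb.conf`, `audit_nsswitch /etc/nsswitch.conf` and `audit_hosts /etc/hosts` instead of the samples. The checks are deliberately pattern-based and only cover the items raised in the thread; `samba-tool testparm` and `samba-tool dbcheck` remain the authoritative checks for the rest of the configuration and the directory.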