[Samba] messy replication

Rowland penny rpenny at samba.org
Tue Jul 16 13:01:51 UTC 2019


On 16/07/2019 13:49, L.P.H. van Belle via samba wrote:
> I've summarized a bit..
> And I saw Rowland also answered already.
> Below is anonymized, but it shows 2 completely different server setups.
> I really suggest you set up your AD-DCs the same.
>
> To sum up.
>
> DC1
>
> Samba is running as an AD DC but 'winbindd' is NOT running.
> You are running SSSD on the AD-DC, which is not supported.
> You are using a really out-dated OS..
>
> The hosts file is not correct:
> 127.0.0.1	localhost.localdomain	localhost
> Better
> 127.0.0.1	localhost  localhost.localdomain
>
>
> resolv.conf is not correctly set up; side note, it's possible, but not needed.
> nsswitch.conf refers to sss, not winbind.
> Which is not supported.
>
> Smb.conf..
> realm = USE-CAPS-FOR-KERBEROSDOMAINS
>
> You did not remove the base settings of a stand-alone server.
> kdc:service ticket lifetime = 24
> kdc:user ticket lifetime = 24
> kdc:renewal lifetime = 168
>
> Are better if set in krb5.conf
>
> An AD-DC domain server with guest ok = yes?
> By default no guest is allowed.
>
> Shares with too long names might give problems.
>
>
> Bind9
> auth-nxdomain yes;  # because this server is authoritative for this dns domain name.
>
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> Verify if bind still has access to that file.
>
> # packages.
> Still Lenny and Squeeze leftovers.
>
> All in all.. Hmm, well, that's a lot of time to fix this.
>
> Next DC2.
> Debian 9.5, out-dated, should be 9.9.
>
> Hosts
> Remove: 127.0.1.1 domain-controller
>
> /etc/nsswitch.conf
> No setup; possible, but often not wanted.
>
> Smb.conf
> A good to bad setting shown in realm=
>
> winbind use default domain = true
> Which is not working on the AD-DCs.
>
> The kdc: entries are to be removed.
>
> 2x 	ldap server require strong auth = no
>
> This server uses internal DNS, the other BIND9_DLZ

Virtually what I found: an out-of-date Samba AD DC that was wrongly set up in the first place. I would demote DC2 and then fix DC1 before joining a new second DC (with a different name).

Rowland
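As an added example (not code from the thread, from the posters, or from the Samba project), the checks below turn the review points above into a small lint over a DC's smb.conf, nsswitch.conf and /etc/hosts: lower-case realm, leftover kdc: lifetime settings, 'ldap server require strong auth = no', 'winbind use default domain' on a DC, 'guest ok = yes', sss instead of winbind in nsswitch.conf, and a 127.0.1.1 line for the DC's own name. The configuration snippets are constructed for illustration; the hostname dc2, the realm AD.EXAMPLE.COM and the 192.0.2.10 address are assumptions. The parser approximates Samba's own handling of parameter names (case- and whitespace-insensitive) by lower-casing and collapsing whitespace.

```python
"""Lint a Samba AD DC's smb.conf, nsswitch.conf and /etc/hosts for the
mistakes called out in the thread. Added example, not code from the thread
or from the Samba project; all sample configuration below is constructed."""
import re

# Constructed smb.conf reproducing the problems listed in the review.
SMB_CONF_BAD = """
[global]
    realm = ad.example.com
    server role = active directory domain controller
    kdc:service ticket lifetime = 24
    kdc:user ticket lifetime = 24
    kdc:renewal lifetime = 168
    ldap server require strong auth = no
    winbind use default domain = true
    guest ok = yes
[sysvol]
    path = /var/lib/samba/sysvol
"""
# Constructed minimal [global] with the same points corrected.
SMB_CONF_GOOD = """
[global]
    realm = AD.EXAMPLE.COM
    server role = active directory domain controller
"""
NSSWITCH_BAD = "passwd: compat sss\ngroup:  compat sss\nhosts:  files dns\n"
NSSWITCH_GOOD = "passwd: files winbind\ngroup:  files winbind\nhosts:  files dns\n"
HOSTS_BAD = ("127.0.0.1\tlocalhost.localdomain\tlocalhost\n"
             "127.0.1.1\tdc2\n"  # Debian default line, wrong on a DC
             "192.0.2.10\tdc2.ad.example.com\tdc2\n")
HOSTS_GOOD = ("127.0.0.1\tlocalhost localhost.localdomain\n"
              "192.0.2.10\tdc2.ad.example.com dc2\n")


def parse_smb_conf(text):
    """Return {section: {param: value}}. Samba ignores case and whitespace in
    parameter names; lower-casing and collapsing whitespace approximates that."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_true(value):
    # Samba accepts yes/true/1 for boolean parameters.
    return value.strip().lower() in ("yes", "true", "1")


def lint_smb_conf(text):
    findings = []
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    realm = g.get("realm")
    if realm and realm != realm.upper():
        findings.append("realm must be upper-case (it is the Kerberos realm)")
    kdc = sorted(k for k in g if k.startswith("kdc:"))
    if kdc:
        findings.append("remove leftover kdc: lifetime settings: " + ", ".join(kdc))
    if g.get("ldap server require strong auth", "").lower() == "no":
        findings.append("'ldap server require strong auth = no' allows weak LDAP binds")
    if is_true(g.get("winbind use default domain", "")):
        findings.append("'winbind use default domain' does not work on an AD DC")
    for section, params in conf.items():
        if is_true(params.get("guest ok", "")):
            findings.append(f"[{section}] sets 'guest ok = yes' on a domain controller")
    return findings


def lint_nsswitch(text):
    findings = []
    for line in text.splitlines():
        db, _, sources = line.partition(":")
        db, srcs = db.strip(), sources.split()
        if db in ("passwd", "group"):
            if "sss" in srcs:
                findings.append(f"nsswitch {db}: uses sss (SSSD is not supported on a DC)")
            if "winbind" not in srcs:
                findings.append(f"nsswitch {db}: winbind missing")
    return findings


def lint_hosts(text, hostname):
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        if addr == "127.0.0.1" and names[0] != "localhost":
            findings.append("127.0.0.1 should list 'localhost' first")
        if addr == "127.0.1.1" and hostname in names:
            findings.append(f"remove '127.0.1.1 {hostname}': the DC name must map to its real IP")
    return findings


def lint_dc(smb_conf, nsswitch, hosts, hostname):
    """Combine all checks; an empty list means the reviewed points are clean."""
    return lint_smb_conf(smb_conf) + lint_nsswitch(nsswitch) + lint_hosts(hosts, hostname)


if __name__ == "__main__":
    for f in lint_dc(SMB_CONF_BAD, NSSWITCH_BAD, HOSTS_BAD, "dc2"):
        print("-", f)
```

Run against the real files by reading /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/hosts (paths are the usual Debian ones) and passing the DC's short hostname. The lint only covers the points raised in the thread; `samba-tool dbcheck` and `testparm` remain the authoritative checks for the database and the config syntax.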
