[Samba] messy replication
L.P.H. van Belle
belle at bazuin.nl
Tue Jul 16 13:11:46 UTC 2019
Hai Rowland,
Yes, I agree here, better to correct DC1, then join new.
So I'll post this, it's focused on Debian servers, but usable for any other.
I've run the debug on the company AD-DC server here.
A good example for an AD-DC setup with Bind9_DLZ.
And remember, most is on/from wiki.samba.org
I'm running this. (Debian Stretch as AD-DC)
This server started as a wheezy server and is upgraded to stretch, and soon to buster.
The base of the below shown results of the debug script is this setup.
https://github.com/thctlo/samba4/blob/master/howtos/
If you follow these howtos your setup will be much better.
Use that and below also to adjust your settings.
P.S. above is based on jessie and samba 4.5.x, small adjustments might be needed.
Collected config --- 2019-07-16-14:51 -----------
Hostname: dc1
DNS Domain: internal.dnsdomain.tld
FQDN: dc1.internal.dnsdomain.tld
ipaddress: 192.168.1.1
-----------
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 9.9 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 82:1c:e1:ab:0e:76 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.249.255 scope global eth0
-----------
Checking file: /etc/hosts
127.0.0.1 localhost localhost.localdomain
192.168.1.1 dc1.internal.dnsdomain.tld dc1
-----------
Checking file: /etc/resolv.conf
# DC 1 is the first resolver for both DC's.
search internal.dnsdomain.tld
nameserver 192.168.1.1
nameserver 192.168.1.2
# Fallback for internet if both (samba-ad-dc) are down.
#nameserver 8.8.8.8
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = YOUR.REALM.TLD
dns_lookup_kdc = true
dns_lookup_realm = false
forwardable = true
proxiable = true
; ticket_lifetime = 24h
; ccache_type = 4
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
log level = 0
workgroup = BAZRTD
realm = YOUR.REALM.TLD
netbios name = DC1
server role = active directory domain controller
server services = -dns -spoolss
interfaces = 192.168.1.1 127.0.0.1
bind interfaces only = yes
# Dont forget to set the idmap_ldb on ALL DC's if you use it
idmap_ldb:use rfc2307 = yes
# expand groups is default set to 0,
# My setup needs a minimal of 2, preffered 4. But the higher the number, the slower your samba.
#winbind expand groups = 1
# Since we cant use : winbind nss info = rfc2307 : on the DC's.
template shell = /bin/bash
template homedir = /home/users/%U
# disable printing completely, when set empty no error log messages.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# disable usershares creating, when set empty no error in the logs.
usershare path =
# Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/dc1.key.pem
tls certfile = /etc/ssl/local/certs/dc1.cert.pem
tls cafile = /etc/ssl/certs/company-ca.pem
# Select what you need here.
# ldap server require strong auth = yes
# ldap server require strong auth = allow_sasl_over_tls
ldap server require strong auth = no
[sysvol]
path = /var/lib/samba/sysvol
read only = No
# acl_xattr:ignore system acls = yes # optional, i have these enabled.
[netlogon]
path = /home/samba/sysvol/internal.dnsdomain.tld/scripts
read only = No
# acl_xattr:ignore system acls = yes # optional, i have these enabled.
# comment on acl_xattr:ignore system acls = yes
# why not use it, you get better ACL's and only windows pc's use these.
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
// Defined ACL Begin
acl thisserverip {
192.168.1.1;
};
acl all-networks {
192.168.1.0/24; 10.1.0.0/16;
};
// Defined ACL End
options {
directory "/var/cache/bind";
version "0.0.7";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// XenoSite DNS servers + google DNS
forwarders { 62.212.131.101; 62.212.128.130; 8.8.8.8; };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation no;
auth-nxdomain yes;
listen-on-v6 { "none"; };
listen-on port 53 { "thisserverip"; 127.0.0.1; };
notify no;
empty-zones-enable no;
// Add any subnets or hosts you want to allow to use this DNS server
allow-query { "all-networks"; 127.0.0.1/32; };
// Add any subnets or hosts you want to allow to use recursive queries
allow-recursion { "all-networks"; 127.0.0.1/32; };
// https://wiki.samba.org/index.php/Dns-backend_bind
// DNS dynamic updates via Kerberos (optional, but recommended)
// Beware, samba 4.8 and lower.
//tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
// Beware, samba 4.9 and up.
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// adding the dlopen ( Bind DLZ ) module for samba, beware, if you using bind9.9 then you need to change this manualy
include "/var/lib/samba/bind-dns/named.conf";
// handy to have and ready to enable
//include "/etc/bind/named.conf.logging"
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
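An added example, not the debug script the post above was produced with and not Samba or BIND project code: a small Python audit that reads the kind of smb.conf, krb5.conf and named.conf.options shown above and flags the weak settings visible in them, namely `ldap server require strong auth = no`, the single-DES and RC4 enctypes listed next to AES in krb5.conf, and `dnssec-validation no`. The three inputs are constructed samples modelled on the quoted files, not the author's real configuration. The INI parser assumes the flat `[global]` / `[libdefaults]` layout seen here and does not handle the brace-nested `[realms]` blocks a full krb5.conf can contain; the list of enctypes treated as weak is my choice and is not something the page states.

```python
"""Flag weak settings in a Samba AD DC's smb.conf, krb5.conf and named.conf.options.

Added example: not the post author's debug script, not Samba/BIND project code.
All three inputs are constructed samples modelled on the files quoted in the post.
"""
import configparser
import re

# --- constructed sample inputs (not the author's actual files) ---------------
SMB_CONF = """\
[global]
workgroup = BAZRTD
realm = YOUR.REALM.TLD
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
tls enabled = yes
# Select what you need here.
# ldap server require strong auth = allow_sasl_over_tls
ldap server require strong auth = no
[sysvol]
path = /var/lib/samba/sysvol
read only = No
"""

KRB5_CONF = """\
[libdefaults]
default_realm = YOUR.REALM.TLD
dns_lookup_kdc = true
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

NAMED_CONF_OPTIONS = """\
acl all-networks { 192.168.1.0/24; 10.1.0.0/16; };
options {
    directory "/var/cache/bind";
    dnssec-validation no;
    allow-query { "all-networks"; 127.0.0.1/32; };
    allow-recursion { "all-networks"; 127.0.0.1/32; };
};
"""

# Enctypes treated as weak here (single DES, 3DES, RC4). This set is the example's
# own choice; the post only shows them listed next to AES.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def parse_ini(text):
    """Parse smb.conf / krb5.conf style text (flat sections only).

    '=' is the only delimiter so that keys such as 'idmap_ldb:use rfc2307' are not
    split at the colon; interpolation is off so '%U' in template paths is harmless.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def audit_smb_conf(text):
    """Return findings for the [global] section of an smb.conf."""
    findings = []
    g = parse_ini(text)["global"]
    strong = g.get("ldap server require strong auth", "yes").strip().lower()
    if strong == "no":
        findings.append("smb.conf: 'ldap server require strong auth = no' accepts simple LDAP "
                        "binds on an unprotected connection; use 'yes' or 'allow_sasl_over_tls'")
    if g.get("tls enabled", "yes").strip().lower() != "yes":
        findings.append("smb.conf: 'tls enabled' is off, so LDAPS/StartTLS are not offered")
    return findings


def audit_krb5_conf(text):
    """Return one finding per [libdefaults] enctype list that still names weak enctypes."""
    findings = []
    libdefaults = parse_ini(text)["libdefaults"]
    for key in ENCTYPE_KEYS:
        enctypes = libdefaults.get(key, "").split()
        weak = sorted(set(enctypes) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"krb5.conf: {key} still lists weak enctypes {', '.join(weak)}")
    return findings


def audit_named_options(text):
    """Regex checks over named.conf.options (not a full BIND config parser)."""
    findings = []
    m = re.search(r"dnssec-validation\s+(\w+)\s*;", text)
    if m and m.group(1).lower() == "no":
        findings.append("named.conf.options: 'dnssec-validation no' disables validation of "
                        "forwarded answers; 'auto' is the safer setting")
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", text)
    if m is None:
        findings.append("named.conf.options: no explicit allow-recursion ACL; recursion falls "
                        "back to BIND's built-in default instead of the site's networks")
    elif "any;" in re.sub(r"\s+", "", m.group(1)):
        findings.append("named.conf.options: allow-recursion includes 'any', an open resolver")
    return findings


def audit_all(smb_conf, krb5_conf, named_options):
    """Run all three audits and return the combined list of findings."""
    return audit_smb_conf(smb_conf) + audit_krb5_conf(krb5_conf) + audit_named_options(named_options)


if __name__ == "__main__":
    for finding in audit_all(SMB_CONF, KRB5_CONF, NAMED_CONF_OPTIONS):
        print(finding)
```

Run against the samples it reports five findings: the strong-auth setting, one line per enctype key, and the disabled DNSSEC validation. Both values the post shows commented out for `ldap server require strong auth` refuse simple binds on a connection TLS does not protect, which is what the smb.conf check is after; on a real DC you would read the files from `/etc/samba`, `/etc` and `/etc/bind` instead of the embedded strings.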
Samba DNS zone list: 15 zone(s) found
.... I removed some here.
pszZoneName : internal.dnsdomain.tld
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.internal.dnsdomain.tld
pszZoneName : 1.168.192
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.internal.dnsdomain.tld
pszZoneName : _msdcs.internal.dnsdomain.tld
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.internal.dnsdomain.tld
Samba DNS zone list Automated check :
-----------
zone : internal.dnsdomain.tld ok, no Bind flat-files found
-----------
zone : 1.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : _msdcs.internal.dnsdomain.tld ok, no Bind flat-files found
-----------
Installed packages:
ii acl 2.2.52-3+b1 amd64 Access control list utilities
ii attr 1:2.4.47-2+b2 amd64 Utilities for manipulating filesystem extended attributes
ii bind9 1:9.10.3.dfsg.P4-12.3+deb9u5 amd64 Internet Domain Name Server
ii bind9-host 1:9.10.3.dfsg.P4-12.3+deb9u5 amd64 Version of 'host' bundled with BIND 9.X
ii bind9utils 1:9.10.3.dfsg.P4-12.3+deb9u5 amd64 Utilities for BIND
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos
ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library
ii libacl1-dev 2.2.52-3+b1 amd64 Access control list static libraries and headers
ii libattr1:amd64 1:2.4.47-2+b2 amd64 Extended attribute shared library
ii libattr1-dev:amd64 1:2.4.47-2+b2 amd64 Extended attribute static libraries and headers
ii libbind9-140:amd64 1:9.10.3.dfsg.P4-12.3+deb9u5 amd64 BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.7-4 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba winbind client library
ii python-samba 2:4.10.6+nmu-1.1deb9~1 amd64 Python bindings for Samba
ii python3-xattr 0.9.1-1 amd64 module for manipulating filesystem extended attributes - Python 3
ii samba 2:4.10.6+nmu-1.1deb9~1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.10.6+nmu-1.1deb9~1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.10.6+nmu-1.1deb9~1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.10.6+nmu-1.1deb9~1 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.10.6+nmu-1.1deb9~1 amd64 command-line SMB/CIFS clients for Unix
ii ssh-krb5 1:7.4p1-10+deb9u6 all secure shell client and server (transitional package)
ii winbind 2:4.10.6+nmu-1.1deb9~1 amd64 service to resolve user and group information from Windows NT servers
ii xattr 0.9.1-1 amd64 tool for manipulating filesystem extended attributes
-----------
>
> Virtually what I found, an out of date Samba AD DC, that was
> wrongly set
> up in the first place. I would demote DC2 and then fix DC1 before
> joining a new second DC (with a different name)
>
> Rowland