[Samba] messy replication

Adam Weremczuk adamw at matrixscience.com
Tue Jul 16 14:19:25 UTC 2019


Hi all,

I'm simply overwhelmed with both the speed and quality of responses.

I wish all mailing lists and forums were like this!

I'm going to follow your suggestions and try to follow the template below.

My choice of new DC will probably be 4.9.5 on buster.

What steps would you recommend to unlink my broken 4.0.9 -> 4.5.16 replication before shutting down 4.5.16?

Is it sufficient to follow this: https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC ?

I'm just being extra cautious and double checking.

Thanks,
Adam


On 16/07/19 14:11, L.P.H. van Belle via samba wrote:
> Hai Rowland,
>
> Yes, agree here, better correct DC1, then join new.
>
> So I'll post this, it's focused on Debian servers, but usable for any other.
> I've run the debug on the company AD-DC server here.
>
> A good example for an AD-DC setup with Bind9_DLZ.
> And remember, most is on/from wiki.samba.org
>
> I'm running this. ( Debian Stretch as AD-DC )
>
> This server started as a wheezy server and is upgraded to stretch, and soon to buster.
> The results of the debug script shown below are based on this setup.
>
> https://github.com/thctlo/samba4/blob/master/howtos/
> If you follow these howtos your setup will be much better.
> Use that and the below also to adjust your settings.
> P.S. the above is based on jessie and samba 4.5.x; small adjustments might be needed.
>
>
> Collected config  --- 2019-07-16-14:51 -----------
>
> Hostname: dc1
> DNS Domain: internal.dnsdomain.tld
> FQDN: dc1.internal.dnsdomain.tld
> ipaddress: 192.168.1.1
>
> -----------
>
> Samba is running as an AD DC
>
> -----------
>         Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
> NAME="Debian GNU/Linux"
> VERSION_ID="9"
> VERSION="9 (stretch)"
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 9.9 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
>      link/ether 82:1c:e1:ab:0e:76 brd ff:ff:ff:ff:ff:ff
>      inet 192.168.1.1/24 brd 192.168.249.255 scope global eth0
>
> -----------
>         Checking file: /etc/hosts
>
> 127.0.0.1 localhost localhost.localdomain
> 192.168.1.1 dc1.internal.dnsdomain.tld dc1
>
> -----------
>
>         Checking file: /etc/resolv.conf
> # DC 1 is the first resolver for both DC's.
> search internal.dnsdomain.tld
> nameserver 192.168.1.1
> nameserver 192.168.1.2
> # Fallback for internet if both (samba-ad-dc) are down.
> #nameserver 8.8.8.8
>
> -----------
>
>         Checking file: /etc/krb5.conf
>
> [libdefaults]
>      default_realm = YOUR.REALM.TLD
>      dns_lookup_kdc = true
>      dns_lookup_realm = false
>      forwardable = true
>      proxiable = true
> ;    ticket_lifetime = 24h
> ;    ccache_type = 4
>
> ; for Windows 2003
> ;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> ; for Windows 2008 with AES
>      default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>      default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>      permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> -----------
>
>         Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> -----------
>
>         Checking file: /etc/samba/smb.conf
>
> [global]
>
>          log level = 0
>
>          workgroup = BAZRTD
>          realm = YOUR.REALM.TLD
>          netbios name = DC1
>
>          server role = active directory domain controller
>          server services = -dns -spoolss
>
>          interfaces = 192.168.1.1 127.0.0.1
>          bind interfaces only = yes
>
>          # Dont forget to set the idmap_ldb on ALL DC's if you use it
>          idmap_ldb:use rfc2307 = yes
>
>          # expand groups is default set to 0,
>          # My setup needs a minimal of 2, preffered 4. But the higher the number, the slower your samba.
>          #winbind expand groups = 1
>
>          # Since we cant use : winbind nss info = rfc2307 : on the DC's.
>          template shell = /bin/bash
>          template homedir = /home/users/%U
>
>          # disable printing completely, when set empty no error log messages.
>          load printers = no
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
>
>          # disable usershares creating, when set empty no error in the logs.
>          usershare path =
>
>          # Add and Update TLS Key
>          tls enabled = yes
>          tls keyfile = /etc/ssl/local/private/dc1.key.pem
>          tls certfile = /etc/ssl/local/certs/dc1.cert.pem
>          tls cafile = /etc/ssl/certs/company-ca.pem
>
> #	Select what you need here.
> #       ldap server require strong auth = yes
> #       ldap server require strong auth = allow_sasl_over_tls
>          ldap server require strong auth = no
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>          read only = No
> #        acl_xattr:ignore system acls = yes # optional, i have these enabled.
>
> [netlogon]
>          path = /home/samba/sysvol/internal.dnsdomain.tld/scripts
>          read only = No
> #        acl_xattr:ignore system acls = yes # optional, i have these enabled.
>
> # comment on acl_xattr:ignore system acls = yes
> # why not use it, you get better ACL's and only windows pc's use these.
>
>
> -----------
>
> Detected bind DLZ enabled..
>         Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> -----------
>
>         Checking file: /etc/bind/named.conf.options
>
> // Defined ACL Begin
> acl thisserverip {
>          192.168.1.1;
>          };
> acl all-networks {
>          192.168.1.0/24; 10.1.0.0/16;
>          };
> // Defined ACL End
>
> options {
>          directory "/var/cache/bind";
>          version "0.0.7";
>
>          // If there is a firewall between you and nameservers you want
>          // to talk to, you may need to fix the firewall to allow multiple
>          // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>
>          // If your ISP provided one or more IP addresses for stable
>          // nameservers, you probably want to use them as forwarders.
>          // Uncomment the following block, and insert the addresses replacing
>          // the all-0's placeholder.
>
>          // XenoSite DNS servers + google DNS
>          forwarders { 62.212.131.101; 62.212.128.130; 8.8.8.8; };
>
>          //========================================================================
>          // If BIND logs error messages about the root key being expired,
>          // you will need to update your keys.  See https://www.isc.org/bind-keys
>          //========================================================================
>          dnssec-validation no;
>          auth-nxdomain yes;
>          listen-on-v6 { "none"; };
>          listen-on port 53 { "thisserverip"; 127.0.0.1; };
>          notify no;
>          empty-zones-enable no;
>
>          //  Add any subnets or hosts you want to allow to use this DNS server
>          allow-query { "all-networks"; 127.0.0.1/32; };
>          //  Add any subnets or hosts you want to allow to use recursive queries
>          allow-recursion {  "all-networks"; 127.0.0.1/32; };
>
>          // https://wiki.samba.org/index.php/Dns-backend_bind
>          // DNS dynamic updates via Kerberos (optional, but recommended)
> 		// Beware, samba 4.8 and lower.
>          //tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> 		// Beware, samba 4.9 and up.
>          tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>
> };
>
> include "/etc/bind/rndc.key";
>      controls {
>       inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
> };
>
> -----------
>
>         Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> // adding the dlopen ( Bind DLZ ) module for samba, beware, if you using bind9.9 then you need to change this manualy
> include "/var/lib/samba/bind-dns/named.conf";
>
> // handy to have and ready to enable
> //include "/etc/bind/named.conf.logging"
>
> -----------
>
>         Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers
> zone "." {
>          type hint;
>          file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
>          type master;
>          file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>          type master;
>          file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>          type master;
>          file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>          type master;
>          file "/etc/bind/db.255";
> };
>
> -----------
>
> Samba DNS zone list:   15 zone(s) found
>
> .... i removed some here.
>
>    pszZoneName                 : internal.dnsdomain.tld
>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>    Version                     : 50
>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>    pszDpFqdn                   : DomainDnsZones.internal.dnsdomain.tld
>    
>    pszZoneName                 : 1.168.192
>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>    pszDpFqdn                   : DomainDnsZones.internal.dnsdomain.tld
>
>    pszZoneName                 : _msdcs.internal.dnsdomain.tld
>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>    Version                     : 50
>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>    pszDpFqdn                   : ForestDnsZones.internal.dnsdomain.tld
>
> Samba DNS zone list Automated check :
> -----------
> zone : internal.dnsdomain.tld ok, no Bind flat-files found
> -----------
> zone : 1.168.192.in-addr.arpa ok, no Bind flat-files found
> -----------
> zone : _msdcs.internal.dnsdomain.tld ok, no Bind flat-files found
> -----------
>
> Installed packages:
> ii  acl                              2.2.52-3+b1                    amd64        Access control list utilities
> ii  attr                             1:2.4.47-2+b2                  amd64        Utilities for manipulating filesystem extended attributes
> ii  bind9                            1:9.10.3.dfsg.P4-12.3+deb9u5   amd64        Internet Domain Name Server
> ii  bind9-host                       1:9.10.3.dfsg.P4-12.3+deb9u5   amd64        Version of 'host' bundled with BIND 9.X
> ii  bind9utils                       1:9.10.3.dfsg.P4-12.3+deb9u5   amd64        Utilities for BIND
> ii  krb5-config                      2.6                            all          Configuration files for Kerberos Version 5
> ii  krb5-locales                     1.15-1+deb9u1                  all          internationalization support for MIT Kerberos
> ii  krb5-user                        1.15-1+deb9u1                  amd64        basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                    2.2.52-3+b1                    amd64        Access control list shared library
> ii  libacl1-dev                      2.2.52-3+b1                    amd64        Access control list static libraries and headers
> ii  libattr1:amd64                   1:2.4.47-2+b2                  amd64        Extended attribute shared library
> ii  libattr1-dev:amd64               1:2.4.47-2+b2                  amd64        Extended attribute static libraries and headers
> ii  libbind9-140:amd64               1:9.10.3.dfsg.P4-12.3+deb9u5   amd64        BIND9 Shared Library used by BIND
> ii  libgssapi-krb5-2:amd64           1.15-1+deb9u1                  amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64                  1.15-1+deb9u1                  amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64            1.15-1+deb9u1                  amd64        MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64             2:4.10.6+nmu-1.1deb9~1         amd64        Samba nameservice integration plugins
> ii  libpam-krb5:amd64                4.7-4                          amd64        PAM module for MIT Kerberos
> ii  libpam-winbind:amd64             2:4.10.6+nmu-1.1deb9~1         amd64        Windows domain authentication integration plugin
> ii  libsmbclient:amd64               2:4.10.6+nmu-1.1deb9~1         amd64        shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64               2:4.10.6+nmu-1.1deb9~1         amd64        Samba winbind client library
> ii  python-samba                     2:4.10.6+nmu-1.1deb9~1         amd64        Python bindings for Samba
> ii  python3-xattr                    0.9.1-1                        amd64        module for manipulating filesystem extended attributes - Python 3
> ii  samba                            2:4.10.6+nmu-1.1deb9~1         amd64        SMB/CIFS file, print, and login server for Unix
> ii  samba-common                     2:4.10.6+nmu-1.1deb9~1         all          common files used by both the Samba server and client
> ii  samba-common-bin                 2:4.10.6+nmu-1.1deb9~1         amd64        Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64         2:4.10.6+nmu-1.1deb9~1         amd64        Samba Directory Services Database
> ii  samba-libs:amd64                 2:4.10.6+nmu-1.1deb9~1         amd64        Samba core libraries
> ii  samba-vfs-modules:amd64          2:4.10.6+nmu-1.1deb9~1         amd64        Samba Virtual FileSystem plugins
> ii  smbclient                        2:4.10.6+nmu-1.1deb9~1         amd64        command-line SMB/CIFS clients for Unix
> ii  ssh-krb5                         1:7.4p1-10+deb9u6              all          secure shell client and server (transitional package)
> ii  winbind                          2:4.10.6+nmu-1.1deb9~1         amd64        service to resolve user and group information from Windows NT servers
> ii  xattr                            0.9.1-1                        amd64        tool for manipulating filesystem extended attributes
>
> -----------
>
>> Virtually what I found, an out of date Samba AD DC, that was wrongly set up in the first place. I would demote DC2 and then fix DC1 before joining a new second DC (with a different name)
>>
>> Rowland
>>
>>
>>
>
>
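A small audit of three settings that the quoted config dump calls out (the Samba 4.8 vs 4.9 DLZ keytab path, `ldap server require strong auth`, and the legacy Kerberos enctypes in krb5.conf), as an added example that is not from the original thread or the linked howtos; the config excerpts are constructed from the quoted files and the finding labels are my own.

```python
import re
from configparser import ConfigParser
# Constructed excerpts mirroring the quoted dump; the keytab path is deliberately the pre-4.9 one.
SMB_CONF = """[global]
    ldap server require strong auth = no
"""
NAMED_OPTIONS = """options {
    dnssec-validation no;
    //tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
"""
KRB5_CONF = """[libdefaults]
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""
WEAK_ENCTYPES = {"rc4-hmac", "des-cbc-crc", "des-cbc-md5"}

def parse_ini(text):
    # '=' as the only delimiter: Samba keys like idmap_ldb:use rfc2307 contain ':'.
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp

def audit_smb(text):
    g = parse_ini(text)["global"]
    if g.get("ldap server require strong auth", "yes").lower() == "no":
        return ["ldap-simple-bind-without-tls-allowed"]
    return []

def audit_named(text, samba_version):
    # The DLZ keytab moved to bind-dns/ in Samba 4.9 (per the quoted named.conf.options comments).
    major_minor = tuple(int(x) for x in samba_version.split(".")[:2])
    expected = "/var/lib/samba/%s/dns.keytab" % ("bind-dns" if major_minor >= (4, 9) else "private")
    findings = []
    for line in (l.strip() for l in text.splitlines() if not l.strip().startswith("//")):
        if re.match(r"dnssec-validation\s+no\s*;", line):
            findings.append("dnssec-validation-disabled")
        m = re.match(r'tkey-gssapi-keytab\s+"([^"]+)"', line)
        if m and m.group(1) != expected:
            findings.append("dns-keytab-path-mismatch:%s!=%s" % (m.group(1), expected))
    return findings

def audit_krb5(text):
    lib = parse_ini(text)["libdefaults"]
    findings = []
    for key in ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes"):
        weak = sorted(set(lib.get(key, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append("%s-allows-%s" % (key, ",".join(weak)))
    return findings
```

Run the three functions against the real files before the 4.9.5 join; a keytab mismatch means Kerberos-signed dynamic DNS updates from the new DC will fail silently until the path is corrected.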