[Samba] Serverinfo Error

Rowland Penny rpenny at samba.org
Tue Jul 30 08:08:24 UTC 2019


On 30/07/2019 08:28, L.P.H. van Belle via samba wrote:
> Hai,
>
> OK, below looks OK, except I don't see the search domain in the networkctl output.
> Which is possible, if you configured your interfaces through /etc/network/interfaces
>
> I'm still amazed it's not working. Everything looks good.
> We are missing a bit of info: why/how/what/where.
>
> Short resume.
> You're on Debian Buster official Samba, correct? (Samba 4.9.5) and you're using internal DNS.
> Configs look OK in the debug output. No AppArmor Denied messages.
> DNS is running and basically your resolving looks OK.
>
> And while I'm looking at this.
> You joined this server to a Windows AD domain and seized FSMO roles, correct?
>
> Can you try this; if this helps, in the end you can switch the 2 DNS servers' IPs.
>
> Change your /etc/resolv.conf to
> # First a windows AD-DC DNS.
> nameserver 10.10.1.XXXS
> # Second This server IP.
> nameserver 10.10.1.10
> search edm-inc.com
>
> Your krb5.conf, I suggest you change it to this.
> I left the other options I use in, might be handy.
> You need the enctypes part for Win 2008.
>
> [libdefaults]
>      default_realm = EDM-INC.COM
>      dns_lookup_kdc = true
>      dns_lookup_realm = false
>
> ; for Windows 2008 with AES ( win 2003 compliant )
>      default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>      default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>      permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
>
> Reboot
> After the reboot, wait 5 min, this depends a bit on the size of your AD.
> Now run again: samba-tool drs showrepl
> Any errors? No errors, great. Check again if getting your server info works.
> If you get errors, then, yes, you can upgrade your packages with mine even if you modified that python file.
> P.S. if you see things and you don't know, first post things again.
>
>
> Before you move to 4.10.6, I suggest trying 4.9.11 first.
> Because I'm still not sure if it's Samba that is the problem in this.
> And you can always upgrade to 4.10.6 later on, I want to know if 4.9.11 helps/fixes this.
> That is because I think this is a python2/3 problem or this patch in Debian official is a problem:
>    - CVE-2019-12435 zone operations can crash rpc server
> And broke the join in Samba.
> I just don't know which it is, but I do know multiple python things are fixed in later versions.
>
> If you prefer 4.9.11 from official Debian, you need to backport it yourself.
> Or use Samba from Debian testing/sid which is 4.9.11
>
> For my repo use these steps.
> 1) Choose http or https for your apt, both work, for https you need to:
> apt-get install apt-transport-https
>
> 2) Import my public key
> wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
>
> 3) (optional) set up a header line for the repo file.
> echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list
>
> 4) In the line below, change the OS and/or Samba version to what you want. Shown is Debian stretch with Samba 4.9.
> echo "deb http://apt.van-belle.nl/debian buster-samba49 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
>
> This gives you 4.9.11, almost the same as Debian official, I only added/enabled spotlight support.
>
> Try this first, I'm suggesting; then when it all looks good, you can easily upgrade to 4.10.6
> Then in the above repo line just change samba49 to samba410 and run apt update && apt dist-upgrade


I have been thinking about this and reading the code that didn't get run 
and I now think that the OP is at the point that existed before 4.6.0. 
He possibly has missing records in AD, can I suggest he reads this:

https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

Rowland
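
The krb5.conf quoted above lists rc4-hmac, des-cbc-crc and des-cbc-md5 alongside the AES enctypes. As an added example (not part of the original thread; the function names and the WEAK set are this example's own choices), the Python below reports which deprecated enctypes a [libdefaults] section still lists and produces a copy without them. It assumes every DC and account in the domain already has AES keys, which the thread does not confirm.

```python
import re

# Deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4-HMAC).
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
        "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
KEYS = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}
ENC = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5"

# Constructed sample: the [libdefaults] section quoted in the message above.
SAMPLE = f"""[libdefaults]
     default_realm = EDM-INC.COM
     dns_lookup_kdc = true
     dns_lookup_realm = false

; for Windows 2008 with AES ( win 2003 compliant )
     default_tgs_enctypes = {ENC}
     default_tkt_enctypes = {ENC}
     permitted_enctypes = {ENC}
"""

def _enctype_lines(text):
    """Yield (index, indent, key, [enctypes]) for enctype lists in [libdefaults]."""
    section = None
    for idx, raw in enumerate(text.splitlines()):
        header = re.fullmatch(r"\[([^\]]+)\]", raw.strip())
        entry = re.match(r"(\s*)(\w+)\s*=\s*(.*)", raw)  # ';' and '#' comments never match
        if header:
            section = header.group(1).strip().lower()
        elif section == "libdefaults" and entry and entry.group(2).lower() in KEYS:
            yield idx, entry.group(1), entry.group(2), re.findall(r"[^\s,]+", entry.group(3))

def audit(text):
    """Map each enctype key to the deprecated enctypes it still lists."""
    hits = {key: [e for e in encs if e.lower() in WEAK]
            for _, _, key, encs in _enctype_lines(text)}
    return {key: weak for key, weak in hits.items() if weak}

def harden(text):
    """Return the config with deprecated enctypes dropped from those keys."""
    lines = text.splitlines()
    for idx, indent, key, encs in _enctype_lines(text):
        keep = [e for e in encs if e.lower() not in WEAK]
        if keep:  # never write an empty enctype list; leave such a line for review
            lines[idx] = f"{indent}{key} = {' '.join(keep)}"
    return "\n".join(lines) + "\n"
```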




