[Samba] Serverinfo Error
Robert A Wooldridge
bob.wooldridge at edm-inc.com
Tue Jul 30 14:33:50 UTC 2019
On 07/30/2019 02:28 AM, L.P.H. van Belle via samba wrote:
> Ok, below looks ok, except I don't see the search domain in the networkctl output.
> Which is possible, if you configured your interfaces through /etc/network/interfaces.
> I'm still amazed it's not working.. Everything looks good.
> We are missing a bit of info: why/how/what/where.
> Short resume.
> You're on Debian Buster official Samba, correct? (Samba 4.9.5) And you're using internal DNS.
Version: 2:4.9.5+dfsg-5. Yes, internal DNS.
> Configs look ok in the debug output. No AppArmor denied messages.
> DNS is running and basically your resolving looks ok.
> And while I'm looking at this.
> You joined this server to a Windows AD domain and seized FSMO roles, correct?
Yes, joined to AD-Domain where the DC was Windows Server 2003. Roles
were transferred except forestdns and domaindns. These did not transfer
on first attempt but then they appeared to not have an owner so I seized
both of them. The Server 2003 machine is still active in the domain.
> Can you try this, if this helps, in the end you can switch the 2 DNS servers' IPs.
> Change your /etc/resolv.conf to
> # First a windows AD-DC DNS.
> nameserver 10.10.1.XXXS
> # Second This server IP.
> nameserver 10.10.1.10
> search edm-inc.com
> Your krb5.conf, I suggest you change it to this.
> I left the other options I use in, might be handy.
> You need the part. Enctypes part for win 2008.
> default_realm = EDM-INC.COM
> dns_lookup_kdc = true
> dns_lookup_realm = false
> ; for Windows 2008 with AES ( win 2003 compliant )
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
I used these settings last week but haven't rebooted.
> After the reboot, wait 5 min, this depends a bit on the size of your AD.
> Now run again: samba-tool drs showrepl
> Any errors? No errors, great. Check again if getting your server info works.
> If you get errors, then, yes, you can upgrade your packages with mine even if you modified that python file.
> P.S. If you see things and you don't know, first post things again.
Will reboot later today.
> Before you move to 4.10.6, I suggest trying 4.9.11 first.
> Because I'm still not sure if it's Samba that is the problem in this.
> And you can always upgrade to 4.10.6 later on, I want to know if 4.9.11 helps/fixes this.
> That is because I think this is a python2/3 problem, or this patch in Debian official is a problem:
> - CVE-2019-12435 zone operations can crash rpc server
> And broke the join in samba.
> I just don't know which it is, but I do know multiple python things are fixed in later versions.
> If you prefer 4.9.11 from official Debian, you need to backport it yourself.
> Or use Samba from Debian testing/sid, which is 4.9.11.
I will try this later today.
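
Added example, not part of either poster's message or of Samba: a small check that reports which Kerberos enctypes in a krb5.conf like the one quoted above are single-DES or RC4, both formally deprecated (RFC 6649, RFC 8429). The function name `audit_enctypes`, the `[libdefaults]` header and the sample file are constructed for illustration from the values quoted in the message.

```python
import re

# Enctype names as krb5.conf spells them, with the reason each is flagged.
# Single DES was deprecated by RFC 6649, RC4-HMAC by RFC 8429.
WEAK = {
    "des-cbc-crc": "single DES (RFC 6649)",
    "des-cbc-md5": "single DES (RFC 6649)",
    "rc4-hmac": "RC4 (RFC 8429)",
    "arcfour-hmac": "RC4 (RFC 8429)",
}
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}

def audit_enctypes(text):
    """Return {key: [(enctype, reason), ...]} for weak enctypes in [libdefaults]."""
    findings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)     # section header, e.g. [libdefaults]
        if m:
            section = m.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in ENCTYPE_KEYS:
            continue
        # krb5.conf accepts whitespace- or comma-separated enctype lists
        weak = [(e, WEAK[e]) for e in re.split(r"[\s,]+", value.lower()) if e in WEAK]
        if weak:
            findings[key.lower()] = weak
    return findings

# Constructed sample: the settings quoted in the message, under an assumed section header.
SAMPLE = """\
[libdefaults]
    default_realm = EDM-INC.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ; for Windows 2008 with AES ( win 2003 compliant )
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

if __name__ == "__main__":
    for key, weak in audit_enctypes(SAMPLE).items():
        print(key, "->", ", ".join(f"{e} [{why}]" for e, why in weak))
```

Windows Server 2003 has no AES Kerberos support, so the RC4 findings are expected while that DC remains in the domain; the DES entries are the ones to review first.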