[Samba] GPO issues - getting SYSVOL cleaned up again
Stefan G. Weichinger
lists at xunil.at
Wed Jul 31 13:40:52 UTC 2019
On 31.07.19 at 14:48, L.P.H. van Belle via samba wrote:
> ?? And we did compare this months ago..
> You did say, everything is in sync now.
> Ahhh... ;-)
I agree! ;-)
> If you really want to know if your DCs are set up the same.
> Tip.. Copy /etc of both servers into a new folder.
> And run diff -r /etc-dc1/ /etc-dc2/ > check-me.txt
> And check-me.txt
yeah ...
> I just did that on my brand new Buster proxy servers, 2 with keepalived.
> I'm almost done with this, you should only see hostname IP's as differences...
> Virtual ips, firewalling, added winbind, nfs, strongswan, kerberos SSO auths.
> Squid with 4 setups.. Pfew.. But guys, when done I'm posting this howto also.
> With squid 4.8 on buster, ( hint : repo buster-squid48 ssl enabled )
> What a dragon this was, strongswan is the last thing I'm on now.
> If someone has a strongswan setup with user/ldap auth, pm me your config ;-)
>
>
> Ok, what you posted below.
>
> pre01svdeb03 : apt-get remove --purge --autoremove resolvconf
> Old dc: pre01svdeb02 : apt-get remove --purge --autoremove resolvconf
>
> Make these changes/verify them after the remove of resolvconf
>
> pre01svdeb03
> /etc/resolv.conf
> search pilsbacher.at
> nameserver 192.168.16.206
> nameserver 192.168.16.205
>
> pre01svdeb02
> /etc/resolv.conf
> search pilsbacher.at
> nameserver 192.168.16.206
> nameserver 192.168.16.205
>
> ^^ yes note that "NOT switching" the DC's.
> If want here the other DC first until it's all ok local on this server.
>
> Reboot pre01svdeb02
> Backup your logs on this server and clear them.
>
> Yes, reboot! That clears caches also, just to be sure.
>
> After boot, login, wait ... Wait ...
>
> klist -ke /var/lib/samba/private/secrets.keytab
> Verify the hostname
I waited a little bit ...
That file is OLD
root@pre01svdeb02:~# ls -l /var/lib/samba/private/secrets.keytab
-rw------- 1 root root 1067 Mai 24 2017 /var/lib/samba/private/secrets.keytab
and WRONG:
root@pre01svdeb02:~# klist -ke /var/lib/samba/private/secrets.keytab
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 HOST/dc@PILSBACHER.AT (des-cbc-crc)
1 HOST/dc.pilsbacher.at@PILSBACHER.AT (des-cbc-crc)
1 DC$@PILSBACHER.AT (des-cbc-crc)
1 HOST/dc@PILSBACHER.AT (des-cbc-md5)
1 HOST/dc.pilsbacher.at@PILSBACHER.AT (des-cbc-md5)
1 DC$@PILSBACHER.AT (des-cbc-md5)
1 HOST/dc@PILSBACHER.AT (arcfour-hmac)
1 HOST/dc.pilsbacher.at@PILSBACHER.AT (arcfour-hmac)
1 DC$@PILSBACHER.AT (arcfour-hmac)
1 HOST/dc@PILSBACHER.AT (aes128-cts-hmac-sha1-96)
1 HOST/dc.pilsbacher.at@PILSBACHER.AT (aes128-cts-hmac-sha1-96)
1 DC$@PILSBACHER.AT (aes128-cts-hmac-sha1-96)
1 HOST/dc@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
1 HOST/dc.pilsbacher.at@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
1 DC$@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
I wait some more and get myself a coffee ...
>
> Verify /var/lib/samba/private/dns_update_cache
> Does it show the correct hostname.
>
> Is it correct now ?
> Yes => run samba-tool dbcheck --cross-nc
>
> No errors? ( ignore tombstone objects )
> samba_dnsupdate --verbose
>
> And if ok, now switch the DCs again in /etc/resolv.conf
>
> search pilsbacher.at
> nameserver 192.168.16.205
> nameserver 192.168.16.206
>
> And reboot once more, check logs again.
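
[Added example, not part of the original mail and not Samba project code.] The "verify the hostname" step on the klist -ke output can be scripted as below. The function name, its return codes and the assumption that a DC keytab should hold exactly the three principal forms seen in the output above (HOST/short, HOST/fqdn, NETBIOS$) are choices made for this sketch; the sample input is constructed from that output.

```shell
#!/bin/sh
# Constructed sample: header plus two enctypes from the klist output quoted above.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@PILSBACHER.AT (arcfour-hmac)
   1 HOST/dc.pilsbacher.at@PILSBACHER.AT (arcfour-hmac)
   1 DC$@PILSBACHER.AT (arcfour-hmac)
   1 HOST/dc@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
   1 HOST/dc.pilsbacher.at@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
   1 DC$@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
EOF
}

# check_keytab_principals SHORTNAME DNSDOMAIN REALM   (klist -ke output on stdin)
# Prints each entry that does not belong to SHORTNAME.
# Returns 0 = all entries match, 1 = mismatches found, 2 = no entries parsed.
check_keytab_principals() {
    awk -v h="$1" -v d="$2" -v r="$3" '
        BEGIN { h = toupper(h); d = toupper(d); r = toupper(r) }
        # Entry lines: <kvno> <principal> (<enctype>)
        $1 ~ /^[0-9]+$/ && index($2, "@") {
            seen++
            p = toupper($2)
            # Assumed expected set: the three forms visible in the output above.
            if (p != "HOST/" h "@" r && p != "HOST/" h "." d "@" r && p != h "$@" r) {
                bad++
                print "MISMATCH kvno=" $1 " " $2 " " $3
            }
        }
        END {
            if (!seen) { print "NO ENTRIES PARSED"; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# On the DC itself (hostname -s / hostname -d supply the first two arguments):
#   klist -ke /var/lib/samba/private/secrets.keytab |
#       check_keytab_principals "$(hostname -s)" "$(hostname -d)" PILSBACHER.AT
```

Run against the sample with pre01svdeb02 as the expected name, every entry is reported as a mismatch, which is the "WRONG" keytab described in the mail.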