[Samba] GPO issues - getting SYSVOL cleaned up again

Stefan G. Weichinger lists at xunil.at
Wed Jul 31 13:40:52 UTC 2019


On 31.07.19 at 14:48, L.P.H. van Belle via samba wrote:
> ?? And we did compare this months ago.. 
> You did say, everything is in sync now. 
> Ahhh...   ;-) 

I agree! ;-)

> If you really want to know if your DCs are set up the same. 
> Tip..  Copy /etc of both servers into a new folder. 
> And run diff -r /etc-dc1/ /etc-dc2/  > check-me.txt
> And check check-me.txt 

yeah ...

> I just did that on my brand new Buster proxy servers, 2 with keepalived. 
> I'm almost done with this, you should only see hostname and IPs as differences... 
> Virtual IPs, firewalling, added winbind, nfs, strongswan, kerberos SSO auths. 
> Squid with 4 setups.. Pfew.. But guys, when done I'm posting this howto also. 
> With squid 4.8 on buster, ( hint : repo buster-squid48 ssl enabled ) 
> What a dragon this was, strongswan is the last thing I'm on now. 
> If someone has a strongswan setup with user/ldap auth, pm me your config ;-) 
> 
> 
> Ok, what you posted below. 
> 
> pre01svdeb03 : apt-get remove --purge --autoremove resolvconf 
> Old dc:  pre01svdeb02 : apt-get remove --purge --autoremove resolvconf 
> 
> Make these changes/verify them after the remove of resolvconf
> 
> pre01svdeb03 
> /etc/resolv.conf
> search pilsbacher.at
> nameserver 192.168.16.206
> nameserver 192.168.16.205
> 
> pre01svdeb02
> /etc/resolv.conf
> search pilsbacher.at
> nameserver 192.168.16.206
> nameserver 192.168.16.205
> 
> ^^ yes, note the "NOT switching" of the DCs. 
> If you want, put the other DC first here until it's all ok locally on this server. 
> 
> Reboot pre01svdeb02 
> Backup your logs on this server and clear them. 
> 
> Yes, reboot! That clears caches also, just to be sure. 
> 
> After boot, login, wait ... Wait ... 
> 
> klist -ke /var/lib/samba/private/secrets.keytab
> Verify the hostname

I waited a little bit ...

That file is OLD
root@pre01svdeb02:~# ls -l /var/lib/samba/private/secrets.keytab
-rw------- 1 root root 1067 Mai 24  2017 /var/lib/samba/private/secrets.keytab

and WRONG:

root@pre01svdeb02:~# klist -ke /var/lib/samba/private/secrets.keytab
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@PILSBACHER.AT (des-cbc-crc)
   1 HOST/dc.pilsbacher.at@PILSBACHER.AT (des-cbc-crc)
   1 DC$@PILSBACHER.AT (des-cbc-crc)
   1 HOST/dc@PILSBACHER.AT (des-cbc-md5)
   1 HOST/dc.pilsbacher.at@PILSBACHER.AT (des-cbc-md5)
   1 DC$@PILSBACHER.AT (des-cbc-md5)
   1 HOST/dc@PILSBACHER.AT (arcfour-hmac)
   1 HOST/dc.pilsbacher.at@PILSBACHER.AT (arcfour-hmac)
   1 DC$@PILSBACHER.AT (arcfour-hmac)
   1 HOST/dc@PILSBACHER.AT (aes128-cts-hmac-sha1-96)
   1 HOST/dc.pilsbacher.at@PILSBACHER.AT (aes128-cts-hmac-sha1-96)
   1 DC$@PILSBACHER.AT (aes128-cts-hmac-sha1-96)
   1 HOST/dc@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
   1 HOST/dc.pilsbacher.at@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
   1 DC$@PILSBACHER.AT (aes256-cts-hmac-sha1-96)

I wait some more and get myself a coffee ...

> 
> Verify /var/lib/samba/private/dns_update_cache
> Does it show the correct hostname? 
> 
> Is it correct now ? 
> Yes => run  samba-tool dbcheck --cross-nc 
> 
> No errors?   ( ignore tombstone objects ) 
> samba_dnsupdate --verbose 
> 
> And if ok, now switch the DCs again in /etc/resolv.conf
> 
> search pilsbacher.at 
> nameserver 192.168.16.205
> nameserver 192.168.16.206
> 
> And reboot once more, check logs again. 
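
The "verify the hostname" step above can be scripted; the helper below is an added example, not from this thread or from Samba, and its function names and the sample klist text (modelled on the output posted above) are my own.

```shell
#!/bin/sh
# Hypothetical helper (not part of Samba): checks that the principals in a
# DC's secrets.keytab name this host and not a stale or different machine.
# Input is the text printed by `klist -ke /var/lib/samba/private/secrets.keytab`,
# passed as an argument so saved copies can be checked as well, e.g.:
#   keytab_matches_host "$(klist -ke /var/lib/samba/private/secrets.keytab)" "$(hostname -s)"

# Print the distinct short host names referenced by HOST/ and machine-account
# (NAME$) principals, lowercased, one per line.
keytab_hosts() {
    printf '%s\n' "$1" | awk '
        # Entry lines look like:  "   1 HOST/dc.example.com@REALM (enctype)"
        $1 ~ /^[0-9]+$/ {
            p = $2
            sub(/@.*/, "", p)                 # drop @REALM
            if (p ~ /^[Hh][Oo][Ss][Tt]\//) {
                sub(/^[^\/]*\//, "", p)       # drop the HOST/ prefix
                sub(/\..*/, "", p)            # FQDN -> short name
                print tolower(p)
            } else if (p ~ /\$$/) {
                sub(/\$$/, "", p)             # machine account NAME$
                print tolower(p)
            }
        }' | sort -u
}

# Return 0 when every host named in the keytab is $2 (expected short hostname),
# 1 when any other host appears or no host principals were found at all.
keytab_matches_host() {
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    found=$(keytab_hosts "$1")
    [ -n "$found" ] || { echo "no HOST/ or machine-account principals found" >&2; return 1; }
    bad=0
    for h in $found; do
        if [ "$h" != "$expected" ]; then
            echo "keytab names host '$h', expected '$expected'" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed sample, modelled on the klist output quoted in this thread.
SAMPLE_KLIST='Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- ----------------------------------------------------------------
   1 HOST/dc@PILSBACHER.AT (des-cbc-crc)
   1 HOST/dc.pilsbacher.at@PILSBACHER.AT (arcfour-hmac)
   1 DC$@PILSBACHER.AT (aes256-cts-hmac-sha1-96)'

keytab_matches_host "$SAMPLE_KLIST" pre01svdeb02 || echo "keytab was not issued for this host"
```

Run against the live file it reports a mismatch the same way the thread's output did: the keytab names "dc", not "pre01svdeb02".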


