[Samba] GPO issues - getting SYSVOL cleaned up again
L.P.H. van Belle
belle at bazuin.nl
Wed Jul 31 13:59:46 UTC 2019
Ok, after that reboot
! Note, atm don't care about secrets.keytab (yet)
.. I was a bit ahead with things...
One thing at a time. For the keytab to be corrected, you need perfectly correct, working
A, PTR and CNAME GUIDs for the DC(3) first, then we start thinking about kerberos corrections.
Run samba_dnsupdate --verbose ( on both DC's )
Post that output, I'll have a look, and I'm getting a choco. :-)
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Wednesday 31 July 2019 15:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] GPO issues - getting SYSVOL cleaned up again
>
> On 31.07.19 at 14:48, L.P.H. van Belle via samba wrote:
> > ?? And we did compare this months ago..
> > You did say, everything is in sync now.
> > Ahhh... ;-)
>
> I agree! ;-)
>
> > If you really want to know if your DC's are set up the same.
> > Tip.. Copy /etc of both servers into a new folder.
> > And run diff -r /etc-dc1/ /etc-dc2/ > check-me.txt
> > And check check-me.txt
>
> yeah ...
>
> > I just did that on my brand new Buster proxy servers, 2 with keepalived.
> > I'm almost done with this, you should only see hostname IP's as differences...
> > Virtual ips, firewalling, added winbind, nfs, strongswan, kerberos SSO auths.
> > Squid with 4 setups.. Pfew.. But guys, when done I'm posting this howto also.
> > With squid 4.8 on buster, ( hint : repo buster-squid48 ssl enabled )
> > What a dragon this was, strongswan is the last thing I'm on now.
> > If someone has a strongswan setup with user/ldap auth, pm me your config ;-)
> >
> >
> > Ok, what you posted below.
> >
> > pre01svdeb03 : apt-get remove --purge --autoremove resolvconf
> > Old dc: pre01svdeb02 : apt-get remove --purge --autoremove resolvconf
> >
> > Make these changes/verify them after the remove of resolvconf
> >
> > pre01svdeb03
> > /etc/resolv.conf
> > search pilsbacher.at
> > nameserver 192.168.16.206
> > nameserver 192.168.16.205
> >
> > pre01svdeb02
> > /etc/resolv.conf
> > search pilsbacher.at
> > nameserver 192.168.16.206
> > nameserver 192.168.16.205
> >
> > ^^ yes note that "NOT switching" the DC's.
> > I want the other DC first here, until it's all ok locally on this server.
> >
> > Reboot pre01svdeb02
> > Backup your logs on this server and clear them.
> >
> > Yes, reboot! That clears caches also, just to be sure.
> >
> > After boot, login, wait ... Wait ...
> >
> > klist -ke /var/lib/samba/private/secrets.keytab
> > Verify the hostname
>
> I waited a little bit ...
>
> That file is OLD
> root at pre01svdeb02:~# ls -l /var/lib/samba/private/secrets.keytab
> -rw------- 1 root root 1067 Mai 24 2017 /var/lib/samba/private/secrets.keytab
>
> and WRONG:
>
> root at pre01svdeb02:~# klist -ke /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 HOST/dc at PILSBACHER.AT (des-cbc-crc)
> 1 HOST/dc.pilsbacher.at at PILSBACHER.AT (des-cbc-crc)
> 1 DC$@PILSBACHER.AT (des-cbc-crc)
> 1 HOST/dc at PILSBACHER.AT (des-cbc-md5)
> 1 HOST/dc.pilsbacher.at at PILSBACHER.AT (des-cbc-md5)
> 1 DC$@PILSBACHER.AT (des-cbc-md5)
> 1 HOST/dc at PILSBACHER.AT (arcfour-hmac)
> 1 HOST/dc.pilsbacher.at at PILSBACHER.AT (arcfour-hmac)
> 1 DC$@PILSBACHER.AT (arcfour-hmac)
> 1 HOST/dc at PILSBACHER.AT (aes128-cts-hmac-sha1-96)
> 1 HOST/dc.pilsbacher.at at PILSBACHER.AT (aes128-cts-hmac-sha1-96)
> 1 DC$@PILSBACHER.AT (aes128-cts-hmac-sha1-96)
> 1 HOST/dc at PILSBACHER.AT (aes256-cts-hmac-sha1-96)
> 1 HOST/dc.pilsbacher.at at PILSBACHER.AT (aes256-cts-hmac-sha1-96)
> 1 DC$@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
>
>
> I wait some more and get myself a coffee ...
>
> >
> > Verify /var/lib/samba/private/dns_update_cache
> > Does it show the correct hostname?
> >
> > Is it correct now ?
> > Yes => run samba-tool dbcheck --cross-nc
> >
> > No errors? ( ignore tombstone objects )
> > samba_dnsupdate --verbose
> >
> > And if ok, now switch the DC's again in /etc/resolv.conf
> >
> > search pilsbacher.at
> > nameserver 192.168.16.205
> > nameserver 192.168.16.206
> >
> > And reboot once more, check logs again.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
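The "Verify the hostname" step in the thread (klist -ke on secrets.keytab) can be scripted; this is an added example, not code from the thread or from Samba. It parses klist -ke output, reports which host the HOST/ and machine-account principals belong to, and lists the legacy DES/RC4 enctypes; the sample output is constructed to match the keytab quoted above (with the archive's "at" mangling restored to "@"), and `pre01svdeb02` is assumed to be the DC's expected name.

```python
import re

# Constructed sample, modelled on the klist -ke output quoted in the thread.
SAMPLE_KLIST = """Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@PILSBACHER.AT (des-cbc-crc)
   1 HOST/dc.pilsbacher.at@PILSBACHER.AT (des-cbc-crc)
   1 DC$@PILSBACHER.AT (des-cbc-crc)
   1 HOST/dc@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
   1 HOST/dc.pilsbacher.at@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
   1 DC$@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
"""

# One keytab entry: "<kvno> <principal>@<REALM> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")
# Enctypes an AD DC should not be relying on any more.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}


def parse_klist(text):
    """Return (kvno, principal, realm, enctype) tuples from klist -ke output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def keytab_hosts(entries):
    """Short hostnames the keytab claims: HOST/<fqdn> and <NAME>$ principals."""
    hosts = set()
    for _, princ, _, _ in entries:
        if princ.upper().startswith("HOST/"):
            hosts.add(princ[5:].split(".")[0].lower())
        elif princ.endswith("$"):
            hosts.add(princ[:-1].lower())
    return hosts


def check_keytab(text, expected_host, expected_realm):
    """Compare the keytab's principals against the DC name and realm we expect."""
    entries = parse_klist(text)
    hosts = keytab_hosts(entries)
    realms = {realm for _, _, realm, _ in entries}
    weak = sorted({enc for _, _, _, enc in entries if enc in WEAK_ENCTYPES})
    return {
        "hosts": hosts,
        "host_ok": hosts == {expected_host.lower()},
        "realm_ok": realms == {expected_realm.upper()},
        "weak_enctypes": weak,
    }
```

A keytab whose principals name a host other than the DC itself (here "dc" instead of pre01svdeb02) is the stale-keytab symptom the thread is chasing, and is what this check surfaces before any DNS or kerberos repair.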