[Samba] GPO issues - getting SYSVOL cleaned up again

L.P.H. van Belle belle at bazuin.nl
Wed Jul 31 13:59:46 UTC 2019


Ok, after that reboot:

! Note, at the moment I don't care about secrets.keytab (yet).
.. I was a bit ahead of things...

One thing at a time. For the keytab to be corrected, you first need perfectly correct, working
A, PTR and CNAME (GUID) records for the DC(s); then we start thinking about Kerberos corrections.

Run samba_dnsupdate --verbose  ( on both DCs )
Post that output, I'll have a look, and I'm getting a choco. :-)


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Wednesday 31 July 2019 15:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] GPO issues - getting SYSVOL cleaned up again
> 
> On 31.07.19 at 14:48, L.P.H. van Belle via samba wrote:
> > ?? And we did compare this months ago..
> > You did say everything is in sync now.
> > Ahhh...   ;-)
> 
> I agree! ;-)
> 
> > If you really want to know if your DCs are set up the same.
> > Tip..  Copy /etc of both servers into a new folder.
> > And run diff -r /etc-dc1/ /etc-dc2/  > check-me.txt
> > And check check-me.txt
> 
> yeah ...
> 
> > I just did that on my brand new Buster proxy servers, 2 with keepalived.
> > I'm almost done with this, you should only see hostnames and IPs as differences...
> > Virtual IPs, firewalling, added winbind, nfs, strongswan, kerberos SSO auths.
> > Squid with 4 setups.. Pfew.. But guys, when done I'm posting this howto also.
> > With squid 4.8 on buster, ( hint : repo buster-squid48 ssl enabled )
> > What a dragon this was, strongswan is the last thing I'm on now.
> > If someone has a strongswan setup with user/ldap auth, pm me your config ;-)
> > 
> > 
> > Ok, what you posted below. 
> > 
> > pre01svdeb03 : apt-get remove --purge --autoremove resolvconf
> > Old dc:  pre01svdeb02 : apt-get remove --purge --autoremove resolvconf
> > 
> > Make these changes/verify them after the remove of resolvconf
> > 
> > pre01svdeb03 
> > /etc/resolv.conf
> > search pilsbacher.at
> > nameserver 192.168.16.206
> > nameserver 192.168.16.205
> > 
> > pre01svdeb02
> > /etc/resolv.conf
> > search pilsbacher.at
> > nameserver 192.168.16.206
> > nameserver 192.168.16.205
> > 
> > ^^ yes, note that I'm "NOT switching" the DCs.
> > You want the other DC first here, until it's all OK locally on this server.
> > 
> > Reboot pre01svdeb02 
> > Backup your logs on this server and clear them. 
> > 
> > Yes, reboot! That clears caches too, just to be sure.
> > 
> > After boot, login, wait ... Wait ... 
> > 
> > klist -ke /var/lib/samba/private/secrets.keytab
> > Verify the hostname
> 
> I waited a little bit ...
> 
> That file is OLD
> root at pre01svdeb02:~# ls -l  /var/lib/samba/private/secrets.keytab
> -rw------- 1 root root 1067 May 24  2017 /var/lib/samba/private/secrets.keytab
> 
> and WRONG:
> 
> root at pre01svdeb02:~# klist -ke /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 HOST/dc at PILSBACHER.AT (des-cbc-crc)
>    1 HOST/dc.pilsbacher.at at PILSBACHER.AT (des-cbc-crc)
>    1 DC$@PILSBACHER.AT (des-cbc-crc)
>    1 HOST/dc at PILSBACHER.AT (des-cbc-md5)
>    1 HOST/dc.pilsbacher.at at PILSBACHER.AT (des-cbc-md5)
>    1 DC$@PILSBACHER.AT (des-cbc-md5)
>    1 HOST/dc at PILSBACHER.AT (arcfour-hmac)
>    1 HOST/dc.pilsbacher.at at PILSBACHER.AT (arcfour-hmac)
>    1 DC$@PILSBACHER.AT (arcfour-hmac)
>    1 HOST/dc at PILSBACHER.AT (aes128-cts-hmac-sha1-96)
>    1 HOST/dc.pilsbacher.at at PILSBACHER.AT (aes128-cts-hmac-sha1-96)
>    1 DC$@PILSBACHER.AT (aes128-cts-hmac-sha1-96)
>    1 HOST/dc at PILSBACHER.AT (aes256-cts-hmac-sha1-96)
>    1 HOST/dc.pilsbacher.at at PILSBACHER.AT (aes256-cts-hmac-sha1-96)
>    1 DC$@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
> 
> 
> I wait some more and get myself a coffee ...
> 
> 
> 
> 
> 
> > 
> > Verify /var/lib/samba/private/dns_update_cache
> > Does it show the correct hostname. 
> > 
> > Is it correct now ? 
> > Yes => run  samba-tool dbcheck --cross-nc 
> > 
> > No errors?   ( ignore tombstone objects ) 
> > samba_dnsupdate --verbose 
> > 
> > And if OK, now switch the DCs again in /etc/resolv.conf
> > 
> > search pilsbacher.at 
> > nameserver 192.168.16.205
> > nameserver 192.168.16.206
> > 
> > And reboot once more, check logs again. 
> 

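An added example, not code from the thread or from Samba: a small POSIX shell checker for the two things Louis asks to verify after the reboot, whether the principals in secrets.keytab are for the current hostname and which nameserver /etc/resolv.conf tries first. The stale keytab listing is constructed from the one quoted above; the "OK" listing (KVNO 2, principals for pre01svdeb02) and the resolv.conf contents are constructed sample data, and which of 192.168.16.205/.206 belongs to which DC is not stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba itself): offline checks for
# the two things Louis asks to verify after the reboot, the principals in
# secrets.keytab and the nameserver order in /etc/resolv.conf.
# All inputs are constructed sample data so this runs without a DC.

# Constructed: modelled on the stale listing in the thread (a keytab for a
# host called "dc" on a server now named pre01svdeb02).
SAMPLE_KLIST_STALE='Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- ------------------------------------------------------------------
   1 HOST/dc@PILSBACHER.AT (des-cbc-crc)
   1 HOST/dc.pilsbacher.at@PILSBACHER.AT (des-cbc-crc)
   1 DC$@PILSBACHER.AT (des-cbc-crc)
   1 HOST/dc@PILSBACHER.AT (arcfour-hmac)
   1 HOST/dc.pilsbacher.at@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
   1 DC$@PILSBACHER.AT (aes256-cts-hmac-sha1-96)'

# Constructed (assumption): what a listing for the current hostname could look like.
SAMPLE_KLIST_OK='Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- ------------------------------------------------------------------
   2 HOST/pre01svdeb02@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
   2 HOST/pre01svdeb02.pilsbacher.at@PILSBACHER.AT (aes256-cts-hmac-sha1-96)
   2 PRE01SVDEB02$@PILSBACHER.AT (aes256-cts-hmac-sha1-96)'

# keytab_hosts KLIST_OUTPUT: print the distinct short hostnames named by the
# HOST/... and NAME$ principals, lower-cased, one per line.
keytab_hosts() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^[0-9]+$/ {            # only the "KVNO Principal (enctype)" rows
      p = $2
      sub(/@.*/, "", p)          # strip the realm
      if (p ~ /^HOST\//) { sub(/^HOST\//, "", p); sub(/\..*/, "", p) }
      else if (p ~ /\$$/)  { sub(/\$$/, "", p) }
      else next                  # ignore any other SPNs
      print tolower(p)
    }' | sort -u
}

# keytab_matches_host SHORTNAME KLIST_OUTPUT: succeed only if every host
# principal in the keytab is for SHORTNAME (what "Verify the hostname" means).
keytab_matches_host() {
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  hosts=$(keytab_hosts "$2")
  [ -n "$hosts" ] && [ "$hosts" = "$want" ]
}

# keytab_des_entries KLIST_OUTPUT: count single-DES entries. A current DC
# should not carry any, so a non-zero count is another sign of an old keytab.
keytab_des_entries() {
  printf '%s\n' "$1" | grep -c '(des-cbc-' || true
}

# Constructed resolv.conf contents for the two phases of the procedure
# (other DC first while cleaning up, then switched back).
RESOLV_CLEANUP='search pilsbacher.at
nameserver 192.168.16.206
nameserver 192.168.16.205'
RESOLV_FINAL='search pilsbacher.at
nameserver 192.168.16.205
nameserver 192.168.16.206'

# first_nameserver RESOLV_CONTENT: print the nameserver that is tried first.
first_nameserver() {
  printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# Stand-alone run: report on the constructed data as the procedure would.
if keytab_matches_host pre01svdeb02 "$SAMPLE_KLIST_STALE"; then
  echo "stale keytab: matches hostname (unexpected)"
else
  echo "stale keytab names host(s): $(keytab_hosts "$SAMPLE_KLIST_STALE" | tr '\n' ' ')"
fi
echo "single-DES entries in stale keytab: $(keytab_des_entries "$SAMPLE_KLIST_STALE")"
echo "cleanup phase resolves via $(first_nameserver "$RESOLV_CLEANUP") first"
echo "final phase resolves via $(first_nameserver "$RESOLV_FINAL") first"
```

On a real DC, feed the functions the output of `klist -ke /var/lib/samba/private/secrets.keytab` and the contents of /etc/resolv.conf instead of the samples, and compare against `hostname -s`. The DES count is only a heuristic: a keytab can be current and still list old enctypes, so the hostname check is the one that matters for the procedure above.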