[Samba] Various AD issues; summary

Sven Schwedas sven.schwedas at tao.at
Wed May 22 10:42:09 UTC 2019

Alright, I managed to jury-rig LDAP-authenticated FTP access to the file
shares, which works well enough that I no longer have the whole company
breathing down my neck. Sorry for being so cranky yesterday.

From what we've established, it seems that there are a bunch of
replication issues, maybe others:

• Authentication on one member server fails for some users, but not all.
There doesn't seem to be any pattern to who is and isn't affected.

• Trust between PCs and the domain is randomly lost. That was handled by
L1 support without telling me (they just re-joined the PCs every other
week), so I wasn't aware of that yesterday

• All sorts of replication issues between the various DCs:

> https://up.tao.at/u/samba/graz-dc-sem.txt (FSMO role holder)
> https://up.tao.at/u/samba/graz-dc-1b.txt
> https://up.tao.at/u/samba/villach-dc-1a.txt
> https://up.tao.at/u/samba/villach-dc-bis.txt

(Unchanged from yesterday)

• Some DB issues:

> https://up.tao.at/u/samba/graz-dc-sem-dbcheck.txt
> https://up.tao.at/u/samba/graz-dc-1b-dbcheck.txt
> https://up.tao.at/u/samba/villach-dc-1a-dbcheck.txt
> https://up.tao.at/u/samba/villach-dc-bis-dbcheck.txt

(Unchanged from yesterday)

And since we now actually have time for this, all collected info for all
domain-joined servers:


I have no idea how villach-dc-bis worked so far with that krb5.conf
setup, but I guess that needs fixing.

For general smb.conf stuff, the features we now still need are

• rfc2307-based Unix attributes (it's where we get all UIDs/GIDs from)
• ACLs are set programmatically with a script (management wants that
locked down), so if there's a better way to handle those, we can just
nuke the current setup and reset them all
• ACLs still need to work for people SSHing (or now FTPing) into the
servers with their domain accounts, not just from Windows
• New features (like SePrivileges support) aren't interesting, file
shares will be deprecated in favour of Cloud™ Stuff™ soon-ish anyway
(let's see for how long)
• Mail servers need winbind expansion and enumeration to support legacy
stuff that we won't get around to fix for a while yet (the domain has
like 50 users and a maximum nesting depth of 1, so performance is fine
for now)

With these constraints, what are the minimal smb.conf setups I need?

Other todos for now:

• Fix krb5.conf everywhere (remove dns_lookup_realm?)
• Improve nsswitch setup

I'll get to that when I know what all the smb.confs need to look like.

And going back to Louis' email:

On 22.05.19 10:29, L.P.H. van Belle wrote:
> Yes, then it does take the hostname. Just be warned, that in such
> cases the hostname max lenght is 15 chars.

That used to be a problem a while back when we had longer hostnames, but
shouldn't apply with the current setup. So I guess we can get rid of
that too.

> You need to verify all GUID of the DC's. ( and A/PTR/CNAME records ) 
> ldbsearch -H /var/lib/samba/private/sam.ldb '(fromServer=*CN=Windows-DC*)' --cross-ncs dn

That gives me no results on all DCs. The wiki suggests using "ldbsearch
-H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs
objectguid" for GUIDs, which does give me results.

> Samba INTERNAL_DNS Back End - Troubleshooting

That seems to work fine, there's nothing blocking samba's internal DNS
from listening on :53, and I can query it just fine.

> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

villach-dc-bis doesn't have its _msdcs record set on /any/ server. All
other records are fine on all servers.

I set it on graz-dc-sem as detailed in the wiki, and it replicated fine
to all servers except graz-dc-1b. I restarted samba-ad-dc on that to
increase the log level, and that restart alone seems to have done the
trick, it now has the record as well.

I also fixed villach-dc-bis Kerberos to
> [libdefaults]
> 	default_realm = AD.TAO.AT
> 	dns_lookup_kdc = true
> 	default_keytab_name = FILE:/etc/krb5.keytab
> [domain_realm]
> 	.ad.tao.at = AD.TAO.AT
> 	ad.tao.at = AD.TAO.AT
> 	.tao.at = AD.TAO.AT
> 	tao.at = AD.TAO.AT

and restarted samba-ad-dc on it.

Now, trying to full sync replicate works fine for the base partition and
Configuration, but replicating ForestDnsZones or DomainDnsZones both
fail with:

> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8440, 'WERR_DS_DRA_BAD_NC')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)

Replicating Schema still runs to a timeout on the sending server and a
PANIC on villach-dc-bis.

Log file on villach-dc-bis: https://up.tao.at/u/samba/log.samba.txt

Relevant time stamps 2019/05/22 12:26:26.456202 (ForestDnsZones
failure), 2019/05/22 12:26:49.027595 (DomainDnsZones failure) and
2019/05/22 12:27:03.755312 (Schema panic)

Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20190522/05e97fb7/signature.sig>

More information about the samba mailing list