[Samba] User names not replicating to secondary DC
L.P.H. van Belle
belle at bazuin.nl
Fri Feb 28 15:53:12 UTC 2020
Found one error , see below.
do note, most look very good for the othere things.
________________________________
Van: durwin at mgtsciences.com [mailto:durwin at mgtsciences.com]
Verzonden: vrijdag 28 februari 2020 16:41
Aan: L.P.H. van Belle
CC: samba at lists.samba.org; samba
Onderwerp: Re: [Samba] User names not replicating to secondary DC
> Can you run this script on both DC's.
>
> https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh <https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh>
=== BEGIN dc0 ===
Collected config --- 2020-02-28-08:30 -----------
Hostname: dc0
DNS Domain: msi.mydomain.com
FQDN: dc0.msi.mydomain.com
ipaddress: 172.23.93.25
-----------
Kerberos SRV _kerberos._tcp.msi.mydomain.com record verified ok, sample output:
Server: 172.23.93.25
Address: 172.23.93.25#53
_kerberos._tcp.msi.mydomain.com service = 0 100 88 dc0.msi.mydomain.com.
_kerberos._tcp.msi.mydomain.com service = 0 100 88 dc1.msi.mydomain.com.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/ <https://www.ubuntu.com/> "
SUPPORT_URL="https://help.ubuntu.com/ <https://help.ubuntu.com/> "
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/ <https://bugs.launchpad.net/ubuntu/> "
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy <https://www.ubuntu.com/legal/terms-and-policies/privacy-policy> "
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
-----------
This computer is running Ubuntu 18.04.3 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:88:47:0f brd ff:ff:ff:ff:ff:ff
inet 172.23.93.25/24 brd 172.23.93.255 scope global enp0s3
inet6 fe80::a00:27ff:fe88:470f/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
172.23.93.25 dc0.msi.mydomain.com dc0
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
-----------
Checking file: /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 172.23.93.25
ADD: nameserver 172.23.93.26
search msi.mydomain.com
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = MSI.MYDOMAIN.COM
; Note, this is added because other software may need it.
; personaly i would remove : des-cbc-crc des-cbc-md5 but for compatibility i leave it in.
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd
group: compat systemd
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = DC0
realm = MSI.MYDOMAIN.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = MSI
# This line was added 190710 (DFD)
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/msi.mydomain.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
acl "trusted" {
172.23.93.0/24;
127.0.0.1;
};
options {
directory "/var/cache/bind";
notify no;
empty-zones-enable no;
allow-query { trusted;};
allow-recursion { trusted;};
forwarders { 8.8.8.8; };
allow-transfer { none;};
dnssec-validation no;
dnssec-enable no;
dnssec-lookaside no;
listen-on-v6 { none; };
listen-on port 53 { 172.23.93.25; 127.0.0.1; };
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// adding the Samba dlopen ( Bind DLZ ) module
include "/var/lib/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list: 3 zone(s) found
pszZoneName : 93.23.172.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.msi.mydomain.com
pszZoneName : msi.mydomain.com
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.msi.mydomain.com
pszZoneName : _msdcs.msi.mydomain.com
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.msi.mydomain.com
Samba DNS zone list Automated check :
zone : 93.23.172.in-addr.arpa ok, no Bind flat-files found
-----------
zone : msi.mydomain.com ok, no Bind flat-files found
-----------
zone : _msdcs.msi.mydomain.com ok, no Bind flat-files found
-----------
Installed packages:
ii acl 2.2.52-3build1 amd64 Access control list utilities
ii attr 1:2.4.47-2build1 amd64 Utilities for manipulating filesystem extended attributes
ii bind9 1:9.11.3+dfsg-1ubuntu1.11 amd64 Internet Domain Name Server
ii bind9-host 1:9.11.3+dfsg-1ubuntu1.11 amd64 DNS lookup utility (deprecated)
ii bind9utils 1:9.11.3+dfsg-1ubuntu1.11 amd64 Utilities for BIND
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.16-2ubuntu0.1 all internationalization support for MIT Kerberos
ii krb5-user 1.16-2ubuntu0.1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3build1 amd64 Access control list shared library
ii libacl1-dev 2.2.52-3build1 amd64 Access control list static libraries and headers
ii libattr1:amd64 1:2.4.47-2build1 amd64 Extended attribute shared library
ii libattr1-dev:amd64 1:2.4.47-2build1 amd64 Extended attribute static libraries and headers
ii libbind9-160:amd64 1:9.11.3+dfsg-1ubuntu1.11 amd64 BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba winbind client library
ii python-samba 2:4.9.18+dfsg-0.1bionic1 amd64 Python bindings for Samba
ii python3-attr 17.4.0-2 all Attributes without boilerplate (Python 3)
ii samba 2:4.9.18+dfsg-0.1bionic1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.18+dfsg-0.1bionic1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.18+dfsg-0.1bionic1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.9.18+dfsg-0.1bionic1 amd64 service to resolve user and group information from Windows NT servers
-----------
=== END dc0 ===
=== BEGIN dc1 ===
Collected config --- 2020-02-28-08:28 -----------
Hostname: dc1
DNS Domain: msi.mydomain.com
FQDN: dc1.msi.mydomain.com
ipaddress: 172.23.93.26
-----------
Kerberos SRV _kerberos._tcp.msi.mydomain.com record verified ok, sample output:
Server: 172.23.93.3
Address: 172.23.93.3#53
_kerberos._tcp.msi.mydomain.com service = 0 100 88 dc0.msi.mydomain.com.
_kerberos._tcp.msi.mydomain.com service = 0 100 88 dc1.msi.mydomain.com.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/ <https://www.ubuntu.com/> "
SUPPORT_URL="https://help.ubuntu.com/ <https://help.ubuntu.com/> "
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/ <https://bugs.launchpad.net/ubuntu/> "
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy <https://www.ubuntu.com/legal/terms-and-policies/privacy-policy> "
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
-----------
This computer is running Ubuntu 18.04.3 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:3e:9b:53 brd ff:ff:ff:ff:ff:ff
inet 172.23.93.26/24 brd 172.23.93.255 scope global enp0s3
inet6 fe80::a00:27ff:fe3e:9b53/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
172.23.93.26 dc1.msi.mydomain.com dc1
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# Generated by NetworkManager
ADD Top: nameserver 172.23.93.26
ADD nameserver 172.23.93.25
nameserver 172.23.93.3 <<< and this is ?
search msi.mydomain.com
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = MSI.MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd
group: compat systemd
shadow: compat
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = DC1
realm = MSI.MYDOMAIN.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = MSI
dns forwarder = 172.23.93.3
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
#winbind use default domain = true
#winbind offline logon = false
#winbind nss info = rfc2307
#winbind enum users = yes
#winbind enum groups = yes
# This line added 200129 DFD.
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
[netlogon]
path = /var/lib/samba/sysvol/msi.mydomain.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
acl "trusted" {
172.23.93.0/24;
127.0.0.1;
};
options {
directory "/var/cache/bind";
notify no;
empty-zones-enable no;
allow-query { trusted;};
allow-recursion { trusted;};
forwarders { 8.8.8.8; };
allow-transfer { none;};
dnssec-validation no;
dnssec-enable no;
dnssec-lookaside no;
listen-on-v6 { none; };
listen-on port 53 { 172.23.93.26; 127.0.0.1; };
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113 <http://www.kb.cert.org/vuls/id/800113>
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys <https://www.isc.org/bind-keys>
//========================================================================
#dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
#listen-on-v6 { any; };
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list: 3 zone(s) found
pszZoneName : 93.23.172.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.msi.mydomain.com
pszZoneName : msi.mydomain.com
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.msi.mydomain.com
pszZoneName : _msdcs.msi.mydomain.com
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.msi.mydomain.com
Samba DNS zone list Automated check :
zone : 93.23.172.in-addr.arpa ok, no Bind flat-files found
-----------
zone : msi.mydomain.com ok, no Bind flat-files found
-----------
zone : _msdcs.msi.mydomain.com ok, no Bind flat-files found
-----------
Installed packages:
ii acl 2.2.52-3build1 amd64 Access control list utilities
ii attr 1:2.4.47-2build1 amd64 Utilities for manipulating filesystem extended attributes
ii bind9 1:9.11.3+dfsg-1ubuntu1.11 amd64 Internet Domain Name Server
ii bind9-host 1:9.11.3+dfsg-1ubuntu1.11 amd64 DNS lookup utility (deprecated)
ii bind9utils 1:9.11.3+dfsg-1ubuntu1.11 amd64 Utilities for BIND
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.16-2ubuntu0.1 all internationalization support for MIT Kerberos
ii krb5-user 1.16-2ubuntu0.1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3build1 amd64 Access control list shared library
ii libattr1:amd64 1:2.4.47-2build1 amd64 Extended attribute shared library
ii libbind9-160:amd64 1:9.11.3+dfsg-1ubuntu1.11 amd64 BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Samba winbind client library
ii python-samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Python bindings for Samba
ii python3-nacl 1.1.2-1build1 amd64 Python bindings to libsodium (Python 3)
ii samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 all common files used by both the Samba server and client
ii samba-common-bin 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Samba core libraries
ii samba-vfs-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.7.6+dfsg~ubuntu-0ubuntu2.15 amd64 service to resolve user and group information from Windows NT servers
-----------
=== END dc1 ===
>
> Anonimize where needed but keep thing like.
> You.dom.tld like that, dont change that to example.tld.
>
> Greetz,
>
> Louis
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [ MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "lists.samba.org" mailto:samba-bounces at lists.samba.org <mailto:samba-bounces at lists.samba.org> ] Namens
> > Durwin via samba
> > Verzonden: vrijdag 28 februari 2020 16:19
> > Aan: Rowland penny
> > CC: sambalist; samba
> > Onderwerp: Re: [Samba] User names not replicating to secondary DC
> >
> > > >
> > > > > Why are you using the internal dns server on one DC and
> > Bind9 on the
> >
> > > > other ?
> > > > I am very familiar with configuring Named on Fedora. I
> > thought it
> > > > would be
> > > > just as easy on Ubuntu. After discovering the files were
> > in different
> >
> > > > places
> > > > and so many more being 'included', I decided to use
> > internal on the
> > > > second
> > > > one. I believe there is a command to switch over to internal,
> > correct?
> > >
> > > There is, samba_upgradedns, but in your case, I would suggest you
> > > upgrade the internal dns to bind9. Every DC is
> > authoritative for the dns
> >
> > > domain, there are no slaves. this means that your
> > forwarders must be
> > > outside the AD dns domain.
> > >
> > > Try this /etc/bind/named.conf.options:
> > >
> > > acl "trusted" {
> > > 172.23.93.0/24;
> > > 127.0.0.1;
> > > };
> > >
> > > options {
> > > directory "/var/cache/bind";
> > > notify no;
> > > empty-zones-enable no;
> > > allow-query { trusted;};
> > > allow-recursion { trusted;};
> > > forwarders { 8.8.8.8; };
> > > allow-transfer { none;};
> > > dnssec-validation no;
> > > dnssec-enable no;
> > > dnssec-lookaside no;
> > > listen-on-v6 { none; };
> > > listen-on port 53 { 172.23.93.25; 127.0.0.1; };
> > >
> > > tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > > };
> >
> > I made these changes as well as converting dc1 to bind_dlz.
> > Still on replication of new user to secondary DC.
> >
> > Here is output from 'samba-tool drs showrepl'
> >
> > Ubuntu18.04> samba-tool drs showrepl
> > Default-First-Site-Name\DC1
> > DSA Options: 0x00000001
> > DSA object GUID: 891b31bc-f3a6-45c8-acf8-a5416c669084
> > DSA invocationId: 58a95aa5-5fb2-4983-94aa-18f06698383a
> >
> > ==== INBOUND NEIGHBORS ====
> >
> > CN=Configuration,DC=msi,DC=mydomain,DC=com
> > Default-First-Site-Name\DC0 via RPC
> > DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> > Last attempt @ Fri Feb 28 08:09:58 2020 MST was successful
> > 0 consecutive failure(s).
> > Last success @ Fri Feb 28 08:09:58 2020 MST
> >
> > CN=Schema,CN=Configuration,DC=msi,DC=mydomain,DC=com
> > Default-First-Site-Name\DC0 via RPC
> > DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> > Last attempt @ Fri Feb 28 08:10:00 2020 MST was successful
> > 0 consecutive failure(s).
> > Last success @ Fri Feb 28 08:10:00 2020 MST
> >
> > DC=msi,DC=mydomain,DC=com
> > Default-First-Site-Name\DC0 via RPC
> > DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> > Last attempt @ Fri Feb 28 08:10:01 2020 MST was successful
> > 0 consecutive failure(s).
> > Last success @ Fri Feb 28 08:10:01 2020 MST
> >
> > DC=ForestDnsZones,DC=msi,DC=mydomain,DC=com
> > Default-First-Site-Name\DC0 via RPC
> > DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> > Last attempt @ Fri Feb 28 08:09:55 2020 MST was successful
> > 0 consecutive failure(s).
> > Last success @ Fri Feb 28 08:09:55 2020 MST
> >
> > DC=DomainDnsZones,DC=msi,DC=mydomain,DC=com
> > Default-First-Site-Name\DC0 via RPC
> > DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> > Last attempt @ Fri Feb 28 08:11:10 2020 MST was successful
> > 0 consecutive failure(s).
> > Last success @ Fri Feb 28 08:11:10 2020 MST
> >
> > ==== OUTBOUND NEIGHBORS ====
> >
> > CN=Configuration,DC=msi,DC=mydomain,DC=com
> > Default-First-Site-Name\DC0 via RPC
> > DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> > Last attempt @ NTTIME(0) was successful
> > 0 consecutive failure(s).
> > Last success @ NTTIME(0)
> >
> > CN=Schema,CN=Configuration,DC=msi,DC=mydomain,DC=com
> > Default-First-Site-Name\DC0 via RPC
> > DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> > Last attempt @ NTTIME(0) was successful
> > 0 consecutive failure(s).
> > Last success @ NTTIME(0)
> >
> > DC=msi,DC=mydomain,DC=com
> > Default-First-Site-Name\DC0 via RPC
> > DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> > Last attempt @ NTTIME(0) was successful
> > 0 consecutive failure(s).
> > Last success @ NTTIME(0)
> >
> > DC=ForestDnsZones,DC=msi,DC=mydomain,DC=com
> > Default-First-Site-Name\DC0 via RPC
> > DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> > Last attempt @ NTTIME(0) was successful
> > 0 consecutive failure(s).
> > Last success @ NTTIME(0)
> >
> > DC=DomainDnsZones,DC=msi,DC=mydomain,DC=com
> > Default-First-Site-Name\DC0 via RPC
> > DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> > Last attempt @ NTTIME(0) was successful
> > 0 consecutive failure(s).
> > Last success @ NTTIME(0)
> >
> > ==== KCC CONNECTION OBJECTS ====
> >
> > Connection --
> > Connection name: 79339f2a-0afd-4378-b77d-55e32c253ece
> > Enabled : TRUE
> > Server DNS name : dc0.msi.mydomain.com
> > Server DN name : CN=NTDS
> > Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites
> ,CN=Configuration,DC=msi,DC=mydomain,DC=com
> > TransportType: RPC
> > options: 0x00000001
> > Warning: No NC replicated for Connection!
> >
> > >
> > > Rowland
> > >
> > >
This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary and/or confidential information which may be privileged or otherwise protected from disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s), please contact the sender by reply email and destroy the original message and any copies of the message as well as any attachments to the original message.
More information about the samba
mailing list