[Samba] User names not replicating to secondary DC

L.P.H. van Belle belle at bazuin.nl
Fri Feb 28 15:53:12 UTC 2020


Found one error, see below. 
Do note, most looks very good for the other things. 

________________________________

	From: durwin at mgtsciences.com [mailto:durwin at mgtsciences.com] 
	Sent: Friday 28 February 2020 16:41
	To: L.P.H. van Belle
	CC: samba at lists.samba.org; samba
	Subject: Re: [Samba] User names not replicating to secondary DC
	
	
	> Can you run this script on both DC's. 
	> 
	> https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh 
	
	=== BEGIN dc0 === 
	Collected config  --- 2020-02-28-08:30 ----------- 
	
	Hostname: dc0 
	DNS Domain: msi.mydomain.com 
	FQDN: dc0.msi.mydomain.com 
	ipaddress: 172.23.93.25 
	
	----------- 
	
	Kerberos SRV _kerberos._tcp.msi.mydomain.com record verified ok, sample output: 
	Server:                172.23.93.25 
	Address:        172.23.93.25#53 
	
	_kerberos._tcp.msi.mydomain.com        service = 0 100 88 dc0.msi.mydomain.com. 
	_kerberos._tcp.msi.mydomain.com        service = 0 100 88 dc1.msi.mydomain.com. 
	Samba is running as an AD DC 
	
	----------- 
	       Checking file: /etc/os-release 
	
	NAME="Ubuntu" 
	VERSION="18.04.3 LTS (Bionic Beaver)" 
	ID=ubuntu 
	ID_LIKE=debian 
	PRETTY_NAME="Ubuntu 18.04.3 LTS" 
	VERSION_ID="18.04" 
	HOME_URL="https://www.ubuntu.com/" 
	SUPPORT_URL="https://help.ubuntu.com/" 
	BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" 
	PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" 
	VERSION_CODENAME=bionic 
	UBUNTU_CODENAME=bionic 
	
	----------- 
	
	
	This computer is running Ubuntu 18.04.3 LTS x86_64 
	
	----------- 
	running command : ip a 
	1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 
	    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
	    inet 127.0.0.1/8 scope host lo 
	    inet6 ::1/128 scope host 
	2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 
	    link/ether 08:00:27:88:47:0f brd ff:ff:ff:ff:ff:ff 
	    inet 172.23.93.25/24 brd 172.23.93.255 scope global enp0s3 
	    inet6 fe80::a00:27ff:fe88:470f/64 scope link 
	
	----------- 
	       Checking file: /etc/hosts 
	
	127.0.0.1        localhost 
	172.23.93.25        dc0.msi.mydomain.com dc0 
	
	# The following lines are desirable for IPv6 capable hosts 
	::1     localhost ip6-localhost ip6-loopback 
	fe00::0 ip6-localnet 
	ff02::1 ip6-allnodes 
	ff02::2 ip6-allrouters 
	ff02::3 ip6-allhosts 
	
	----------- 
	
	       Checking file: /etc/resolv.conf 
	
	# This file is managed by man:systemd-resolved(8). Do not edit. 
	# 
	# This is a dynamic resolv.conf file for connecting local clients directly to 
	# all known uplink DNS servers. This file lists all configured search domains. 
	# 
	# Third party programs must not access this file directly, but only through the 
	# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way, 
	# replace this symlink by a static file or a different symlink. 
	# 
	# See man:systemd-resolved.service(8) for details about the supported modes of 
	# operation for /etc/resolv.conf. 
	
	nameserver 172.23.93.25 
ADD:  nameserver 172.23.93.26
	search msi.mydomain.com 
	----------- 
	
	       Checking file: /etc/krb5.conf 
	
	[libdefaults] 
	        default_realm = MSI.MYDOMAIN.COM 
	
	; Note, this is added because other software may need it. 
	; personaly i would remove : des-cbc-crc des-cbc-md5 but for compatibility i leave it in. 
	; for Windows 2008 with AES 
	        default_tgs_enctypes =  aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 
	        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 
	        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 
	
	----------- 
	
	       Checking file: /etc/nsswitch.conf 
	
	# /etc/nsswitch.conf 
	# 
	# Example configuration of GNU Name Service Switch functionality. 
	# If you have the `glibc-doc-reference' and `info' packages installed, try: 
	# `info libc "Name Service Switch"' for information about this file. 
	
	passwd:         compat systemd 
	group:          compat systemd 
	shadow:         compat 
	gshadow:        files 
	
	hosts:          files dns 
	networks:       files 
	
	protocols:      db files 
	services:       db files 
	ethers:         db files 
	rpc:            db files 
	
	netgroup:       nis 
	
	----------- 
	
	       Checking file: /etc/samba/smb.conf 
	
	# Global parameters 
	[global] 
	        netbios name = DC0 
	        realm = MSI.MYDOMAIN.COM 
	        server role = active directory domain controller 
	        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate 
	        workgroup = MSI 
	        # This line was added 190710 (DFD) 
	        dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool 
	        idmap_ldb:use rfc2307 = yes 
	
	[netlogon] 
	        path = /var/lib/samba/sysvol/msi.mydomain.com/scripts 
	        read only = No 
	
	[sysvol] 
	        path = /var/lib/samba/sysvol 
	        read only = No 
	
	----------- 
	
	Detected bind DLZ enabled.. 
	       Checking file: /etc/bind/named.conf 
	
	// This is the primary configuration file for the BIND DNS server named. 
	// 
	// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
	// structure of BIND configuration files in Debian, *BEFORE* you customize 
	// this configuration file. 
	// 
	// If you are just adding zones, please do that in /etc/bind/named.conf.local 
	
	include "/etc/bind/named.conf.options"; 
	include "/etc/bind/named.conf.local"; 
	include "/etc/bind/named.conf.default-zones"; 
	
	----------- 
	
	       Checking file: /etc/bind/named.conf.options 
	
	acl "trusted" { 
	        172.23.93.0/24; 
	        127.0.0.1; 
	}; 
	
	
	options { 
	        directory "/var/cache/bind"; 
	        notify no; 
	        empty-zones-enable no; 
	        allow-query { trusted;}; 
	        allow-recursion { trusted;}; 
	        forwarders { 8.8.8.8; }; 
	        allow-transfer { none;}; 
	        dnssec-validation no; 
	        dnssec-enable no; 
	        dnssec-lookaside no; 
	        listen-on-v6 { none; }; 
	        listen-on port 53 { 172.23.93.25; 127.0.0.1; }; 
	
	        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; 
	}; 
	
	----------- 
	
	       Checking file: /etc/bind/named.conf.local 
	
	// 
	// Do any local configuration here 
	// 
	
	// Consider adding the 1918 zones here, if they are not used in your 
	// organization 
	//include "/etc/bind/zones.rfc1918"; 
	
	// adding the Samba dlopen ( Bind DLZ ) module 
	include "/var/lib/samba/bind-dns/named.conf"; 
	
	----------- 
	
	       Checking file: /etc/bind/named.conf.default-zones 
	
	// prime the server with knowledge of the root servers 
	zone "." { 
	        type hint; 
	        file "/etc/bind/db.root"; 
	}; 
	
	// be authoritative for the localhost forward and reverse zones, and for 
	// broadcast zones as per RFC 1912 
	
	zone "localhost" { 
	        type master; 
	        file "/etc/bind/db.local"; 
	}; 
	
	zone "127.in-addr.arpa" { 
	        type master; 
	        file "/etc/bind/db.127"; 
	}; 
	
	zone "0.in-addr.arpa" { 
	        type master; 
	        file "/etc/bind/db.0"; 
	}; 
	
	zone "255.in-addr.arpa" { 
	        type master; 
	        file "/etc/bind/db.255"; 
	}; 
	
	----------- 
	
	Samba DNS zone list:   3 zone(s) found 
	
	  pszZoneName                 : 93.23.172.in-addr.arpa 
	  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
	  Version                     : 50 
	  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
	  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com 
	
	  pszZoneName                 : msi.mydomain.com 
	  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
	  Version                     : 50 
	  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
	  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com 
	
	  pszZoneName                 : _msdcs.msi.mydomain.com 
	  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
	  Version                     : 50 
	  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED 
	  pszDpFqdn                   : ForestDnsZones.msi.mydomain.com 
	
	Samba DNS zone list Automated check : 
	zone : 93.23.172.in-addr.arpa ok, no Bind flat-files found 
	----------- 
	zone : msi.mydomain.com ok, no Bind flat-files found 
	----------- 
	zone : _msdcs.msi.mydomain.com ok, no Bind flat-files found 
	----------- 
	
	Installed packages: 
	ii  acl                                   2.2.52-3build1                                  amd64        Access control list utilities 
	ii  attr                                  1:2.4.47-2build1                                amd64        Utilities for manipulating filesystem extended attributes 
	ii  bind9                                 1:9.11.3+dfsg-1ubuntu1.11                       amd64        Internet Domain Name Server 
	ii  bind9-host                            1:9.11.3+dfsg-1ubuntu1.11                       amd64        DNS lookup utility (deprecated) 
	ii  bind9utils                            1:9.11.3+dfsg-1ubuntu1.11                       amd64        Utilities for BIND 
	ii  krb5-config                           2.6                                             all          Configuration files for Kerberos Version 5 
	ii  krb5-locales                          1.16-2ubuntu0.1                                 all          internationalization support for MIT Kerberos 
	ii  krb5-user                             1.16-2ubuntu0.1                                 amd64        basic programs to authenticate using MIT Kerberos 
	ii  libacl1:amd64                         2.2.52-3build1                                  amd64        Access control list shared library 
	ii  libacl1-dev                           2.2.52-3build1                                  amd64        Access control list static libraries and headers 
	ii  libattr1:amd64                        1:2.4.47-2build1                                amd64        Extended attribute shared library 
	ii  libattr1-dev:amd64                    1:2.4.47-2build1                                amd64        Extended attribute static libraries and headers 
	ii  libbind9-160:amd64                    1:9.11.3+dfsg-1ubuntu1.11                       amd64        BIND9 Shared Library used by BIND 
	ii  libgssapi-krb5-2:amd64                1.16-2ubuntu0.1                                 amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism 
	ii  libkrb5-26-heimdal:amd64              7.5.0+dfsg-1                                    amd64        Heimdal Kerberos - libraries 
	ii  libkrb5-3:amd64                       1.16-2ubuntu0.1                                 amd64        MIT Kerberos runtime libraries 
	ii  libkrb5support0:amd64                 1.16-2ubuntu0.1                                 amd64        MIT Kerberos runtime libraries - Support library 
	ii  libnss-winbind:amd64                  2:4.9.18+dfsg-0.1bionic1                        amd64        Samba nameservice integration plugins 
	ii  libpam-winbind:amd64                  2:4.9.18+dfsg-0.1bionic1                        amd64        Windows domain authentication integration plugin 
	ii  libwbclient0:amd64                    2:4.9.18+dfsg-0.1bionic1                        amd64        Samba winbind client library 
	ii  python-samba                          2:4.9.18+dfsg-0.1bionic1                        amd64        Python bindings for Samba 
	ii  python3-attr                          17.4.0-2                                        all          Attributes without boilerplate (Python 3) 
	ii  samba                                 2:4.9.18+dfsg-0.1bionic1                        amd64        SMB/CIFS file, print, and login server for Unix 
	ii  samba-common                          2:4.9.18+dfsg-0.1bionic1                        all          common files used by both the Samba server and client 
	ii  samba-common-bin                      2:4.9.18+dfsg-0.1bionic1                        amd64        Samba common files used by both the server and the client 
	ii  samba-dsdb-modules:amd64              2:4.9.18+dfsg-0.1bionic1                        amd64        Samba Directory Services Database 
	ii  samba-libs:amd64                      2:4.9.18+dfsg-0.1bionic1                        amd64        Samba core libraries 
	ii  samba-vfs-modules:amd64               2:4.9.18+dfsg-0.1bionic1                        amd64        Samba Virtual FileSystem plugins 
	ii  winbind                               2:4.9.18+dfsg-0.1bionic1                        amd64        service to resolve user and group information from Windows NT servers 
	
	----------- 
	=== END dc0 === 
	
	=== BEGIN dc1 === 
	Collected config  --- 2020-02-28-08:28 ----------- 
	
	Hostname: dc1 
	DNS Domain: msi.mydomain.com 
	FQDN: dc1.msi.mydomain.com 
	ipaddress: 172.23.93.26 
	
	----------- 
	
	Kerberos SRV _kerberos._tcp.msi.mydomain.com record verified ok, sample output: 
	Server:                172.23.93.3 
	Address:        172.23.93.3#53 
	
	_kerberos._tcp.msi.mydomain.com        service = 0 100 88 dc0.msi.mydomain.com. 
	_kerberos._tcp.msi.mydomain.com        service = 0 100 88 dc1.msi.mydomain.com. 
	Samba is running as an AD DC 
	
	----------- 
	       Checking file: /etc/os-release 
	
	NAME="Ubuntu" 
	VERSION="18.04.3 LTS (Bionic Beaver)" 
	ID=ubuntu 
	ID_LIKE=debian 
	PRETTY_NAME="Ubuntu 18.04.3 LTS" 
	VERSION_ID="18.04" 
	HOME_URL="https://www.ubuntu.com/" 
	SUPPORT_URL="https://help.ubuntu.com/" 
	BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" 
	PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" 
	VERSION_CODENAME=bionic 
	UBUNTU_CODENAME=bionic 
	
	----------- 
	
	
	This computer is running Ubuntu 18.04.3 LTS x86_64 
	
	----------- 
	running command : ip a 
	1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 
	    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
	    inet 127.0.0.1/8 scope host lo 
	    inet6 ::1/128 scope host 
	2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 
	    link/ether 08:00:27:3e:9b:53 brd ff:ff:ff:ff:ff:ff 
	    inet 172.23.93.26/24 brd 172.23.93.255 scope global enp0s3 
	    inet6 fe80::a00:27ff:fe3e:9b53/64 scope link 
	
	----------- 
	       Checking file: /etc/hosts 
	
	127.0.0.1        localhost 
	172.23.93.26    dc1.msi.mydomain.com dc1 
	
	# The following lines are desirable for IPv6 capable hosts 
	::1     ip6-localhost ip6-loopback 
	fe00::0 ip6-localnet 
	ff00::0 ip6-mcastprefix 
	ff02::1 ip6-allnodes 
	ff02::2 ip6-allrouters 
	
	----------- 
	
	       Checking file: /etc/resolv.conf 
	
	# Generated by NetworkManager 
ADD Top: nameserver 172.23.93.26
ADD 	nameserver 172.23.93.25 
	nameserver 172.23.93.3 		<<< and this is ? 
	search msi.mydomain.com 

	----------- 
	
	       Checking file: /etc/krb5.conf 
	
	[libdefaults] 
	        default_realm = MSI.MYDOMAIN.COM 
	        dns_lookup_realm = false 
	        dns_lookup_kdc = true 
	
	----------- 
	
	       Checking file: /etc/nsswitch.conf 
	
	# /etc/nsswitch.conf 
	# 
	# Example configuration of GNU Name Service Switch functionality. 
	# If you have the `glibc-doc-reference' and `info' packages installed, try: 
	# `info libc "Name Service Switch"' for information about this file. 
	
	passwd:         compat systemd 
	group:          compat systemd 
	shadow:         compat 
	gshadow:        files 
	
	hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname 
	networks:       files 
	
	protocols:      db files 
	services:       db files 
	ethers:         db files 
	rpc:            db files 
	
	netgroup:       nis 
	
	----------- 
	
	       Checking file: /etc/samba/smb.conf 
	
	# Global parameters 
	[global] 
	        netbios name = DC1 
	        realm = MSI.MYDOMAIN.COM 
	        server role = active directory domain controller 
	        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate 
	        workgroup = MSI 
	
	        dns forwarder = 172.23.93.3 
	        idmap_ldb:use rfc2307 = yes 
	        template shell = /bin/bash 
	        #winbind use default domain = true 
	        #winbind offline logon = false 
	        #winbind nss info = rfc2307 
	        #winbind enum users = yes 
	        #winbind enum groups = yes 
	        # This line added 200129 DFD. 
	        dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool 
	
	[netlogon] 
	        path = /var/lib/samba/sysvol/msi.mydomain.com/scripts 
	        read only = No 
	
	[sysvol] 
	        path = /var/lib/samba/sysvol 
	        read only = No 
	
	----------- 
	
	Detected bind DLZ enabled.. 
	       Checking file: /etc/bind/named.conf 
	
	// This is the primary configuration file for the BIND DNS server named. 
	// 
	// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
	// structure of BIND configuration files in Debian, *BEFORE* you customize 
	// this configuration file. 
	// 
	// If you are just adding zones, please do that in /etc/bind/named.conf.local 
	
	include "/etc/bind/named.conf.options"; 
	include "/etc/bind/named.conf.local"; 
	include "/etc/bind/named.conf.default-zones"; 
	
	----------- 
	
	       Checking file: /etc/bind/named.conf.options 
	
	acl "trusted" { 
	        172.23.93.0/24; 
	        127.0.0.1; 
	}; 
	
	options { 
	        directory "/var/cache/bind"; 
	        notify no; 
	        empty-zones-enable no; 
	        allow-query { trusted;}; 
	        allow-recursion { trusted;}; 
	        forwarders { 8.8.8.8; }; 
	        allow-transfer { none;}; 
	        dnssec-validation no; 
	        dnssec-enable no; 
	        dnssec-lookaside no; 
	        listen-on-v6 { none; }; 
	        listen-on port 53 { 172.23.93.26; 127.0.0.1; }; 
	
	        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; 
	
	        // If there is a firewall between you and nameservers you want 
	        // to talk to, you may need to fix the firewall to allow multiple 
	        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113 
	
	        // If your ISP provided one or more IP addresses for stable 
	        // nameservers, you probably want to use them as forwarders.   
	        // Uncomment the following block, and insert the addresses replacing 
	        // the all-0's placeholder. 
	
	        // forwarders { 
	        //         0.0.0.0; 
	        // }; 
	
	        //======================================================================== 
	        // If BIND logs error messages about the root key being expired, 
	        // you will need to update your keys.  See https://www.isc.org/bind-keys 
	        //======================================================================== 
	        #dnssec-validation auto; 
	
	        auth-nxdomain no;    # conform to RFC1035 
	        #listen-on-v6 { any; }; 
	}; 
	
	----------- 
	
	       Checking file: /etc/bind/named.conf.local 
	
	// 
	// Do any local configuration here 
	// 
	
	// Consider adding the 1918 zones here, if they are not used in your 
	// organization 
	//include "/etc/bind/zones.rfc1918"; 
	
	----------- 
	
	       Checking file: /etc/bind/named.conf.default-zones 
	
	// prime the server with knowledge of the root servers 
	zone "." { 
	        type hint; 
	        file "/etc/bind/db.root"; 
	}; 
	
	// be authoritative for the localhost forward and reverse zones, and for 
	// broadcast zones as per RFC 1912 
	
	zone "localhost" { 
	        type master; 
	        file "/etc/bind/db.local"; 
	}; 
	
	zone "127.in-addr.arpa" { 
	        type master; 
	        file "/etc/bind/db.127"; 
	}; 
	
	zone "0.in-addr.arpa" { 
	        type master; 
	        file "/etc/bind/db.0"; 
	}; 
	
	zone "255.in-addr.arpa" { 
	        type master; 
	        file "/etc/bind/db.255"; 
	}; 
	
	----------- 
	
	Samba DNS zone list:   3 zone(s) found 
	
	  pszZoneName                 : 93.23.172.in-addr.arpa 
	  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
	  Version                     : 50 
	  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
	  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com 
	
	  pszZoneName                 : msi.mydomain.com 
	  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
	  Version                     : 50 
	  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
	  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com 
	
	  pszZoneName                 : _msdcs.msi.mydomain.com 
	  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
	  Version                     : 50 
	  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED 
	  pszDpFqdn                   : ForestDnsZones.msi.mydomain.com 
	
	Samba DNS zone list Automated check : 
	zone : 93.23.172.in-addr.arpa ok, no Bind flat-files found 
	----------- 
	zone : msi.mydomain.com ok, no Bind flat-files found 
	----------- 
	zone : _msdcs.msi.mydomain.com ok, no Bind flat-files found 
	----------- 
	
	Installed packages: 
	ii  acl                                        2.2.52-3build1                                      amd64        Access control list utilities 
	ii  attr                                       1:2.4.47-2build1                                    amd64        Utilities for manipulating filesystem extended attributes 
	ii  bind9                                      1:9.11.3+dfsg-1ubuntu1.11                           amd64        Internet Domain Name Server 
	ii  bind9-host                                 1:9.11.3+dfsg-1ubuntu1.11                           amd64        DNS lookup utility (deprecated) 
	ii  bind9utils                                 1:9.11.3+dfsg-1ubuntu1.11                           amd64        Utilities for BIND 
	ii  krb5-config                                2.6                                                 all          Configuration files for Kerberos Version 5 
	ii  krb5-locales                               1.16-2ubuntu0.1                                     all          internationalization support for MIT Kerberos 
	ii  krb5-user                                  1.16-2ubuntu0.1                                     amd64        basic programs to authenticate using MIT Kerberos 
	ii  libacl1:amd64                              2.2.52-3build1                                      amd64        Access control list shared library 
	ii  libattr1:amd64                             1:2.4.47-2build1                                    amd64        Extended attribute shared library 
	ii  libbind9-160:amd64                         1:9.11.3+dfsg-1ubuntu1.11                           amd64        BIND9 Shared Library used by BIND 
	ii  libgssapi-krb5-2:amd64                     1.16-2ubuntu0.1                                     amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism 
	ii  libkrb5-26-heimdal:amd64                   7.5.0+dfsg-1                                        amd64        Heimdal Kerberos - libraries 
	ii  libkrb5-3:amd64                            1.16-2ubuntu0.1                                     amd64        MIT Kerberos runtime libraries 
	ii  libkrb5support0:amd64                      1.16-2ubuntu0.1                                     amd64        MIT Kerberos runtime libraries - Support library 
	ii  libnss-winbind:amd64                       2:4.7.6+dfsg~ubuntu-0ubuntu2.15                     amd64        Samba nameservice integration plugins 
	ii  libpam-winbind:amd64                       2:4.7.6+dfsg~ubuntu-0ubuntu2.15                     amd64        Windows domain authentication integration plugin 
	ii  libsmbclient:amd64                         2:4.7.6+dfsg~ubuntu-0ubuntu2.15                     amd64        shared library for communication with SMB/CIFS servers 
	ii  libwbclient0:amd64                         2:4.7.6+dfsg~ubuntu-0ubuntu2.15                     amd64        Samba winbind client library 
	ii  python-samba                               2:4.7.6+dfsg~ubuntu-0ubuntu2.15                     amd64        Python bindings for Samba 
	ii  python3-nacl                               1.1.2-1build1                                       amd64        Python bindings to libsodium (Python 3) 
	ii  samba                                      2:4.7.6+dfsg~ubuntu-0ubuntu2.15                     amd64        SMB/CIFS file, print, and login server for Unix 
	ii  samba-common                               2:4.7.6+dfsg~ubuntu-0ubuntu2.15                     all          common files used by both the Samba server and client 
	ii  samba-common-bin                           2:4.7.6+dfsg~ubuntu-0ubuntu2.15                     amd64        Samba common files used by both the server and the client 
	ii  samba-dsdb-modules                         2:4.7.6+dfsg~ubuntu-0ubuntu2.15                     amd64        Samba Directory Services Database 
	ii  samba-libs:amd64                           2:4.7.6+dfsg~ubuntu-0ubuntu2.15                     amd64        Samba core libraries 
	ii  samba-vfs-modules                          2:4.7.6+dfsg~ubuntu-0ubuntu2.15                     amd64        Samba Virtual FileSystem plugins 
	ii  winbind                                    2:4.7.6+dfsg~ubuntu-0ubuntu2.15                     amd64        service to resolve user and group information from Windows NT servers 
	
	----------- 
	=== END dc1 ===
	> 
	> Anonymize where needed but keep things like 
	> you.dom.tld like that, don't change that to example.tld. 
	> 
	> Greetz, 
	> 
	> Louis 
	> 
	> > -----Original message-----
	> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
	> > Durwin via samba
	> > Sent: Friday 28 February 2020 16:19
	> > To: Rowland penny
	> > CC: sambalist; samba
	> > Subject: Re: [Samba] User names not replicating to secondary DC
	> > 
	> > > > > Why are you using the internal dns server on one DC and Bind9 on the 
	> > > > > other ?
	> > > > I am very familiar with configuring Named on Fedora.  I thought it 
	> > > > would be just as easy on Ubuntu.  After discovering the files were 
	> > > > in different places and so many more being 'included', I decided to 
	> > > > use internal on the second one.  I believe there is a command to 
	> > > > switch over to internal, correct?
	> > > 
	> > > There is, samba_upgradedns, but in your case, I would suggest you 
	> > > upgrade the internal dns to bind9. Every DC is authoritative for the dns 
	> > > domain, there are no slaves. This means that your forwarders must be 
	> > > outside the AD dns domain.
	> > > 
	> > > Try this /etc/bind/named.conf.options:
	> > > 
	> > > acl "trusted" {
	> > >          172.23.93.0/24;
	> > >          127.0.0.1;
	> > > };
	> > > 
	> > > options {
	> > >          directory "/var/cache/bind";
	> > >          notify no;
	> > >          empty-zones-enable no;
	> > >          allow-query { trusted;};
	> > >          allow-recursion { trusted;};
	> > >          forwarders { 8.8.8.8; };
	> > >          allow-transfer { none;};
	> > >          dnssec-validation no;
	> > >          dnssec-enable no;
	> > >          dnssec-lookaside no;
	> > >          listen-on-v6 { none; };
	> > >          listen-on port 53 { 172.23.93.25; 127.0.0.1; };
	> > > 
	> > >          tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
	> > > };
	> > 
	> > I made these changes as well as converting dc1 to bind_dlz.
	> > Still on replication of new user to secondary DC.
	> > 
	> > Here is output from 'samba-tool drs showrepl'
	> > 
	> > Ubuntu18.04> samba-tool drs showrepl
	> > Default-First-Site-Name\DC1
	> > DSA Options: 0x00000001
	> > DSA object GUID: 891b31bc-f3a6-45c8-acf8-a5416c669084
	> > DSA invocationId: 58a95aa5-5fb2-4983-94aa-18f06698383a
	> > 
	> > ==== INBOUND NEIGHBORS ====
	> > 
	> > CN=Configuration,DC=msi,DC=mydomain,DC=com
	> >    Default-First-Site-Name\DC0 via RPC
	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
	> >        Last attempt @ Fri Feb 28 08:09:58 2020 MST was successful
	> >        0 consecutive failure(s).
	> >        Last success @ Fri Feb 28 08:09:58 2020 MST
	> > 
	> > CN=Schema,CN=Configuration,DC=msi,DC=mydomain,DC=com
	> >    Default-First-Site-Name\DC0 via RPC
	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
	> >        Last attempt @ Fri Feb 28 08:10:00 2020 MST was successful
	> >        0 consecutive failure(s).
	> >        Last success @ Fri Feb 28 08:10:00 2020 MST
	> > 
	> > DC=msi,DC=mydomain,DC=com
	> >    Default-First-Site-Name\DC0 via RPC
	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
	> >        Last attempt @ Fri Feb 28 08:10:01 2020 MST was successful
	> >        0 consecutive failure(s).
	> >        Last success @ Fri Feb 28 08:10:01 2020 MST
	> > 
	> > DC=ForestDnsZones,DC=msi,DC=mydomain,DC=com
	> >    Default-First-Site-Name\DC0 via RPC
	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
	> >        Last attempt @ Fri Feb 28 08:09:55 2020 MST was successful
	> >        0 consecutive failure(s).
	> >        Last success @ Fri Feb 28 08:09:55 2020 MST
	> > 
	> > DC=DomainDnsZones,DC=msi,DC=mydomain,DC=com
	> >    Default-First-Site-Name\DC0 via RPC
	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
	> >        Last attempt @ Fri Feb 28 08:11:10 2020 MST was successful
	> >        0 consecutive failure(s).
	> >        Last success @ Fri Feb 28 08:11:10 2020 MST
	> > 
	> > ==== OUTBOUND NEIGHBORS ====
	> > 
	> > CN=Configuration,DC=msi,DC=mydomain,DC=com
	> >    Default-First-Site-Name\DC0 via RPC
	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
	> >        Last attempt @ NTTIME(0) was successful
	> >        0 consecutive failure(s).
	> >        Last success @ NTTIME(0)
	> > 
	> > CN=Schema,CN=Configuration,DC=msi,DC=mydomain,DC=com
	> >    Default-First-Site-Name\DC0 via RPC
	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
	> >        Last attempt @ NTTIME(0) was successful
	> >        0 consecutive failure(s).
	> >        Last success @ NTTIME(0)
	> > 
	> > DC=msi,DC=mydomain,DC=com
	> >    Default-First-Site-Name\DC0 via RPC
	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
	> >        Last attempt @ NTTIME(0) was successful
	> >        0 consecutive failure(s).
	> >        Last success @ NTTIME(0)
	> > 
	> > DC=ForestDnsZones,DC=msi,DC=mydomain,DC=com
	> >    Default-First-Site-Name\DC0 via RPC
	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
	> >        Last attempt @ NTTIME(0) was successful
	> >        0 consecutive failure(s).
	> >        Last success @ NTTIME(0)
	> > 
	> > DC=DomainDnsZones,DC=msi,DC=mydomain,DC=com
	> >    Default-First-Site-Name\DC0 via RPC
	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
	> >        Last attempt @ NTTIME(0) was successful
	> >        0 consecutive failure(s).
	> >        Last success @ NTTIME(0)
	> > 
	> > ==== KCC CONNECTION OBJECTS ====
	> > 
	> > Connection --
	> >    Connection name: 79339f2a-0afd-4378-b77d-55e32c253ece
	> >    Enabled        : TRUE
	> >    Server DNS name : dc0.msi.mydomain.com
	> >    Server DN name  : CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=msi,DC=mydomain,DC=com
	> >        TransportType: RPC
	> >        options: 0x00000001
	> > Warning: No NC replicated for Connection!
	> > 
	> > > 
	> > > Rowland
	> > > 
	> > > 
	
	
	
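As an added check (not part of the thread, and not part of the samba-collect-debug-info.sh script), the Python below applies the resolver rule Louis is pointing at with his ADD lines: each AD DC's /etc/resolv.conf lists the DC itself first, then the other DC, and nothing that is not a DC. The DC addresses, the search domain and the two resolv.conf contents are copied from the dumps above; the "fixed" dc1 file is a constructed version with the two ADD lines applied, so the only thing left to flag is the unexplained 172.23.93.3.

```python
"""Check /etc/resolv.conf on a Samba AD DC against the layout recommended in
the thread: own address first, then the other DC(s), and no nameserver that
is not a DC (every DC is authoritative for the AD zone; external forwarders
belong in BIND's named.conf.options, not in resolv.conf)."""

# DC addresses taken from the collected config above (not invented)
DC_ADDRESSES = {"dc0": "172.23.93.25", "dc1": "172.23.93.26"}
AD_DOMAIN = "msi.mydomain.com"

# Constructed copies of the resolv.conf files shown in the thread.
RESOLV_DC0 = """# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 172.23.93.25
search msi.mydomain.com
"""

RESOLV_DC1 = """# Generated by NetworkManager
nameserver 172.23.93.3
search msi.mydomain.com
"""

# Constructed: dc1 after applying Louis's two ADD lines (172.23.93.3 left in).
RESOLV_DC1_FIXED = """# Generated by NetworkManager
nameserver 172.23.93.26
nameserver 172.23.93.25
nameserver 172.23.93.3
search msi.mydomain.com
"""


def parse_resolv(text):
    """Return (nameservers, search_domains) from resolv.conf text.

    Comment lines (# or ;) and blank lines are ignored; 'domain' is treated
    like 'search' because glibc uses either for the suffix list."""
    nameservers, search = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            nameservers.append(parts[1])
        elif parts[0] in ("search", "domain"):
            search.extend(parts[1:])
    return nameservers, search


def check_dc_resolver(hostname, text, dcs=DC_ADDRESSES, domain=AD_DOMAIN):
    """Return a list of findings; an empty list means the file matches the
    recommended layout for this DC."""
    findings = []
    nameservers, search = parse_resolv(text)
    own = dcs[hostname]
    others = [ip for name, ip in dcs.items() if name != hostname]

    if not nameservers:
        return ["no nameserver lines at all"]

    # Rule 1: the DC resolves through itself first (Louis's 'ADD Top' line).
    if nameservers[0] != own:
        findings.append(
            f"first nameserver should be this DC ({own}), found {nameservers[0]}")

    # Rule 2: every other DC is listed as a fallback resolver.
    for ip in others:
        if ip not in nameservers:
            findings.append(f"missing other DC {ip}")

    # Rule 3: anything that is not a DC needs explaining ('and this is ?').
    for ip in nameservers:
        if ip not in dcs.values():
            findings.append(f"nameserver {ip} is not a known DC, check what it is")

    # Rule 4: the AD domain must be in the search list for short names.
    if domain not in search:
        findings.append(f"search list lacks {domain}")
    return findings


if __name__ == "__main__":
    for host, text in (("dc0", RESOLV_DC0), ("dc1", RESOLV_DC1),
                       ("dc1", RESOLV_DC1_FIXED)):
        print(host, check_dc_resolver(host, text) or ["ok"])
```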




