[Samba] User names not replicating to secondary DC

L.P.H. van Belle belle at bazuin.nl
Fri Feb 28 16:01:18 UTC 2020


+1 .. 
So fix both resolv.conf.

Then both smb.conf:
DC1: dns forwarder = 172.23.93.3
DC0: no forwarder.

And reboot DC0. wait 1 min.
Reboot DC1. 
Wait 1 min.

And now check it all. 

Have a nice weekend. 


Greetz, 

Louis
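Added example for this thread (not part of the thread itself, of Samba, or of Louis's samba-collect-debug-info.sh): it turns the resolv.conf rule applied to both DCs above into a check (own address first, every other DC after it, nothing else) and adds a check that a forwarder is not itself a DC, as Rowland's remark about forwarders requires. The DC list, the two resolv.conf samples and the removal of 172.23.93.3 from the "fixed" sample are constructed assumptions built from the values in the thread.

```shell
#!/bin/sh
# Added example; not from the thread, from Samba, or from samba-collect-debug-info.sh.
# A Samba AD DC is authoritative for the AD zone, so its own resolver must point at
# DCs only: own address first, the other DCs next, and no outside server (like the
# unexplained 172.23.93.3 on dc1). Forwarders belong in named.conf.options (BIND DLZ)
# or in smb.conf "dns forwarder" (internal DNS), never in resolv.conf.

# check_dc_resolv SELF_IP "DC_IP DC_IP ..." RESOLV_CONF_TEXT
# Prints one line per problem found; returns 0 only when the file is clean.
check_dc_resolv() {
    self=$1
    dcs=$2
    conf=$3
    rc=0
    # Only "nameserver" lines count; comments and "search" are ignored.
    ns=$(printf '%s\n' "$conf" | awk '$1 == "nameserver" { print $2 }')
    if [ -z "$ns" ]; then
        echo "no nameserver entries at all"
        return 1
    fi
    first=$(printf '%s\n' "$ns" | head -n 1)
    if [ "$first" != "$self" ]; then
        echo "first nameserver is $first, expected the DC's own address $self"
        rc=1
    fi
    # Every listed nameserver must be a DC of this domain.
    for n in $ns; do
        case " $dcs " in
            *" $n "*) ;;
            *)
                echo "nameserver $n is not a DC: forwarders do not belong in resolv.conf"
                rc=1
                ;;
        esac
    done
    # Every DC of the domain must be listed, so lookups survive one DC being down.
    for d in $dcs; do
        found=0
        for n in $ns; do
            if [ "$n" = "$d" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "DC $d is missing from the nameserver list"
            rc=1
        fi
    done
    return $rc
}

# check_forwarder FORWARDER_IP "DC_IP DC_IP ..."
# A forwarder (BIND "forwarders" or smb.conf "dns forwarder") must sit outside
# the AD DNS domain, so it must never be one of the DCs.
check_forwarder() {
    fwd=$1
    dcs=$2
    for d in $dcs; do
        if [ "$fwd" = "$d" ]; then
            echo "forwarder $fwd is a DC; forwarders must be outside the AD DNS domain"
            return 1
        fi
    done
    return 0
}

# Constructed inputs, using the addresses from the thread.
DCS="172.23.93.25 172.23.93.26"

# dc1's resolv.conf as posted, before Louis's ADD lines (constructed copy).
DC1_AS_POSTED='# Generated by NetworkManager
nameserver 172.23.93.3
search msi.mydomain.com'

# dc1's resolv.conf with the two ADD lines applied; dropping 172.23.93.3 is an assumption.
DC1_FIXED='nameserver 172.23.93.26
nameserver 172.23.93.25
search msi.mydomain.com'

main() {
    echo "dc1 as posted:"
    check_dc_resolv 172.23.93.26 "$DCS" "$DC1_AS_POSTED" || echo "  -> fix resolv.conf"
    echo "dc1 fixed:"
    check_dc_resolv 172.23.93.26 "$DCS" "$DC1_FIXED" && echo "  -> ok"
    echo "forwarder 8.8.8.8 from named.conf.options:"
    check_forwarder 8.8.8.8 "$DCS" && echo "  -> ok"
}
main
```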

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> L.P.H. van Belle via samba
> Sent: Friday 28 February 2020 16:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] User names not replicating to secondary DC
> 
> Found one error , see below. 
> do note, most look very good for the othere things. 
> 
> ________________________________
> 
> 	From: durwin at mgtsciences.com [mailto:durwin at mgtsciences.com] 
> 	Sent: Friday 28 February 2020 16:41
> 	To: L.P.H. van Belle
> 	CC: samba at lists.samba.org; samba
> 	Subject: Re: [Samba] User names not replicating to secondary DC
> 	
> 	
> 	> Can you run this script on both DC's. 
> 	> 
> 	> 
> 	> https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh
> 	
> 	=== BEGIN dc0 === 
> 	Collected config  --- 2020-02-28-08:30 ----------- 
> 	
> 	Hostname: dc0 
> 	DNS Domain: msi.mydomain.com 
> 	FQDN: dc0.msi.mydomain.com 
> 	ipaddress: 172.23.93.25 
> 	
> 	----------- 
> 	
> 	Kerberos SRV _kerberos._tcp.msi.mydomain.com record verified ok, sample output:
> 	Server:                172.23.93.25 
> 	Address:        172.23.93.25#53 
> 	
> 	_kerberos._tcp.msi.mydomain.com        service = 0 100 88 dc0.msi.mydomain.com.
> 	_kerberos._tcp.msi.mydomain.com        service = 0 100 88 dc1.msi.mydomain.com.
> 	Samba is running as an AD DC 
> 	
> 	----------- 
> 	       Checking file: /etc/os-release 
> 	
> 	NAME="Ubuntu" 
> 	VERSION="18.04.3 LTS (Bionic Beaver)" 
> 	ID=ubuntu 
> 	ID_LIKE=debian 
> 	PRETTY_NAME="Ubuntu 18.04.3 LTS" 
> 	VERSION_ID="18.04" 
> 	HOME_URL="https://www.ubuntu.com/"
> 	SUPPORT_URL="https://help.ubuntu.com/"
> 	BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> 	PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
> 	VERSION_CODENAME=bionic 
> 	UBUNTU_CODENAME=bionic 
> 	
> 	----------- 
> 	
> 	
> 	This computer is running Ubuntu 18.04.3 LTS x86_64 
> 	
> 	----------- 
> 	running command : ip a 
> 	1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> 	    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
> 	    inet 127.0.0.1/8 scope host lo 
> 	    inet6 ::1/128 scope host 
> 	2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
> 	    link/ether 08:00:27:88:47:0f brd ff:ff:ff:ff:ff:ff 
> 	    inet 172.23.93.25/24 brd 172.23.93.255 scope global enp0s3 
> 	    inet6 fe80::a00:27ff:fe88:470f/64 scope link 
> 	
> 	----------- 
> 	       Checking file: /etc/hosts 
> 	
> 	127.0.0.1        localhost 
> 	172.23.93.25        dc0.msi.mydomain.com dc0 
> 	
> 	# The following lines are desirable for IPv6 capable hosts 
> 	::1     localhost ip6-localhost ip6-loopback 
> 	fe00::0 ip6-localnet 
> 	ff02::1 ip6-allnodes 
> 	ff02::2 ip6-allrouters 
> 	ff02::3 ip6-allhosts 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/resolv.conf 
> 	
> 	# This file is managed by man:systemd-resolved(8). Do not edit. 
> 	# 
> 	# This is a dynamic resolv.conf file for connecting local clients directly to
> 	# all known uplink DNS servers. This file lists all configured search domains.
> 	# 
> 	# Third party programs must not access this file directly, but only through the
> 	# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
> 	# replace this symlink by a static file or a different symlink. 
> 	# 
> 	# See man:systemd-resolved.service(8) for details about the supported modes of
> 	# operation for /etc/resolv.conf. 
> 	
> 	nameserver 172.23.93.25 
> ADD:  nameserver 172.23.93.26
> 	search msi.mydomain.com 
> 	----------- 
> 	
> 	       Checking file: /etc/krb5.conf 
> 	
> 	[libdefaults] 
> 	        default_realm = MSI.MYDOMAIN.COM 
> 	
> 	; Note, this is added because other software may need it. 
> 	; personaly i would remove : des-cbc-crc des-cbc-md5 but for compatibility i leave it in.
> 	; for Windows 2008 with AES 
> 	        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> 	        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> 	        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/nsswitch.conf 
> 	
> 	# /etc/nsswitch.conf 
> 	# 
> 	# Example configuration of GNU Name Service Switch functionality.
> 	# If you have the `glibc-doc-reference' and `info' packages installed, try:
> 	# `info libc "Name Service Switch"' for information about this file.
> 	
> 	passwd:         compat systemd 
> 	group:          compat systemd 
> 	shadow:         compat 
> 	gshadow:        files 
> 	
> 	hosts:          files dns 
> 	networks:       files 
> 	
> 	protocols:      db files 
> 	services:       db files 
> 	ethers:         db files 
> 	rpc:            db files 
> 	
> 	netgroup:       nis 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/samba/smb.conf 
> 	
> 	# Global parameters 
> 	[global] 
> 	        netbios name = DC0 
> 	        realm = MSI.MYDOMAIN.COM 
> 	        server role = active directory domain controller 
> 	        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> 	        workgroup = MSI 
> 	        # This line was added 190710 (DFD) 
> 	        dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
> 	        idmap_ldb:use rfc2307 = yes 
> 	
> 	[netlogon] 
> 	        path = /var/lib/samba/sysvol/msi.mydomain.com/scripts 
> 	        read only = No 
> 	
> 	[sysvol] 
> 	        path = /var/lib/samba/sysvol 
> 	        read only = No 
> 	
> 	----------- 
> 	
> 	Detected bind DLZ enabled.. 
> 	       Checking file: /etc/bind/named.conf 
> 	
> 	// This is the primary configuration file for the BIND DNS server named.
> 	// 
> 	// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> 	// structure of BIND configuration files in Debian, *BEFORE* you customize
> 	// this configuration file. 
> 	// 
> 	// If you are just adding zones, please do that in /etc/bind/named.conf.local
> 	
> 	include "/etc/bind/named.conf.options"; 
> 	include "/etc/bind/named.conf.local"; 
> 	include "/etc/bind/named.conf.default-zones"; 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/bind/named.conf.options 
> 	
> 	acl "trusted" { 
> 	        172.23.93.0/24; 
> 	        127.0.0.1; 
> 	}; 
> 	
> 	
> 	options { 
> 	        directory "/var/cache/bind"; 
> 	        notify no; 
> 	        empty-zones-enable no; 
> 	        allow-query { trusted;}; 
> 	        allow-recursion { trusted;}; 
> 	        forwarders { 8.8.8.8; }; 
> 	        allow-transfer { none;}; 
> 	        dnssec-validation no; 
> 	        dnssec-enable no; 
> 	        dnssec-lookaside no; 
> 	        listen-on-v6 { none; }; 
> 	        listen-on port 53 { 172.23.93.25; 127.0.0.1; }; 
> 	
> 	        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; 
> 	}; 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/bind/named.conf.local 
> 	
> 	// 
> 	// Do any local configuration here 
> 	// 
> 	
> 	// Consider adding the 1918 zones here, if they are not used in your
> 	// organization 
> 	//include "/etc/bind/zones.rfc1918"; 
> 	
> 	// adding the Samba dlopen ( Bind DLZ ) module 
> 	include "/var/lib/samba/bind-dns/named.conf"; 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/bind/named.conf.default-zones 
> 	
> 	// prime the server with knowledge of the root servers 
> 	zone "." { 
> 	        type hint; 
> 	        file "/etc/bind/db.root"; 
> 	}; 
> 	
> 	// be authoritative for the localhost forward and reverse zones, and for
> 	// broadcast zones as per RFC 1912 
> 	
> 	zone "localhost" { 
> 	        type master; 
> 	        file "/etc/bind/db.local"; 
> 	}; 
> 	
> 	zone "127.in-addr.arpa" { 
> 	        type master; 
> 	        file "/etc/bind/db.127"; 
> 	}; 
> 	
> 	zone "0.in-addr.arpa" { 
> 	        type master; 
> 	        file "/etc/bind/db.0"; 
> 	}; 
> 	
> 	zone "255.in-addr.arpa" { 
> 	        type master; 
> 	        file "/etc/bind/db.255"; 
> 	}; 
> 	
> 	----------- 
> 	
> 	Samba DNS zone list:   3 zone(s) found 
> 	
> 	  pszZoneName                 : 93.23.172.in-addr.arpa 
> 	  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> 	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
> 	  Version                     : 50 
> 	  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> 	  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com 
> 	
> 	  pszZoneName                 : msi.mydomain.com 
> 	  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> 	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
> 	  Version                     : 50 
> 	  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> 	  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com 
> 	
> 	  pszZoneName                 : _msdcs.msi.mydomain.com 
> 	  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> 	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
> 	  Version                     : 50 
> 	  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> 	  pszDpFqdn                   : ForestDnsZones.msi.mydomain.com 
> 	
> 	Samba DNS zone list Automated check : 
> 	zone : 93.23.172.in-addr.arpa ok, no Bind flat-files found 
> 	----------- 
> 	zone : msi.mydomain.com ok, no Bind flat-files found 
> 	----------- 
> 	zone : _msdcs.msi.mydomain.com ok, no Bind flat-files found 
> 	----------- 
> 	
> 	Installed packages: 
> 	ii  acl                       2.2.52-3build1              amd64  Access control list utilities
> 	ii  attr                      1:2.4.47-2build1            amd64  Utilities for manipulating filesystem extended attributes
> 	ii  bind9                     1:9.11.3+dfsg-1ubuntu1.11   amd64  Internet Domain Name Server
> 	ii  bind9-host                1:9.11.3+dfsg-1ubuntu1.11   amd64  DNS lookup utility (deprecated)
> 	ii  bind9utils                1:9.11.3+dfsg-1ubuntu1.11   amd64  Utilities for BIND
> 	ii  krb5-config               2.6                         all    Configuration files for Kerberos Version 5
> 	ii  krb5-locales              1.16-2ubuntu0.1             all    internationalization support for MIT Kerberos
> 	ii  krb5-user                 1.16-2ubuntu0.1             amd64  basic programs to authenticate using MIT Kerberos
> 	ii  libacl1:amd64             2.2.52-3build1              amd64  Access control list shared library
> 	ii  libacl1-dev               2.2.52-3build1              amd64  Access control list static libraries and headers
> 	ii  libattr1:amd64            1:2.4.47-2build1            amd64  Extended attribute shared library
> 	ii  libattr1-dev:amd64        1:2.4.47-2build1            amd64  Extended attribute static libraries and headers
> 	ii  libbind9-160:amd64        1:9.11.3+dfsg-1ubuntu1.11   amd64  BIND9 Shared Library used by BIND
> 	ii  libgssapi-krb5-2:amd64    1.16-2ubuntu0.1             amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> 	ii  libkrb5-26-heimdal:amd64  7.5.0+dfsg-1                amd64  Heimdal Kerberos - libraries
> 	ii  libkrb5-3:amd64           1.16-2ubuntu0.1             amd64  MIT Kerberos runtime libraries
> 	ii  libkrb5support0:amd64     1.16-2ubuntu0.1             amd64  MIT Kerberos runtime libraries - Support library
> 	ii  libnss-winbind:amd64      2:4.9.18+dfsg-0.1bionic1    amd64  Samba nameservice integration plugins
> 	ii  libpam-winbind:amd64      2:4.9.18+dfsg-0.1bionic1    amd64  Windows domain authentication integration plugin
> 	ii  libwbclient0:amd64        2:4.9.18+dfsg-0.1bionic1    amd64  Samba winbind client library
> 	ii  python-samba              2:4.9.18+dfsg-0.1bionic1    amd64  Python bindings for Samba
> 	ii  python3-attr              17.4.0-2                    all    Attributes without boilerplate (Python 3)
> 	ii  samba                     2:4.9.18+dfsg-0.1bionic1    amd64  SMB/CIFS file, print, and login server for Unix
> 	ii  samba-common              2:4.9.18+dfsg-0.1bionic1    all    common files used by both the Samba server and client
> 	ii  samba-common-bin          2:4.9.18+dfsg-0.1bionic1    amd64  Samba common files used by both the server and the client
> 	ii  samba-dsdb-modules:amd64  2:4.9.18+dfsg-0.1bionic1    amd64  Samba Directory Services Database
> 	ii  samba-libs:amd64          2:4.9.18+dfsg-0.1bionic1    amd64  Samba core libraries
> 	ii  samba-vfs-modules:amd64   2:4.9.18+dfsg-0.1bionic1    amd64  Samba Virtual FileSystem plugins
> 	ii  winbind                   2:4.9.18+dfsg-0.1bionic1    amd64  service to resolve user and group information from Windows NT servers
> 	
> 	----------- 
> 	=== END dc0 === 
> 	
> 	=== BEGIN dc1 === 
> 	Collected config  --- 2020-02-28-08:28 ----------- 
> 	
> 	Hostname: dc1 
> 	DNS Domain: msi.mydomain.com 
> 	FQDN: dc1.msi.mydomain.com 
> 	ipaddress: 172.23.93.26 
> 	
> 	----------- 
> 	
> 	Kerberos SRV _kerberos._tcp.msi.mydomain.com record verified ok, sample output:
> 	Server:                172.23.93.3 
> 	Address:        172.23.93.3#53 
> 	
> 	_kerberos._tcp.msi.mydomain.com        service = 0 100 88 dc0.msi.mydomain.com.
> 	_kerberos._tcp.msi.mydomain.com        service = 0 100 88 dc1.msi.mydomain.com.
> 	Samba is running as an AD DC 
> 	
> 	----------- 
> 	       Checking file: /etc/os-release 
> 	
> 	NAME="Ubuntu" 
> 	VERSION="18.04.3 LTS (Bionic Beaver)" 
> 	ID=ubuntu 
> 	ID_LIKE=debian 
> 	PRETTY_NAME="Ubuntu 18.04.3 LTS" 
> 	VERSION_ID="18.04" 
> 	HOME_URL="https://www.ubuntu.com/"
> 	SUPPORT_URL="https://help.ubuntu.com/"
> 	BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> 	PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
> 	VERSION_CODENAME=bionic 
> 	UBUNTU_CODENAME=bionic 
> 	
> 	----------- 
> 	
> 	
> 	This computer is running Ubuntu 18.04.3 LTS x86_64 
> 	
> 	----------- 
> 	running command : ip a 
> 	1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> 	    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
> 	    inet 127.0.0.1/8 scope host lo 
> 	    inet6 ::1/128 scope host 
> 	2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
> 	    link/ether 08:00:27:3e:9b:53 brd ff:ff:ff:ff:ff:ff 
> 	    inet 172.23.93.26/24 brd 172.23.93.255 scope global enp0s3 
> 	    inet6 fe80::a00:27ff:fe3e:9b53/64 scope link 
> 	
> 	----------- 
> 	       Checking file: /etc/hosts 
> 	
> 	127.0.0.1        localhost 
> 	172.23.93.26    dc1.msi.mydomain.com dc1 
> 	
> 	# The following lines are desirable for IPv6 capable hosts 
> 	::1     ip6-localhost ip6-loopback 
> 	fe00::0 ip6-localnet 
> 	ff00::0 ip6-mcastprefix 
> 	ff02::1 ip6-allnodes 
> 	ff02::2 ip6-allrouters 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/resolv.conf 
> 	
> 	# Generated by NetworkManager 
> ADD Top: nameserver 172.23.93.26
> ADD 	nameserver 172.23.93.25 
> 	nameserver 172.23.93.3 		<<< and this is  ? 
> 	search msi.mydomain.com 
> 
> 	----------- 
> 	
> 	       Checking file: /etc/krb5.conf 
> 	
> 	[libdefaults] 
> 	        default_realm = MSI.MYDOMAIN.COM 
> 	        dns_lookup_realm = false 
> 	        dns_lookup_kdc = true 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/nsswitch.conf 
> 	
> 	# /etc/nsswitch.conf 
> 	# 
> 	# Example configuration of GNU Name Service Switch functionality.
> 	# If you have the `glibc-doc-reference' and `info' packages installed, try:
> 	# `info libc "Name Service Switch"' for information about this file.
> 	
> 	passwd:         compat systemd 
> 	group:          compat systemd 
> 	shadow:         compat 
> 	gshadow:        files 
> 	
> 	hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
> 	networks:       files 
> 	
> 	protocols:      db files 
> 	services:       db files 
> 	ethers:         db files 
> 	rpc:            db files 
> 	
> 	netgroup:       nis 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/samba/smb.conf 
> 	
> 	# Global parameters 
> 	[global] 
> 	        netbios name = DC1 
> 	        realm = MSI.MYDOMAIN.COM 
> 	        server role = active directory domain controller 
> 	        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> 	        workgroup = MSI 
> 	
> 	        dns forwarder = 172.23.93.3 
> 	        idmap_ldb:use rfc2307 = yes 
> 	        template shell = /bin/bash 
> 	        #winbind use default domain = true 
> 	        #winbind offline logon = false 
> 	        #winbind nss info = rfc2307 
> 	        #winbind enum users = yes 
> 	        #winbind enum groups = yes 
> 	        # This line added 200129 DFD. 
> 	        dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
> 	
> 	[netlogon] 
> 	        path = /var/lib/samba/sysvol/msi.mydomain.com/scripts 
> 	        read only = No 
> 	
> 	[sysvol] 
> 	        path = /var/lib/samba/sysvol 
> 	        read only = No 
> 	
> 	----------- 
> 	
> 	Detected bind DLZ enabled.. 
> 	       Checking file: /etc/bind/named.conf 
> 	
> 	// This is the primary configuration file for the BIND DNS server named.
> 	// 
> 	// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> 	// structure of BIND configuration files in Debian, *BEFORE* you customize
> 	// this configuration file. 
> 	// 
> 	// If you are just adding zones, please do that in /etc/bind/named.conf.local
> 	
> 	include "/etc/bind/named.conf.options"; 
> 	include "/etc/bind/named.conf.local"; 
> 	include "/etc/bind/named.conf.default-zones"; 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/bind/named.conf.options 
> 	
> 	acl "trusted" { 
> 	        172.23.93.0/24; 
> 	        127.0.0.1; 
> 	}; 
> 	
> 	options { 
> 	        directory "/var/cache/bind"; 
> 	        notify no; 
> 	        empty-zones-enable no; 
> 	        allow-query { trusted;}; 
> 	        allow-recursion { trusted;}; 
> 	        forwarders { 8.8.8.8; }; 
> 	        allow-transfer { none;}; 
> 	        dnssec-validation no; 
> 	        dnssec-enable no; 
> 	        dnssec-lookaside no; 
> 	        listen-on-v6 { none; }; 
> 	        listen-on port 53 { 172.23.93.26; 127.0.0.1; }; 
> 	
> 	        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; 
> 	
> 	        // If there is a firewall between you and nameservers you want
> 	        // to talk to, you may need to fix the firewall to allow multiple
> 	        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
> 	
> 	        // If your ISP provided one or more IP addresses for stable
> 	        // nameservers, you probably want to use them as forwarders.
> 	        // Uncomment the following block, and insert the addresses replacing
> 	        // the all-0's placeholder.
> 	
> 	        // forwarders { 
> 	        //         0.0.0.0; 
> 	        // }; 
> 	
> 	        //========================================================================
> 	        // If BIND logs error messages about the root key being expired,
> 	        // you will need to update your keys.  See https://www.isc.org/bind-keys
> 	        //========================================================================
> 	        #dnssec-validation auto; 
> 	
> 	        auth-nxdomain no;    # conform to RFC1035 
> 	        #listen-on-v6 { any; }; 
> 	}; 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/bind/named.conf.local 
> 	
> 	// 
> 	// Do any local configuration here 
> 	// 
> 	
> 	// Consider adding the 1918 zones here, if they are not used in your
> 	// organization 
> 	//include "/etc/bind/zones.rfc1918"; 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/bind/named.conf.default-zones 
> 	
> 	// prime the server with knowledge of the root servers 
> 	zone "." { 
> 	        type hint; 
> 	        file "/etc/bind/db.root"; 
> 	}; 
> 	
> 	// be authoritative for the localhost forward and reverse zones, and for
> 	// broadcast zones as per RFC 1912 
> 	
> 	zone "localhost" { 
> 	        type master; 
> 	        file "/etc/bind/db.local"; 
> 	}; 
> 	
> 	zone "127.in-addr.arpa" { 
> 	        type master; 
> 	        file "/etc/bind/db.127"; 
> 	}; 
> 	
> 	zone "0.in-addr.arpa" { 
> 	        type master; 
> 	        file "/etc/bind/db.0"; 
> 	}; 
> 	
> 	zone "255.in-addr.arpa" { 
> 	        type master; 
> 	        file "/etc/bind/db.255"; 
> 	}; 
> 	
> 	----------- 
> 	
> 	Samba DNS zone list:   3 zone(s) found 
> 	
> 	  pszZoneName                 : 93.23.172.in-addr.arpa 
> 	  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> 	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
> 	  Version                     : 50 
> 	  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> 	  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com 
> 	
> 	  pszZoneName                 : msi.mydomain.com 
> 	  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> 	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
> 	  Version                     : 50 
> 	  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> 	  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com 
> 	
> 	  pszZoneName                 : _msdcs.msi.mydomain.com 
> 	  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> 	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
> 	  Version                     : 50 
> 	  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> 	  pszDpFqdn                   : ForestDnsZones.msi.mydomain.com 
> 	
> 	Samba DNS zone list Automated check : 
> 	zone : 93.23.172.in-addr.arpa ok, no Bind flat-files found 
> 	----------- 
> 	zone : msi.mydomain.com ok, no Bind flat-files found 
> 	----------- 
> 	zone : _msdcs.msi.mydomain.com ok, no Bind flat-files found 
> 	----------- 
> 	
> 	Installed packages: 
> 	ii  acl                       2.2.52-3build1                   amd64  Access control list utilities
> 	ii  attr                      1:2.4.47-2build1                 amd64  Utilities for manipulating filesystem extended attributes
> 	ii  bind9                     1:9.11.3+dfsg-1ubuntu1.11        amd64  Internet Domain Name Server
> 	ii  bind9-host                1:9.11.3+dfsg-1ubuntu1.11        amd64  DNS lookup utility (deprecated)
> 	ii  bind9utils                1:9.11.3+dfsg-1ubuntu1.11        amd64  Utilities for BIND
> 	ii  krb5-config               2.6                              all    Configuration files for Kerberos Version 5
> 	ii  krb5-locales              1.16-2ubuntu0.1                  all    internationalization support for MIT Kerberos
> 	ii  krb5-user                 1.16-2ubuntu0.1                  amd64  basic programs to authenticate using MIT Kerberos
> 	ii  libacl1:amd64             2.2.52-3build1                   amd64  Access control list shared library
> 	ii  libattr1:amd64            1:2.4.47-2build1                 amd64  Extended attribute shared library
> 	ii  libbind9-160:amd64        1:9.11.3+dfsg-1ubuntu1.11        amd64  BIND9 Shared Library used by BIND
> 	ii  libgssapi-krb5-2:amd64    1.16-2ubuntu0.1                  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> 	ii  libkrb5-26-heimdal:amd64  7.5.0+dfsg-1                     amd64  Heimdal Kerberos - libraries
> 	ii  libkrb5-3:amd64           1.16-2ubuntu0.1                  amd64  MIT Kerberos runtime libraries
> 	ii  libkrb5support0:amd64     1.16-2ubuntu0.1                  amd64  MIT Kerberos runtime libraries - Support library
> 	ii  libnss-winbind:amd64      2:4.7.6+dfsg~ubuntu-0ubuntu2.15  amd64  Samba nameservice integration plugins
> 	ii  libpam-winbind:amd64      2:4.7.6+dfsg~ubuntu-0ubuntu2.15  amd64  Windows domain authentication integration plugin
> 	ii  libsmbclient:amd64        2:4.7.6+dfsg~ubuntu-0ubuntu2.15  amd64  shared library for communication with SMB/CIFS servers
> 	ii  libwbclient0:amd64        2:4.7.6+dfsg~ubuntu-0ubuntu2.15  amd64  Samba winbind client library
> 	ii  python-samba              2:4.7.6+dfsg~ubuntu-0ubuntu2.15  amd64  Python bindings for Samba
> 	ii  python3-nacl              1.1.2-1build1                    amd64  Python bindings to libsodium (Python 3)
> 	ii  samba                     2:4.7.6+dfsg~ubuntu-0ubuntu2.15  amd64  SMB/CIFS file, print, and login server for Unix
> 	ii  samba-common              2:4.7.6+dfsg~ubuntu-0ubuntu2.15  all    common files used by both the Samba server and client
> 	ii  samba-common-bin          2:4.7.6+dfsg~ubuntu-0ubuntu2.15  amd64  Samba common files used by both the server and the client
> 	ii  samba-dsdb-modules        2:4.7.6+dfsg~ubuntu-0ubuntu2.15  amd64  Samba Directory Services Database
> 	ii  samba-libs:amd64          2:4.7.6+dfsg~ubuntu-0ubuntu2.15  amd64  Samba core libraries
> 	ii  samba-vfs-modules         2:4.7.6+dfsg~ubuntu-0ubuntu2.15  amd64  Samba Virtual FileSystem plugins
> 	ii  winbind                   2:4.7.6+dfsg~ubuntu-0ubuntu2.15  amd64  service to resolve user and group information from Windows NT servers
> 	
> 	----------- 
> 	=== END dc1 ===
> 	> 
> 	> Anonymize where needed but keep things like 
> 	> You.dom.tld like that, don't change that to example.tld. 
> 	> 
> 	> Greetz, 
> 	> 
> 	> Louis 
> 	> 
> 	> > -----Original message-----
> 	> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> 	> > Durwin via samba
> 	> > Sent: Friday 28 February 2020 16:19
> 	> > To: Rowland penny
> 	> > CC: sambalist; samba
> 	> > Subject: Re: [Samba] User names not replicating to secondary DC
> 	> > 
> 	> > > >
> 	> > > > > Why are you using the internal dns server on one DC and Bind9 on the
> 	> > > > > other ?
> 	> > > > I am very familiar with configuring Named on Fedora.  I thought it would be
> 	> > > > just as easy on Ubuntu.  After discovering the files were in different places
> 	> > > > and so many more being 'included', I decided to use internal on the second
> 	> > > > one.  I believe there is a command to switch over to internal, correct?
> 	> > > 
> 	> > > There is, samba_upgradedns, but in your case, I would suggest you
> 	> > > upgrade the internal dns to bind9. Every DC is authoritative for the dns
> 	> > > domain, there are no slaves. this means that your forwarders must be
> 	> > > outside the AD dns domain.
> 	> > > 
> 	> > > Try this /etc/bind/named.conf.options:
> 	> > > 
> 	> > > acl "trusted" {
> 	> > >          172.23.93.0/24;
> 	> > >          127.0.0.1;
> 	> > > };
> 	> > > 
> 	> > > options {
> 	> > >          directory "/var/cache/bind";
> 	> > >          notify no;
> 	> > >          empty-zones-enable no;
> 	> > >          allow-query { trusted;};
> 	> > >          allow-recursion { trusted;};
> 	> > >          forwarders { 8.8.8.8; };
> 	> > >          allow-transfer { none;};
> 	> > >          dnssec-validation no;
> 	> > >          dnssec-enable no;
> 	> > >          dnssec-lookaside no;
> 	> > >          listen-on-v6 { none; };
> 	> > >          listen-on port 53 { 172.23.93.25; 127.0.0.1; };
> 	> > > 
> 	> > >          tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> 	> > > };
> 	> > 
> 	> > I made these changes as well as converting dc1 to bind_dlz.
> 	> > Still no replication of new user to secondary DC.
> 	> > 
> 	> > Here is output from 'samba-tool drs showrepl'
> 	> > 
> 	> > Ubuntu18.04> samba-tool drs showrepl
> 	> > Default-First-Site-Name\DC1
> 	> > DSA Options: 0x00000001
> 	> > DSA object GUID: 891b31bc-f3a6-45c8-acf8-a5416c669084
> 	> > DSA invocationId: 58a95aa5-5fb2-4983-94aa-18f06698383a
> 	> > 
> 	> > ==== INBOUND NEIGHBORS ====
> 	> > 
> 	> > CN=Configuration,DC=msi,DC=mydomain,DC=com
> 	> >    Default-First-Site-Name\DC0 via RPC
> 	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> 	> >        Last attempt @ Fri Feb 28 08:09:58 2020 MST was successful
> 	> >        0 consecutive failure(s).
> 	> >        Last success @ Fri Feb 28 08:09:58 2020 MST
> 	> > 
> 	> > CN=Schema,CN=Configuration,DC=msi,DC=mydomain,DC=com
> 	> >    Default-First-Site-Name\DC0 via RPC
> 	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> 	> >        Last attempt @ Fri Feb 28 08:10:00 2020 MST was successful
> 	> >        0 consecutive failure(s).
> 	> >        Last success @ Fri Feb 28 08:10:00 2020 MST
> 	> > 
> 	> > DC=msi,DC=mydomain,DC=com
> 	> >    Default-First-Site-Name\DC0 via RPC
> 	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> 	> >        Last attempt @ Fri Feb 28 08:10:01 2020 MST was successful
> 	> >        0 consecutive failure(s).
> 	> >        Last success @ Fri Feb 28 08:10:01 2020 MST
> 	> > 
> 	> > DC=ForestDnsZones,DC=msi,DC=mydomain,DC=com
> 	> >    Default-First-Site-Name\DC0 via RPC
> 	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> 	> >        Last attempt @ Fri Feb 28 08:09:55 2020 MST was successful
> 	> >        0 consecutive failure(s).
> 	> >        Last success @ Fri Feb 28 08:09:55 2020 MST
> 	> > 
> 	> > DC=DomainDnsZones,DC=msi,DC=mydomain,DC=com
> 	> >    Default-First-Site-Name\DC0 via RPC
> 	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> 	> >        Last attempt @ Fri Feb 28 08:11:10 2020 MST was successful
> 	> >        0 consecutive failure(s).
> 	> >        Last success @ Fri Feb 28 08:11:10 2020 MST
> 	> > 
> 	> > ==== OUTBOUND NEIGHBORS ====
> 	> > 
> 	> > CN=Configuration,DC=msi,DC=mydomain,DC=com
> 	> >    Default-First-Site-Name\DC0 via RPC
> 	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> 	> >        Last attempt @ NTTIME(0) was successful
> 	> >        0 consecutive failure(s).
> 	> >        Last success @ NTTIME(0)
> 	> > 
> 	> > CN=Schema,CN=Configuration,DC=msi,DC=mydomain,DC=com
> 	> >    Default-First-Site-Name\DC0 via RPC
> 	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> 	> >        Last attempt @ NTTIME(0) was successful
> 	> >        0 consecutive failure(s).
> 	> >        Last success @ NTTIME(0)
> 	> > 
> 	> > DC=msi,DC=mydomain,DC=com
> 	> >    Default-First-Site-Name\DC0 via RPC
> 	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> 	> >        Last attempt @ NTTIME(0) was successful
> 	> >        0 consecutive failure(s).
> 	> >        Last success @ NTTIME(0)
> 	> > 
> 	> > DC=ForestDnsZones,DC=msi,DC=mydomain,DC=com
> 	> >    Default-First-Site-Name\DC0 via RPC
> 	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> 	> >        Last attempt @ NTTIME(0) was successful
> 	> >        0 consecutive failure(s).
> 	> >        Last success @ NTTIME(0)
> 	> > 
> 	> > DC=DomainDnsZones,DC=msi,DC=mydomain,DC=com
> 	> >    Default-First-Site-Name\DC0 via RPC
> 	> >        DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
> 	> >        Last attempt @ NTTIME(0) was successful
> 	> >        0 consecutive failure(s).
> 	> >        Last success @ NTTIME(0)
> 	> > 
> 	> > ==== KCC CONNECTION OBJECTS ====
> 	> > 
> 	> > Connection --
> 	> >    Connection name: 79339f2a-0afd-4378-b77d-55e32c253ece
> 	> >    Enabled        : TRUE
> 	> >    Server DNS name : dc0.msi.mydomain.com
> 	> >    Server DN name  : CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=msi,DC=mydomain,DC=com
> 	> >        TransportType: RPC
> 	> >        options: 0x00000001
> 	> > Warning: No NC replicated for Connection!
> 	> > 
> 	> > > 
> 	> > > Rowland
> 	> > > 
> 	> > > 
> 	
> 	
> 	
> 	This email message and any attachments are for the sole 
> use of the intended recipient(s) and may contain proprietary 
> and/or confidential information which may be privileged or 
> otherwise protected from disclosure. Any unauthorized review, 
> use, disclosure or distribution is prohibited. If you are not 
> the intended recipient(s), please contact the sender by reply 
> email and destroy the original message and any copies of the 
> message as well as any attachments to the original message.
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
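The named.conf.options quoted above carries the settings that matter on a DC running bind9_dlz: every DC is authoritative, so a forwarder must point outside the AD DNS (never at another DC or at the server itself), queries and recursion are limited to the trusted ACL, zone transfers are off, and tkey-gssapi-keytab is set so GSS-TSIG dynamic updates from the DCs work. The lint below is an added example, not code from the thread, from Samba or from BIND; it reads those statements with a plain regex (it is not a full named.conf parser) and compares them against a list of DC addresses. The DC list holds only 172.23.93.25 (dc0, as shown in the debug output); add dc1's address in practice. The GOOD and WEAK configurations are constructed for this example.

```python
"""Lint a BIND9 named.conf.options for a Samba AD DC using bind9_dlz.

Added example (not from the mailing-list thread, Samba or BIND).
Assumptions: DC_ADDRESSES lists every DC in the domain (only dc0 is
known from the thread); GOOD and WEAK are constructed sample configs.
"""
import ipaddress
import re

# dc0 from the thread's debug output; add dc1's address when using this for real.
DC_ADDRESSES = {"172.23.93.25"}

GOOD = """\
acl "trusted" { 172.23.93.0/24; 127.0.0.1; };
options {
    directory "/var/cache/bind";
    allow-query { trusted; };
    allow-recursion { trusted; };
    forwarders { 8.8.8.8; };
    allow-transfer { none; };
    listen-on port 53 { 172.23.93.25; 127.0.0.1; };
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
"""

# Constructed weak variant: forwards to a DC and to itself, open recursion,
# open transfers, no GSS-TSIG keytab.
WEAK = """\
options {
    directory "/var/cache/bind";
    allow-recursion { any; };
    forwarders { 172.23.93.25; 127.0.0.1; };
    allow-transfer { any; };
};
"""


def _statement(conf, name):
    """Return the ';'-separated items inside `name { ... }`, or None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", conf)
    if not m:
        return None
    return [x.strip() for x in m.group(1).split(";") if x.strip()]


def lint_named_options(conf, dc_addresses=DC_ADDRESSES):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []

    # A forwarder that is itself a DC can resolve nothing this DC cannot,
    # and two DCs forwarding to each other loop; loopback points at ourselves.
    for f in _statement(conf, "forwarders") or []:
        try:
            ip = ipaddress.ip_address(f)
        except ValueError:
            findings.append(f"forwarder {f!r} is not an IP address")
            continue
        if str(ip) in dc_addresses:
            findings.append(f"forwarder {ip} is a DC: forwarders must be outside the AD DNS")
        elif ip.is_loopback:
            findings.append(f"forwarder {ip} is loopback: points back at this server")

    # Queries and recursion should be limited to the trusted ACL, not 'any'.
    for stmt in ("allow-query", "allow-recursion"):
        items = _statement(conf, stmt)
        if items is None or "any" in items:
            findings.append(f"{stmt} is open (missing or 'any'); restrict to the trusted ACL")

    # AD DNS has no secondaries, so nothing should be allowed to pull the zone.
    if _statement(conf, "allow-transfer") != ["none"]:
        findings.append("allow-transfer should be { none; }: AD DNS has no slaves")

    # Without the keytab, GSS-TSIG dynamic updates from the DCs fail.
    if not re.search(r'tkey-gssapi-keytab\s+"[^"]+"', conf):
        findings.append("tkey-gssapi-keytab missing: GSS-TSIG dynamic updates will fail")

    return findings


if __name__ == "__main__":
    for label, conf in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, lint_named_options(conf) or "ok")
```

Run it against a real file with `lint_named_options(open("/etc/bind/named.conf.options").read())` after extending DC_ADDRESSES; it reports the same four classes of problem the quoted configuration avoids.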

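The `samba-tool drs showrepl` output quoted above is long enough that the interesting lines are easy to miss: every outbound neighbour reports `Last success @ NTTIME(0)` (a zero timestamp, i.e. no recorded successful replication) and the KCC section ends with `Warning: No NC replicated for Connection!`. The script below is an added example, not part of the thread and not a samba-tool feature; it parses showrepl output and lists each naming context with a zero last-success timestamp or consecutive failures, plus any warning lines. The sample input is a trimmed, constructed copy of the output above with the mail-wrapped lines rejoined.

```python
"""Flag problem naming contexts in `samba-tool drs showrepl` output.

Added example (not from the mailing-list thread or from samba-tool).
SAMPLE is a trimmed, constructed copy of the showrepl output quoted in
the thread; in practice pipe the real command's output into parse_showrepl.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
Default-First-Site-Name\\DC1
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=msi,DC=mydomain,DC=com
   Default-First-Site-Name\\DC0 via RPC
       DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
       Last attempt @ Fri Feb 28 08:10:01 2020 MST was successful
       0 consecutive failure(s).
       Last success @ Fri Feb 28 08:10:01 2020 MST

==== OUTBOUND NEIGHBORS ====

DC=msi,DC=mydomain,DC=com
   Default-First-Site-Name\\DC0 via RPC
       DSA object GUID: 41220c65-9a03-4980-a359-69154250ec0d
       Last attempt @ NTTIME(0) was successful
       0 consecutive failure(s).
       Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
   Connection name: 79339f2a-0afd-4378-b77d-55e32c253ece
   Enabled        : TRUE
   Server DNS name : dc0.msi.mydomain.com
       TransportType: RPC
       options: 0x00000001
Warning: No NC replicated for Connection!
"""


@dataclass
class Neighbor:
    direction: str      # "inbound" or "outbound"
    nc: str             # naming context DN
    peer: str           # site\\server of the replication partner
    failures: int       # consecutive failure count
    last_success: str   # timestamp text, "NTTIME(0)" if none recorded


def parse_showrepl(text):
    """Return (neighbors, warnings) parsed from showrepl output."""
    neighbors, warnings = [], []
    direction = nc = peer = None
    failures = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("==== INBOUND"):
            direction = "inbound"
            continue
        if line.startswith("==== OUTBOUND"):
            direction = "outbound"
            continue
        if line.startswith("==== KCC"):
            direction = None
            continue
        if line.startswith("Warning:"):
            warnings.append(line)
            continue
        if direction is None:
            continue
        if re.match(r"^(CN|DC)=", line):
            nc = line
            continue
        m = re.match(r"^(\S+) via (\S+)$", line)
        if m:
            peer, failures = m.group(1), 0
            continue
        m = re.match(r"^(\d+) consecutive failure", line)
        if m:
            failures = int(m.group(1))
            continue
        m = re.match(r"^Last success @ (.*)$", line)
        if m:  # last line of a neighbour block: emit the record
            neighbors.append(Neighbor(direction, nc, peer, failures, m.group(1)))
    return neighbors, warnings


def find_problems(neighbors, warnings):
    """Neighbours with no recorded success or with failures, then KCC warnings."""
    problems = []
    for n in neighbors:
        if n.last_success == "NTTIME(0)":
            problems.append(f"{n.direction} {n.nc} from {n.peer}: no recorded successful replication (NTTIME(0))")
        elif n.failures > 0:
            problems.append(f"{n.direction} {n.nc} from {n.peer}: {n.failures} consecutive failure(s)")
    problems.extend(warnings)
    return problems


if __name__ == "__main__":
    for p in find_problems(*parse_showrepl(SAMPLE)):
        print(p)
```

Run it on both DCs (`samba-tool drs showrepl | python3 this_script.py` after replacing SAMPLE with `sys.stdin.read()`); a partition that shows up here on one DC but not the other is the one to push by hand with `samba-tool drs replicate <dest-dc> <source-dc> <naming-context>` while watching the log for the underlying DNS or Kerberos error.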