[Samba] User names not replicating to secondary DC
L.P.H. van Belle
belle at bazuin.nl
Fri Feb 28 16:01:18 UTC 2020
+1 ..
So fix both resolv.conf.
Then both smb.conf
DC1 : > dns forwarder = 172.23.93.3
DC0 : no forwarder.
And reboot DC0. wait 1 min.
Reboot DC1.
Wait 1 min.
And now check it all.
Have a nice weekend.
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle via samba
> Sent: Friday, 28 February 2020 16:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] User names not replicating to secondary DC
>
> Found one error, see below.
> Do note, most look very good for the other things.
>
> ________________________________
>
> From: durwin at mgtsciences.com [mailto:durwin at mgtsciences.com]
> Sent: Friday, 28 February 2020 16:41
> To: L.P.H. van Belle
> CC: samba at lists.samba.org; samba
> Subject: Re: [Samba] User names not replicating to secondary DC
>
>
> > Can you run this script on both DC's.
> >
> > https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh
>
> === BEGIN dc0 ===
> Collected config --- 2020-02-28-08:30 -----------
>
> Hostname: dc0
> DNS Domain: msi.mydomain.com
> FQDN: dc0.msi.mydomain.com
> ipaddress: 172.23.93.25
>
> -----------
>
> Kerberos SRV _kerberos._tcp.msi.mydomain.com record
> verified ok, sample output:
> Server: 172.23.93.25
> Address: 172.23.93.25#53
>
> _kerberos._tcp.msi.mydomain.com service = 0 100 88 dc0.msi.mydomain.com.
> _kerberos._tcp.msi.mydomain.com service = 0 100 88 dc1.msi.mydomain.com.
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> NAME="Ubuntu"
> VERSION="18.04.3 LTS (Bionic Beaver)"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 18.04.3 LTS"
> VERSION_ID="18.04"
> HOME_URL="https://www.ubuntu.com/"
> SUPPORT_URL="https://help.ubuntu.com/"
> BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
> VERSION_CODENAME=bionic
> UBUNTU_CODENAME=bionic
>
> -----------
>
>
> This computer is running Ubuntu 18.04.3 LTS x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
> link/ether 08:00:27:88:47:0f brd ff:ff:ff:ff:ff:ff
> inet 172.23.93.25/24 brd 172.23.93.255 scope global enp0s3
> inet6 fe80::a00:27ff:fe88:470f/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 172.23.93.25 dc0.msi.mydomain.com dc0
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # This file is managed by man:systemd-resolved(8). Do not edit.
> #
> # This is a dynamic resolv.conf file for connecting local clients directly to
> # all known uplink DNS servers. This file lists all configured search domains.
> #
> # Third party programs must not access this file directly, but only through the
> # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
> # replace this symlink by a static file or a different symlink.
> #
> # See man:systemd-resolved.service(8) for details about the supported modes of
> # operation for /etc/resolv.conf.
>
> nameserver 172.23.93.25
> ADD: nameserver 172.23.93.26
> search msi.mydomain.com
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = MSI.MYDOMAIN.COM
>
> ; Note, this is added because other software may need it.
> ; personaly i would remove : des-cbc-crc des-cbc-md5 but for compatibility i leave it in.
> ; for Windows 2008 with AES
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat systemd
> group: compat systemd
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> netbios name = DC0
> realm = MSI.MYDOMAIN.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = MSI
> # This line was added 190710 (DFD)
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/msi.mydomain.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> -----------
>
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> -----------
>
> Checking file: /etc/bind/named.conf.options
>
> acl "trusted" {
> 172.23.93.0/24;
> 127.0.0.1;
> };
>
>
> options {
> directory "/var/cache/bind";
> notify no;
> empty-zones-enable no;
> allow-query { trusted;};
> allow-recursion { trusted;};
> forwarders { 8.8.8.8; };
> allow-transfer { none;};
> dnssec-validation no;
> dnssec-enable no;
> dnssec-lookaside no;
> listen-on-v6 { none; };
> listen-on port 53 { 172.23.93.25; 127.0.0.1; };
>
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> -----------
>
> Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> // adding the Samba dlopen ( Bind DLZ ) module
> include "/var/lib/samba/bind-dns/named.conf";
>
> -----------
>
> Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> -----------
>
> Samba DNS zone list: 3 zone(s) found
>
> pszZoneName : 93.23.172.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.msi.mydomain.com
>
> pszZoneName : msi.mydomain.com
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.msi.mydomain.com
>
> pszZoneName : _msdcs.msi.mydomain.com
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.msi.mydomain.com
>
> Samba DNS zone list Automated check :
> zone : 93.23.172.in-addr.arpa ok, no Bind flat-files found
> -----------
> zone : msi.mydomain.com ok, no Bind flat-files found
> -----------
> zone : _msdcs.msi.mydomain.com ok, no Bind flat-files found
> -----------
>
> Installed packages:
> ii acl 2.2.52-3build1 amd64 Access control list utilities
> ii attr 1:2.4.47-2build1 amd64 Utilities for manipulating filesystem extended attributes
> ii bind9 1:9.11.3+dfsg-1ubuntu1.11 amd64 Internet Domain Name Server
> ii bind9-host 1:9.11.3+dfsg-1ubuntu1.11 amd64 DNS lookup utility (deprecated)
> ii bind9utils 1:9.11.3+dfsg-1ubuntu1.11 amd64 Utilities for BIND
> ii krb5-config 2.6 all Configuration files for Kerberos Version 5
> ii krb5-locales 1.16-2ubuntu0.1 all internationalization support for MIT Kerberos
> ii krb5-user 1.16-2ubuntu0.1 amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.52-3build1 amd64 Access control list shared library
> ii libacl1-dev 2.2.52-3build1 amd64 Access control list static libraries and headers
> ii libattr1:amd64 1:2.4.47-2build1 amd64 Extended attribute shared library
> ii libattr1-dev:amd64 1:2.4.47-2build1 amd64 Extended attribute static libraries and headers
> ii libbind9-160:amd64 1:9.11.3+dfsg-1ubuntu1.11 amd64 BIND9 Shared Library used by BIND
> ii libgssapi-krb5-2:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1 amd64 Heimdal Kerberos - libraries
> ii libkrb5-3:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - Support library
> ii libnss-winbind:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba nameservice integration plugins
> ii libpam-winbind:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Windows domain authentication integration plugin
> ii libwbclient0:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba winbind client library
> ii python-samba 2:4.9.18+dfsg-0.1bionic1 amd64 Python bindings for Samba
> ii python3-attr 17.4.0-2 all Attributes without boilerplate (Python 3)
> ii samba 2:4.9.18+dfsg-0.1bionic1 amd64 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.9.18+dfsg-0.1bionic1 all common files used by both the Samba server and client
> ii samba-common-bin 2:4.9.18+dfsg-0.1bionic1 amd64 Samba common files used by both the server and the client
> ii samba-dsdb-modules:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba Directory Services Database
> ii samba-libs:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba core libraries
> ii samba-vfs-modules:amd64 2:4.9.18+dfsg-0.1bionic1 amd64 Samba Virtual FileSystem plugins
> ii winbind 2:4.9.18+dfsg-0.1bionic1 amd64 service to resolve user and group information from Windows NT servers
>
> -----------
> === END dc0 ===
>
> === BEGIN dc1 ===
> Collected config --- 2020-02-28-08:28 -----------
>
> Hostname: dc1
> DNS Domain: msi.mydomain.com
> FQDN: dc1.msi.mydomain.com
> ipaddress: 172.23.93.26
>
> -----------
>
> Kerberos SRV _kerberos._tcp.msi.mydomain.com record
> verified ok, sample output:
> Server: 172.23.93.3
> Address: 172.23.93.3#53
>
> _kerberos._tcp.msi.mydomain.com service = 0 100 88 dc0.msi.mydomain.com.
> _kerberos._tcp.msi.mydomain.com service = 0 100 88 dc1.msi.mydomain.com.
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> NAME="Ubuntu"
> VERSION="18.04.3 LTS (Bionic Beaver)"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 18.04.3 LTS"
> VERSION_ID="18.04"
> HOME_URL="https://www.ubuntu.com/"
> SUPPORT_URL="https://help.ubuntu.com/"
> BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
> VERSION_CODENAME=bionic
> UBUNTU_CODENAME=bionic
>
> -----------
>
>
> This computer is running Ubuntu 18.04.3 LTS x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
> link/ether 08:00:27:3e:9b:53 brd ff:ff:ff:ff:ff:ff
> inet 172.23.93.26/24 brd 172.23.93.255 scope global enp0s3
> inet6 fe80::a00:27ff:fe3e:9b53/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 172.23.93.26 dc1.msi.mydomain.com dc1
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # Generated by NetworkManager
> ADD Top: nameserver 172.23.93.26
> ADD nameserver 172.23.93.25
> nameserver 172.23.93.3 <<< and this is ?
> search msi.mydomain.com
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = MSI.MYDOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat systemd
> group: compat systemd
> shadow: compat
> gshadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> netbios name = DC1
> realm = MSI.MYDOMAIN.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = MSI
>
> dns forwarder = 172.23.93.3
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> #winbind use default domain = true
> #winbind offline logon = false
> #winbind nss info = rfc2307
> #winbind enum users = yes
> #winbind enum groups = yes
> # This line added 200129 DFD.
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>
> [netlogon]
> path = /var/lib/samba/sysvol/msi.mydomain.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> -----------
>
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> -----------
>
> Checking file: /etc/bind/named.conf.options
>
> acl "trusted" {
> 172.23.93.0/24;
> 127.0.0.1;
> };
>
> options {
> directory "/var/cache/bind";
> notify no;
> empty-zones-enable no;
> allow-query { trusted;};
> allow-recursion { trusted;};
> forwarders { 8.8.8.8; };
> allow-transfer { none;};
> dnssec-validation no;
> dnssec-enable no;
> dnssec-lookaside no;
> listen-on-v6 { none; };
> listen-on port 53 { 172.23.93.26; 127.0.0.1; };
>
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>
> // If there is a firewall between you and nameservers you want
> // to talk to, you may need to fix the firewall to allow multiple
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> // If your ISP provided one or more IP addresses for stable
> // nameservers, you probably want to use them as forwarders.
> // Uncomment the following block, and insert the addresses replacing
> // the all-0's placeholder.
>
> // forwarders {
> // 0.0.0.0;
> // };
>
>
> //========================================================================
> // If BIND logs error messages about the root key being expired,
>
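The two settings Louis's reply at the top tells the poster to fix, as an added check script: it is not part of the thread and not the samba-collect-debug-info.sh the poster ran. It assumes the DC addresses from the dumps (172.23.93.25 and 172.23.93.26, with 172.23.93.3 as the outside resolver) and takes file paths as arguments so copies of the files can be checked.

```bash
#!/bin/bash
# Added check script: not from the thread and not samba-collect-debug-info.sh.
# It tests the two things Louis tells the poster to fix: each DC's
# /etc/resolv.conf must list only the domain's DCs (own address first, no
# outside resolver such as the 172.23.93.3 seen on dc1), and a "dns forwarder"
# in smb.conf must never point at one of the DCs themselves (lookup loop).
# File paths and IPs are arguments, so copies of the files can be checked.

# check_resolv_conf <resolv.conf> <own-ip> <dc-ip>...   -> 0 ok, 1 problems
check_resolv_conf() {
    local file="$1" own="$2"; shift 2
    local dcs="$*" rc=0 first="" key val rest dc
    while read -r key val rest; do
        [ "$key" = nameserver ] || continue        # skip search/options/comments
        [ -n "$first" ] || first="$val"
        case " $dcs " in
            *" $val "*) ;;                           # a DC of this domain: fine
            *) echo "FAIL $file: foreign nameserver $val"; rc=1 ;;
        esac
    done < "$file"
    [ "$first" = "$own" ] ||
        { echo "FAIL $file: first nameserver is '$first', expected own $own"; rc=1; }
    for dc in $dcs; do                               # every DC must be present
        grep -qE "^nameserver[[:space:]]+${dc//./\\.}([[:space:]]|$)" "$file" ||
            { echo "FAIL $file: DC $dc is not listed"; rc=1; }
    done
    return $rc
}

# check_dns_forwarder <smb.conf> <dc-ip>...   -> 0 ok, 1 forwarder is a DC
check_dns_forwarder() {
    local file="$1" fwd dc; shift
    # value after "dns forwarder =", ignoring surrounding whitespace
    fwd=$(sed -nE 's/^[[:space:]]*dns forwarder[[:space:]]*=[[:space:]]*//p' "$file" | head -n1)
    [ -n "$fwd" ] || { echo "OK $file: no dns forwarder set"; return 0; }
    for dc in "$@"; do
        [ "$fwd" != "$dc" ] ||
            { echo "FAIL $file: dns forwarder $fwd is a DC itself"; return 1; }
    done
    echo "OK $file: dns forwarder $fwd is outside the DC set"
}
```

Run it on each DC as `check_resolv_conf /etc/resolv.conf <this DC's IP> 172.23.93.25 172.23.93.26` and `check_dns_forwarder /etc/samba/smb.conf 172.23.93.25 172.23.93.26`; the dc1 dump above fails the first check on its 172.23.93.3 entry.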