[Samba] new dc does not allow login..?

L.P.H. van Belle belle at bazuin.nl
Fri Oct 23 08:42:04 UTC 2020


To fix this, I would start with the following.

First, set the first AD-DC's resolv.conf to:

# our own address: the source IP the kernel would use towards the internet
SERVER_IP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')
echo "search $(hostname -d)" > /etc/resolv.conf.new
# DC1 resolves through itself
echo "nameserver ${SERVER_IP}" >> /etc/resolv.conf.new
# because we want a fallback to internet, for now.
echo "nameserver 8.8.8.8" >> /etc/resolv.conf.new
mv /etc/resolv.conf{,.backup}
mv /etc/resolv.conf.new /etc/resolv.conf

Verify /etc/resolv.conf and reboot DC1. 

Wait a few minutes until DC1 is fully online again. 
Then, on the second DC:

SERVER_IP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')
echo "search $(hostname -d)" > /etc/resolv.conf.new
# the other DC(s) first: the A records of the domain, minus MX lines and our own address
for x in $(host "$(hostname -d)" | grep -Evi mail | grep -vwF "${SERVER_IP}" | awk '{ print $NF }') ; \
 do echo "nameserver ${x}" >> /etc/resolv.conf.new ; done
# ourselves last, until replication is confirmed
echo "nameserver ${SERVER_IP}" >> /etc/resolv.conf.new

mv /etc/resolv.conf{,.backup}
mv /etc/resolv.conf.new /etc/resolv.conf

Verify /etc/resolv.conf and reboot DC2.
Wait a few minutes until DC2 is fully online again. 

Now check replication again; it should be fixed, and if it is fixed,
correct resolv.conf again: 

SERVER_IP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')
echo "search $(hostname -d)" > /etc/resolv.conf.new
# now ourselves first ...
echo "nameserver ${SERVER_IP}" >> /etc/resolv.conf.new
# ... and the other DC(s) after that
for x in $(host "$(hostname -d)" | grep -Evi mail | grep -vwF "${SERVER_IP}" | awk '{ print $NF }') ; \
 do echo "nameserver ${x}" >> /etc/resolv.conf.new ; done

mv /etc/resolv.conf{,.backup-2}
mv /etc/resolv.conf.new /etc/resolv.conf

Above should help. 

If people don't see what I did here: 
DC1, points to itself for the DNS. 
DC2, when joining MUST HAVE DC1 as first DNS resolver. 
DC2, after the join and a reboot after the replication check; 
only then can you change the resolver order. 

If you change resolv.conf too early, you're not getting replication, 
and that results in missing things in the AD, 
like the UUID as shown here. 
> Oct 22 16:17:17 cobra samba[824]:   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.177.18[49153,seal,krb5,target_hostname=53959b67-65fb-493d-8fde-4880ac599> 

And adding to that, if you use bind9 you have extra steps to do. 
But I can't tell if you use it. 


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland penny via samba
> Sent: Thursday, 22 October 2020 22:00
> To: sambalist
> Subject: Re: [Samba] new dc does not allow login..?
> 
> On 22/10/2020 20:52, Joachim Lindenberg wrote:
> > Boa is the other DC. There was a rule that DCs should use 
> another DC, but I think the arguments behind that 
> deteriorated over time..
> I think you are referring to 'islanding', but this doesn't 
> occur and I 
> am not sure it ever did.
> > samba-tool drs showrepl reports errors w/o the change to smb.conf
> 
> Then make the change. It may be that various dns records do not exist 
> and samba-dnsupdate needs to create them
> 
> I also think you may have to copy 'dns.keytab' from 
> /var/lib/samba/private/ to /var/lib/samba/binddns/
> 
> Rowland
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
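The resolver ordering Louis describes above (DC1 pointing at itself; a joining DC pointing at the existing DC first and itself last until replication is confirmed), as an added shell example that is not code from the original post or from the Samba project. The domain name, host names, addresses and the `samba-tool drs showrepl` excerpt are constructed for illustration; `host`, `samba-tool` and the path `/etc/resolv.conf` are only used in the functions a practitioner would run on a real DC.

```shell
#!/bin/sh
# Added example (not from the original post). Builds resolv.conf content for a
# Samba AD DC in the order described in the thread, and checks a
# 'samba-tool drs showrepl' report before the resolver order is changed.
# Domain, host names, addresses and the showrepl excerpt are constructed.

# build_resolv_conf MODE DOMAIN SELF_IP [PEER_IP ...]
#   self-first : this DC resolves through itself first (DC1, or any DC once
#                replication has been verified), then the other DCs
#   peer-first : a joining DC resolves through the existing DC(s) first and
#                itself last, until replication is confirmed
build_resolv_conf() {
    mode=$1
    domain=$2
    self_ip=$3
    shift 3
    printf 'search %s\n' "$domain"
    case $mode in
        self-first) printf 'nameserver %s\n' "$self_ip" ;;
        peer-first) ;;
        *) printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
    esac
    for peer in "$@"; do
        [ "$peer" = "$self_ip" ] && continue   # never list ourselves twice
        printf 'nameserver %s\n' "$peer"
    done
    [ "$mode" = peer-first ] && printf 'nameserver %s\n' "$self_ip"
    return 0
}

# dc_ips DOMAIN: the DC addresses, taken from the domain's own A records
# (every DC registers one); MX lines from 'host' are dropped as in the post.
dc_ips() { host "$1" | grep -Evi 'mail' | awk '{ print $NF }'; }

# install_resolv_conf [TARGET]: read the new content on stdin, keep a backup
# of the current file, and rename into place so it is never half-written.
install_resolv_conf() {
    target=${1:-/etc/resolv.conf}
    cat > "$target.new"
    [ -f "$target" ] && cp -p "$target" "$target.backup"
    mv "$target.new" "$target"
}

# showrepl_failures: read 'samba-tool drs showrepl' output on stdin, print the
# number of neighbour entries with a non-zero "consecutive failure(s)" count,
# and exit non-zero if there are any, so it can gate the resolver reorder.
showrepl_failures() {
    n=$(grep -cE '^[[:space:]]*[1-9][0-9]* consecutive failure' || true)
    printf '%s\n' "$n"
    [ "$n" -eq 0 ]
}

# Constructed showrepl excerpt: one healthy neighbour, one failing one.
SAMPLE_SHOWREPL='==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Fri Oct 23 08:00:00 2020 UTC was successful
        0 consecutive failure(s).
CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Fri Oct 23 08:00:00 2020 UTC failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).'

# Demo on the constructed data. On a real DC2 you would instead run:
#   build_resolv_conf peer-first "$(hostname -d)" "$SERVER_IP" $(dc_ips "$(hostname -d)") | install_resolv_conf
#   samba-tool drs showrepl | showrepl_failures && echo "safe to switch to self-first"
if [ "${1:-}" = --demo ]; then
    build_resolv_conf peer-first samdom.example.com 192.168.177.18 192.168.177.17
    printf '%s\n' "$SAMPLE_SHOWREPL" | showrepl_failures \
        || echo "replication not healthy: keep the existing DC first in resolv.conf"
fi
```

Run with `--demo` to see the joining-DC ordering and the failure count on the constructed report; only switch a DC to `self-first` once `showrepl_failures` reports zero.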



