[Samba] Problems with sysrepl
basti
mailinglist at unix-solution.de
Fri Sep 11 10:52:18 UTC 2020
root at dc1:~# cat /tmp/samba-debug-info.txt
Collected config --- 2020-09-11-12:35 -----------
Hostname: dc1
DNS Domain: samdom.example.com
FQDN: dc1.samdom.example.com
ipaddress: 193.137.1.133
-----------
Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok,
sample output:
Server: 193.137.1.133
Address: 193.137.1.133#53
_kerberos._tcp.samdom.example.com service = 0 100 88 dc1.samdom.example.com.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.2 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 52:54:00:43:08:92 brd ff:ff:ff:ff:ff:ff
inet 193.137.1.133/24 brd 193.137.1.255 scope global ens3
inet6 fe80::5054:ff:fe43:892/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
193.137.1.133 dc1.samdom.example.com dc1
193.137.1.135 dc2.samdom.example.com dc2
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
nameserver 193.137.1.133
search samdom.example.com
search net
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
SAMDOM.EXAMPLE.COM = {
kdc = DC1.SAMDOM.EXAMPLE:COM
admin_server = DC1.SAMDOM.EXAMPLE.COM
}
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = DC1
realm = SAMDOM.EXAMPLE.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = NET
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
# Debug logging information
log level = 1
log file = /var/log/samba/log.M%
max log size = 50
debug timestamp = yes
# to connect via ldapvi
ldap server require strong auth = no
[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = Yes
write list = root,Administrator, at Domain Admins
[sysvol]
path = /var/lib/samba/sysvol
read only = Yes
write list = root,Administrator, at Domain Admins
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in
/etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
# samba bind_dlz
include "/var/lib/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
listen-on-v6 { any; };
// samba
// see /var/lib/samba/bind-dns/named.txt
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// reduce log verbosity on issues outside our control
logging {
category lame-servers { null; };
// category cname { null; };
};
zone "fsoc.de" {
type forward;
forwarders { 192.28.103.20; 62.156.190.20; };
forward only;
};
zone "fhd-mobil.de" {
type forward;
forwarders { 192.28.103.20; 62.156.190.20; };
forward only;
};
# abcpartner hat probleme mit dnssec //sf 2019-06-26
zone "abcpartner.de" {
type forward;
forwarders { 192.28.103.20; 62.156.190.20; };
forward only;
};
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list: 3 zone(s) found
pszZoneName : samdom.example.com
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.samdom.example.com
pszZoneName : 1.137.193.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.samdom.example.com
pszZoneName : _msdcs.samdom.example.com
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.samdom.example.com
Samba DNS zone list Automated check :
zone : samdom.example.com ok, no Bind flat-files found
-----------
zone : 1.137.193.in-addr.arpa ok, no Bind flat-files found
-----------
zone : _msdcs.samdom.example.com ok, no Bind flat-files found
-----------
Installed packages:
ii acl 2.2.53-4 amd64
access control list - utilities
ii bind9 1:9.11.5.P4+dfsg-5.1 amd64
Internet Domain Name Server
ii bind9-host 1:9.11.5.P4+dfsg-5.1 amd64
DNS lookup utility (deprecated)
ii bind9utils 1:9.11.5.P4+dfsg-5.1 amd64
Utilities for BIND
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3 all
internationalization support for MIT Kerberos
ii krb5-user 1.17-3 amd64
basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64
access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64
extended attribute handling - shared library
ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1 amd64
BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.17-3 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3 amd64
MIT Kerberos runtime libraries - Support library
ii libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba winbind client library
ii python-samba 2:4.9.5+dfsg-5+deb10u1 amd64
Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba Virtual FileSystem plugins
ii smbclient 2:4.9.5+dfsg-5+deb10u1 amd64
command-line SMB/CIFS clients for Unix
ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64
service to resolve user and group information from Windows NT servers
-----------
root at dc1:~#
root at dc2:~# cat /tmp/samba-debug-info.txt
Collected config --- 2020-09-11-12:45 -----------
Hostname: dc2
DNS Domain: samdom.example.com
FQDN: dc2.samdom.example.com
ipaddress: 193.137.1.135
-----------
Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok,
sample output:
Server: 193.137.1.133
Address: 193.137.1.133#53
_kerberos._tcp.samdom.example.com service = 0 100 88 dc1.samdom.example.com.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.5 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 52:54:00:ad:91:42 brd ff:ff:ff:ff:ff:ff
inet 193.137.1.135/24 brd 193.137.1.255 scope global enp1s0
inet6 fe80::5054:ff:fead:9142/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
193.137.1.133 dc1.samdom.example.com dc1
193.137.1.135 dc2.samdom.example.com dc2
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
nameserver 193.137.1.133
search samdom.example.com
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
SAMDOM.EXAMPLE.COM = {
kdc = dc1.samdom.example.com
admin_server = dc1.samdom.example.com
}
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = DC2
realm = SAMDOM.EXAMPLE.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = NET
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
# Debug logging information
log level = 1
log file = /var/log/samba/log.M%
max log size = 50
debug timestamp = yes
# to connect via ldapvi
ldap server require strong auth = no
[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = Yes
write list = root,Administrator, at Domain Admins
[sysvol]
path = /var/lib/samba/sysvol
read only = Yes
write list = root,Administrator, at Domain Admins
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in
/etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
listen-on-v6 { any; };
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list: 3 zone(s) found
pszZoneName : samdom.example.com
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.samdom.example.com
pszZoneName : 1.137.193.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.samdom.example.com
pszZoneName : _msdcs.samdom.example.com
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.samdom.example.com
Samba DNS zone list Automated check :
zone : samdom.example.com ok, no Bind flat-files found
-----------
zone : 1.137.193.in-addr.arpa ok, no Bind flat-files found
-----------
zone : _msdcs.samdom.example.com ok, no Bind flat-files found
-----------
Installed packages:
ii attr 1:2.4.48-4 amd64
utilities for manipulating filesystem extended attributes
ii bind9 1:9.11.5.P4+dfsg-5.1+deb10u2 amd64
Internet Domain Name Server
ii bind9-host 1:9.11.5.P4+dfsg-5.1+deb10u2 amd64
DNS lookup utility (deprecated)
ii bind9utils 1:9.11.5.P4+dfsg-5.1+deb10u2 amd64
Utilities for BIND
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3 all
internationalization support for MIT Kerberos
ii krb5-user 1.17-3 amd64
basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64
access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64
extended attribute handling - shared library
ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1+deb10u2 amd64
BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.17-3 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3 amd64
MIT Kerberos runtime libraries - Support library
ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba winbind client library
ii python-samba 2:4.9.5+dfsg-5+deb10u1 amd64
Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba Virtual FileSystem plugins
ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64
service to resolve user and group information from Windows NT servers
-----------
root at dc2:~#
dc2 can't resolve _kerberos._tcp when using the local DNS on dc2.
I have fully reinstalled Debian on dc2, but the error still exists.
Any join with
samba-tool domain join samdom.example.com DC -U"NET\administrator"
--dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'
--server=dc1.samdom.example.com
I have no idea what's wrong here.
On 11.09.20 11:55, L.P.H. van Belle via samba wrote:
> Get this,
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> Run it, anonymize it and post it.
> For both AD-DC's.
>
> I want to see a full check on the base setup of the server.
> If you dont mind ;-)
>
> Greetz,
>
> Louis
>