[Samba] ODP: Demoting AD DC failed, now it won't start up after ldb and tdb files removed
Krzysztof Kucybała
krzysieq at hotmail.com
Sat Apr 2 14:42:17 UTC 2022
Thanks a lot Andrew, it did help... kind of.
So I managed to rejoin the domain and restart samba services. But for some reason on the physical DC that I fixed with the help of Your instructions now winbind seems to be a bit off (which was my original problem and reason why I started meddling with it in the first place). Basically, the user ids and group ids are not what they should be. The box recognizes users, but their IDs are not what's in the database. For instance my account should be this (as depicted on any other box correctly in the domain):
localadmin at eonia:~$ id krzysieq
uid=1000016(krzysieq) gid=20002(adults) groups=20002(adults),20001(cansudo),20004(gdocs),20006(gaudio),20005(gphoto),20008(gstuff),20007(gvideo),20010(jirauser),20011(bitbucketuser),20012(bamboouser),3001(BUILTIN\users),3000(BUILTIN\administrators)
However, on my secondary, physical DC this same ask comes back with:
root at meraki:/etc# id krzysieq
uid=3000007(***\krzysieq) gid=100(users) groups=100(users),3000007(***\krzysieq),3000008(***\domain admins),3000009(***\gvideo),3000010(***\gdocs),3000011(***\gaudio),3000012(***\jirauser),3000013(***\cansudo),3000014(***\gstuff),3000015(***\gphoto),3000016(***\bamboouser),3000017(***\bitbucketuser),3000018(***\denied rodc password replication group),3000001(***\users),3000000(***\administrators)
The Id numbers are the ones stored in samba database, I'm not sure how's the idmapping kicking in. I masked out the domain name with *** of course. Below are my configs, first from a domain member where everything works as it should (eonia box in fact):
[global]
workgroup = ***
realm = ***.COM
security = ADS
winbind refresh tickets = Yes
map acl inherit = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = Yes
bind interfaces only = Yes
interfaces = lo enp3s0
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config ***:backend = ad
idmap config ***:schema_mode = rfc2307
idmap config ***:range = 10000 - 9999999
idmap config ***:unix_nss_info = Yes
idmap config ***:unix_primary_group = Yes
idmap cache time = 1
idmap negative cache time = 1
winbind cache time = 1
template shell = /bin/bash
template homedir = /home/%D/%U
username map = /etc/samba/user.map
server string = %h server (Samba, Debian)
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = Yes
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = Yes
map to guest = bad user
vfs objects = dfs_samba4 acl_xattr recycle
local master = no
domain master = no
preferred master = no
os level = 0
And from the DC that is acting up:
# Global parameters
[global]
dns forwarder = 192.168.1.1
netbios name = MERAKI
realm = ***.COM
server role = active directory domain controller
workgroup = ***
idmap_ldb:user rfc2307 = Yes
template shell = /bin/bash
template homedir = /home/%D/%U
unix extensions = Yes
vfs objects = dfs_samba4 acl_xattr recycle
local master = yes
preferred master = yes
domain master = yes
os level = 255
bind interfaces only = Yes
interfaces = lo enp3s0
For reference, the config from the primary dc that works off a VM (winbind is not configured there though, I don't log on to that box with domain accounts but I do need that option on the second physical DC)
[global]
dns forwarder = 192.168.1.1
netbios name = PRIMARYDC
realm = ***.COM
server role = active directory domain controller
workgroup = ***
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir = /home/%D/%U
unix extensions = Yes
vfs objects = dfs_samba4 acl_xattr recycle
local master = yes
preferred master = no
domain master = no
os level = 128
Could You point out what is wrong please? I'm a bit clueless, especially that it all used to work fine a while back and I've not changed these configs. Appreciate any help.
Cheers,
Chris
________________________________
Od: Andrew Bartlett <abartlet at samba.org>
Wysłane: poniedziałek, 28 marca 2022 01:59
Do: Krzysztof Kucybała <krzysieq at hotmail.com>; samba at lists.samba.org <samba at lists.samba.org>
Temat: Re: [Samba] Demoting AD DC failed, now it won't start up after ldb and tdb files removed
On Sat, 2022-03-26 at 17:11 +0000, Krzysztof Kucybała via samba wrote:
>
> Could anyone suggest how do I get myself out of this mess that I had
> put myself into? 😊 I have another DC that seems to be running fine
> at the moment, I was hoping the one I was trying to clean up would
> just replicate itself off it again, but that doesn’t seem to be the
> case currently…. Any help will be very appreciated 😊
>
> Cheers,
You need to re-join the domain, Samba needs the database files you
removed and without them is totally lost.
That will clobber the old DC's entry in Active Directory, and because
you removed secrets.ldb/secrets.tdb the safety check won't stop you
doing the re-join.
It should work then.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
More information about the samba
mailing list