[Samba] Active Directory Domain Corruption.
Markus Dellermann
saml at use.startmail.com
Wed Jun 1 07:51:54 UTC 2022
Send this back to the list...
Am Dienstag, 31. Mai 2022, 21:05:05 CEST schrieb Zombie Ryushu:
> On 5/31/22 14:43, Markus Dellermann via samba wrote:
> > Hi,
> >
> > Am Dienstag, 31. Mai 2022, 16:43:45 CEST schrieb Zombie Ryushu via samba:
> >> On 5/31/22 10:19, Rowland Penny via samba wrote:
> >>> On Tue, 2022-05-31 at 10:05 -0400, Zombie Ryushu via samba wrote:
> >>>> On 5/31/22 09:47, Rowland Penny via samba wrote:
> >>>>> On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via samba wrote:
> >>>>>> The DC Did have the FSMO Roles, but I tried to demote the DC and rejoin
> >>>>>> it. The DC Won't Demote normally. It will refuse to transfer roles. A
> >>>>>> Secondary DC has Seized the roles, but the Primary DC thinks it still
> >>>>>> has them when it does not.
> >>>>>>
> >>>>>> I also tried the Demote as a Dead DC procedure. That worked but after
> >>>>>> Re-join the original DC was still corrupt.
> >>>>>
> >>>>> You shouldn't have re-joined the DC, you should have re-installed it,
> >>>>> preferably with a new name.
> >>>>>
> >>>>>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is
> >>>>>> deprecated
> >>>>>> Loaded services file OK.
> >>>>>> Weak crypto is allowed
> >>>>>>
> >>>>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
> >>>>>>
> >>>>>> # Global parameters
> >>>>>> [global]
> >>>>>>
> >>>>>> domain logons = Yes
> >>>>>> domain master = Yes
> >>>>>> ntlm auth = ntlmv1-permitted
> >>>>>> os level = 40
> >>>>>> passdb backend = samba_dsdb
> >>>>>> preferred master = Yes
> >>>>>> realm = PUKEY
> >>>>>> server min protocol = NT1
> >>>>>> server role = active directory domain controller
> >>>>>> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
> >>>>>>
> >>>>>> tls cafile = tls/ca.crt
> >>>>>> tls certfile = tls/olympia.pukey.crt
> >>>>>> tls keyfile = tls/olympia.pukey.key
> >>>>>> winbind nss info = rfc2307
> >>>>>> workgroup = PUKEY-NT
> >>>>>> rpc_server:tcpip = no
> >>>>>> rpc_daemon:spoolssd = embedded
> >>>>>> rpc_server:spoolss = embedded
> >>>>>> rpc_server:winreg = embedded
> >>>>>> rpc_server:ntsvcs = embedded
> >>>>>> rpc_server:eventlog = embedded
> >>>>>> rpc_server:srvsvc = embedded
> >>>>>> rpc_server:svcctl = embedded
> >>>>>> rpc_server:default = external
> >>>>>> winbindd:use external pipes = true
> >>>>>> idmap_ldb:use rfc2307 = yes
> >>>>>> idmap config * : backend = tdb
> >>>>>> map archive = No
> >>>>>> vfs objects = dfs_samba4 acl_xattr
> >>>>>>
> >>>>>> [netlogon]
> >>>>>>
> >>>>>> path = /var/lib/samba/sysvol/pukey/scripts
> >>>>>> read only = No
> >>>>>>
> >>>>>> [sysvol]
> >>>>>>
> >>>>>> path = /var/lib/samba/sysvol
> >>>>>> read only = No
> >>>>>
> >>>>> I suggest you move all the shares to a Unix domain member.
> >>>>>
> >>>>> I also suggest you remove these lines:
> >>>>> domain logons = Yes
> >>>>> domain master = Yes
> >>>>> preferred master = Yes
> >>>>> winbind nss info = rfc2307
> >>>>> os level = 40
> >>>>>
> >>>>> There is no point to them on a Samba AD DC.
> >>>>>
> >>>>> Why do you have these lines:
> >>>>> ntlm auth = ntlmv1-permitted
> >>>>> server min protocol = NT1
> >>>>>
> >>>>> Do you really need them ?
> >>>>>
> >>>>> Finally, what happened to 'dnsupdate' from the 'server services' line?
> >>>>>
> >>>>> Rowland
> >>>>
> >>>> I use a normal Bind Server for DNS,
> >>>
> >>> But you still need 'dnsupdate' in the 'server services' line, it has
> >>> nothing to do with Bind9.
> >>>
> >>>> ntlm auth = ntlmv1-permitted
> >>>> server min protocol = NT1
> >>>>
> >>>> These are there so that Ghost Commander on Android works.
> >>>> I have a secondary smb.conf that is configured for an NT Domain that
> >>>> just is for running NMB so Ghost Commander on Android sees a Browse
> >>>> list.
> >>>
> >>> I suggest you use a Unix domain member for 'Ghost Commander'
> >>>
> >>>> It's outside the scope of this problem. Samba doesn't really update
> >>>> Bind right now. Bind runs in a Chroot and that prevents the Bind DLZ
> >>>> from working. I just use flat Zone Files.
> >>>
> >>> Take Bind9 out of the chroot, this is quite possibly one of your main
> >>> problems. Do not use flatfiles, they do not work with BIND_DLZ, are
> >>> deprecated and could be removed at any time. Active directory
> >>> absolutely requires good DNS.
> >>>
> >>> Rowland
> >>
> >> Currently it's set to None, and DNS is working. That's not the issue for
> >> the other two DCs. I don't know how to take Bind out of its chroot on
> >> OpenSuse.
> >
> > It's in
> > /etc/sysconfig/named
> > #NAMED_RUN_CHROOTED="no"
> >
> >> This is not a DNS problem anyway. If it were the other two DCs wouldn't
> >> be working.
> >
> > If I understand right, your DCs are running on openSUSE?
> > This is normally "mit-kerberos-based".
> > Don't know if this is also a problem in your case.
> >
> > Markus
>
> Yes, but this is a Database corruption issue. I need DNS worked on, but
> let's hold off on that until things like this:
>
> #samba-tool dbcheck
> Checking 321 objects
> ERROR(<class 'ValueError'>): uncaught exception - unable to parse dn string
> File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
> File "/usr/lib64/python3.6/site-packages/samba/netcmd/dbcheck.py", line 170, in run
>     controls=controls, attrs=attrs)
> File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 255, in check_database
>     error_count += self.check_object(object.dn, requested_attrs=attrs)
> File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 2601, in check_object
>     expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
Is AppArmor running and have you tried aa-logprof?
As Rowland already pointed out, you should go with heimdal-kerberos on a DC and
try Debian, e.g. with Louis' packages.
(For openSUSE I use my alternative packages from opensuse-build-server, but
there may be other options like SerNet's samba+.)
Markus
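As an added example (not code from this thread, from Samba or from samba-tool), the following Python linter applies the checks Rowland raised above to the posted [global] section: the NT4-era parameters that do nothing on an AD DC, the two settings that re-enable NTLMv1 and SMB1, and the missing 'dnsupdate' entry in 'server services'. The function names (parse_smb_conf, lint_ad_dc) and the simplified INI reader are assumptions of this example; the broken sample config is the thread's own, re-typed inline, and the fixed one is what Rowland's advice would produce.

```python
"""Lint a Samba AD DC smb.conf for the problems discussed in the thread.

Added example with hypothetical helper names; not part of Samba.  The reader
only handles the flat 'testparm -s' style shown above (sections, key = value,
'#'/';' comments) and does not merge the '+svc'/'-svc' default syntax.
"""
import re

# Parameters that have no purpose on a Samba AD DC (NT4-domain era settings).
NT4_ONLY = {"domain logons", "domain master", "preferred master", "os level",
            "winbind nss info"}

# Service an AD DC is expected to run; it was missing from the posted config.
REQUIRED_SERVICES = {"dnsupdate"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}} from smb.conf-style text.

    Parameter names are lower-cased and whitespace-normalised so that
    'Server Min Protocol' and 'server min protocol' compare equal.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def lint_ad_dc(config):
    """Return a list of (severity, message) findings for the [global] section."""
    findings = []
    g = config.get("global", {})

    # Only an AD DC is checked; the NT4 parameters are legitimate elsewhere.
    if g.get("server role", "").lower() != "active directory domain controller":
        findings.append(("info", "server role is not an AD DC; DC checks skipped"))
        return findings

    for param in sorted(NT4_ONLY & set(g)):
        findings.append(("warn", f"'{param}' has no purpose on an AD DC; remove it"))

    if g.get("ntlm auth", "").lower() == "ntlmv1-permitted":
        findings.append(("high", "'ntlm auth = ntlmv1-permitted' re-enables NTLMv1"))

    if g.get("server min protocol", "").upper() == "NT1":
        findings.append(("high", "'server min protocol = NT1' allows SMB1 clients"))

    if "server services" in g:
        services = {s.strip() for s in g["server services"].split(",") if s.strip()}
        for svc in sorted(REQUIRED_SERVICES - services):
            findings.append(("warn", f"'server services' is missing '{svc}'"))

    return findings


# The [global] section posted in the thread (constructed inline for the example).
BROKEN_CONF = """
[global]
domain logons = Yes
domain master = Yes
ntlm auth = ntlmv1-permitted
os level = 40
passdb backend = samba_dsdb
preferred master = Yes
realm = PUKEY
server min protocol = NT1
server role = active directory domain controller
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
winbind nss info = rfc2307
workgroup = PUKEY-NT
idmap_ldb:use rfc2307 = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No
"""

# The same section with Rowland's suggested changes applied.
FIXED_CONF = """
[global]
passdb backend = samba_dsdb
realm = PUKEY
server role = active directory domain controller
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
workgroup = PUKEY-NT
idmap_ldb:use rfc2307 = yes
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for severity, message in lint_ad_dc(parse_smb_conf(conf)) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Running it lists eight findings for the posted config (five NT4-only parameters, the two weak settings, and the missing 'dnsupdate') and none for the corrected one; feeding it the output of `testparm -s` from a DC gives the same check on a live box.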