[Samba] Active Directory Domain Corruption.

Markus Dellermann saml at use.startmail.com
Wed Jun 1 07:51:54 UTC 2022


Send this back to the list...
On Tuesday, 31 May 2022 at 21:05:05 CEST, Zombie Ryushu wrote:
> On 5/31/22 14:43, Markus Dellermann via samba wrote:
> > Hi,
> > 
> > On Tuesday, 31 May 2022 at 16:43:45 CEST, Zombie Ryushu via samba wrote:
> >> On 5/31/22 10:19, Rowland Penny via samba wrote:
> >>> On Tue, 2022-05-31 at 10:05 -0400, Zombie Ryushu via samba wrote:
> >>>> On 5/31/22 09:47, Rowland Penny via samba wrote:
> >>>>> On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via samba wrote:
> >>>>>> The DC did have the FSMO roles, but I tried to demote the DC and
> >>>>>> rejoin it. The DC won't demote normally. It will refuse to transfer
> >>>>>> roles. A secondary DC has seized the roles, but the primary DC thinks
> >>>>>> it still has them when it does not.
> >>>>>> 
> >>>>>> I also tried the "Demote as a Dead DC" procedure. That worked, but
> >>>>>> after re-joining, the original DC was still corrupt.
> >>>>> 
> >>>>> You shouldn't have re-joined the DC, you should have re-installed
> >>>>> it,
> >>>>> preferably with a new name.
> >>>>> 
> >>>>>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is
> >>>>>> deprecated
> >>>>>> Loaded services file OK.
> >>>>>> Weak crypto is allowed
> >>>>>> 
> >>>>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
> >>>>>> 
> >>>>>> # Global parameters
> >>>>>> [global]
> >>>>>> 
> >>>>>>            domain logons = Yes
> >>>>>>            domain master = Yes
> >>>>>>            ntlm auth = ntlmv1-permitted
> >>>>>>            os level = 40
> >>>>>>            passdb backend = samba_dsdb
> >>>>>>            preferred master = Yes
> >>>>>>            realm = PUKEY
> >>>>>>            server min protocol = NT1
> >>>>>>            server role = active directory domain controller
> >>>>>>            server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
> >>>>>> 
> >>>>>>            tls cafile = tls/ca.crt
> >>>>>>            tls certfile = tls/olympia.pukey.crt
> >>>>>>            tls keyfile = tls/olympia.pukey.key
> >>>>>>            winbind nss info = rfc2307
> >>>>>>            workgroup = PUKEY-NT
> >>>>>>            rpc_server:tcpip = no
> >>>>>>            rpc_daemon:spoolssd = embedded
> >>>>>>            rpc_server:spoolss = embedded
> >>>>>>            rpc_server:winreg = embedded
> >>>>>>            rpc_server:ntsvcs = embedded
> >>>>>>            rpc_server:eventlog = embedded
> >>>>>>            rpc_server:srvsvc = embedded
> >>>>>>            rpc_server:svcctl = embedded
> >>>>>>            rpc_server:default = external
> >>>>>>            winbindd:use external pipes = true
> >>>>>>            idmap_ldb:use rfc2307 = yes
> >>>>>>            idmap config * : backend = tdb
> >>>>>>            map archive = No
> >>>>>>            vfs objects = dfs_samba4 acl_xattr
> >>>>>> 
> >>>>>> [netlogon]
> >>>>>> 
> >>>>>>            path = /var/lib/samba/sysvol/pukey/scripts
> >>>>>>            read only = No
> >>>>>> 
> >>>>>> [sysvol]
> >>>>>> 
> >>>>>>            path = /var/lib/samba/sysvol
> >>>>>>            read only = No
> >>>>> 
> >>>>> I suggest you move all the shares to a Unix domain member.
> >>>>> 
> >>>>> I also suggest you remove these lines:
> >>>>>            domain logons = Yes
> >>>>>            domain master = Yes
> >>>>>            preferred master = Yes
> >>>>>            winbind nss info = rfc2307
> >>>>>            os level = 40
> >>>>> 
> >>>>> There is no point to them on a Samba AD DC.
> >>>>> 
> >>>>> Why do you have these lines:
> >>>>>            ntlm auth = ntlmv1-permitted
> >>>>>            server min protocol = NT1
> >>>>> 
> >>>>> Do you really need them ?
> >>>>> 
> >>>>> Finally, what happened to 'dnsupdate' from the 'server services' line?
> >>>>> 
> >>>>> Rowland
> >>>> 
> >>>> I use a normal Bind Server for DNS,
> >>> 
> >>> But you still need 'dnsupdate' in the 'server services' line, it has
> >>> nothing to do with Bind9.
> >>> 
> >>>>            ntlm auth = ntlmv1-permitted
> >>>>            server min protocol = NT1
> >>>> 
> >>>> These are there so that Ghost Commander on Android works.
> >>>> I have a secondary smb.conf that is configured for an NT domain and is
> >>>> just for running NMB, so Ghost Commander on Android sees a browse list.
> >>> 
> >>> I suggest you use a Unix domain member for 'Ghost Commander'
> >>> 
> >>>> It's outside the scope of this problem. Samba doesn't really update
> >>>> Bind right now. Bind runs in a Chroot and that prevents the Bind DLZ
> >>>> from working. I just use flat Zone Files.
> >>> 
> >>> Take Bind9 out of the chroot, this is quite possibly one of your main
> >>> problems. Do not use flatfiles, they do not work with BIND_DLZ, are
> >>> deprecated and could be removed at any time. Active directory
> >>> absolutely requires good DNS.
> >>> 
> >>> Rowland
> >> 
> >> Currently it's set to None, and DNS is working. That's not the issue for
> >> the other two DCs. I don't know how to take Bind out of its chroot on
> >> OpenSuse.
> > 
> > It's in
> > /etc/sysconfig/named
> > #NAMED_RUN_CHROOTED="no"
> > 
> >> This is not a DNS problem anyway. If it were the other two DCs wouldn't
> >> be working.
> > 
> > If I understand right, your DCs are running on openSUSE?
> > That is normally MIT-Kerberos-based.
> > I don't know if this is also a problem in your case.
> > 
> > Markus
> 
> Yes, but this is a database corruption issue. I need DNS worked on, but
> let's hold off on that until things like this are fixed:
> 
> #samba-tool dbcheck
> Checking 321 objects
> ERROR(<class 'ValueError'>): uncaught exception - unable to parse dn string
>   File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python3.6/site-packages/samba/netcmd/dbcheck.py", line 170, in run
>     controls=controls, attrs=attrs)
>   File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 255, in check_database
>     error_count += self.check_object(object.dn, requested_attrs=attrs)
>   File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 2601, in check_object
>     expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
Is AppArmor running, and have you tried aa-logprof?

As Rowland already pointed out, you should go with Heimdal Kerberos on a DC and
try Debian, e.g. with Louis' packages.
(For openSUSE I use my alternative packages from the openSUSE build server, but
there may be other options like SerNet's samba+.)

Markus
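The following is an added example, not code from the thread participants or from the Samba project: a small POSIX sh/awk lint that checks an AD DC's smb.conf for the parameters Rowland calls out above (ntlm auth = ntlmv1-permitted, server min protocol = NT1, the NT4-era domain logons/domain master/preferred master/os level/winbind nss info lines, and a server services list that omits dnsupdate). It goes slightly beyond the thread in two ways: the +service/-service forms of server services, which only edit Samba's default list, are not flagged, and the DC-only checks are skipped when server role is anything other than an AD DC, since those NT4 parameters are legitimate on a classic PDC. The two sample files are constructed here from the posted [global] section (shares and tls lines omitted); the function names and the FINDING/NOTE output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): lint a Samba AD DC smb.conf for the
# parameters discussed above. Needs only POSIX sh, awk, tr, grep and mktemp.

# Print the value of parameter $2 from the [global] section of smb.conf $1.
# Key match is case-insensitive and tolerant of whitespace; first match wins.
# Prints nothing when the parameter is unset (Samba's default then applies).
smb_param() {
    awk -F'=' -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = tolower($0); gsub(/[^a-z]/, "", s); next }
        s == "global" && index($0, "=") {
            k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Print one "FINDING: ..." line per problem found in smb.conf $1.
audit_smb_conf() {
    conf=$1

    # NTLMv1: 'ntlmv1-permitted' (or the old alias 'yes') re-enables NTLMv1.
    v=$(smb_param "$conf" "ntlm auth" | tr 'A-Z' 'a-z')
    case "$v" in
        ntlmv1-permitted|yes)
            echo "FINDING: 'ntlm auth = $v' permits NTLMv1; remove it (Samba's default is ntlmv2-only)" ;;
    esac

    # SMB1: any minimum dialect below SMB2_02 re-enables SMB1 on the server.
    v=$(smb_param "$conf" "server min protocol" | tr 'a-z' 'A-Z')
    case "$v" in
        NT1|LANMAN1|LANMAN2|CORE|COREPLUS)
            echo "FINDING: 'server min protocol = $v' re-enables SMB1; remove it (default since Samba 4.11 is SMB2_02)" ;;
    esac

    # The remaining checks only make sense on an AD DC; NT4-style parameters
    # are legitimate on a classic PDC, so skip them for any other role.
    role=$(smb_param "$conf" "server role" | tr 'A-Z' 'a-z')
    if [ "$role" != "active directory domain controller" ]; then
        echo "NOTE: server role is '${role:-unset}', AD DC checks skipped"
        return 0
    fi

    for p in "domain logons" "domain master" "preferred master" "os level" "winbind nss info"; do
        v=$(smb_param "$conf" "$p")
        if [ -n "$v" ]; then
            echo "FINDING: '$p = $v' is an NT4-domain parameter with no purpose on an AD DC; remove it"
        fi
    done

    # An explicit 'server services' list replaces the default list, so a DC
    # that sets it must keep dnsupdate (needed even when BIND9 serves DNS).
    # The '+service' / '-service' forms only edit the default list: left alone.
    v=$(smb_param "$conf" "server services" | tr 'A-Z' 'a-z' | tr -d ' ')
    case "$v" in
        ""|+*|-*) ;;
        *) case ",$v," in
               *,dnsupdate,*) ;;
               *) echo "FINDING: 'server services' overrides the default list but omits dnsupdate; add it" ;;
           esac ;;
    esac
}

# Number of FINDING lines for smb.conf $1.
finding_count() {
    audit_smb_conf "$1" | grep -c '^FINDING' || true
}

# Constructed sample files: the [global] parameters posted in the thread, and a
# hardened counterpart with the flagged lines removed and dnsupdate restored.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
[global]
        domain logons = Yes
        domain master = Yes
        ntlm auth = ntlmv1-permitted
        os level = 40
        passdb backend = samba_dsdb
        preferred master = Yes
        realm = PUKEY
        server min protocol = NT1
        server role = active directory domain controller
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
        winbind nss info = rfc2307
        workgroup = PUKEY-NT
EOF
cat > "$HARDENED_CONF" <<'EOF'
[global]
        passdb backend = samba_dsdb
        realm = PUKEY
        server role = active directory domain controller
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        workgroup = PUKEY-NT
EOF

echo "== posted config ==";   audit_smb_conf "$WEAK_CONF"
echo "== hardened config =="; audit_smb_conf "$HARDENED_CONF"
```

Run it as `sh smb_audit.sh` to see the eight findings against the posted settings and none against the hardened file; to lint a real DC, source the file and call `audit_smb_conf /etc/samba/smb.conf`. Removing the flagged lines changes client-facing behaviour (no SMB1, no NTLMv1), so check which clients, such as the Android file manager mentioned above, still depend on them before rolling it out.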