[Samba] Active Directory Domain Corruption.

Zombie Ryushu zombie_ryushu at yahoo.com
Wed Jun 1 09:17:17 UTC 2022


On 6/1/22 03:51, Markus Dellermann via samba wrote:
> Send this back to the list...
> Am Dienstag, 31. Mai 2022, 21:05:05 CEST schrieb Zombie Ryushu:
>> On 5/31/22 14:43, Markus Dellermann via samba wrote:
>>> Hi,
>>>
>>> Am Dienstag, 31. Mai 2022, 16:43:45 CEST schrieb Zombie Ryushu via samba:
>>>> On 5/31/22 10:19, Rowland Penny via samba wrote:
>>>>> On Tue, 2022-05-31 at 10:05 -0400, Zombie Ryushu via samba wrote:
>>>>>> On 5/31/22 09:47, Rowland Penny via samba wrote:
>>>>>>> On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via samba wrote:
>>>>>>>> The DC Did have the FSMO Roles, but I tried to demote the DC and
>>>>>>>> rejoin it. The DC Won't Demote normally. It will refuse to transfer
>>>>>>>> roles. A Secondary DC has Seized the roles, but the Primary DC thinks
>>>>>>>> it still has them when it does not.
>>>>>>>>
>>>>>>>> I also tried the Demote as a Dead DC procedure. That worked but
>>>>>>>> after Re-join the original DC was still corrupt.
>>>>>>> You shouldn't have re-joined the DC, you should have re-installed
>>>>>>> it, preferably with a new name.
>>>>>>>
>>>>>>>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is
>>>>>>>> deprecated
>>>>>>>> Loaded services file OK.
>>>>>>>> Weak crypto is allowed
>>>>>>>>
>>>>>>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>>>>>>>
>>>>>>>> # Global parameters
>>>>>>>> [global]
>>>>>>>>
>>>>>>>>             domain logons = Yes
>>>>>>>>             domain master = Yes
>>>>>>>>             ntlm auth = ntlmv1-permitted
>>>>>>>>             os level = 40
>>>>>>>>             passdb backend = samba_dsdb
>>>>>>>>             preferred master = Yes
>>>>>>>>             realm = PUKEY
>>>>>>>>             server min protocol = NT1
>>>>>>>>             server role = active directory domain controller
>>>>>>>>             server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
>>>>>>>>
>>>>>>>>             tls cafile = tls/ca.crt
>>>>>>>>             tls certfile = tls/olympia.pukey.crt
>>>>>>>>             tls keyfile = tls/olympia.pukey.key
>>>>>>>>             winbind nss info = rfc2307
>>>>>>>>             workgroup = PUKEY-NT
>>>>>>>>             rpc_server:tcpip = no
>>>>>>>>             rpc_daemon:spoolssd = embedded
>>>>>>>>             rpc_server:spoolss = embedded
>>>>>>>>             rpc_server:winreg = embedded
>>>>>>>>             rpc_server:ntsvcs = embedded
>>>>>>>>             rpc_server:eventlog = embedded
>>>>>>>>             rpc_server:srvsvc = embedded
>>>>>>>>             rpc_server:svcctl = embedded
>>>>>>>>             rpc_server:default = external
>>>>>>>>             winbindd:use external pipes = true
>>>>>>>>             idmap_ldb:use rfc2307 = yes
>>>>>>>>             idmap config * : backend = tdb
>>>>>>>>             map archive = No
>>>>>>>>             vfs objects = dfs_samba4 acl_xattr
>>>>>>>>
>>>>>>>> [netlogon]
>>>>>>>>
>>>>>>>>             path = /var/lib/samba/sysvol/pukey/scripts
>>>>>>>>             read only = No
>>>>>>>>
>>>>>>>> [sysvol]
>>>>>>>>
>>>>>>>>             path = /var/lib/samba/sysvol
>>>>>>>>             read only = No
>>>>>>> I suggest you move all the shares to a Unix domain member.
>>>>>>>
>>>>>>> I also suggest you remove these lines:
>>>>>>>             domain logons = Yes
>>>>>>>             domain master = Yes
>>>>>>>             preferred master = Yes
>>>>>>>             winbind nss info = rfc2307
>>>>>>>             os level = 40
>>>>>>>
>>>>>>> There is no point to them on a Samba AD DC.
>>>>>>>
>>>>>>> Why do you have these lines:
>>>>>>>             ntlm auth = ntlmv1-permitted
>>>>>>>             server min protocol = NT1
>>>>>>>
>>>>>>> Do you really need them ?
>>>>>>>
>>>>>>> Finally, what happened to 'dnsupdate' from the 'server services'
>>>>>>> line ?
>>>>>>>
>>>>>>> Rowland
>>>>>> I use a normal Bind Server for DNS,
>>>>> But you still need 'dnsupdate' in the 'server services' line, it has
>>>>> nothing to do with Bind9.
>>>>>
>>>>>>             ntlm auth = ntlmv1-permitted
>>>>>>             server min protocol = NT1
>>>>>>
>>>>>> These are there so that Ghost Commander on Android works.
>>>>>> I have a secondary smb.conf that is configured for an NT Domain that
>>>>>> just is for running NMB so Ghost Commander on Android sees a Browse
>>>>>> list.
>>>>> I suggest you use a Unix domain member for 'Ghost Commander'
>>>>>
>>>>>> It's outside the scope of this problem. Samba doesn't really update
>>>>>> Bind right now. Bind runs in a Chroot and that prevents the Bind DLZ
>>>>>> from working. I just use flat Zone Files.
>>>>> Take Bind9 out of the chroot, this is quite possibly one of your main
>>>>> problems. Do not use flatfiles, they do not work with BIND_DLZ, are
>>>>> deprecated and could be removed at any time. Active directory
>>>>> absolutely requires good DNS.
>>>>>
>>>>> Rowland
>>>> Currently it's set to None, and DNS is working. That's not the issue for
>>>> the other two DCs. I don't know how to take Bind out of its chroot on
>>>> OpenSuse.
>>> It's in
>>> /etc/sysconfig/named
>>> #NAMED_RUN_CHROOTED="no"
>>>
>>>> This is not a DNS problem anyway. If it were the other two DCs wouldn't
>>>> be working.
>>> If I understand right, your DCs are running on openSUSE?
>>> This is normally "mit-kerberos-based".
>>> Don't know if this is also a problem in your case.
>>>
>>> Markus
>> Yes, but this is a Database corruption issue, I need DNS worked on, but
>> let's hold off on that until things like this:
>>
>> #samba-tool dbcheck
>> Checking 321 objects
>> ERROR(<class 'ValueError'>): uncaught exception - unable to parse dn string
>>   File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib64/python3.6/site-packages/samba/netcmd/dbcheck.py", line 170, in run
>>     controls=controls, attrs=attrs)
>>   File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 255, in check_database
>>     error_count += self.check_object(object.dn, requested_attrs=attrs)
>>   File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 2601, in check_object
>>     expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
> Is AppArmor running and have you tried aa-logprof ?
>
> As Rowland already pointed out you should go with heimdal-kerberos on a DC and
> try Debian, e.g. with Louis' packages.
> (For openSUSE I use my alternative packages from the openSUSE build server, but
> there may be other options like SerNet's Samba+.)
>
> Markus
>
>
>
* apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; disabled; vendor preset: enabled)
     Active: inactive (dead)

I am not interested in switching Distributions.
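As an added example (not code from this thread or from the Samba project), a small Python audit of testparm-style output that flags the settings Rowland questioned above: NTLMv1 permitted, SMB1 as the minimum dialect, NT4-domain options on an AD DC, and a 'server services' line that omits dnsupdate. The sample input is constructed from the smb.conf quoted in the thread.

```python
import re

# Constructed sample, trimmed from the testparm output quoted in the thread.
SAMPLE = """\
[global]
        domain logons = Yes
        domain master = Yes
        ntlm auth = ntlmv1-permitted
        os level = 40
        preferred master = Yes
        server min protocol = NT1
        server role = active directory domain controller
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
        winbind nss info = rfc2307
"""

# NT4-style domain options that have no point on a Samba AD DC.
NT4_ONLY = ("domain logons", "domain master", "preferred master", "os level", "winbind nss info")
# Dialect names that still permit SMB1 when used as "server min protocol".
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

def parse_global(text):
    """Return the [global] parameters of smb.conf/testparm output as a dict, keys lowercased."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            params[key.lower()] = value
    return params

def audit(text):
    """List the weak or out-of-place settings discussed in the thread."""
    g, findings = parse_global(text), []
    if g.get("ntlm auth", "").lower() in ("ntlmv1-permitted", "yes"):
        findings.append("ntlm auth permits NTLMv1")
    if g.get("server min protocol", "").upper() in SMB1_DIALECTS:
        findings.append("server min protocol allows SMB1")
    if "active directory domain controller" in g.get("server role", "").lower():
        findings += [f"{k} is an NT4-domain option with no effect on an AD DC" for k in NT4_ONLY if k in g]
        services = g.get("server services")
        if services and "dnsupdate" not in [s.strip() for s in services.split(",")]:
            findings.append("server services omits dnsupdate")
    return findings
```

Run `audit(SAMPLE)` against the quoted configuration and every point raised in the thread comes back as a finding; a DC with the defaults for these parameters returns an empty list.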



