[Samba] Active Directory Domain Corruption.

Rowland Penny rpenny at samba.org
Wed Jun 1 09:42:37 UTC 2022


On Wed, 2022-06-01 at 05:17 -0400, Zombie Ryushu via samba wrote:
> On 6/1/22 03:51, Markus Dellermann via samba wrote:
> > Send this back to the list...
> > Am Dienstag, 31. Mai 2022, 21:05:05 CEST schrieb Zombie Ryushu:
> > > On 5/31/22 14:43, Markus Dellermann via samba wrote:
> > > > Hi,
> > > > 
> > > > Am Dienstag, 31. Mai 2022, 16:43:45 CEST schrieb Zombie Ryushu
> > > > via samba:
> > > > > On 5/31/22 10:19, Rowland Penny via samba wrote:
> > > > > > On Tue, 2022-05-31 at 10:05 -0400, Zombie Ryushu via samba
> > > > > > wrote:
> > > > > > > On 5/31/22 09:47, Rowland Penny via samba wrote:
> > > > > > > > On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via
> > > > > > > > samba wrote:
> > > > > > > > > The DC Did have the FSMO Roles, but I tried  to
> > > > > > > > > demote the DC and
> > > > > > > > > rejoin
> > > > > > > > > it. The DC Won't Demote normally. It will refuse to
> > > > > > > > > transfer roles. A Secondary DC has Seized the roles, but
> > > > > > > > > the Primary DC thinks it still has them when it does not.
> > > > > > > > > 
> > > > > > > > > I also tried the  Demote as a Dead DC procedure. That
> > > > > > > > > worked but
> > > > > > > > > after
> > > > > > > > > Re-join the original DC was still corrupt.
> > > > > > > > You shouldn't have re-joined the DC, you should have
> > > > > > > > re-installed
> > > > > > > > it,
> > > > > > > > preferably with a new name.
> > > > > > > > 
> > > > > > > > > lpcfg_do_global_parameter: WARNING: The "domain
> > > > > > > > > logons" option is
> > > > > > > > > deprecated
> > > > > > > > > Loaded services file OK.
> > > > > > > > > Weak crypto is allowed
> > > > > > > > > 
> > > > > > > > > Server role: ROLE_ACTIVE_DIRECTORY_DC
> > > > > > > > > 
> > > > > > > > > # Global parameters
> > > > > > > > > [global]
> > > > > > > > > 
> > > > > > > > >             domain logons = Yes
> > > > > > > > >             domain master = Yes
> > > > > > > > >             ntlm auth = ntlmv1-permitted
> > > > > > > > >             os level = 40
> > > > > > > > >             passdb backend = samba_dsdb
> > > > > > > > >             preferred master = Yes
> > > > > > > > >             realm = PUKEY
> > > > > > > > >             server min protocol = NT1
> > > > > > > > >             server role = active directory domain controller
> > > > > > > > >             server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
> > > > > > > > > 
> > > > > > > > >             tls cafile = tls/ca.crt
> > > > > > > > >             tls certfile = tls/olympia.pukey.crt
> > > > > > > > >             tls keyfile = tls/olympia.pukey.key
> > > > > > > > >             winbind nss info = rfc2307
> > > > > > > > >             workgroup = PUKEY-NT
> > > > > > > > >             rpc_server:tcpip = no
> > > > > > > > >             rpc_daemon:spoolssd = embedded
> > > > > > > > >             rpc_server:spoolss = embedded
> > > > > > > > >             rpc_server:winreg = embedded
> > > > > > > > >             rpc_server:ntsvcs = embedded
> > > > > > > > >             rpc_server:eventlog = embedded
> > > > > > > > >             rpc_server:srvsvc = embedded
> > > > > > > > >             rpc_server:svcctl = embedded
> > > > > > > > >             rpc_server:default = external
> > > > > > > > >             winbindd:use external pipes = true
> > > > > > > > >             idmap_ldb:use rfc2307 = yes
> > > > > > > > >             idmap config * : backend = tdb
> > > > > > > > >             map archive = No
> > > > > > > > >             vfs objects = dfs_samba4 acl_xattr
> > > > > > > > > 
> > > > > > > > > [netlogon]
> > > > > > > > > 
> > > > > > > > >             path = /var/lib/samba/sysvol/pukey/scripts
> > > > > > > > >             read only = No
> > > > > > > > > 
> > > > > > > > > [sysvol]
> > > > > > > > > 
> > > > > > > > >             path = /var/lib/samba/sysvol
> > > > > > > > >             read only = No
> > > > > > > > I suggest you move all the shares to a Unix domain
> > > > > > > > member.
> > > > > > > > 
> > > > > > > > I also suggest you remove these lines:
> > > > > > > >             domain logons = Yes
> > > > > > > >             domain master = Yes
> > > > > > > >             preferred master = Yes
> > > > > > > >             winbind nss info = rfc2307
> > > > > > > >             os level = 40
> > > > > > > > 
> > > > > > > > There is no point to them on a Samba AD DC.
> > > > > > > > 
> > > > > > > > Why do you have these lines:
> > > > > > > >             ntlm auth = ntlmv1-permitted
> > > > > > > >             server min protocol = NT1
> > > > > > > > 
> > > > > > > > Do you really need them ?
> > > > > > > > 
> > > > > > > > Finally, what happened to 'dnsupdate' from the 'server
> > > > > > > > services'
> > > > > > > > line ?
> > > > > > > > 
> > > > > > > > Rowland
> > > > > > > I use a normal Bind Server for DNS,
> > > > > > But you still need 'dnsupdate' in the 'server services'
> > > > > > line, it has
> > > > > > nothing to do with Bind9.
> > > > > > 
> > > > > > >             ntlm auth = ntlmv1-permitted
> > > > > > >             server min protocol = NT1
> > > > > > > 
> > > > > > > These are there so that Ghost Commander on Android works.
> > > > > > > I have a secondary smb.conf that is configured for an NT
> > > > > > > Domain that
> > > > > > > just is for running NMB so Ghost Commander on Android
> > > > > > > sees a Browse
> > > > > > > list.
> > > > > > I suggest you use a Unix domain member for 'Ghost
> > > > > > Commander'
> > > > > > 
> > > > > > > It's outside the scope of this problem. Samba doesn't
> > > > > > > really update
> > > > > > > Bind right now. Bind runs in a Chroot and that prevents
> > > > > > > the Bind DLZ
> > > > > > > from working. I just use flat Zone Files.
> > > > > > Take Bind9 out of the chroot, this is quite possibly one of
> > > > > > your main
> > > > > > problems. Do not use flatfiles, they do not work with
> > > > > > BIND_DLZ, are
> > > > > > deprecated and could be removed at any time. Active
> > > > > > directory
> > > > > > absolutely requires good DNS.
> > > > > > 
> > > > > > Rowland
> > > > > Currently it's set to None, and DNS is working. That's not the
> > > > > issue for the other two DCs. I don't know how to take Bind out
> > > > > of its chroot on openSUSE.
> > > > It's in
> > > > /etc/sysconfig/named
> > > > #NAMED_RUN_CHROOTED="no"
> > > > 
> > > > > This is not a DNS problem anyway. If it were the other two
> > > > > DCs wouldn't
> > > > > be working.
> > > > If I understand right, your DCs are running on openSUSE?
> > > > This is normally "mit-kerberos-based".
> > > > Don't know if this is also a problem in your case.
> > > > 
> > > > Markus
> > > Yes, but this is a Database corruption issue, I need DNS worked
> > > on, but let's hold off on that until things like this:
> > > 
> > > #samba-tool dbcheck
> > > Checking 321 objects
> > > ERROR(<class 'ValueError'>): uncaught exception - unable to parse dn string
> > >    File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
> > >      return self.run(*args, **kwargs)
> > >    File "/usr/lib64/python3.6/site-packages/samba/netcmd/dbcheck.py", line 170, in run
> > >      controls=controls, attrs=attrs)
> > >    File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 255, in check_database
> > >      error_count += self.check_object(object.dn, requested_attrs=attrs)
> > >    File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 2601, in check_object
> > >      expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
> > Is AppArmor running and have you tried aa-logprof ?
> > 
> > As Rowland already pointed out you should go with heimdal-kerberos
> > on a DC and try Debian, e.g. with Louis' packages.
> > (for openSUSE I use my alternative packages from opensuse-build-server,
> > but there may be other options like SerNet's samba+)
> > 
> > Markus
> > 
> > 
> > 
> * apparmor.service - Load AppArmor profiles
>       Loaded: loaded (/usr/lib/systemd/system/apparmor.service; 
> disabled; vendor preset: enabled)
>       Active: inactive (dead)
> 
> I am not interested in switching Distributions.
> 

That is your decision, but, from my point of view, you are doing
everything wrong:

You are using an experimental kerberos.
You are running Bind9 in a chroot.
You are running Bind9 with flatfiles.
You have turned off dnsupdate.
You are using a DC as a fileserver.

Rowland
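Rowland's list of problems above, together with his earlier remarks on the posted smb.conf, can be checked mechanically. The Python below is an added example for this archive page, not Samba's own tooling: a minimal smb.conf parser plus an audit that flags the NT4-style options, the NTLMv1/SMB1 settings, a 'server services' line that drops dnsupdate, and file shares hosted on the DC. SAMPLE is a constructed config mirroring the one in the thread; the option names and the rule list are hypothetical choices made for this example.

```python
import re

# NT4-domain options Rowland says have no purpose on a Samba AD DC.
NT4_ONLY = {"domain logons", "domain master", "preferred master", "os level",
            "winbind nss info"}
WEAK = (("ntlm auth", "ntlmv1-permitted"), ("server min protocol", "nt1"))  # NTLMv1, SMB1
DC_SHARES = {"netlogon", "sysvol"}  # the only shares expected on a DC

def norm(s):  # lower-case and collapse whitespace, roughly how Samba matches names
    return re.sub(r"\s+", " ", s.strip().lower())

def parse_smbconf(text):
    """{section: {key: value}}; splits on the first '=' so rpc_server:tcpip survives."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, _, value = line.partition("=")
            conf[section][norm(key)] = value.strip()
    return conf

def audit_dc_smbconf(text):
    """List the problems called out in the thread for an AD DC smb.conf."""
    conf = parse_smbconf(text)
    g, out = conf.get("global", {}), []
    for key in sorted(NT4_ONLY & set(g)):
        out.append(f"remove '{key}': NT4-style option with no effect on an AD DC")
    for key, bad in WEAK:
        if norm(g.get(key, "")) == bad:
            out.append(f"'{key} = {g[key]}' re-enables a weak protocol")
    # An explicit list (no +/- prefixes) replaces Samba's defaults entirely.
    svcs = norm(g.get("server services", "")).replace(",", " ").split()
    if svcs and not any(s[0] in "+-" for s in svcs) and "dnsupdate" not in svcs:
        out.append("'server services' replaces the default list but omits dnsupdate")
    for share in sorted(set(conf) - {"global"} - DC_SHARES):
        out.append(f"share [{share}] on a DC; move file shares to a domain member")
    return out

# Constructed sample in the shape of the smb.conf posted in the thread.
SAMPLE = """[global]
    domain logons = Yes
    ntlm auth = ntlmv1-permitted
    server role = active directory domain controller
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, kcc
[sysvol]
    path = /var/lib/samba/sysvol
[data]
    path = /srv/data
"""
```

Running `audit_dc_smbconf(SAMPLE)` yields four findings: the NT4 option, the NTLMv1 setting, the missing dnsupdate service and the extra [data] share; [sysvol] is accepted.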
