[Samba] How to determine KCC/idmap error source

Rowland Penny rpenny at samba.org
Tue May 3 13:30:58 UTC 2022


On Tue, 2022-05-03 at 14:09 +0200, Hakim Liso via samba wrote:
> Hello everyone,
> I am currently trying to get 2 Samba DCs to run.

But what OS and Samba version?

> Both DCs set up according to Wiki incl. DRS and workaround Rsync
> Sysvol Replication.
> When trying to perform a remote online backup via Sh script

How are you trying to do the backup? And are you aware that you
shouldn't back up an individual DC, you should only back up the domain.
 
> , I came across failures on the 2nd DC while pulling a backup of
> dc01. I re-joined the 2nd DC, same scenario. Samba completely wiped,
> installed and rejoined and now the replication doesn't work anymore.
> 
> user created on DC1 → DC2 sees the user
> 
> vice versa not.

It sounds like you have replication problems between DC2 and DC1

> 
> Am I just missing out on something?
> smb.conf dc01
> 
> # Global parameters
> [global]
>         min protocol = NT1

Why are you using NT1?

>         dns forwarder = 8.8.8.8
>         netbios name = DC01
>         realm = MY.DOMAIN
>         server role = active directory domain controller
>         workgroup = MY
>         idmap_ldb:use rfc2307 = yes
> 
>         map to guest = Bad User

'guest' on a DC?

>         log file = /var/log/samba/%m
>         log level = 3
> 
> template shell = /bin/bash
> winbind use default domain = true

The line above does nothing on a DC

> winbind offline logon = false
> winbind nss info = rfc2307

You do not require the two lines above on a DC

> 
>         winbind enum users = yes
>         winbind enum groups = yes

If you have a lot of users, the two lines above are a bad idea, and they
are not required anyway.

> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/MY.DOMAIN/scripts
>         read only = No
> #--------------------Location----------------------------
> [U2-Sono]
>         path = /var/lib/samba/shares/Location/U2/Sono
>         read only = no
> [U1-Sono]
>         path = /var/lib/samba/shares/Location/U1/Sono
>         read only = no
> [U1-Kolposkop]
>         path = /var/lib/samba/shares/Location/U1/Kolposkop
>         read only = no
> [U1-Fetview]
>         path = /var/lib/samba/shares/Location/U1/Fetview
>         read only = no
> [CTG]
>         path = /var/lib/samba/shares/Location/CTG
>         read only = no
> [Scan]
>         path = /var/lib/samba/shares/Location/Scan
>         read only = no

It isn't recommended to use a DC as a fileserver, I suggest you use a
Unix domain member instead.

> 
> smb.conf dc02
> 
> # Global parameters
> [global]
>         dns forwarder = 8.8.8.8
>         netbios name = DC02
>         realm = MY.DOMAIN
>         server role = active directory domain controller
>         workgroup = MY
>         idmap_ldb:use rfc2307 = yes
> 
>         map to guest = Bad User
>         log file = /var/log/samba/%m
>         log level = 3
> 
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
> winbind nss info = rfc2307
> 
>         winbind enum users = yes
>         winbind enum groups = yes
> name resolve order = bcast host

AD uses DNS, so you definitely shouldn't have the 'name resolve order'
line.

> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/MY.DOMAIN/scripts
>         read only = No
> 
> 
> 
> drs replicate from dc01
> 
> root at dc01:~# sudo samba-tool drs replicate dc02 dc01 DC=MY,DC=DOMAIN
> ldb_wrap open of secrets.ldb
> 
> Using binding ncacn_ip_tcp:dc02[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
> Server ldap/dc02 at MY.DOMAIN is not registered with our
> KDC:  Miscellaneous failure (see text): Server (ldap/dc02 at MY.DOMAIN)
> unknown

Is DC02 joined as a DC correctly? (Note that above it appears to be
called 'DC2'.)

> drs kcc
> 
> administrator at DC02:~$ sudo samba-tool drs kcc
> Using binding ncacn_ip_tcp:DC02.MY.DOMAIN[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name
> DC02.MY.DOMAIN<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name
> DC02.MY.DOMAIN<0x20>
> Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED
> from 10.0.1.9
> Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED
> from 10.0.1.9
> Server ldap/DC02.MY.DOMAIN at MY.DOMAIN is not registered with our
> KDC:  Miscellaneous failure (see text): Server (
> ldap/DC02.MY.DOMAIN at MY.DOMAIN) unknown

It really looks like the join isn't correct.

> 
> 
> 
> Smbd log during sysvolcheck
> [2022/05/03 13:49:46.897388,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.897429,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 17469 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.897475,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.897503,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 1197 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.897569,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.897597,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 17484 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.897699,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.897755,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 17486 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.897863,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.897906,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 1134 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.898097,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.898151,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 1198 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.898384,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.898439,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 1159 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.898471,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.898509,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 1263 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.898667,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.898727,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 17437 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> Which commands could limit the failure source?

The GPOs are stored in two places, in Sysvol and in AD; it looks like
either Sysvol or AD is missing at least one GPO (probably Sysvol).

Rowland
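Rowland's last point (GPOs live both in AD and in Sysvol, and one side is probably missing one) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from the Samba project: it parses the output of `samba-tool gpo listall` for the GPO GUIDs and compares them with the `{GUID}` directories under `Sysvol/<realm>/Policies`, reporting GUIDs that exist on one side only. The domain name, the paths and the third GPO in the constructed sample are hypothetical; the two default-policy GUIDs are the well-known ones every AD domain has.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Samba project).
# Compares the GPO GUIDs that AD knows about (parsed from the output of
# `samba-tool gpo listall`) with the GPO directories actually present under
# Sysvol/<realm>/Policies, and reports GUIDs that exist on one side only.
#
# On a live DC you would run it against the real data:
#   samba-tool gpo listall > /tmp/gpo-listall.txt
#   gpo_sysvol_diff /tmp/gpo-listall.txt /var/lib/samba/sysvol/my.domain/Policies
# The input below is constructed so that the script runs offline.

# GUIDs from `samba-tool gpo listall` output: the "GPO : {...}" lines.
# Normalised to upper case because Sysvol directory names may differ in case
# (the default Domain Controllers policy GUID contains a lower-case 'f').
ad_gpo_guids() {
    sed -n 's/^GPO[[:space:]]*:[[:space:]]*{\([^}]*\)}.*/\1/p' "$1" \
        | tr '[:lower:]' '[:upper:]' | sort -u
}

# GUIDs from the {GUID} directory names under the Policies directory.
sysvol_gpo_guids() {
    for d in "$1"/\{*\}; do
        [ -d "$d" ] || continue
        b=$(basename "$d")
        b=${b#?}          # strip the leading '{'
        b=${b%?}          # strip the trailing '}'
        printf '%s\n' "$b"
    done | tr '[:lower:]' '[:upper:]' | sort -u
}

# Usage: gpo_sysvol_diff <listall-output-file> <Policies-dir>
# Prints one line per discrepancy ("MISSING_IN_SYSVOL <guid>" or
# "MISSING_IN_AD <guid>"); exit status 0 when both sides agree, 1 otherwise.
gpo_sysvol_diff() {
    ad=$(ad_gpo_guids "$1")
    sv=$(sysvol_gpo_guids "$2")
    rc=0
    for g in $ad; do
        printf '%s\n' "$sv" | grep -qxF "$g" || { echo "MISSING_IN_SYSVOL $g"; rc=1; }
    done
    for g in $sv; do
        printf '%s\n' "$ad" | grep -qxF "$g" || { echo "MISSING_IN_AD $g"; rc=1; }
    done
    return $rc
}

# --- constructed sample data (hypothetical domain, not the poster's) --------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_LISTALL="$SAMPLE_DIR/gpo-listall.txt"
SAMPLE_POLICIES="$SAMPLE_DIR/Policies"
# Sysvol holds only the two default policies ...
mkdir -p "$SAMPLE_POLICIES/{31B2F340-016D-11D2-945F-00C04FB984F9}" \
         "$SAMPLE_POLICIES/{6AC1786C-016F-11D2-945F-00C04fB984F9}"
# ... while AD lists those two plus a third GPO whose folder never arrived
# on this DC, which is what a broken Sysvol sync leaves behind.
cat > "$SAMPLE_LISTALL" <<'EOF'
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\my.domain\sysvol\my.domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=MY,DC=DOMAIN
version      : 0
flags        : NONE

GPO          : {6AC1786C-016F-11D2-945F-00C04fB984F9}
display name : Default Domain Controllers Policy
path         : \\my.domain\sysvol\my.domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=MY,DC=DOMAIN
version      : 0
flags        : NONE

GPO          : {0F1E2D3C-4B5A-4A5B-8C9D-0E1F2A3B4C5D}
display name : Drive Maps (hypothetical)
path         : \\my.domain\sysvol\my.domain\Policies\{0F1E2D3C-4B5A-4A5B-8C9D-0E1F2A3B4C5D}
dn           : CN={0F1E2D3C-4B5A-4A5B-8C9D-0E1F2A3B4C5D},CN=Policies,CN=System,DC=MY,DC=DOMAIN
version      : 65537
flags        : NONE
EOF

gpo_sysvol_diff "$SAMPLE_LISTALL" "$SAMPLE_POLICIES" \
    || echo "GPO mismatch between AD and Sysvol on this DC"
```

Run it against each DC's own Policies directory in turn: a GUID reported as missing from Sysvol on one DC but present on the other points at the Sysvol sync, while a GUID missing from AD on both DCs is an orphaned folder left behind by a deleted GPO. Either way the comparison narrows the problem down before `samba-tool ntacl sysvolcheck` is re-run.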




