[Samba] Active Directory Domain Corruption.

Zombie Ryushu zombie_ryushu at yahoo.com
Tue May 31 13:19:43 UTC 2022

On 5/31/22 09:13, Rowland Penny via samba wrote:
> On Tue, 2022-05-31 at 08:39 -0400, Zombie Ryushu via samba wrote:
>> I have been unable to process any Domain Logins of any type on OpenSuse
>> Leap 15.3. I get an invalid SID error.
>> This has been isolated to just one of my Domain Controllers.
>> Unfortunately, its my Primary Domain Controller.
>> Basically normal Samba and Domain AD Logins fail with
>> A Bug report has been opened at:
>> https://bugzilla.samba.org/show_bug.cgi?id=15079
>> Kerberos KDC and LDAP functionality still works, but not much else
>> does. I believe that some sort of corruption has entered the
>> database.
>> My other two DCs are unaffected. Please review the errors in the bug
>> reports and advise.
> Please provide the output from 'testparm -s' as requested.
> Also, you do not have a primary DC, you just have a DC that holds the
> FSMO roles including the PDC_Emulator. If you have a problem with just
> one DC, then demote it and add a new one, even if it is the DC holding
> the FSMO roles.
> Rowland
The DC did have the FSMO roles, but I tried to demote the DC and rejoin
it. The DC won't demote normally. It will refuse to transfer roles. A
secondary DC has seized the roles, but the primary DC thinks it still
has them when it does not.

I also tried the "demote as a dead DC" procedure. That worked, but after
the re-join the original DC was still corrupt.

lpcfg_do_global_parameter: WARNING: The "domain logons" option is 
Loaded services file OK.
Weak crypto is allowed


# Global parameters
        domain logons = Yes
        domain master = Yes
        ntlm auth = ntlmv1-permitted
        os level = 40
        passdb backend = samba_dsdb
        preferred master = Yes
        realm = PUKEY
        server min protocol = NT1
        server role = active directory domain controller
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
        tls cafile = tls/ca.crt
        tls certfile = tls/olympia.pukey.crt
        tls keyfile = tls/olympia.pukey.key
        winbind nss info = rfc2307
        workgroup = PUKEY-NT
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        vfs objects = dfs_samba4 acl_xattr

        path = /var/lib/samba/sysvol/pukey/scripts
        read only = No

        path = /var/lib/samba/sysvol
        read only = No

        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        read only = No

        comment = PDF Generator (only valid users)
        lpq command = /bin/true
        lprm command = lprm -P'%p' %j
        path = /var/tmp
        printable = Yes
        print command = /usr/share/samba/scripts/print-pdf "%s" "%H" "//%L/%u" "%m" "%I" "%J" &
        printing = bsd

        browseable = No
        comment = All Printers
        create mask = 0700
        guest ok = Yes
        path = /var/spool/samba
        printable = Yes

        guest ok = Yes
        inherit permissions = Yes
        path = /var/lib/samba/printers
        write list = @adm root

        comment = Public Files
        path = /opt/var/public/
        read only = No

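Independently of the SID/corruption problem under discussion, the testparm dump above carries several settings that weaken the DC: `server min protocol = NT1` keeps SMB1 enabled, `ntlm auth = ntlmv1-permitted` accepts NTLMv1 (testparm's "Weak crypto is allowed" line is a related hint), and `domain logons = Yes` is an NT4-era option that testparm itself warns is deprecated on an AD DC. The following script is an added example, not code from the thread or from the Samba project: it audits a `testparm -s` dump for those settings and compares it with a hardened variant. Both dumps are constructed here; the first mirrors the poster's globals, and the function names (`audit_smbconf`, `count_weak`) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: audit a
# `testparm -s` dump for globals that weaken an AD DC. The two dumps
# below are constructed; the first mirrors the weak globals in the post.

WEAK_TESTPARM='# Global parameters
        domain logons = Yes
        ntlm auth = ntlmv1-permitted
        server min protocol = NT1
        server role = active directory domain controller
        realm = PUKEY
        workgroup = PUKEY-NT'

# Same globals with the weak settings replaced by Samba's current defaults
# (ntlmv2-only, SMB2_02) and the deprecated NT4 option dropped.
HARDENED_TESTPARM='# Global parameters
        ntlm auth = ntlmv2-only
        server min protocol = SMB2_02
        server role = active directory domain controller
        realm = PUKEY
        workgroup = PUKEY-NT'

# audit_smbconf: read a testparm -s dump on stdin and print one
# "WEAK: ..." line per finding. Always returns 0 so it can sit in a
# pipeline under `set -e`; callers count the WEAK lines instead.
audit_smbconf() {
    while IFS= read -r line; do
        # split "key = value", trimming surrounding whitespace
        key=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*$//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        case "$key" in
            "server min protocol")
                # anything below SMB2_02 still accepts SMB1 sessions
                case "$val" in
                    NT1|LANMAN1|LANMAN2|CORE|COREPLUS)
                        echo "WEAK: server min protocol = $val (SMB1 enabled); set SMB2_02 or higher" ;;
                esac ;;
            "ntlm auth")
                # ntlmv1-permitted (alias: yes) lets clients authenticate with NTLMv1
                case "$val" in
                    ntlmv1-permitted|yes|Yes|true|True)
                        echo "WEAK: ntlm auth = $val (NTLMv1 accepted); set ntlmv2-only" ;;
                esac ;;
            "domain logons")
                # NT4 PDC option; deprecated and not needed on an AD DC
                case "$val" in
                    yes|Yes|true|True)
                        echo "WEAK: domain logons = $val (deprecated NT4-style option on an AD DC); remove it" ;;
                esac ;;
        esac
    done
    return 0
}

# count_weak: number of findings for the dump passed on stdin.
count_weak() {
    n=$(audit_smbconf | grep -c '^WEAK:' || true)
    echo "$n"
}

# Stand-alone run: list findings for the weak dump, then the totals.
printf '%s\n' "$WEAK_TESTPARM" | audit_smbconf
printf 'weak dump findings: %s\n' "$(printf '%s\n' "$WEAK_TESTPARM" | count_weak)"
printf 'hardened dump findings: %s\n' "$(printf '%s\n' "$HARDENED_TESTPARM" | count_weak)"
```

On a real DC, feed it with `testparm -s 2>/dev/null | audit_smbconf`. Raising `server min protocol` and `ntlm auth` will lock out any remaining SMB1/NTLMv1-only clients, so check which clients still negotiate those (smbd logs, `smbstatus`) before changing them. None of this addresses the invalid-SID failure the poster reports; for a DC that disagrees with its peers about FSMO ownership, `samba-tool fsmo show` on each DC and `samba-tool dbcheck --cross-ncs` are the usual first checks, and they are not run here.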