[Samba] Active Directory Domain Corruption.
Zombie Ryushu
zombie_ryushu at yahoo.com
Tue May 31 13:19:43 UTC 2022
On 5/31/22 09:13, Rowland Penny via samba wrote:
> On Tue, 2022-05-31 at 08:39 -0400, Zombie Ryushu via samba wrote:
>> I have been unable to process any Domain Logins of any type on OpenSuse
>> Leap 15.3. I get an invalid SID error.
>> This has been isolated to just one of my Domain Controllers.
>> Unfortunately, its my Primary Domain Controller.
>>
>> Basically normal Samba and Domain AD Logins fail with
>>
>> NT_STATUS_INVALID_SID
>>
>> A Bug report has been opened at:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=15079
>>
>> Kerberos KDC and LDAP functionality still works, but not much else
>> does. I believe that some sort of corruption has entered the
>> database.
>> My other two DCs are unaffected. Please review the errors in the bug
>> reports and advise.
> Please provide the output from 'testparm -s' as requested.
>
> Also, you do not have a primary DC, you just have a DC that holds the
> FSMO roles including the PDC_Emulator. If you have a problem with just
> one DC, then demote it and add a new one, even if it is the DC holding
> the FSMO roles.
>
> Rowland
>
>
>
The DC did have the FSMO roles, but I tried to demote the DC and rejoin
it. The DC won't demote normally. It will refuse to transfer roles. A
secondary DC has seized the roles, but the primary DC thinks it still
has them when it does not.
I also tried the Demote as a Dead DC procedure. That worked, but after
re-join the original DC was still corrupt.
lpcfg_do_global_parameter: WARNING: The "domain logons" option is
deprecated
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_ACTIVE_DIRECTORY_DC
# Global parameters
[global]
domain logons = Yes
domain master = Yes
ntlm auth = ntlmv1-permitted
os level = 40
passdb backend = samba_dsdb
preferred master = Yes
realm = PUKEY
server min protocol = NT1
server role = active directory domain controller
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
tls cafile = tls/ca.crt
tls certfile = tls/olympia.pukey.crt
tls keyfile = tls/olympia.pukey.key
winbind nss info = rfc2307
workgroup = PUKEY-NT
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
vfs objects = dfs_samba4 acl_xattr
[netlogon]
path = /var/lib/samba/sysvol/pukey/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[homes]
comment = Home Directories
create mask = 0700
directory mask = 0700
read only = No
[pdf-gen]
comment = PDF Generator (only valid users)
lpq command = /bin/true
lprm command = lprm -P'%p' %j
path = /var/tmp
printable = Yes
print command = /usr/share/samba/scripts/print-pdf "%s" "%H" "//%L/%u" "%m" "%I" "%J" &
printing = bsd
[printers]
browseable = No
comment = All Printers
create mask = 0700
guest ok = Yes
path = /var/spool/samba
printable = Yes
[print$]
guest ok = Yes
inherit permissions = Yes
path = /var/lib/samba/printers
write list = @adm root
[Public]
comment = Public Files
path = /opt/var/public/
read only = No
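Separately from the INVALID_SID problem, the `testparm -s` output above carries several settings a reviewer would flag on an AD DC: `server min protocol = NT1` (SMB1 accepted), `ntlm auth = ntlmv1-permitted` (NTLMv1 accepted), the deprecated `domain logons`, and `guest ok = Yes` on [printers] and [print$]. The script below is an added example, not code from the Samba project or from the original poster: it parses a trimmed copy of the posted config (embedded inline as constructed sample input), reports each weak setting next to the value to use instead, and produces the hardened config. The recommended values are Samba's own current defaults (`SMB2_02`, `ntlmv2-only`); the check list is limited to what is visible in the posted config and is an assumption about what matters here, not an exhaustive smb.conf audit.

```python
"""Audit an smb.conf dump (as printed by `testparm -s`) for weak settings and
emit the hardened equivalent beside each finding.  Added example; not part of
Samba or of the original post."""
import configparser
from dataclasses import dataclass

# SMB dialects that predate SMB2; accepting any of them enables SMB1 clients.
LEGACY_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# 'ntlm auth' values that still accept NTLMv1 responses.
NTLMV1_SETTINGS = {"yes", "ntlmv1-permitted"}

# Constructed sample: the posted testparm output, trimmed to the lines the
# audit inspects.  Keys are left unindented because configparser treats an
# indented line as a continuation of the previous value.
SAMPLE_SMB_CONF = """\
[global]
domain logons = Yes
ntlm auth = ntlmv1-permitted
realm = PUKEY
server min protocol = NT1
server role = active directory domain controller
workgroup = PUKEY-NT
idmap config * : backend = tdb

[printers]
browseable = No
guest ok = Yes
path = /var/spool/samba
printable = Yes

[print$]
guest ok = Yes
path = /var/lib/samba/printers
write list = @adm root

[Public]
path = /opt/var/public/
read only = No
"""


@dataclass
class Finding:
    section: str
    key: str
    current: str
    recommended: str  # "(remove)" means the key should be deleted
    reason: str


def load_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf uses only '=' as the separator ('idmap config * : backend' has a
    # literal colon in the key) and '%' macros in values, so disable ':' as a
    # delimiter and configparser's own interpolation.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def is_yes(value: str) -> bool:
    """Samba boolean parsing: yes/true/1/on are all true."""
    return value.strip().lower() in {"yes", "true", "1", "on"}


def audit(cp: configparser.ConfigParser) -> list:
    findings = []
    g = cp["global"]
    proto = g.get("server min protocol", "SMB2_02")
    if proto.upper() in LEGACY_DIALECTS:
        findings.append(Finding("global", "server min protocol", proto, "SMB2_02",
                                "accepts SMB1 clients, which lack mandatory signing and encryption"))
    ntlm = g.get("ntlm auth", "ntlmv2-only")
    if ntlm.lower() in NTLMV1_SETTINGS:
        findings.append(Finding("global", "ntlm auth", ntlm, "ntlmv2-only",
                                "permits NTLMv1, whose challenge responses can be cracked to the NT hash"))
    if "domain logons" in g:
        findings.append(Finding("global", "domain logons", g["domain logons"], "(remove)",
                                "NT4-style setting; testparm reports it as deprecated and an AD DC does not use it"))
    for section in cp.sections():
        if section != "global" and is_yes(cp[section].get("guest ok", "no")):
            findings.append(Finding(section, "guest ok", cp[section]["guest ok"], "No",
                                    "share is reachable without authentication"))
    return findings


def harden(cp: configparser.ConfigParser) -> configparser.ConfigParser:
    """Return a copy of the config with every finding's recommendation applied."""
    out = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    out.read_dict({s: dict(cp.items(s)) for s in cp.sections()})
    for f in audit(cp):
        if f.recommended == "(remove)":
            del out[f.section][f.key]
        else:
            out[f.section][f.key] = f.recommended
    return out


def render(cp: configparser.ConfigParser) -> str:
    lines = []
    for s in cp.sections():
        lines.append(f"[{s}]")
        lines.extend(f"{k} = {v}" for k, v in cp.items(s))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    conf = load_smb_conf(SAMPLE_SMB_CONF)
    for f in audit(conf):
        print(f"[{f.section}] {f.key} = {f.current!r} -> {f.recommended}: {f.reason}")
    print("\n# hardened config\n" + render(harden(conf)))
```

Run against a live host with `testparm -s 2>/dev/null | python3 audit_smb_conf.py` after replacing `SAMPLE_SMB_CONF` with `sys.stdin.read()`; the hardening pass leaves every other key untouched, so the diff between the two renderings is exactly the set of findings.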