[Samba] Active Directory Domain Corruption.

Zombie Ryushu zombie_ryushu at yahoo.com
Tue May 31 13:19:43 UTC 2022


On 5/31/22 09:13, Rowland Penny via samba wrote:
> On Tue, 2022-05-31 at 08:39 -0400, Zombie Ryushu via samba wrote:
>> I have been unable to process any Domain Logins of any type on OpenSuse
>> Leap 15.3. I get an invalid SID error.
>> This has been isolated to just one of my Domain Controllers.
>> Unfortunately, it's my Primary Domain Controller.
>>
>> Basically normal Samba and Domain AD Logins fail with
>>
>> NT_STATUS_INVALID_SID
>>
>> A Bug report has been opened at:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=15079
>>
>> Kerberos KDC and LDAP functionality still works, but not much else
>> does. I believe that some sort of corruption has entered the
>> database.
>> My other two DCs are unaffected. Please review the errors in the bug
>> reports and advise.
> Please provide the output from 'testparm -s' as requested.
>
> Also, you do not have a primary DC, you just have a DC that holds the
> FSMO roles including the PDC_Emulator. If you have a problem with just
> one DC, then demote it and add a new one, even if it is the DC holding
> the FSMO roles.
>
> Rowland
>
>
>
The DC did have the FSMO Roles, but I tried to demote the DC and rejoin
it. The DC won't demote normally. It will refuse to transfer roles. A
secondary DC has seized the roles, but the primary DC thinks it still
has them when it does not.

I also tried the Demote as a Dead DC procedure. That worked, but after
the re-join the original DC was still corrupt.

lpcfg_do_global_parameter: WARNING: The "domain logons" option is 
deprecated
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_ACTIVE_DIRECTORY_DC

# Global parameters
[global]
        domain logons = Yes
        domain master = Yes
        ntlm auth = ntlmv1-permitted
        os level = 40
        passdb backend = samba_dsdb
        preferred master = Yes
        realm = PUKEY
        server min protocol = NT1
        server role = active directory domain controller
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
        tls cafile = tls/ca.crt
        tls certfile = tls/olympia.pukey.crt
        tls keyfile = tls/olympia.pukey.key
        winbind nss info = rfc2307
        workgroup = PUKEY-NT
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        vfs objects = dfs_samba4 acl_xattr


[netlogon]
        path = /var/lib/samba/sysvol/pukey/scripts
        read only = No


[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


[homes]
        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        read only = No


[pdf-gen]
        comment = PDF Generator (only valid users)
        lpq command = /bin/true
        lprm command = lprm -P'%p' %j
        path = /var/tmp
        printable = Yes
        print command = /usr/share/samba/scripts/print-pdf "%s" "%H" "//%L/%u" "%m" "%I" "%J" &
        printing = bsd


[printers]
        browseable = No
        comment = All Printers
        create mask = 0700
        guest ok = Yes
        path = /var/spool/samba
        printable = Yes


[print$]
        guest ok = Yes
        inherit permissions = Yes
        path = /var/lib/samba/printers
        write list = @adm root


[Public]
        comment = Public Files
        path = /opt/var/public/
        read only = No

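As an added example, not part of this thread or of Samba itself: a small script that parses 'testparm -s' style output like the one above and flags the settings in it that weaken authentication (NTLMv1 permitted, SMB1 accepted, guest shares). The sample input is a constructed excerpt of the posted config, and the policy table is an assumption for this example.

```python
import re

# Constructed sample: an excerpt of the 'testparm -s' output posted above.
TESTPARM_OUTPUT = """\
[global]
        ntlm auth = ntlmv1-permitted
        server min protocol = NT1
        server role = active directory domain controller

[printers]
        guest ok = Yes
        path = /var/spool/samba

[print$]
        guest ok = Yes
        path = /var/lib/samba/printers
"""

# Assumed policy table for this example: global parameters whose listed
# values weaken authentication or transport security.
WEAK_GLOBAL = {
    "ntlm auth": ({"ntlmv1-permitted", "yes"}, "NTLMv1 accepted"),
    "server min protocol": ({"nt1", "core", "coreplus", "lanman1", "lanman2"},
                            "SMB1 accepted"),
}

def parse_testparm(text):
    """Return {section: {param: value}} from 'testparm -s' style output."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def audit(sections):
    """Return a sorted list of (section, parameter, finding) tuples."""
    findings = []
    g = sections.get("global", {})
    for param, (bad_values, why) in WEAK_GLOBAL.items():
        if g.get(param, "").lower() in bad_values:
            findings.append(("global", param, why))
    for name, params in sections.items():
        if name != "global" and params.get("guest ok", "").lower() == "yes":
            findings.append((name, "guest ok", "unauthenticated access"))
    return sorted(findings)

if __name__ == "__main__":
    for section, param, why in audit(parse_testparm(TESTPARM_OUTPUT)):
        print(f"[{section}] {param}: {why}")
```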

