[Samba] Active Directory Domain Corruption.

Rowland Penny rpenny at samba.org
Tue May 31 13:47:26 UTC 2022


On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via samba wrote:
> The DC did have the FSMO roles, but I tried to demote the DC and rejoin
> it. The DC won't demote normally. It will refuse to transfer roles. A
> secondary DC has seized the roles, but the primary DC thinks it still
> has them when it does not.
> 
> I also tried the Demote as a Dead DC procedure. That worked but after
> re-join the original DC was still corrupt.

You shouldn't have re-joined the DC, you should have re-installed it,
preferably with a new name.

> 
> lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
> Loaded services file OK.
> Weak crypto is allowed
> 
> Server role: ROLE_ACTIVE_DIRECTORY_DC
> 
> # Global parameters
> [global]
>         domain logons = Yes
>         domain master = Yes
>         ntlm auth = ntlmv1-permitted
>         os level = 40
>         passdb backend = samba_dsdb
>         preferred master = Yes
>         realm = PUKEY
>         server min protocol = NT1
>         server role = active directory domain controller
>         server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
>         tls cafile = tls/ca.crt
>         tls certfile = tls/olympia.pukey.crt
>         tls keyfile = tls/olympia.pukey.key
>         winbind nss info = rfc2307
>         workgroup = PUKEY-NT
>         rpc_server:tcpip = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         winbindd:use external pipes = true
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : backend = tdb
>         map archive = No
>         vfs objects = dfs_samba4 acl_xattr
> 
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/pukey/scripts
>         read only = No
> 
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 

I suggest you move all the shares to a Unix domain member.

I also suggest you remove these lines:

        domain logons = Yes
        domain master = Yes
        preferred master = Yes
        winbind nss info = rfc2307
        os level = 40

There is no point to them on a Samba AD DC.

Why do you have these lines:

        ntlm auth = ntlmv1-permitted
        server min protocol = NT1

Do you really need them?

Finally, what happened to 'dnsupdate' from the 'server services' line?

Rowland
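The points Rowland raises (NT4-style options that do nothing on an AD DC, NTLMv1 and SMB1 being enabled, and 'dnsupdate' missing from 'server services') can be checked mechanically. The following is an added example, not code from the thread or from the Samba project; it parses a constructed copy of the quoted [global] section and reports each of those findings.

```python
import re

# Constructed sample, trimmed from the [global] section quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
        domain logons = Yes
        domain master = Yes
        ntlm auth = ntlmv1-permitted
        os level = 40
        preferred master = Yes
        server min protocol = NT1
        server role = active directory domain controller
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
        winbind nss info = rfc2307
[sysvol]
        path = /var/lib/samba/sysvol
"""
# NT4-style domain options that have no effect on a Samba AD DC.
NT4_ONLY = {"domain logons", "domain master", "preferred master", "os level", "winbind nss info"}

def parse_global(text):
    """Return the [global] parameters as a dict of normalised name -> raw value."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def audit_dc_global(params):
    """List cleanup and hardening findings for an AD DC [global] section."""
    findings = []
    for key in sorted(NT4_ONLY.intersection(params)):
        findings.append(f"remove '{key}': NT4-only option, ignored by an AD DC")
    if params.get("ntlm auth", "").lower() == "ntlmv1-permitted":
        findings.append("'ntlm auth = ntlmv1-permitted' accepts NTLMv1; the default is ntlmv2-only")
    if params.get("server min protocol", "").upper() == "NT1":
        findings.append("'server min protocol = NT1' enables SMB1; the default is SMB2_02")
    services = {s.strip().lower() for s in params.get("server services", "").split(",") if s.strip()}
    if services and "dnsupdate" not in services:  # only flag an explicit list that drops it
        findings.append("'server services' is set explicitly but omits dnsupdate")
    return findings
```

Run it against the output of `testparm -s` on a DC to get the same report for a live configuration.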