[Samba] Active Directory Domain Corruption.
rpenny at samba.org
Tue May 31 13:47:26 UTC 2022
On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via samba wrote:
> The DC Did have the FSMO Roles, but I tried to demote the DC and
> it. The DC Won't Demote normally. It will refuse to transfer roles.
> Secondary DC has Seized the roles, but the Primary DC thinks it
> has them when it does not.
> I also tried the Demote as a Dead DC procedure. That worked but
> Re-join the original DC was still corrupt.
You shouldn't have re-joined the DC, you should have re-installed it,
preferably with a new name.
> lpcfg_do_global_parameter: WARNING: The "domain logons" option is
> Loaded services file OK.
> Weak crypto is allowed
> Server role: ROLE_ACTIVE_DIRECTORY_DC
> # Global parameters
> domain logons = Yes
> domain master = Yes
> ntlm auth = ntlmv1-permitted
> os level = 40
> passdb backend = samba_dsdb
> preferred master = Yes
> realm = PUKEY
> server min protocol = NT1
> server role = active directory domain controller
> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
> tls cafile = tls/ca.crt
> tls certfile = tls/olympia.pukey.crt
> tls keyfile = tls/olympia.pukey.key
> winbind nss info = rfc2307
> workgroup = PUKEY-NT
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = No
> vfs objects = dfs_samba4 acl_xattr
> path = /var/lib/samba/sysvol/pukey/scripts
> read only = No
> path = /var/lib/samba/sysvol
> read only = No
I suggest you move all the shares to a Unix domain member.
I also suggest you remove these lines:
domain logons = Yes
domain master = Yes
preferred master = Yes
winbind nss info = rfc2307
os level = 40
There is no point to them on a Samba AD DC.
Why do you have these lines:
ntlm auth = ntlmv1-permitted
server min protocol = NT1
Do you really need them?
Finally, what happened to 'dnsupdate' from the 'server services' line?
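As an added example (not from the thread, and not Samba's own tooling): a small Python check that flags the points raised in the reply above when run over a testparm-style dump of a DC's [global] section. The sample config is constructed from the one posted; the list of NT4-era parameters, the legacy values for `ntlm auth` and `server min protocol`, and the `dnsupdate` requirement are assumptions drawn from the reply and Samba's documented option values.

```python
import re
from typing import Dict, List

# Constructed sample, abridged from the config posted in the thread.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
domain logons = Yes
domain master = Yes
ntlm auth = ntlmv1-permitted
os level = 40
preferred master = Yes
realm = PUKEY
server min protocol = NT1
server role = active directory domain controller
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
winbind nss info = rfc2307
workgroup = PUKEY-NT

[sysvol]
path = /var/lib/samba/sysvol
read only = No
"""

# Assumed: NT4-domain leftovers that do nothing on an AD DC (per the reply).
NT4_LEFTOVERS = ("domain logons", "domain master", "preferred master", "os level", "winbind nss info")
# Assumed: values that re-enable legacy authentication / SMB1 dialects.
WEAK_SETTINGS = {
    "ntlm auth": {"ntlmv1-permitted", "yes"},
    "server min protocol": {"nt1", "lanman1", "lanman2", "core", "coreplus"},
}
REQUIRED_SERVICES = {"dnsupdate"}  # assumed: a DC should keep dynamic DNS updates running

def parse_global(text: str) -> Dict[str, str]:
    """Return [global] parameters as lowercase key -> raw value; other sections are ignored."""
    params, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            params[key.lower()] = value
    return params

def audit_dc_config(text: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    g, findings = parse_global(text), []
    findings += [f"remove '{k} = {g[k]}': no effect on an AD DC" for k in NT4_LEFTOVERS if k in g]
    findings += [f"weak setting '{k} = {g[k]}': legacy protocol enabled"
                 for k, bad in WEAK_SETTINGS.items() if k in g and g[k].lower() in bad]
    if "server services" in g:  # only check an explicit list; Samba's default already includes dnsupdate
        present = {s.strip().lower() for s in g["server services"].split(",")}
        findings += [f"'{s}' missing from server services" for s in sorted(REQUIRED_SERVICES - present)]
    return findings
```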