[Samba] Active Directory Domain Corruption.

Zombie Ryushu zombie_ryushu at yahoo.com
Tue May 31 14:05:58 UTC 2022


On 5/31/22 09:47, Rowland Penny via samba wrote:
> On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via samba wrote:
>
>> The DC did have the FSMO roles, but I tried to demote the DC and
>> rejoin it. The DC won't demote normally. It will refuse to transfer
>> roles. A secondary DC has seized the roles, but the primary DC thinks
>> it still has them when it does not.
>>
>> I also tried the Demote as a Dead DC procedure. That worked, but after
>> re-join the original DC was still corrupt.
> You shouldn't have re-joined the DC, you should have re-installed it,
> preferably with a new name.
>
>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is
>> deprecated
>> Loaded services file OK.
>> Weak crypto is allowed
>>
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> # Global parameters
>> [global]
>>          domain logons = Yes
>>          domain master = Yes
>>          ntlm auth = ntlmv1-permitted
>>          os level = 40
>>          passdb backend = samba_dsdb
>>          preferred master = Yes
>>          realm = PUKEY
>>          server min protocol = NT1
>>          server role = active directory domain controller
>>          server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
>> winbind, ntp_signd, kcc
>>          tls cafile = tls/ca.crt
>>          tls certfile = tls/olympia.pukey.crt
>>          tls keyfile = tls/olympia.pukey.key
>>          winbind nss info = rfc2307
>>          workgroup = PUKEY-NT
>>          rpc_server:tcpip = no
>>          rpc_daemon:spoolssd = embedded
>>          rpc_server:spoolss = embedded
>>          rpc_server:winreg = embedded
>>          rpc_server:ntsvcs = embedded
>>          rpc_server:eventlog = embedded
>>          rpc_server:srvsvc = embedded
>>          rpc_server:svcctl = embedded
>>          rpc_server:default = external
>>          winbindd:use external pipes = true
>>          idmap_ldb:use rfc2307 = yes
>>          idmap config * : backend = tdb
>>          map archive = No
>>          vfs objects = dfs_samba4 acl_xattr
>>
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/pukey/scripts
>>          read only = No
>>
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>>
> I suggest you move all the shares to a Unix domain member.
>
> I also suggest you remove these lines:
>
>          domain logons = Yes
>          domain master = Yes
>          preferred master = Yes
>          winbind nss info = rfc2307
>          os level = 40
>
> There is no point to them on a Samba AD DC.
>
> Why do you have these lines:
>
>          ntlm auth = ntlmv1-permitted
>          server min protocol = NT1
>
> Do you really need them ?
>
> Finally, what happened to 'dnsupdate' from the 'server services' line ?
>
> Rowland
>
>
>
I use a normal Bind server for DNS.

         ntlm auth = ntlmv1-permitted
         server min protocol = NT1

These are there so that Ghost Commander on Android works.
I have a secondary smb.conf that is configured for an NT Domain that just is for running NMB so Ghost Commander on Android sees a Browse list.

It's outside the scope of this problem. Samba doesn't really update Bind right now. Bind runs in a Chroot and that prevents the Bind DLZ from working. I just use flat Zone Files.
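As an added example, not part of the original post or of the Samba project's own tooling, the following POSIX shell script audits a `testparm -s` style dump for the settings questioned in this thread: NTLMv1 permitted, an SMB1 minimum protocol, the NT4-only parameters Rowland listed, and a `server services` line without `dnsupdate`. The two embedded configs are constructed excerpts modelled on the one posted; the parameter names are real Samba ones. The script only flags values that are explicitly set, so a clean run means nothing weak is set, not that every default has been reviewed.

```shell
#!/bin/sh
# Added audit example (not code from the thread or the Samba project).
# Parses a `testparm -s` style dump and flags the settings discussed above:
# NTLMv1, SMB1, NT4-only parameters, and a 'server services' list without
# dnsupdate. Only explicitly set parameters are checked.

# Constructed excerpt modelled on the config posted in the thread.
WEAK_CONF='[global]
        domain logons = Yes
        domain master = Yes
        ntlm auth = ntlmv1-permitted
        os level = 40
        preferred master = Yes
        server min protocol = NT1
        server role = active directory domain controller
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
        winbind nss info = rfc2307
        workgroup = PUKEY-NT'

# Constructed hardened counterpart: NTLMv2 only, no SMB1, dnsupdate present.
HARDENED_CONF='[global]
        ntlm auth = ntlmv2-only
        server min protocol = SMB2_02
        server role = active directory domain controller
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        workgroup = PUKEY-NT'

# get_param CONF NAME: print the value of NAME (first match), empty if unset.
get_param() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# audit_conf CONF: print one line per finding; nothing printed means clean.
audit_conf() {
    conf="$1"

    # NTLMv1 challenge/response can be cracked offline to the NT hash;
    # only 'ntlmv2-only' (or a stricter setting) should appear here.
    v=$(get_param "$conf" "ntlm auth")
    case "$v" in
        ntlmv1-permitted|yes|Yes) echo "WEAK: ntlm auth = $v (set ntlmv2-only)" ;;
    esac

    # Any of these minimums leave SMB1 negotiable.
    v=$(get_param "$conf" "server min protocol")
    case "$v" in
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1)
            echo "WEAK: server min protocol = $v (SMB1 enabled; use SMB2_02 or higher)" ;;
    esac

    # NT4-domain parameters have no effect on an AD DC and only invite confusion.
    for p in "domain logons" "domain master" "preferred master" "os level" "winbind nss info"; do
        v=$(get_param "$conf" "$p")
        [ -n "$v" ] && echo "OBSOLETE: $p = $v (remove on an AD DC)"
    done

    # Without dnsupdate the DC does not register its own records; acceptable
    # only when DNS is deliberately maintained outside Samba, as in this thread.
    v=$(get_param "$conf" "server services")
    if [ -n "$v" ]; then
        case ",$(printf '%s' "$v" | tr -d ' ')," in
            *,dnsupdate,*) ;;
            *) echo "NOTE: dnsupdate missing from server services" ;;
        esac
    fi
}

# Usage on a live DC: audit_conf "$(testparm -s 2>/dev/null)"
audit_conf "$WEAK_CONF"
```

On a running DC feed it the real dump with `audit_conf "$(testparm -s 2>/dev/null)"`. Because `testparm -s` prints only non-default values, an absent `ntlm auth` or `server min protocol` line is not flagged; on current Samba releases the compiled-in defaults for those two are `ntlmv2-only` and `SMB2_02`, but confirm that for the version in use rather than assuming it.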