[Samba] Active Directory Domain Corruption.

Rowland Penny rpenny at samba.org
Tue May 31 14:19:33 UTC 2022


On Tue, 2022-05-31 at 10:05 -0400, Zombie Ryushu via samba wrote:
> On 5/31/22 09:47, Rowland Penny via samba wrote:
> > On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via samba wrote:
> > 
> > > The DC did have the FSMO roles, but I tried to demote the DC and
> > > rejoin it. The DC won't demote normally. It will refuse to transfer
> > > roles. A secondary DC has seized the roles, but the primary DC thinks
> > > it still has them when it does not.
> > > 
> > > I also tried the "Demote as a Dead DC" procedure. That worked, but
> > > after the re-join the original DC was still corrupt.
> > You shouldn't have re-joined the DC; you should have re-installed it,
> > preferably with a new name.
> > 
> > > lpcfg_do_global_parameter: WARNING: The "domain logons" option is
> > > deprecated
> > > Loaded services file OK.
> > > Weak crypto is allowed
> > > 
> > > Server role: ROLE_ACTIVE_DIRECTORY_DC
> > > 
> > > # Global parameters
> > > [global]
> > >          domain logons = Yes
> > >          domain master = Yes
> > >          ntlm auth = ntlmv1-permitted
> > >          os level = 40
> > >          passdb backend = samba_dsdb
> > >          preferred master = Yes
> > >          realm = PUKEY
> > >          server min protocol = NT1
> > >          server role = active directory domain controller
> > >          server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
> > >          tls cafile = tls/ca.crt
> > >          tls certfile = tls/olympia.pukey.crt
> > >          tls keyfile = tls/olympia.pukey.key
> > >          winbind nss info = rfc2307
> > >          workgroup = PUKEY-NT
> > >          rpc_server:tcpip = no
> > >          rpc_daemon:spoolssd = embedded
> > >          rpc_server:spoolss = embedded
> > >          rpc_server:winreg = embedded
> > >          rpc_server:ntsvcs = embedded
> > >          rpc_server:eventlog = embedded
> > >          rpc_server:srvsvc = embedded
> > >          rpc_server:svcctl = embedded
> > >          rpc_server:default = external
> > >          winbindd:use external pipes = true
> > >          idmap_ldb:use rfc2307 = yes
> > >          idmap config * : backend = tdb
> > >          map archive = No
> > >          vfs objects = dfs_samba4 acl_xattr
> > > 
> > > 
> > > [netlogon]
> > >          path = /var/lib/samba/sysvol/pukey/scripts
> > >          read only = No
> > > 
> > > 
> > > [sysvol]
> > >          path = /var/lib/samba/sysvol
> > >          read only = No
> > > 
> > I suggest you move all the shares to a Unix domain member.
> > 
> > I also suggest you remove these lines:
> > 
> >          domain logons = Yes
> >          domain master = Yes
> >          preferred master = Yes
> >          winbind nss info = rfc2307
> >          os level = 40
> > 
> > There is no point to them on a Samba AD DC.
> > 
> > Why do you have these lines:
> > 
> >          ntlm auth = ntlmv1-permitted
> >          server min protocol = NT1
> > 
> > Do you really need them?
> > 
> > Finally, what happened to 'dnsupdate' from the 'server services'
> > line?
> > 
> > Rowland
> > 
> > 
> > 
> I use a normal Bind Server for DNS,

But you still need 'dnsupdate' in the 'server services' line; it has
nothing to do with Bind9.

> 
>          ntlm auth = ntlmv1-permitted
>          server min protocol = NT1
> 
> These are there so that Ghost Commander on Android works.
> I have a secondary smb.conf that is configured for an NT Domain and is
> just for running NMB, so Ghost Commander on Android sees a Browse
> list.

I suggest you use a Unix domain member for 'Ghost Commander'.

> 
> It's outside the scope of this problem. Samba doesn't really update
> Bind right now. Bind runs in a Chroot and that prevents the Bind DLZ
> from working. I just use flat Zone Files.

Take Bind9 out of the chroot; this is quite possibly one of your main
problems. Do not use flat files: they do not work with BIND_DLZ, are
deprecated and could be removed at any time. Active Directory
absolutely requires good DNS.

Rowland
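As an added example (not code from this thread or from the Samba project), a small Python linter that applies the three points Rowland raises above to an smb.conf: NT4-only parameters that do nothing on an AD DC, the 'ntlmv1-permitted' and 'NT1' settings that re-enable legacy authentication and SMB1, and a 'server services' line without 'dnsupdate'. The sample input is the [global] section posted in the thread re-joined onto single lines; the parser is a deliberately simplified one that ignores smb.conf 'include' directives and continuation lines.

```python
# Settings that only matter for a classic NT4-style PDC; they do nothing on an AD DC.
NT4_ONLY_PARAMS = ("domain logons", "domain master", "preferred master",
                   "os level", "winbind nss info")
# Settings that re-enable NTLMv1 and SMB1 and so widen the DC's attack surface.
WEAK_SETTINGS = {"ntlm auth": "ntlmv1-permitted", "server min protocol": "nt1"}

# Constructed sample input: the [global] section posted in the thread, re-joined onto single lines.
SAMPLE_SMB_CONF = """
# Global parameters
[global]
    domain logons = Yes
    domain master = Yes
    ntlm auth = ntlmv1-permitted
    os level = 40
    preferred master = Yes
    server min protocol = NT1
    server role = active directory domain controller
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
    winbind nss info = rfc2307
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}} with lower-cased keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def lint_ad_dc(conf):
    """Return findings for an AD DC smb.conf, mirroring the advice given in the thread."""
    g = conf.get("global", {})
    if g.get("server role", "").lower() != "active directory domain controller":
        return ["server role is not 'active directory domain controller'; AD DC checks skipped"]
    findings = [f"remove '{p}': no effect on an AD DC" for p in NT4_ONLY_PARAMS if p in g]
    for param, weak in WEAK_SETTINGS.items():
        if g.get(param, "").lower() == weak:
            findings.append(f"weak setting '{param} = {g[param]}': re-enables legacy NTLMv1/SMB1")
    services = {s.strip().lower() for s in g.get("server services", "").split(",")}
    if "dnsupdate" not in services:
        findings.append("'server services' is missing 'dnsupdate': AD DNS records will not be kept up to date")
    return findings
```

Running `lint_ad_dc(parse_smb_conf(SAMPLE_SMB_CONF))` on the posted configuration yields eight findings: five NT4-only parameters, two weak settings and the missing 'dnsupdate'.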