[Samba] Active Directory Domain Corruption.

Zombie Ryushu zombie_ryushu at yahoo.com
Tue May 31 14:43:45 UTC 2022


On 5/31/22 10:19, Rowland Penny via samba wrote:
> On Tue, 2022-05-31 at 10:05 -0400, Zombie Ryushu via samba wrote:
>> On 5/31/22 09:47, Rowland Penny via samba wrote:
>>> On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via samba wrote:
>>>
>>>> The DC did have the FSMO roles, but I tried to demote the DC and
>>>> rejoin it. The DC won't demote normally. It will refuse to transfer
>>>> roles. A secondary DC has seized the roles, but the primary DC thinks
>>>> it still has them when it does not.
>>>>
>>>> I also tried the Demote as a Dead DC procedure. That worked, but
>>>> after re-join the original DC was still corrupt.
>>> You shouldn't have re-joined the DC, you should have re-installed it,
>>> preferably with a new name.
>>>
>>>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is
>>>> deprecated
>>>> Loaded services file OK.
>>>> Weak crypto is allowed
>>>>
>>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>>>
>>>> # Global parameters
>>>> [global]
>>>>           domain logons = Yes
>>>>           domain master = Yes
>>>>           ntlm auth = ntlmv1-permitted
>>>>           os level = 40
>>>>           passdb backend = samba_dsdb
>>>>           preferred master = Yes
>>>>           realm = PUKEY
>>>>           server min protocol = NT1
>>>>           server role = active directory domain controller
>>>>           server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
>>>>           tls cafile = tls/ca.crt
>>>>           tls certfile = tls/olympia.pukey.crt
>>>>           tls keyfile = tls/olympia.pukey.key
>>>>           winbind nss info = rfc2307
>>>>           workgroup = PUKEY-NT
>>>>           rpc_server:tcpip = no
>>>>           rpc_daemon:spoolssd = embedded
>>>>           rpc_server:spoolss = embedded
>>>>           rpc_server:winreg = embedded
>>>>           rpc_server:ntsvcs = embedded
>>>>           rpc_server:eventlog = embedded
>>>>           rpc_server:srvsvc = embedded
>>>>           rpc_server:svcctl = embedded
>>>>           rpc_server:default = external
>>>>           winbindd:use external pipes = true
>>>>           idmap_ldb:use rfc2307 = yes
>>>>           idmap config * : backend = tdb
>>>>           map archive = No
>>>>           vfs objects = dfs_samba4 acl_xattr
>>>>
>>>>
>>>> [netlogon]
>>>>           path = /var/lib/samba/sysvol/pukey/scripts
>>>>           read only = No
>>>>
>>>>
>>>> [sysvol]
>>>>           path = /var/lib/samba/sysvol
>>>>           read only = No
>>>>
>>> I suggest you move all the shares to a Unix domain member.
>>>
>>> I also suggest you remove these lines:
>>>
>>>           domain logons = Yes
>>>           domain master = Yes
>>>           preferred master = Yes
>>>           winbind nss info = rfc2307
>>>           os level = 40
>>>
>>> There is no point to them on a Samba AD DC.
>>>
>>> Why do you have these lines:
>>>
>>>           ntlm auth = ntlmv1-permitted
>>>           server min protocol = NT1
>>>
>>> Do you really need them ?
>>>
>>> Finally, what happened to 'dnsupdate' from the 'server services' line?
>>>
>>> Rowland
>>>
>>>
>>>
>> I use a normal Bind Server for DNS,
> But you still need 'dnsupdate' in the 'server services' line, it has
> nothing to do with Bind9.
>
>>           ntlm auth = ntlmv1-permitted
>>           server min protocol = NT1
>>
>> These are there so that Ghost Commander on Android works.
>> I have a secondary smb.conf that is configured for an NT Domain that
>> just is for running NMB so Ghost Commander on Android sees a Browse
>> list.
> I suggest you use a Unix domain member for 'Ghost Commander'
>
>> It's outside the scope of this problem. Samba doesn't really update
>> Bind right now. Bind runs in a Chroot and that prevents the Bind DLZ
>> from working. I just use flat Zone Files.
> Take Bind9 out of the chroot, this is quite possibly one of your main
> problems. Do not use flatfiles, they do not work with BIND_DLZ, are
> deprecated and could be removed at any time. Active directory
> absolutely requires good DNS.
>
> Rowland
>
>
>
Currently it's set to None, and DNS is working. That's not the issue for
the other two DCs. I don't know how to take Bind out of its chroot on
OpenSuse.

This is not a DNS problem anyway. If it were the other two DCs wouldn't 
be working.
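As an added example (not part of the thread and not Samba's own tooling), the following lint script checks an AD DC's [global] section for the points Rowland raises above: NT4-only parameters that have no effect on an AD DC, the weak NTLMv1/NT1 settings, and a 'server services' line missing dnsupdate. The embedded smb.conf text is constructed from the testparm output in the thread; the check names and messages are this example's own.

```python
# Constructed sample: the [global] section from the thread's testparm output,
# trimmed to the parameters the lint looks at.
SAMPLE_SMB_CONF = """
[global]
        domain logons = Yes
        domain master = Yes
        ntlm auth = ntlmv1-permitted
        os level = 40
        preferred master = Yes
        realm = PUKEY
        server min protocol = NT1
        server role = active directory domain controller
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
        winbind nss info = rfc2307
        workgroup = PUKEY-NT
"""

# Parameters that only matter for an NT4-style PDC; pointless on a Samba AD DC.
NT4_ONLY = ["domain logons", "domain master", "os level", "preferred master", "winbind nss info"]

# (parameter, value) pairs that lower the authentication / protocol floor.
WEAK = [("ntlm auth", "ntlmv1-permitted"), ("server min protocol", "nt1")]

def parse_global(text):
    """Return {parameter: value} for the [global] section, both lowercased."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.split()).lower()] = value.strip().lower()
    return params

def lint_ad_dc(text):
    """Return a list of findings for an AD DC smb.conf (empty list = clean)."""
    p = parse_global(text)
    if p.get("server role") != "active directory domain controller":
        return ["not an AD DC: server role = %s" % p.get("server role")]
    findings = ["remove '%s': NT4-only, no effect on an AD DC" % k for k in NT4_ONLY if k in p]
    for key, value in WEAK:
        if p.get(key) == value:
            findings.append("weak '%s = %s': permits legacy auth/protocol" % (key, value))
    services = [s.strip() for s in p.get("server services", "").split(",")]
    if "server services" in p and "dnsupdate" not in services:
        findings.append("'server services' lacks dnsupdate: the DC's own DNS records are not kept updated")
    return findings
```

Running `lint_ad_dc(SAMPLE_SMB_CONF)` on the thread's config yields eight findings, one per item Rowland lists plus the missing dnsupdate service.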



