[Samba] Active Directory Domain Corruption.

Markus Dellermann saml at use.startmail.com
Tue May 31 18:43:12 UTC 2022


Hi,
On Tuesday, 31 May 2022, 16:43:45 CEST, Zombie Ryushu via samba wrote:
> On 5/31/22 10:19, Rowland Penny via samba wrote:
> > On Tue, 2022-05-31 at 10:05 -0400, Zombie Ryushu via samba wrote:
> >> On 5/31/22 09:47, Rowland Penny via samba wrote:
> >>> On Tue, 2022-05-31 at 09:19 -0400, Zombie Ryushu via samba wrote:
> >>>> The DC Did have the FSMO Roles, but I tried to demote the DC and
> >>>> rejoin it. The DC Won't Demote normally. It will refuse to transfer
> >>>> roles. A Secondary DC has Seized the roles, but the Primary DC thinks
> >>>> it still has them when it does not.
> >>>> 
> >>>> I also tried the Demote as a Dead DC procedure. That worked but after
> >>>> Re-join the original DC was still corrupt.
> >>> 
> >>> You shouldn't have re-joined the DC, you should have re-installed
> >>> it,
> >>> preferably with a new name.
> >>> 
> >>>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is
> >>>> deprecated
> >>>> Loaded services file OK.
> >>>> Weak crypto is allowed
> >>>> 
> >>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
> >>>> 
> >>>> # Global parameters
> >>>> [global]
> >>>> 
> >>>>           domain logons = Yes
> >>>>           domain master = Yes
> >>>>           ntlm auth = ntlmv1-permitted
> >>>>           os level = 40
> >>>>           passdb backend = samba_dsdb
> >>>>           preferred master = Yes
> >>>>           realm = PUKEY
> >>>>           server min protocol = NT1
> >>>>           server role = active directory domain controller
> >>>>           server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
> >>>> 
> >>>>           tls cafile = tls/ca.crt
> >>>>           tls certfile = tls/olympia.pukey.crt
> >>>>           tls keyfile = tls/olympia.pukey.key
> >>>>           winbind nss info = rfc2307
> >>>>           workgroup = PUKEY-NT
> >>>>           rpc_server:tcpip = no
> >>>>           rpc_daemon:spoolssd = embedded
> >>>>           rpc_server:spoolss = embedded
> >>>>           rpc_server:winreg = embedded
> >>>>           rpc_server:ntsvcs = embedded
> >>>>           rpc_server:eventlog = embedded
> >>>>           rpc_server:srvsvc = embedded
> >>>>           rpc_server:svcctl = embedded
> >>>>           rpc_server:default = external
> >>>>           winbindd:use external pipes = true
> >>>>           idmap_ldb:use rfc2307 = yes
> >>>>           idmap config * : backend = tdb
> >>>>           map archive = No
> >>>>           vfs objects = dfs_samba4 acl_xattr
> >>>> 
> >>>> [netlogon]
> >>>> 
> >>>>           path = /var/lib/samba/sysvol/pukey/scripts
> >>>>           read only = No
> >>>> 
> >>>> [sysvol]
> >>>> 
> >>>>           path = /var/lib/samba/sysvol
> >>>>           read only = No
> >>> 
> >>> I suggest you move all the shares to a Unix domain member.
> >>> 
> >>> I also suggest you remove these lines:
> >>>           domain logons = Yes
> >>>           domain master = Yes
> >>>           preferred master = Yes
> >>>           winbind nss info = rfc2307
> >>>           os level = 40
> >>> 
> >>> There is no point to them on a Samba AD DC.
> >>> 
> >>> Why do you have these lines:
> >>>           ntlm auth = ntlmv1-permitted
> >>>           server min protocol = NT1
> >>> 
> >>> Do you really need them ?
> >>> 
> >>> Finally, what happened to 'dnsupdate' from the 'server services'
> >>> line ?
> >>> 
> >>> Rowland
> >> 
> >> I use a normal Bind Server for DNS,
> > 
> > But you still need 'dnsupdate' in the 'server services' line, it has
> > nothing to do with Bind9.
> > 
> >>           ntlm auth = ntlmv1-permitted
> >>           server min protocol = NT1
> >> 
> >> These are there so that Ghost Commander on Android works.
> >> I have a secondary smb.conf that is configured for an NT Domain that
> >> just is for running NMB so Ghost Commander on Android sees a Browse
> >> list.
> > 
> > I suggest you use a Unix domain member for 'Ghost Commander'
> > 
> >> It's outside the scope of this problem. Samba doesn't really update
> >> Bind right now. Bind runs in a Chroot and that prevents the Bind DLZ
> >> from working. I just use flat Zone Files.
> > 
> > Take Bind9 out of the chroot, this is quite possibly one of your main
> > problems. Do not use flatfiles, they do not work with BIND_DLZ, are
> > deprecated and could be removed at any time. Active directory
> > absolutely requires good DNS.
> > 
> > Rowland
> 
> Currently it's set to None, and DNS is working. That's not the issue for
> the other two DCs. I don't know how to take Bind out of its chroot on
> OpenSuse.
> 
It's in
/etc/sysconfig/named
#NAMED_RUN_CHROOTED="no"

> This is not a DNS problem anyway. If it were the other two DCs wouldn't
> be working.

If I understand right, your DCs are running on openSUSE?
This is normally "mit-kerberos-based".
Don't know if this is also a problem in your case.

Markus
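The thread's review of the quoted smb.conf (NTLMv1 permitted, SMB1 as the minimum protocol, a `server services` line without `dnsupdate`, and NT4-style options that do nothing on an AD DC) can be turned into a repeatable check. The following is an added example, not code from the thread or from Samba; the config excerpt is constructed from the quoted lines and the finding texts are my own wording of Rowland's points.

```python
import re
from typing import Dict, List

# Constructed excerpt of the smb.conf quoted in the thread (only the
# options the checks below look at; realm and server role kept for context).
SAMPLE_SMB_CONF = """
[global]
        domain logons = Yes
        domain master = Yes
        ntlm auth = ntlmv1-permitted
        os level = 40
        preferred master = Yes
        realm = PUKEY
        server min protocol = NT1
        server role = active directory domain controller
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
        winbind nss info = rfc2307
"""

# NT4-style options Rowland says serve no purpose on a Samba AD DC.
POINTLESS_ON_AD_DC = {"domain logons", "domain master", "preferred master",
                      "os level", "winbind nss info"}

def parse_global(conf: str) -> Dict[str, str]:
    """Return the [global] section as {normalised option name: value}."""
    opts: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                    # section header
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            opts[" ".join(key.lower().split())] = val.strip()
    return opts

def audit_ad_dc(conf: str) -> List[str]:
    """Flag the weak or pointless settings discussed in the thread."""
    g = parse_global(conf)
    findings: List[str] = []
    if g.get("ntlm auth", "").lower() == "ntlmv1-permitted":
        findings.append("ntlm auth = ntlmv1-permitted: NTLMv1 allowed; Samba's default rejects it")
    if g.get("server min protocol", "").upper() == "NT1":
        findings.append("server min protocol = NT1: SMB1 enabled; raise to SMB2_02 or higher")
    services = {s.strip().lower() for s in g.get("server services", "").split(",") if s.strip()}
    if services and "dnsupdate" not in services:   # unset means Samba's default, which has it
        findings.append("server services: dnsupdate missing; needed on an AD DC even with Bind9")
    for opt in sorted(POINTLESS_ON_AD_DC & g.keys()):
        findings.append(f"{opt}: no purpose on an AD DC; remove it")
    return findings
```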