[Samba] accidentally upgraded DC to 4.17.3 ... didn't work

Stefan G. Weichinger lists at xunil.at
Tue Nov 22 10:34:06 UTC 2022


On 22.11.22 at 10:59, Stefan G. Weichinger via samba wrote:
> On 22.11.22 at 10:00, Andrew Bartlett wrote:
>> On Tue, 2022-11-22 at 09:53 +0100, Stefan G. Weichinger via samba
>> wrote:
>>> On 22.11.22 at 09:43, Stefan G. Weichinger via samba wrote:
>>>
>>>> but I don't have it OK yet:
>>>
>>> Update: seems OK now
>>>
>>> I wonder whether to stay at 4.16.2 on ADC2 and 4.16.6 on ADC1 for now.
>>>
>>> Vacation starts on Thursday ...
>>
>> It really comes down to how much you trust your users.  Remember that
>> each of them is domain admin in Samba 4.16.2
> 
> Hmm, yes, that sounds scary. Although the users there should be 
> trustworthy.
> 
> I check that DNS/resolved-issue again and retry the upgrade to 4.17.3 soon.

On 4.17.3 now on one DC.

The DCs recently also became Kea-DHCP-servers, so they have interfaces 
in various VLANs.

That seems to mess with winbind ...

# wbinfo -u
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users

I added this to smb.conf:

bind interfaces only = yes
interfaces = lo enp0s31f6

.. to only let the DC run in the LAN.

Restarted samba-ad-dc.service, doesn't help.

systemd-resolved is disabled and stopped



journal shows:

Nov 22 11:25:33 adc2 samba[303310]:   /usr/sbin/samba_dnsupdate: ; TSIG 
error with server: tsig verify failure
Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.849094,  0] 
../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
Nov 22 11:25:33 adc2 samba[303310]:   /usr/sbin/samba_dnsupdate: ; TSIG 
error with server: tsig verify failure
Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.920546,  0] 
../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
Nov 22 11:25:33 adc2 samba[303310]:   dnsupdate_nameupdate_done: Failed 
DNS update with exit code 20

-

DRS replication seems to work, though

random tests:

# wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret

# wbinfo --ping-dc
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the NETLOGON for domain[] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE

-

winbindd is running according to journal and "ps avx"



