[Samba] accidentally upgraded DC to 4.17.3 ... didn't work

Rowland Penny rpenny at samba.org
Tue Nov 22 10:55:04 UTC 2022



On 22/11/2022 10:34, Stefan G. Weichinger via samba wrote:
> On 22.11.22 at 10:59, Stefan G. Weichinger via samba wrote:
>> On 22.11.22 at 10:00, Andrew Bartlett wrote:
>>> On Tue, 2022-11-22 at 09:53 +0100, Stefan G. Weichinger via samba
>>> wrote:
>>>> On 22.11.22 at 09:43, Stefan G. Weichinger via samba wrote:
>>>>
>>>>> but I don't have it OK yet:
>>>>
>>>> Update: seems OK now
>>>>
>>>> I wonder whether to stay at 4.16.2 on ADC2 and 4.16.6 on ADC1 for now.
>>>>
>>>> Vacation starts on Thursday ...
>>>
>>> It really comes down to how much you trust your users.  Remember that
>>> each of them is domain admin in Samba 4.16.2
>>
>> Hmm, yes, that sounds scary. Although the users there should be 
>> trustworthy.
>>
>> I check that DNS/resolved-issue again and retry the upgrade to 4.17.3 
>> soon.
> 
> On 4.17.3 now on one DC.
> 
> The DCs recently also became Kea-DHCP-servers, so they have interfaces 
> in various VLANs.

My personal opinion of Kea is that their first thought was 'how do we 
make this so complicated that users have to pay us to sort it out'. Your 
opinion may differ.

> 
> That seems to mess with winbind ...

But it shouldn't do, it should just hand out the same info that the 
isc-dhcp-server did, just with the possibility of IPv6 addresses.
I cannot understand why anyone uses IPv6 internally, do they really have 
more computers, printers etc working for the organisation than there are 
people on the planet?

> 
> # wbinfo -u
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
> 
> I added this to smb.conf:
> 
> bind interfaces only = yes
> interfaces = lo enp0s31f6
> 
> .. to only let the DC run in the LAN.
> 
> Restarted samba-ad-dc.service, doesn't help.
> 
> systemd-resolved is disabled and stopped
> 
> 
> 
> journal shows:
> 
> Nov 22 11:25:33 adc2 samba[303310]:   /usr/sbin/samba_dnsupdate: ; TSIG 
> error with server: tsig verify failure
> Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.849094,  0] 
> ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> Nov 22 11:25:33 adc2 samba[303310]:   /usr/sbin/samba_dnsupdate: ; TSIG 
> error with server: tsig verify failure
> Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.920546,  0] 
> ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
> Nov 22 11:25:33 adc2 samba[303310]:   dnsupdate_nameupdate_done: Failed 
> DNS update with exit code 20
> 

Try adding this to the smb.conf and then restart Samba:

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

> -
> 
> DRS replication seems to work, though
> 
> random tests:
> 
> # wbinfo -t
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the trust secret for domain (null) via RPC calls failed
> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
> Could not check secret
> 
> # wbinfo --ping-dc
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the NETLOGON for domain[] dc connection to "" failed
> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
> 
> -
> 
> winbindd is running according to journal and "ps avx"

That all sounds like dns problems.

Rowland
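
An added example, not part of the original message and not Samba's own code: a small triage script that pairs each Samba debug header in the journal with the message lines that follow it and counts the TSIG rejections and samba_dnsupdate exit codes. The sample input is the journal excerpt quoted above with the mail line wrapping undone; the regular expressions assume the journal line layout shown there.

```python
import re
from collections import Counter

# Constructed sample: the quoted journal lines, mail line wrapping undone.
SAMPLE = """\
Nov 22 11:25:33 adc2 samba[303310]:   /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.849094,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
Nov 22 11:25:33 adc2 samba[303310]:   /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
Nov 22 11:25:33 adc2 samba[303310]: [2022/11/22 11:25:33.920546,  0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
Nov 22 11:25:33 adc2 samba[303310]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 20
"""

PREFIX = re.compile(r"^\w{3} +\d+ [\d:]{8} (?P<host>\S+) samba\[\d+\]: (?P<body>.*)$")
HEADER = re.compile(r"^\[[^,]+, +(?P<level>\d+)\] \S+?:\d+\((?P<func>\w+)\)$")
TSIG = re.compile(r"TSIG error with server: (?P<reason>.+)$")
EXIT = re.compile(r"Failed DNS update with exit code (?P<code>\d+)")

def parse(text):
    """Pair each Samba debug header with the message lines that follow it."""
    events, current = [], None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        h = HEADER.match(m["body"])
        if h:
            current = {"host": m["host"], "func": h["func"], "level": int(h["level"]), "msg": []}
            events.append(current)
            continue
        if current is None:  # message whose header lies before the excerpt
            current = {"host": m["host"], "func": None, "level": None, "msg": []}
            events.append(current)
        current["msg"].append(m["body"].strip())
    return events

def summarize(events):
    """Count TSIG rejections by reason and collect samba_dnsupdate exit codes."""
    tsig, exits = Counter(), []
    for ev in events:
        for line in ev["msg"]:
            if (t := TSIG.search(line)):
                tsig[t["reason"]] += 1
            if (e := EXIT.search(line)):
                exits.append(int(e["code"]))
    return {"tsig_failures": dict(tsig), "dnsupdate_exit_codes": exits}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

Running it again after a configuration change and a Samba restart shows whether the TSIG rejections have stopped.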


