[Samba] Issues demoting a samba DC.

Michael Tokarev mjt at tls.msk.ru
Sun Jan 8 16:03:46 UTC 2023

08.01.2023 18:54, Michael Tokarev wrote:
> And nope, after removing this stale A gc._msdcs record from samba DNS, it
> still does not work and still logs the same error message, apparently when
> trying to log in to the other DC for replication:
> [2023/01/08 18:50:43.390974,  0] ../../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>    Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
> ncacn_ip_tcp:[49153,seal,krb5,target_hostname=4b38bf02-0354-44f7-b1b2-4bc8bd73784a._msdcs.tls.msk.ru,target_princi
> I'll try to strace it to find out what's going on.

strace itself didn't help, but it gave me a clue, because at the very place
where it logs this error, it opens the samba keytab file.  And earlier I thought
maybe after doing some DC stuff, I'll have to regenerate the keytabs?

And indeed, there was an error in /etc/krb5.conf - this file was still
referring to the old DC which I just removed.

Unfortunately, all the guides I've read so far about samba and kerberos are *wrong*.
They say to create krb5.conf with the given contents, but this does not work
at all when you have more than one realm in there, so by creating the new
krb5.conf, you're breaking other realms.  But this is a different issue.

> Unfortunately I still don't know what it *means*, what exactly it tries
> to do when "binding to uuid"?

(still no answer to this).
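
The message above traces the bind failure to /etc/krb5.conf still naming the demoted DC. As an added example (not part of the original post and not Samba code), this Python script reports which [realms] entries in a krb5.conf still point at a removed host, per realm, without rewriting the file. The realm names and hostnames are constructed; include directives and IPv6 literals are not handled.

```python
import re

# Constructed sample: two realms, one still naming a demoted DC (made-up hosts).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = AD.EXAMPLE.ORG
[realms]
    AD.EXAMPLE.ORG = {
        kdc = olddc.ad.example.org:88
        kdc = newdc.ad.example.org
        admin_server = OLDDC.ad.example.org
    }
    OTHER.EXAMPLE.NET = {
        kdc = kdc1.other.example.net
    }
"""
HOST_KEYS = {"kdc", "admin_server", "kpasswd_server", "master_kdc"}

def realm_servers(conf_text):
    """Return {realm: [(key, host), ...]} for server entries under [realms]."""
    section, realm, depth, out = None, None, 0, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        key, _, value = (p.strip() for p in line.partition("="))
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm, depth = header.group(1).lower(), None, 0
        elif section != "realms" or not line or line[0] in "#;":
            continue
        elif line.startswith("}"):
            depth = max(depth - 1, 0)
            realm = realm if depth else None
        elif value == "{":
            depth += 1
            if depth == 1:          # a realm block; deeper braces are sub-blocks
                realm, out[key] = key, []
        elif depth == 1 and key in HOST_KEYS and value:
            host = re.sub(r":\d+$", "", value).lower()   # drop optional :port
            out[realm].append((key, host))
    return out

def stale_references(conf_text, removed_hosts):
    """List (realm, key, host) entries that still name a removed DC."""
    removed = {h.lower().rstrip(".") for h in removed_hosts}
    return [(realm, key, host)
            for realm, servers in realm_servers(conf_text).items()
            for key, host in servers if host.rstrip(".") in removed]

if __name__ == "__main__":
    print(stale_references(SAMPLE_KRB5_CONF, ["olddc.ad.example.org"]))
```

Run against the real file by passing `open("/etc/krb5.conf").read()` and the name of the demoted DC; entries for other realms are listed by `realm_servers` but left alone.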
