[Samba] Issues demoting a samba DC.

Rowland Penny rpenny at samba.org
Sun Jan 8 16:42:18 UTC 2023

On 08/01/2023 16:03, Michael Tokarev via samba wrote:
> 08.01.2023 18:54, Michael Tokarev wrote:
> ...
>> And nope, after removing this stale A gc._msdcs record from samba DNS, it
>> still does not work and still logs the same error message, apparently when
>> trying to log in to the other DC for replication:
>> [2023/01/08 18:50:43.390974,  0] ../../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>>    Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:[49153,seal,krb5,target_hostname=4b38bf02-0354-44f7-b1b2-4bc8bd73784a._msdcs.tls.msk.ru,target_princi
>> I'll try to strace it to find out what's going on.
> strace itself didn't help, but it gave me a clue, because at the very place
> where it logs this error, it opens the samba keytab file.  And earlier I thought
> maybe after doing some DC stuff, I'll have to regenerate the keytabs?
> And indeed, there was an error in /etc/krb5.conf - this file was still
> referring to the old DC which I just removed.
> Unfortunately, all guides I've read so far about samba and kerberos are *wrong*.
> They say to create krb5.conf with the given contents, but this does not work
> at all when you have more than one realm in there, so by creating the new
> krb5.conf, you're breaking other realms.  But this is a different issue.
>> Unfortunately I still don't know what does it *mean*, what exactly it tries
>> to do when "binding to uuid"?
> (still no answer to this).
> Thanks,
> /mjt

Ah, I forgot that you are running your Samba AD DCs in an unsupported
way; for a start, you really should only have one realm in krb5.conf on a DC.

I cannot help you further with this; an NT4-style DC != an AD DC and you
shouldn't try to run AD anything like NT4.

