[Samba] Issues demoting a samba DC.
Rowland Penny
rpenny at samba.org
Sun Jan 8 16:42:18 UTC 2023
On 08/01/2023 16:03, Michael Tokarev via samba wrote:
> 08.01.2023 18:54, Michael Tokarev wrote:
> ...
>> And nope, after removing this stale A gc._msdcs record from samba DNS, it
>> still does not work and still logs the same error message, apparenlty
>> when
>> trying to log in to the other DC for replication:
>>
>> [2023/01/08 18:50:43.390974, 0]
>> ../../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>> ncacn_ip_tcp:192.168.19.6[49153,seal,krb5,target_hostname=4b38bf02-0354-44f7-b1b2-4bc8bd73784a._msdcs.tls.msk.ru,target_princi
>>
>> I'll try to strace it to find out what's going on.
>
> strace itself didin't help , but it gave me a clue, because at the very
> place
> where it logs this error, it opens the samba keytab file. And earlier I
> thought
> maybe after doing some DC stuff, I'll have to regenerate the keytabs?
>
> And indeed, there was an error in /etc/krb5.conf, - this file were still
> referring to the old DC which I just removed.
>
> Unfortunately, all guides I've read so far about samba and kerberos, are
> *wrong*.
> They say to create krb5.conf with the given contents, but this does not
> work
> at all when you have more than one realm in there, so by creating the new
> krb5.conf, you're breaking other realms. But this is a different issue.
>
>> Unfortunately I still don't know what does it *mean*, what exactly it
>> tries
>> to do when "binding to uuid"?
>
> (still no answer to this).
>
> Thanks,
>
> /mjt
>
>
Ah, I forgot that you are running your Samba AD DC's in an unsupported
way, for a start you really should only have one realm in krb5.conf on a DC.
I cannot help you further with this, an NT4-style DC != an AD DC and you
shouldn't try to run AD anything like NT4
Rowland
More information about the samba
mailing list