[Samba] Unable to contact RPC server on a new DC

Rowland Penny rpenny at samba.org
Fri Jun 9 17:51:25 UTC 2023

On 09/06/2023 18:11, Andrey Repin via samba wrote:
> Greetings, Rowland Penny via samba!

>> OK, you have these lines on the DC:
>>           winbind nss info = rfc2307
>>           winbind use default domain = Yes
>>           idmap config darkdragon : unix_nss_info = yes
>>           idmap config darkdragon : unix_primary_group = yes
>>           idmap config darkdragon : range = 2048-131071
>>           idmap config darkdragon : schema_mode = rfc2307
>>           idmap config darkdragon : backend = ad
>>           idmap config * : range = 1024-2047
>>           idmap config * : schema_mode = rfc2307
>>           idmap config * : backend = tdb
>> Why ? They do nothing on a DC.
>> Why do you have 'auto services = homes' without actually having a 'homes' share ?
>> Turning to the Unix domain member, why are you using SMBv1 aka 'NT1', the DC isn't
> Because DC1 used it. Consider it a legacy. Why would Win7 (RSAT) do not
> connect? THAT is the main question.

If you do not require SMBv1, then I suggest you remove it.

>> Why do you have a netlogon share on the Unix domain member ?
> An oversight, I presume. (it's the baremetal host, on which I ran some
> experiments in the past)

A Unix domain member never used a netlogon share, they are meant to be 
only on a DC (AD or PDC).

>> Why are you using Wins ? AD does not use Wins, it uses DNS.
> I tried to normalize network discovery. It's VERY slow ATM. Minutes to get a
> list of hosts in a workgroup.

I take it by 'network discovery' you mean dns, rather than the 'Network 
Discovery' service that has replaced 'Network Browsing' on Windows.

If your dns is slow, you need to find out why, I take it that you are 
using the DC's as the nameservers for your domain clients.

>> Why do you have this line: 'idmap config * : schema_mode = rfc2307'
> Why not?

Because it isn't required and it is the first time that I have seen it in 
that context, being used with the default domain.

>> Finally, you have the 'winbind enum' lines set to yes on both machines,
> I tried to normalize network discovery. See above.

Setting those can actually slow things down and they aren't required 
for AD to work, 'getent passwd USERNAME' will always show a users data.

>> this should only be done for testing purposes, Samba will work quite correctly without the lines.
> If these settings are irrelevant for their respective placement, you could
> have just stated that instead of an extensive questioning.

I have to ask questions, to try and understand why you are setting 
things in the way you are doing. That is my only reason to ask 
questions, to get answers, so I can then formulate a way out of your 

> I appreciate your attention, though. I'll meditate on these settings again,
> once the system is up and running.
>> When you created your new DC, did you sync Sysvol and idmap.ldb from the existing DC ?
> Shouldn't that be done naturally when DC joined the domain/when roles were
> claimed? Sysvol is nearly empty though. I did not go far enough to create any
> custom rules for this domain. Yet.
> Also, why this is not mentioned on the wiki?

When you provision a new domain, the first domain gets everything set 
up. When you join another DC, the main database is replicated, but 
Sysvol and idmap.ldb aren't. Samba, at present, has no method to sync 
Sysvol automatically, so you have to do it manually. The join creates a 
base idmap.ldb, but this works exactly the same as the first DC, ID's 
are allocated mostly on a 'first come' basis, this means the users and 
groups on separate DC's can and will get different ID's, so you need to 
sync idmap.ldb between DC's, usually from the DC that has the 
PDC_Emulator FSMO role.
I thought this was all mentioned in the wiki.
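As an added example (not code from the thread or from the Samba project), the checks Rowland raises above can be turned into a small smb.conf lint: a minimal parser for the section/key format, plus rules that flag idmap config lines on a DC, winbind enumeration, SMBv1 minimum protocol, WINS, an 'auto services = homes' without a [homes] share, and a netlogon share on a non-DC. The embedded config is a constructed sample resembling the one quoted in the thread, and the role detection relies on 'server role' being set.

```python
"""Lint an smb.conf for settings the thread above calls useless or harmful.

Added example; it is not Samba's own code and does not replace testparm.
"""
import re

# Constructed sample, loosely modelled on the DC config quoted in the thread.
SAMPLE_DC_CONF = """
[global]
    workgroup = DARKDRAGON
    server role = active directory domain controller
    winbind nss info = rfc2307
    winbind use default domain = Yes
    winbind enum users = yes
    winbind enum groups = yes
    idmap config darkdragon : backend = ad
    idmap config * : schema_mode = rfc2307
    idmap config * : backend = tdb
    auto services = homes
    wins support = yes
    server min protocol = NT1

[sysvol]
    path = /var/lib/samba/sysvol
"""

# Protocol names below the SMB2 family; any of them as a minimum keeps SMBv1 on.
SMB1_PROTOCOLS = {"NT1", "LANMAN1", "LANMAN2", "CORE", "COREPLUS"}


def _norm_key(key):
    """Lowercase a parameter name and collapse whitespace around ':' so that
    'idmap config * : backend' and 'idmap config *:backend' compare equal."""
    key = re.sub(r"\s*:\s*", ":", key.strip().lower())
    return re.sub(r"\s+", " ", key)


def parse_smb_conf(text):
    """Return {section: {key: value}}; sections and keys are lowercased.
    Lines starting with '#' or ';' are comments, as in smb.conf."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][_norm_key(key)] = value.strip()
    return sections


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def lint_smb_conf(text):
    """Return a list of (parameter, message) findings for the config text."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    is_dc = "domain controller" in g.get("server role", "").lower()
    findings = []

    for key, value in g.items():
        if is_dc and key.startswith("idmap config "):
            findings.append((key, "idmap config lines do nothing on a DC"))
        if key in ("winbind enum users", "winbind enum groups") and _is_yes(value):
            findings.append((key, "enumeration is for testing only and can slow lookups"))
        if key in ("server min protocol", "client min protocol") and value.upper() in SMB1_PROTOCOLS:
            findings.append((key, "permits SMBv1; remove unless something still needs it"))
        if (key == "wins support" and _is_yes(value)) or key == "wins server":
            findings.append((key, "AD uses DNS, not WINS"))

    # 'auto services' names shares that must exist as sections.
    auto = [s.strip().lower() for s in g.get("auto services", "").split()]
    if "homes" in auto and "homes" not in conf:
        findings.append(("auto services", "'homes' listed but no [homes] share is defined"))

    # A netlogon share belongs only on a DC (AD or PDC).
    if not is_dc and "netlogon" in conf:
        findings.append(("[netlogon]", "netlogon shares belong only on a DC"))

    return findings


if __name__ == "__main__":
    for param, msg in lint_smb_conf(SAMPLE_DC_CONF):
        print(f"{param}: {msg}")
```

Running it against the sample prints one line per flagged parameter; to check a live system, feed it the output of `testparm -s`, which already expands defaults and normalises names.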
