[Samba] Unable to contact RPC server on a new DC

Andrey Repin arepin at hostkey.com
Sun Jun 11 11:54:51 UTC 2023

Hello Rowland Penny,

Friday, June 9, 2023, 8:51:25 PM, you wrote:

> On 09/06/2023 18:11, Andrey Repin via samba wrote:
>> Greetings, Rowland Penny via samba!

>>> OK, you have these lines on the DC:
>>>           winbind nss info = rfc2307
>>>           winbind use default domain = Yes
>>>           idmap config darkdragon : unix_nss_info = yes
>>>           idmap config darkdragon : unix_primary_group = yes
>>>           idmap config darkdragon : range = 2048-131071
>>>           idmap config darkdragon : schema_mode = rfc2307
>>>           idmap config darkdragon : backend = ad
>>>           idmap config * : range = 1024-2047
>>>           idmap config * : schema_mode = rfc2307
>>>           idmap config * : backend = tdb
>>> Why ? They do nothing on a DC.
>>> Why do you have 'auto services = homes' without actually having a 'homes' share ?
>>> Turning to the Unix domain member, why are you using SMBv1 aka 'NT1', the DC isn't
>> Because DC1 used it. Consider it a legacy. Why would Win7 (RSAT) not
>> connect? THAT is the main question.

> If you do not require SMBv1, then I suggest you remove it.

>>> Why do you have a netlogon share on the Unix domain member ?
>> An oversight, I presume. (it's the baremetal host, on which I ran some
>> experiments in the past)

> A Unix domain member never used a netlogon share, they are meant to be only
> on a DC (AD or PDC).

If that does not affect DC behavior, it is irrelevant to the problem.

>>> Why are you using Wins ? AD does not use Wins, it uses DNS.
>> I tried to normalize network discovery. It's VERY slow ATM. Minutes to
>> get a list of hosts in a workgroup.

> I take it by 'network discovery' you mean dns, rather than the 'Network
> Discovery' service that has replaced 'Network Browsing' on Windows.

I mean netbios workgroup listing.

> If your dns is slow, you need to find out why, I take it that you are using
> the DC's as the nameservers for your domain clients.

Not related to DNS at all.

>>> Why do you have this line: 'idmap config * : schema_mode = rfc2307'
>> Why not?

> Because it isn't required and it is the first time that I have seen it in
> that context, being used with the default domain.

I followed the guide where domain was set up like that. And it worked for me
for over a decade. I guess it is either harmless or a default used internally.

>>> Finally, you have the 'winbind enum' lines set to yes on both machines,
>> I tried to normalize network discovery. See above.

> Setting those can actually slow things down and they aren't required for
> AD to work, 'getent passwd USERNAME' will always show a users data.

>>> this should only be done for testing purposes, Samba will work quite correctly without the lines.
>> If these settings are irrelevant for their respective placement, you could
>> have just stated that instead of an extensive questioning.

> I have to ask questions, to try and understand why you are setting things
> in the way you are doing. That is my only reason to ask questions, to get
> answers, so I can then formulate a way out of your problem.

>> I appreciate your attention, though. I'll meditate on these settings again,
>> once the system is up and running.

>>> When you created your new DC, did you sync Sysvol and idmap.ldb from the existing DC ?
>> Shouldn't that be done naturally when the DC joined the domain / when roles were
>> claimed? Sysvol is nearly empty though. I did not go far enough to create any
>> custom rules for this domain. Yet.
>> Also, why is this not mentioned on the wiki?

> When you provision a new domain, the first domain gets everything set up.
> When you join another DC, the main database is replicated, but Sysvol and
> idmap.ldb aren't. Samba, at present, has no method to sync Sysvol
> automatically, so you have to do it manually. The join creates a base
> idmap.ldb, but this works exactly the same as on the first DC: IDs are
> allocated mostly on a 'first come' basis, this means the users and groups on
> separate DCs can and will get different IDs, so you need to sync idmap.ldb
> between DCs, usually from the DC that has the PDC_Emulator FSMO role.
> I thought this was all mentioned in the wiki.

Shouldn't this be taken from LDAP, since I use WINBIND mappings?

Best regards,
Andrey Repin
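The 'first come' allocation Rowland describes is easy to see by dumping idmap.ldb on each DC and comparing the SID-to-xidNumber pairs. The script below is an added example, written for this archive page; it is not code from the thread or from the Samba project. It assumes an ldbsearch-style dump (one "cn: S-1-5-..." line followed by an "xidNumber: N" line per entry, plus the CN=CONFIG entry, which carries no SID and is skipped), Debian-style paths under /var/lib/samba, a systemd unit named samba-ad-dc, and root ssh access from the new DC to the PDC Emulator. The sample dumps for dc1 and dc2 are constructed, not taken from any real domain.

```shell
#!/bin/sh
# Added example, not from the thread: find SIDs that two DCs map to
# different xidNumbers, and pull idmap.ldb plus Sysvol from the PDC Emulator.

# Dump the SID->xid table of a DC's idmap.ldb in the format the parser below
# expects (assumed; run this on each DC and copy the output somewhere to diff).
dump_idmap() {
    ldbsearch -H "${1:-/var/lib/samba/private/idmap.ldb}" '(objectClass=sidMap)' cn xidNumber
}

# Print "SID xid_in_dump1 xid_in_dump2" for every SID present in both dumps
# whose xidNumber differs. Entries without a "cn: S-1-5-" line (CN=CONFIG)
# are ignored; SIDs present on only one DC are not reported.
idmap_mismatches() {
    awk '
        /^cn: S-1-5-/  { sid = $2 }
        /^xidNumber: / {
            if (sid == "") next
            if (FNR == NR) a[sid] = $2                       # first file
            else if ((sid in a) && a[sid] != $2) print sid, a[sid], $2
            sid = ""
        }
    ' "$1" "$2"
}

# Replace this DC's idmap.ldb and Sysvol with the PDC Emulator's copies.
# Run on the NEW DC; $1 is the PDC Emulator hostname. Paths and the unit
# name are assumptions for a Debian-style install.
sync_from_pdc() {
    pdc="$1"
    priv=/var/lib/samba/private
    systemctl stop samba-ad-dc
    # tdbbackup makes a consistent copy even while the source DC is running
    ssh "root@$pdc" "tdbbackup -s .bak $priv/idmap.ldb"
    scp "root@$pdc:$priv/idmap.ldb.bak" "$priv/idmap.ldb"
    net cache flush
    rsync -XAavz --delete-after "root@$pdc:/var/lib/samba/sysvol/" /var/lib/samba/sysvol/
    systemctl start samba-ad-dc
    samba-tool ntacl sysvolreset
}

# Constructed sample dumps: dc2 allocated 1104 and 1105 in the opposite
# order from dc1, and has one extra SID (1106) that dc1 has not seen yet.
write_sample_dumps() {
    cat > "$1/dc1.ldif" <<'EOF'
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000023

dn: CN=S-1-5-21-111-222-333-500
cn: S-1-5-21-111-222-333-500
objectClass: sidMap
xidNumber: 3000000

dn: CN=S-1-5-21-111-222-333-1104
cn: S-1-5-21-111-222-333-1104
objectClass: sidMap
xidNumber: 3000021

dn: CN=S-1-5-21-111-222-333-1105
cn: S-1-5-21-111-222-333-1105
objectClass: sidMap
xidNumber: 3000022
EOF
    cat > "$1/dc2.ldif" <<'EOF'
dn: CN=CONFIG
cn: CONFIG
xidNumber: 3000024

dn: CN=S-1-5-21-111-222-333-500
cn: S-1-5-21-111-222-333-500
objectClass: sidMap
xidNumber: 3000000

dn: CN=S-1-5-21-111-222-333-1104
cn: S-1-5-21-111-222-333-1104
objectClass: sidMap
xidNumber: 3000022

dn: CN=S-1-5-21-111-222-333-1105
cn: S-1-5-21-111-222-333-1105
objectClass: sidMap
xidNumber: 3000021

dn: CN=S-1-5-21-111-222-333-1106
cn: S-1-5-21-111-222-333-1106
objectClass: sidMap
xidNumber: 3000023
EOF
}

tmp=$(mktemp -d)
write_sample_dumps "$tmp"
echo "SIDs with different xidNumbers on dc1 vs dc2:"
idmap_mismatches "$tmp/dc1.ldif" "$tmp/dc2.ldif"
rm -rf "$tmp"
```

On a real pair of DCs, save `dump_idmap` output from each and feed the two files to `idmap_mismatches`; any line it prints is a user or group whose Unix ID changes depending on which DC a client happens to talk to, which is exactly why the copy in `sync_from_pdc` is needed. The RSAT and SMBv1 questions earlier in the thread are unrelated to this step.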
