[Samba] Unable to contact RPC server on a new DC
arepin at hostkey.com
Sun Jun 11 11:54:51 UTC 2023
Hello Rowland Penny,
Friday, June 9, 2023, 8:51:25 PM, you wrote:
> On 09/06/2023 18:11, Andrey Repin via samba wrote:
>> Greetings, Rowland Penny via samba!
>>> OK, you have these lines on the DC:
>>> winbind nss info = rfc2307
>>> winbind use default domain = Yes
>>> idmap config darkdragon : unix_nss_info = yes
>>> idmap config darkdragon : unix_primary_group = yes
>>> idmap config darkdragon : range = 2048-131071
>>> idmap config darkdragon : schema_mode = rfc2307
>>> idmap config darkdragon : backend = ad
>>> idmap config * : range = 1024-2047
>>> idmap config * : schema_mode = rfc2307
>>> idmap config * : backend = tdb
>>> Why ? They do nothing on a DC.
>>> Why do you have 'auto services = homes' without actually having a 'homes' share ?
>>> Turning to the Unix domain member, why are you using SMBv1 aka 'NT1', the DC isn't
>> Because DC1 used it. Consider it a legacy. Why would Win7 (RSAT) do not
>> connect? THAT is the main question.
> If you do not require SMBv1, then I suggest you remove it.
>>> Why do you have a netlogon share on the Unix domain member ?
>> An oversight, I presume. (it's the baremetal host, on which I ran some
>> experiments in the past)
> A Unix domain member never used a netlogon share, they are meant to be only
> on a DC (AD or PDC).
If that does not affect DC behavior, it is irrelevant to the problem.
>>> Why are you using Wins ? AD does not use Wins, it uses DNS.
>> I tried to normalize network discovery. Iе's VERY slow ATM. Minutes to
>> get a list of hosts in a workgroup.
> I take it by 'network discovery' you mean dns, rather than the 'Network
> Discovery' service that has replaced 'Network Browsing' on Windows.
I mean netbios workgroup listing.
> If you dns is slow, you need to find out why, I take it that you are using
> the DC's as the nameservers for your domain clients.
Not related to DNS at all.
>>> Why do you have this line: 'idmap config * : schema_mode = rfc2307'
>> Why not?
> Because it isn't required and it this first time that I have seen it in
> that context, being used with the default domain.
I followed the guide where domain was set up like that. And it worked for me
for over a decade. I guess it is either harmless or a default used internally.
>>> Finally, you have the 'winbind enum' lines set to yes on both machines,
>> I tried to normalize network discovery. See above.
> Setting those can actually slow things down and there aren't required for
> AD to work, 'getent passwd USERNAME' will always show a users data.
>>> this should only be done for testing purposes, Samba will quite correctly without the lines.
>> If these settings are irrelevant for their respective placement, you could
>> have just stated that instead of an extensive questioning.
> I have to ask questions, to try and understand why you are setting things
> in the way you are doing. That is my only reason to ask questions, to get
> answers, so I can then formulate a way out of your problem.
>> I appreciate your attention, though. I'll meditate on these settings again,
>> once the system is up and running.
>>> When you created your new DC, did you sync Sysvol and idmap.ldb from the existing DC ?
>> Shouldn't that be done naturally when DC joined the domain/when roles were
>> claimed? Sysvol is nearly empty though. I did not go far enough to create any
>> custom rules for this domain. Yet.
>> Also, why this is not mentioned on the wiki?
> When you provision a new domain, the first domain gets everything set up.
> When you join another DC, the main database is replicated, but Sysvol and
> idmap.ldb aren't. Samba, at present, has no method to sync Sysvol
> automatically, so you have to do it manually. The join creates a base
> idmap.ldb , but this works exactly the same as the first DC, ID's are
> allocated mostly on a 'first come' basis, this means the users and groups on
> separate DC's can and will get different ID's, so you need to sync idmap.ldb
> between DC's, usually from the DC that has the PDC_Emulator FSMO role.
> I thought this was all mentioned in the wiki.
Shouldn't this be taken from LDAP, since I use WINBIND mappings?
More information about the samba