[Samba] Unable to contact RPC server on a new DC

Rowland Penny rpenny at samba.org
Sun Jun 11 12:12:03 UTC 2023



On 11/06/2023 12:54, Andrey Repin via samba wrote:

>>>> Why do you have a netlogon share on the Unix domain member ?
>>> An oversight, I presume. (it's the baremetal host, on which I ran some
>>> experiments in the past)
> 
>> A Unix domain member never used a netlogon share, they are meant to be only
>> on a DC (AD or PDC).
> 
> If that does not affect DC behavior, it is irrelevant to the problem.

It shouldn't be there and whilst it may have no effect on your current 
problem, it is best practice to advise removing it.

> 
>>>> Why are you using Wins ? AD does not use Wins, it uses DNS.
>>> I tried to normalize network discovery. It's VERY slow ATM. Minutes to
>>> get a list of hosts in a workgroup.
> 
>> I take it by 'network discovery' you mean dns, rather than the 'Network
>> Discovery' service that has replaced 'Network Browsing' on Windows.
> 
> I mean netbios workgroup listing.

NetBIOS requires SMBv1, your DC is not using SMBv1.

> 
>> If your dns is slow, you need to find out why, I take it that you are using
>> the DC's as the nameservers for your domain clients.
> 
> Not related to DNS at all.

Does that mean you are using an external dns server, rather than the dns 
server supplied with each Samba DC ?

> 
>>>> Why do you have this line: 'idmap config * : schema_mode = rfc2307'
>>> Why not?
> 
>> Because it isn't required and it is the first time that I have seen it in
>> that context, being used with the default domain.
> 
> I followed the guide where domain was set up like that. And it worked for me
> for over a decade. I guess it is either harmless or a default used internally.

Not sure what guide you followed and yes, it probably is harmless, but 
again best practice advises removing it.

> 
>>>> Finally, you have the 'winbind enum' lines set to yes on both machines,
>>> I tried to normalize network discovery. See above.
> 
>> Setting those can actually slow things down and they aren't required for
>> AD to work, 'getent passwd USERNAME' will always show a users data.
> 
>>>> this should only be done for testing purposes, Samba will work quite correctly without the lines.
>>> If these settings are irrelevant for their respective placement, you could
>>> have just stated that instead of an extensive questioning.
> 
>> I have to ask questions, to try and understand why you are setting things
>> in the way you are doing. That is my only reason to ask questions, to get
>> answers, so I can then formulate a way out of your problem.
> 
>>> I appreciate your attention, though. I'll meditate on these settings again,
>>> once the system is up and running.
> 
>>>> When you created your new DC, did you sync Sysvol and idmap.ldb from the existing DC ?
>>> Shouldn't that be done naturally when DC joined the domain/when roles were
>>> claimed? Sysvol is nearly empty though. I did not go far enough to create any
>>> custom rules for this domain. Yet.
>>> Also, why is this not mentioned on the wiki?
> 
>> When you provision a new domain, the first domain gets everything set up.
>> When you join another DC, the main database is replicated, but Sysvol and
>> idmap.ldb aren't. Samba, at present, has no method to sync Sysvol
>> automatically, so you have to do it manually. The join creates a base
>> idmap.ldb, but this works exactly the same as the first DC, ID's are
>> allocated mostly on a 'first come' basis, this means the users and groups on
>> separate DC's can and will get different ID's, so you need to sync idmap.ldb
>> between DC's, usually from the DC that has the PDC_Emulator FSMO role.
>> I thought this was all mentioned in the wiki.
> 
> Shouldn't this be taken from LDAP, since I use WINBIND mappings?
> 
> 

Sorry, but no, DC's use a different ID mapping than any other Samba 
machines, the ID's are stored in idmap.ldb and allow groups to be 
'ID_TYPE_BOTH', that is, they can be users as well as groups. However, 
these ID's are issued on a first come basis, which means that user & 
group ID's can be (and usually are) different, depending on which DC you 
ask.

What OS are you using ?
I don't think you ever said.

Rowland
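The manual sync that the reply above describes (idmap.ldb and Sysvol are not replicated by the join, so they have to be copied from the DC holding the PDC Emulator FSMO role) as an added example script. It is not code from the thread or from the Samba project; the paths /var/lib/samba/private and /var/lib/samba/sysvol, root ssh/scp/rsync access between the DCs, and the use of tdbbackup, net cache flush and samba-tool ntacl sysvolreset as the copy steps are assumptions for this example. It is meant to run on the PDC emulator, and DRY_RUN=1 prints the steps instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): copy idmap.ldb and Sysvol from the
# DC holding the PDC Emulator role to a newly joined DC.
# Assumptions (labelled): Samba private dir and Sysvol dir below, root ssh
# between the DCs, and that this runs on the PDC emulator.
# Set DRY_RUN=1 to print the steps instead of executing them.

PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/samba/private}"   # assumption
SYSVOL_DIR="${SYSVOL_DIR:-/var/lib/samba/sysvol}"       # assumption
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or in dry-run mode just print it one per line.
step() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Extract the short DC name holding the PDC Emulator role from the output
# of 'samba-tool fsmo show' (read on stdin). The owner line has the form
# "PdcEmulationMasterRole owner: CN=NTDS Settings,CN=<DC>,CN=Servers,...".
pdc_from_fsmo_output() {
    sed -n 's/^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p'
}

# Refuse to run the sync anywhere but on the PDC emulator, since that is
# the DC whose idmap.ldb and Sysvol should be treated as the master copy.
check_on_pdc() {
    pdc=$(samba-tool fsmo show | pdc_from_fsmo_output)
    [ "$(hostname -s | tr 'a-z' 'A-Z')" = "$pdc" ]
}

# idmap.ldb: tdbbackup takes a consistent copy while samba is running
# (-s sets the suffix of the copy), the copy is installed on the new DC in
# place of its own first-come allocation, and the winbind cache there is
# flushed so previously cached IDs are not served anymore.
sync_idmap() {
    new_dc="$1"
    step tdbbackup -s .bak "$PRIVATE_DIR/idmap.ldb"
    step scp "$PRIVATE_DIR/idmap.ldb.bak" "root@$new_dc:$PRIVATE_DIR/idmap.ldb"
    step ssh "root@$new_dc" "net cache flush"
}

# Sysvol: Samba does not replicate it, so rsync it with ACLs and xattrs
# preserved (-A, -X) and reset the NT ACLs on the receiving side.
sync_sysvol() {
    new_dc="$1"
    step rsync -XAavz --delete-after "$SYSVOL_DIR/" "root@$new_dc:$SYSVOL_DIR/"
    step ssh "root@$new_dc" "samba-tool ntacl sysvolreset"
}

# Usage: DRY_RUN=1 sh sync_new_dc.sh dc2.samdom.example.com   (hypothetical name)
if [ $# -gt 0 ]; then
    if [ "$DRY_RUN" != "1" ]; then
        check_on_pdc || { echo "run this on the DC holding the PDC Emulator role" >&2; exit 1; }
    fi
    sync_idmap "$1"
    sync_sysvol "$1"
fi
```

Run it with DRY_RUN=1 first and compare the printed steps against your own paths; the idmap copy replaces whatever IDs the new DC had already handed out, which is exactly why it should be done before users and groups on the new DC are relied on for file ownership.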



