[Samba] Replace primary DC

aere_premium.0k at icloud.com
Fri May 2 23:05:25 UTC 2025


On 30/04/2025 at 10:01, Rowland Penny via samba wrote:
> That 'Bad SMB2 (sign_algo_id=1) signature for message' shows that
> something is trying to connect without using SMBv2 signing, probably
> 'guest' access or using SMBv1 (or both), though this usually will not
> have anything to do with your main problem.

Thank you for your help; it allowed me to look elsewhere, and it 
seems our main DNS doesn't forward our domain queries to the DCs, which 
apparently it did before.

The thing is, my work-study student had the great idea (at that time) to 
open our DC to the internet, using DST-NAT from one of our public IPs to DC1. 
When I reinstalled the DCs, I removed its public IP and everything went 
crazy: SSTP not working because Let's Encrypt wouldn't verify the 
domain, users not resolving because their DNS was not directly the DC, 
etc. Our users sometimes being remote, it was a good idea (as the VPN 
was using a host in the domain).

Now our main router forwards our domain's queries to the DCs, because if 
we configure the DCs statically, users can't resolve anything when they're at home. 
What are the best practices in this situation, please? (All our users 
have a laptop they bring home and can use personally when not working.)

> What are the clients and what is in the DCs smb.conf file ?

If it's still relevant, I've attached DC1's smb.conf. They're all the same 
except for the netbios name.

BTW, I'm getting other strange logs I don't fully understand; see 
attachments. I don't know if they are the result of a misconfiguration, 
or "normal" because of a client's misconfiguration, or something else.

Thanks again
-------------- next part --------------
# Global parameters
[global]
#	log level = 5
#	dsdb:schema update allowed = true
	dns forwarder = 10.190.0.1
	interfaces = lo eth0
	bind interfaces only = Yes
	netbios name = DC1
	realm = TECH.EXAMPLE.COM
	server role = active directory domain controller
	workgroup = EXAMPLE
	idmap_ldb:use rfc2307 = yes
	ldap server require strong auth = no
	tls enabled = yes
	tls keyfile = /etc/ssl/private/cert.key
	tls certfile = /etc/ssl/private/cert.pem
	tls cafile =
	ntlm auth = mschapv2-and-ntlmv2-only

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/tech.example.com/scripts
	read only = No
-------------- next part --------------
May 02 23:37:29 dc2 samba[307]: [2025/05/02 23:37:29.074284,  0] lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
May 02 23:37:29 dc2 samba[307]:   ldb: No objectClass found in replPropertyMetaData for CN=DC1\0ACNF:9104447d-6bb3-4eed-9be2-dc11490576be,OU=Domain Controllers,DC=tech,DC=example,DC=com!
May 02 23:37:29 dc2 samba[307]: 
May 02 23:37:29 dc2 samba[307]: [2025/05/02 23:37:29.074426,  0] source4/dsdb/repl/drepl_out_helpers.c:1186(dreplsrv_op_pull_source_apply_changes_trigger)
May 02 23:37:29 dc2 samba[307]:   Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
May 02 23:37:29 dc2 samba[307]: [2025/05/02 23:37:29.317324,  0] lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
May 02 23:37:29 dc2 samba[307]:   ldb: No objectClass found in replPropertyMetaData for CN=DC1\0ACNF:afa024e8-eea4-41e1-ac0a-2bb0fedc9b33,CN=Servers,CN=190bis,CN=Sites,CN=Configuration,DC=tech,DC=example,DC=com!
May 02 23:37:29 dc2 samba[307]: 
May 02 23:37:29 dc2 samba[307]: [2025/05/02 23:37:29.317407,  0] source4/dsdb/repl/drepl_out_helpers.c:1186(dreplsrv_op_pull_source_apply_changes_trigger)
May 02 23:37:29 dc2 samba[307]:   Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
-------------- next part --------------
May 02 21:52:23 dc4 samba[321]: [2025/05/02 21:52:23.395134,  0] source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
May 02 21:52:23 dc4 samba[321]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 110
May 02 22:02:23 dc4 samba[321]: [2025/05/02 22:02:23.412475,  0] source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
May 02 22:02:23 dc4 samba[321]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 110
May 02 22:22:23 dc4 samba[321]: [2025/05/02 22:22:23.584219,  0] source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
May 02 22:22:23 dc4 samba[321]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 110
May 02 22:52:23 dc4 samba[321]: [2025/05/02 22:52:23.920566,  0] source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
May 02 22:52:23 dc4 samba[321]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 110
May 02 23:22:24 dc4 samba[321]: [2025/05/02 23:22:24.226965,  0] source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
May 02 23:22:24 dc4 samba[321]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 110
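As an added example, not code from the post or from the Samba project: a small Python parser that pairs each Samba debug header line ("[date, level] file:line(func)") with the indented message line that follows it, and flags the two message types that appear in the attachments above, namely the replication conflict objects whose RDN carries "\0ACNF:<GUID>" and the failed dynamic DNS updates. The journald prefix regex, the message regexes and the category names are this example's own assumptions; the sample log is constructed from the lines attached to the post.

```python
"""Parse Samba DC journal output and flag replication conflict objects and
failed DNS updates.  Added example, not part of the mailing-list post.  The
journald prefix, the Samba header/message pairing and the classification
rules below are this example's assumptions, derived from the attached logs."""
import re
from collections import Counter

# Constructed sample in the shape of the journal lines attached to the post
# (raw string so the literal "\0ACNF" in the conflict DN survives).
SAMPLE_LOG = r"""May 02 23:37:29 dc2 samba[307]: [2025/05/02 23:37:29.074284,  0] lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
May 02 23:37:29 dc2 samba[307]:   ldb: No objectClass found in replPropertyMetaData for CN=DC1\0ACNF:9104447d-6bb3-4eed-9be2-dc11490576be,OU=Domain Controllers,DC=tech,DC=example,DC=com!
May 02 23:37:29 dc2 samba[307]:
May 02 23:37:29 dc2 samba[307]: [2025/05/02 23:37:29.074426,  0] source4/dsdb/repl/drepl_out_helpers.c:1186(dreplsrv_op_pull_source_apply_changes_trigger)
May 02 23:37:29 dc2 samba[307]:   Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
May 02 23:37:29 dc2 samba[307]: [2025/05/02 23:37:29.317324,  0] lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
May 02 23:37:29 dc2 samba[307]:   ldb: No objectClass found in replPropertyMetaData for CN=DC1\0ACNF:afa024e8-eea4-41e1-ac0a-2bb0fedc9b33,CN=Servers,CN=190bis,CN=Sites,CN=Configuration,DC=tech,DC=example,DC=com!
May 02 23:37:29 dc2 samba[307]:
May 02 23:37:29 dc2 samba[307]: [2025/05/02 23:37:29.317407,  0] source4/dsdb/repl/drepl_out_helpers.c:1186(dreplsrv_op_pull_source_apply_changes_trigger)
May 02 23:37:29 dc2 samba[307]:   Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
May 02 21:52:23 dc4 samba[321]: [2025/05/02 21:52:23.395134,  0] source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
May 02 21:52:23 dc4 samba[321]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 110
May 02 22:02:23 dc4 samba[321]: [2025/05/02 22:02:23.412475,  0] source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
May 02 22:02:23 dc4 samba[321]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 110
"""

# journald prefix: "Mon DD HH:MM:SS host samba[pid]: <rest>"
JOURNAL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) samba\[\d+\]: ?(?P<rest>.*)$")
# Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec,  level] file:line(func)"
HEADER_RE = re.compile(r"^\[(?P<when>[^,\]]+),\s*(?P<level>\d+)\] (?P<src>\S+)$")

# Message patterns (assumed; written against the lines in the post).
CNF_RE = re.compile(r"No objectClass found in replPropertyMetaData for (?P<dn>.+?)!$")
CONFLICT_GUID_RE = re.compile(r"\\0ACNF:(?P<guid>[0-9a-fA-F-]{36})")  # literal "\0ACNF:<GUID>"
COMMIT_RE = re.compile(r"Failed to commit objects: (?P<err>\S+)")
DNSUPD_RE = re.compile(r"Failed DNS update with exit code (?P<code>\d+)")


def classify(message):
    """Return (kind, detail) for one Samba message line, or None if it is not one we track."""
    m = CNF_RE.search(message)
    if m:
        dn = m.group("dn")
        g = CONFLICT_GUID_RE.search(dn)
        return ("replication-conflict-object",
                {"dn": dn, "guid": g.group("guid") if g else None})
    m = COMMIT_RE.search(message)
    if m:
        return ("replication-commit-failed", {"error": m.group("err")})
    m = DNSUPD_RE.search(message)
    if m:
        return ("dns-update-failed", {"exit_code": int(m.group("code"))})
    return None


def parse_samba_journal(text):
    """Pair each Samba header line with the message line that follows it and
    return a list of event dicts (ts, host, level, src, kind, detail...)."""
    events = []
    pending = None  # header waiting for its message line
    for line in text.splitlines():
        jm = JOURNAL_RE.match(line)
        if not jm:
            continue
        rest = jm.group("rest").strip()
        hm = HEADER_RE.match(rest)
        if hm:
            pending = {"ts": jm.group("ts"), "host": jm.group("host"),
                       "level": int(hm.group("level")), "src": hm.group("src")}
            continue
        if not rest:
            continue  # blank continuation line emitted after some messages
        cls = classify(rest)
        if cls and pending:
            kind, detail = cls
            events.append({**pending, "kind": kind, **detail})
        pending = None  # a header only applies to the message right after it
    return events


def summarize(events):
    """Count events per (host, kind) so a DC that keeps failing stands out."""
    return Counter((e["host"], e["kind"]) for e in events)


if __name__ == "__main__":
    evs = parse_samba_journal(SAMPLE_LOG)
    for (host, kind), n in sorted(summarize(evs).items()):
        print(f"{host:<6} {kind:<30} {n}")
    for e in evs:
        if e["kind"] == "replication-conflict-object":
            print("conflict object:", e["guid"], e["dn"])
```

Run it against `journalctl -u samba-ad-dc -o short` output instead of SAMPLE_LOG to get the same per-host counts for a real DC; the conflict-object DNs it prints are the ones to look at in the directory, since each carries the GUID of the object that collided during replication.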

