
Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch

On Tue, 20 Jun 2017 18:52:49 +0200
Prunk Dump <prunkdump@xxxxxxxxx> wrote:

> Hello.
> I upgraded Debian from "Jessie" to "Stretch" following the Debian
> Upgrade Handbook. I'm not using special repositories, just the Debian
> stable branch. Everything is updated with "apt-get upgrade" and
> "apt-get dist-upgrade".
> This upgrade is really mandatory because after two years of Debian
> Jessie I have encountered many difficulties with the Samba version.
> Two times the Debian security team was not able to apply a security
> patch to the base stable Samba version. So two times the Samba version
> changed and put my network down. So I can't keep the Jessie Samba
> version for two years more; I want to maintain good security.

Not sure if upgrading to an unreleased Debian version is a good idea;
you could do what I am doing, use Louis Van Belle's packages on Jessie.

> But now I'm very disappointed.
> I don't understand why all my DCs have a bad
> "/var/lib/samba/private/secret.keytab"
> I don't understand why Kerberos authentication does not work inside
> Samba but works with "kinit" (as in the previous log I have sent).

I don't understand it either, but I feel it must be down to at least one
of the packages that got upgraded and that are used by Samba. Perhaps
Louis can comment here; I feel he knows more about what is required to
get the latest version of Samba working on Debian.

> I'm lost. I don't know what to do...
> -> How can I regenerate the "/var/lib/samba/private/secret.keytab"
> with all the 5 encryptions?

This is something Andrew is going to have to help you with, but I
think he gave a hint about using 'chgdcpass'.

> -> On the DC that has all the FSMO roles I have run "samba-tool
> dbcheck --cross-ncs --fix --yes" (as said in the Samba upgrade guide).
> Do I need to do this on the other DCs? Or is it better to first
> restore replication?

This should fix any faults in the db on this machine; replication should
then send any changes to the other DCs, but I can see no reason not to
run the command on the other DCs.

> -> Do I need to do a manual directory replication?

I wouldn't at this stage, but if you can fix it on one DC and the fixes
don't get replicated, this may be something to consider later.
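Before regenerating a DC keytab it helps to know exactly which principals are missing which encryption types, so the problem can be compared across DCs and re-checked after a fix. The script below is an added example, not part of this thread or of Samba itself: it parses the output of MIT `klist -ke` (the krb5-user `klist`, which reads a Samba `secrets.keytab` fine) and reports, per principal, which of an expected set of enctypes are absent. The sample `klist` text and the expected enctype list are constructed assumptions for the demonstration; the real keytab path on a Samba DC is `/var/lib/samba/private/secrets.keytab`.

```shell
#!/bin/sh
# Constructed sample of MIT `klist -ke` output for a DC keytab (not taken from the thread).
SAMPLE_KLIST='Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/dc1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/dc1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 host/dc1.example.com@EXAMPLE.COM (arcfour-hmac)
   3 DC1$@EXAMPLE.COM (arcfour-hmac)
   3 DC1$@EXAMPLE.COM (des-cbc-crc)'

# Enctypes we expect every principal to carry (an assumption for this example; adjust to policy).
EXPECTED_ENCTYPES="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac"

# enctypes_for_principal <klist text> <principal>: sorted, space-separated enctypes present.
enctypes_for_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { gsub(/[()]/, "", $3); print $3 }' \
        | sort | tr '\n' ' ' | sed 's/ $//'
}

# missing_enctypes <klist text> <principal>: expected enctypes absent for that principal.
missing_enctypes() {
    have=$(enctypes_for_principal "$1" "$2")
    out=""
    for e in $EXPECTED_ENCTYPES; do
        case " $have " in
            *" $e "*) ;;                 # present
            *) out="$out$e " ;;          # absent
        esac
    done
    printf '%s' "${out% }"
}

# principals <klist text>: unique principal names, skipping the three header lines.
principals() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 3 { print $2 }' | sort -u
}

# report <klist text>: one line per principal, flagging missing enctypes.
# Live use on a DC: report "$(klist -ke /var/lib/samba/private/secrets.keytab)"
report() {
    text=$1
    for p in $(principals "$text"); do
        m=$(missing_enctypes "$text" "$p")
        if [ -n "$m" ]; then
            printf '%s: MISSING %s\n' "$p" "$m"
        else
            printf '%s: ok\n' "$p"
        fi
    done
}

report "$SAMPLE_KLIST"
```

Running the same report on each DC and diffing the output shows whether the keytab damage is uniform (pointing at the upgrade) or confined to one host, which is what decides whether a dbcheck plus replication is enough or the DC password and keytab must be regenerated.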


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba