
Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch

On Tue, 20 Jun 2017 18:52:49 +0200
Prunk Dump <prunkdump@xxxxxxxxx> wrote:

> Hello.
> 
> I upgraded Debian from "Jessie" to "Stretch" following the Debian
> Upgrade Handbook. I'm not using special repositories, just the Debian
> stable branch. Everything is updated with "apt-get upgrade" and
> "apt-get dist-upgrade".
> 
> This upgrade is really mandatory because after two years of Debian
> Jessie I have encountered many difficulties with the samba version.
> Two times the Debian security team was not able to apply a security
> patch to the base stable Samba version. So two times the Samba version
> changed and put my network down. So I can't keep the Jessie Samba
> version for two years more; I want to maintain good security.

Not sure if upgrading to an unreleased Debian version is a good idea;
you could do what I am doing, use Louis Van Belle's packages on Jessie.

> 
> But now I'm very disappointed.
> I don't understand why all my DCs have a bad
> "/var/lib/samba/private/secret.keytab".
> I don't understand why Kerberos authentication does not work inside
> Samba but works with "kinit" (like in the previous log I have sent).

I don't understand it either, but I feel it must be down to at least one
of the packages that got upgraded and that are used by Samba. Perhaps
Louis can comment here; I feel he knows more about what is required to
get the latest version of Samba working on Debian.

> 
> I'm lost. I don't know what to do...
> 
> -> How can I regenerate the "/var/lib/samba/private/secret.keytab"
> with all the 5 encryptions?

This is something Andrew is going to have to help you with, but I
think he gave a hint about using 'chgtdcpass'.

> 
> -> On the DC that has all the FSMO roles I have run "samba-tool
> dbcheck --cross-ncs --fix --yes" (as said in the samba upgrade guide).
> Do I need to do this on the other DCs? Or is it better to first
> restore replication?

This should fix any faults in the db on this machine; replication should
then send any changes to the other DCs, but I can see no reason not to
run the command on the other DCs.

> 
> -> Do I need to do a manual directory replication ?
> 

I wouldn't at this stage, but if you can fix it on one DC and the fixes
don't get replicated, this may be something to consider later.

Rowland
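Before regenerating a DC's secrets.keytab it helps to know exactly which encryption types each principal is missing. The script below is an added example (mine, not from this thread or the Samba project): it parses MIT `klist -ket` output and reports, per principal, which of an expected set of five enctypes is absent. The expected set, the sample output, the KVNO and the principal names are assumptions; feed it the real output of `klist -ket /var/lib/samba/private/secrets.keytab` on each DC.

```python
import re
from collections import defaultdict

# Assumption for this example: the "5 encryptions" a Samba AD DC keytab is
# expected to carry per principal are the five below; adjust to your DCs.
EXPECTED = {
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "arcfour-hmac",
    "des-cbc-md5",
    "des-cbc-crc",
}

# One entry line of MIT `klist -ket` output: KVNO, timestamp, principal, (enctype)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)")

def keytab_enctypes(klist_output):
    """Map each principal in `klist -ket` output to the set of enctypes found."""
    found = defaultdict(set)
    for line in klist_output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            principal, enctype = m.group(3), m.group(4)
            found[principal].add(enctype)
    return dict(found)

def missing_enctypes(klist_output, expected=EXPECTED):
    """Return {principal: sorted list of expected enctypes that are absent}."""
    found = keytab_enctypes(klist_output)
    return {p: sorted(expected - types) for p, types in found.items()}

# Constructed sample: the machine account lacks its AES keys, the host
# principal is complete. Realm, host name and KVNO are made up.
SAMPLE = """\
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/20/2017 18:00:00 DC1$@EXAMPLE.COM (arcfour-hmac)
   3 06/20/2017 18:00:00 DC1$@EXAMPLE.COM (des-cbc-md5)
   3 06/20/2017 18:00:00 DC1$@EXAMPLE.COM (des-cbc-crc)
   3 06/20/2017 18:00:00 host/dc1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 06/20/2017 18:00:00 host/dc1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 06/20/2017 18:00:00 host/dc1.example.com@EXAMPLE.COM (arcfour-hmac)
   3 06/20/2017 18:00:00 host/dc1.example.com@EXAMPLE.COM (des-cbc-md5)
   3 06/20/2017 18:00:00 host/dc1.example.com@EXAMPLE.COM (des-cbc-crc)
"""

if __name__ == "__main__":
    for principal, missing in missing_enctypes(SAMPLE).items():
        print(principal, "OK" if not missing else "MISSING: " + ", ".join(missing))
```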


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba