Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch
- Date: Wed, 21 Jun 2017 08:30:30 +0200
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch
I'm also wondering what happened here, I can't figure it out (yet).
I have read this a few times now..
Baptiste, can you give me the following output.
(Keep this order for the output, please.)
klist -ket /etc/krb5.keytab
klist -ket /var/lib/samba/private/secrets.keytab
Get this script, run it, and if you get errors post them.
> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 20 June 2017 19:13
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] DRS stopped working after upgrade from
> debian Jessie to Stretch
> On Tue, 20 Jun 2017 18:52:49 +0200
> Prunk Dump <prunkdump@xxxxxxxxx> wrote:
> > Hello.
> > I upgraded Debian from "Jessie" to "Stretch" following the Debian
> > Upgrade Handbook. I am not using special repositories, just the
> > Debian stable branch. Everything is updated with "apt-get upgrade" and
> > "apt-get dist-upgrade".
! I noticed that samba-dsdb-modules in a "winbind"-only install errors again.
Not a problem, but check if samba-dsdb-modules is installed on your DC after the upgrade.
Better, show me:
dpkg -l | egrep "samba|?mbd|winbind|nss|talloc|tevent|tdb|ldb"
> > This upgrade is really mandatory because after two years of Debian
> > Jessie I have encountered many difficulties with the samba version.
> > Twice the Debian security team was not able to apply a security
> > patch to the base stable Samba version. So twice the Samba version
> > changed and took my network down. So I can't keep the Jessie Samba
> > version for two more years if I want to maintain good security.
Can you point me to these 2?
> Not sure if upgrading to an unreleased Debian version is a
> good idea, you could do what I am doing, use Louis Van
> Belle's packages on Jessie.
Rowland, Debian Stretch was released 3 days ago ;-)
> > But now I am very disappointed.
> > I don't understand why all my DCs have a bad
> > "/var/lib/samba/private/secret.keytab"
> > I don't understand why Kerberos authentication does not work inside
> > Samba but works with "kinit" (like in the previous log I have sent).
We will figure this out, .. Just thinking..
kinit uses the default /etc/krb5.conf
System default normally points to /etc/krb5.keytab
> I don't understand it either, but I feel it must be down to at
> least one of the packages that got upgraded and that are used
> by Samba. Perhaps Louis can comment here, I feel he knows
> more about what is required to get the latest version of
> Samba working on Debian.
I'm thinking, Baptiste, you're using nfsv4 kerberized?
Do cat /etc/idmap.conf for me also, are you using "[Static]" user name mappings like
principal@REALM = localusername
> > I'm lost. I don't know what to do...
> > -> How can I regenerate the "/var/lib/samba/private/secret.keytab"
> > with all the 5 encryptions ?
First the info, then the fix.
> This is something Andrew is going to have to help you with,
> but I think he gave a hint about using 'chgtdcpass'
> > -> On the DC that has all the FSMO roles I have made a "samba-tool
> > dbcheck --cross-ncs --fix --yes" (as it says in the samba upgrade guide).
> > Do I need to do this on the other DCs ? Or is it better to first
> > restore replication ?
Run my samba-check-db-repl.sh script, then we'll see what needs fixing.
> This should fix any faults in db on this machine, replication
> should then send any changes to the other DCs, but I can see
> no reason not to run the command on the other DCs
> > -> Do I need to do a manual directory replication ?
> I wouldn't at this stage, but if you can fix it on one DC and
> the fixes don't get replicated, this may be something to
> consider later.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba