
Re: [Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom@DOM) unknown
Yes, if you are flexible with reinstalling, you could..
(more below) 

> -----Original message-----
> From: Sven Schwedas [mailto:sven.schwedas@xxxxxx] 
> Sent: Tuesday, 5 September 2017 16:32
> To: L.P.H. van Belle; samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom@DOM) unknown
> 
> On 2017-09-05 16:21, L.P.H. van Belle wrote:
> >> Keytabs look reasonable, as far as I can see, but why does graz-dc-sem have the same SPN output as graz-dc-1b in addition to its own?
> > A snapshotted server/cloned server? I don't know, but that's not correct.
> 
> Nope, both were created clean. There used to be a graz-dc-bis, but removing and re-adding it completely broke replication, so I nuked it and created 1b to replace it. That odyssey is in the list archives somewhere…

Very strange then, if they were all created clean. 
Removing and re-adding is possible, but not without risk. 

> 
> > I suggest, cleanup the DS with FSMO roles. 
> 
> Clean up as in move FSMO roles to a clean server (leaves only
> villach-dc-*) ?
Yes and no.  ;-) 

I suggest the following: move the FSMO roles to villach-dc and check database replication.

Remove the most faulty one first, graz-dc-1b, from the domain. ( Check and clean up DNS and AD! Very important ) 

You don't have to reinstall the complete OS, just clean up as told, and reprovision that server again. 
Reboot and then wait, and check database replication again. 
! Do reboot ! 

And repeat for all servers you don't trust. 

That should bring your network back as it should be. 


> 
> > Then remove a faulty server and re-add it as a new installed DC.
> > ( the good DS with FSMO)
> > First backup: /var/lib/samba/private/secrets.keytab
> > Remove the incorrect entries from keytab file with ktutil rkt 
> > /var/lib/samba/private/secrets.keytab
> > list -e -t
> 
> Might as well just nuke graz-dc-sem and add a complete new DC 
> from scratch, no?
No, and yes, but I prefer no, not needed (yet). 
Start with the keytab cleanup. 
Check the DNS records: whether the UUID, A, PTR and hostnames resolve to the correct server. 
If that's the case, then no, cleanup of the keytab is, I think, sufficient. 

Yes, if it's really a mess. ;-) 
Then, first a new DC, then remove; just make sure you always have 2 DCs up and running (correctly).


> 
> > Check if dates here are related to other work you/someone did?
> > 
> > Now you can remove the faulty one from the domain and re-add it (with provisioning). Backup and cleanup /etc/samba/smb.conf  (rename)
> > /var/cache/samba	   ( remove all files from folder) 
> > /var/lib/samba	   ( remove all files and directories from folder) 
> > 
> > Now re-provision and you should have correctly working DCs again. 
> > 
> > ! Before re-provisioning, make sure all OLD records in DNS and AD are gone. 
> 
> I still have undeleteable replication records from the last 
> time I had to nuke a DC, nobody replied to my emails on that issue.

Ok, now, I'm out of office in about 10 min, but mail that subject for me again. 
I'll have a look. 
Oh, and if you don't use it, ApacheDirectoryStudio can help a lot with cleanup of these kinds of things. 
But just make sure you know what you delete, or you mess up the AD even more. 


Greetz, 

Louis
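The keytab check the thread describes (rkt the secrets.keytab, list -e -t, then take out the entries that belong to the other DC), worked through as an added example that is not from the thread or from Samba itself. It reads the MIT ktutil listing format, compares every principal's instance with the DC's own name, and turns the result into a reviewable ktutil command script. The hostnames, realm, GUID and listing are constructed for the demo, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the thread: checks the principals in a DC's
# secrets.keytab against the DC's own name, so entries that belong to another
# DC (the cross-over the thread noticed) can be reviewed before ktutil cleanup.
# Hostnames, realm, GUID and slot numbers below are constructed for the demo.

# Constructed stand-in for what MIT ktutil prints after
#   rkt /var/lib/samba/private/secrets.keytab
#   list -e -t
sample_listing() {
    cat <<'EOF'
slot KVNO Timestamp         Principal
---- ---- ----------------- ---------------------------------------------------------------------
   1    3 09/05/17 14:00:00 host/graz-dc-sem.example.dom@EXAMPLE.DOM (aes256-cts-hmac-sha1-96)
   2    3 09/05/17 14:00:00 host/GRAZ-DC-SEM@EXAMPLE.DOM (aes256-cts-hmac-sha1-96)
   3    3 09/05/17 14:00:00 GRAZ-DC-SEM$@EXAMPLE.DOM (aes256-cts-hmac-sha1-96)
   4    3 09/05/17 14:00:00 GC/graz-dc-sem.example.dom/example.dom@EXAMPLE.DOM (aes256-cts-hmac-sha1-96)
   5    2 09/05/17 14:00:00 host/graz-dc-1b.example.dom@EXAMPLE.DOM (aes256-cts-hmac-sha1-96)
   6    2 09/05/17 14:00:00 GC/graz-dc-1b.example.dom/example.dom@EXAMPLE.DOM (aes256-cts-hmac-sha1-96)
   7    3 09/05/17 14:00:00 E3514235-4B06-11D1-AB04-00C04FC2DCD2/7c8d4a1e-1111-2222-3333-0123456789ab/example.dom@EXAMPLE.DOM (aes256-cts-hmac-sha1-96)
EOF
}

# foreign_keytab_entries <own FQDN>
# Reads a ktutil "list -e -t" listing on stdin and prints one line per entry
# that needs attention:
#   FOREIGN   <slot> <principal>  instance is neither this DC's FQDN, its short
#                                 name nor its machine account (HOST$)
#   CHECK-DNS <slot> <principal>  DRS replication SPN keyed by the NTDS settings
#                                 GUID; verify that GUID's CNAME in _msdcs points
#                                 at this DC (cannot be decided from the keytab)
foreign_keytab_entries() {
    own_fqdn="$1"
    own_short="${own_fqdn%%.*}"
    own_acct="$(printf '%s' "$own_short" | tr '[:lower:]' '[:upper:]')\$"
    awk -v fqdn="$own_fqdn" -v short="$own_short" -v acct="$own_acct" '
        # data rows start with a numeric slot; header and separator do not
        $1 !~ /^[0-9]+$/ { next }
        {
            princ = $5                      # timestamp occupies $3 and $4
            sub(/@.*/, "", princ)           # drop the realm
            n = split(princ, p, "/")
            if (n == 1) {
                # machine account principal, e.g. GRAZ-DC-SEM$
                if (p[1] != acct) print "FOREIGN", $1, $5
                next
            }
            inst = tolower(p[2])
            # E3514235-... is the DRS replication service class; its instance
            # is the NTDS settings objectGUID, not a hostname
            if (p[1] == "E3514235-4B06-11D1-AB04-00C04FC2DCD2" ||
                (length(inst) == 36 && inst ~ /^[0-9a-f-]+$/)) {
                print "CHECK-DNS", $1, $5
                next
            }
            if (inst != tolower(fqdn) && inst != tolower(short))
                print "FOREIGN", $1, $5
        }'
}

# ktutil_cleanup_commands <keytab path>
# Turns the FOREIGN lines from foreign_keytab_entries (stdin) into a ktutil
# command script. ktutil renumbers the remaining slots after every delent, so
# slots are deleted highest-first, and wkt writes to a NEW file because MIT
# wkt appends to an existing keytab instead of replacing it. Review the script,
# feed it to ktutil on stdin, compare old and new with klist -kte, and only
# then swap the file in (keep the backup the thread asks for).
ktutil_cleanup_commands() {
    kt="$1"
    slots="$(awk '$1 == "FOREIGN" { print $2 }' | sort -rn)"
    [ -n "$slots" ] || return 0
    printf 'rkt %s\n' "$kt"
    for s in $slots; do
        printf 'delent %s\n' "$s"
    done
    printf 'wkt %s.cleaned\nquit\n' "$kt"
}

# Stand-alone run on the constructed listing
report="$(sample_listing | foreign_keytab_entries graz-dc-sem.example.dom)"
printf '%s\n' "$report"
printf '%s\n' "$report" | ktutil_cleanup_commands /var/lib/samba/private/secrets.keytab
```

On the constructed listing the report flags slots 5 and 6 (the graz-dc-1b host and GC principals) as FOREIGN and slot 7 as CHECK-DNS, and the generated script deletes 6 before 5. The CHECK-DNS class exists because the replication SPN carries the NTDS settings GUID rather than a hostname; that is the "uuid" DNS record the thread says to verify, and it has to be resolved against DNS, not the keytab.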


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba