Web lists-archives.com

Re: [Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom@DOM) unknown




Hai Sven,  

> -----Oorspronkelijk bericht-----
> Van: Sven Schwedas [mailto:sven.schwedas@xxxxxx] 
> Verzonden: dinsdag 5 september 2017 17:13
> Aan: L.P.H. van Belle
> CC: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] Server GC/name.dom/dom is not 
> registered with our KDC: Miscellaneous failure (see text): 
> Server (GC/name/dom@DOM) unknown
> 
> On 2017-09-05 16:52, L.P.H. van Belle wrote:
> > Yes, if you flexible with reinstalling, you could..
> 
> I don't want another quick and dirty solution that turns out 
> to break half a year down the line, I'm fine with nuking half 
> my DCs if that means getting to a clean state.
No,  i dont want a quick and dirty solution for you. You need to get a good fix. 

> 
> Besides, recreating containers is faster than manually 
> messing around in /var/lib on each one of them.
> 
> > I suggest the following, move fsmo roles to villach-dc and 
> check database replications.
> 
> DB replication is already spewing errors, what am I to look out for?
Ok, get my check db script, run it from any dc. And post me the output. 
https://github.com/thctlo/samba4/blob/master/samba-check-db-repl.sh 
With the output, we should be able to see which servers have the best replicated database. 
( the script uses the standaard samba tools, but all in one go) 

> 
> > Remove the most faulty one first, graz-dc-1b, from the 
> domain. ( check 
> > and cleanup DNS and AD! Very important )
> 
> What to check for? What to clean up?
Ah, thats hard to tell, this depends a bit on the errors.
I search/look for the left overs, first with RSAT tools and samba-tool, then with ApacheStudio. 
I look for hostnames/UUID/ things like that, but this is only done if all other options did not work. 
But it depends on the errors/warnings i see/get. 

> 
> > You dont have to reinstall the complete os, just cleanup as 
> told, and reprovisioning that server again. 
> 
> Adding a new DC with the same hostname as the old DC is what 
> got me into trouble last time. I'll pass up on that offer.
Ok, but i know the correct steps to do this, its all in the correct order and when to remove where/what. 
I can save you the time to reinstall the OS, you can re-use the os, just dont reuse the same hostname.
But, if its not an option for you anymore, thats ok, that what you want. 

> 
> >>> Then remove a failty server and re-add it as a new installed DC.
> >>> ( the good DS with FSMO)
> >>> First backup: /var/lib/samba/private/secrets.keytab
> >>> Remove the incorrect entries from keytab file with ktutil rkt 
> >>> /var/lib/samba/private/secrets.keytab
> >>> list -e -t
> >>
> >> Might as well just nuke graz-dc-sem and add a complete new DC from 
> >> scratch, no?
> > No, and yes, but i preffer no, not needed (yet). 
> > Start with the keytab cleanup
> > Check the dns record if the uuid A PTR and hostnames 
> resolve to the correct server. 
> > If thats the case, then no, cleanup of keytab is, i think, 
> sufficient. 
> 
> Just to confirm the order: Clean up the keytab, if that 
> doesn't work, start removing servers?
Almost. Backup then ...   Cleanup keytab of the server. 

> 
> > Yes, if its really a mess. ;-)
> > Then, first a an new DC, then remove, just make sure you 
> always have 2 
> > dc's up and running (correctly)
> 
> Servers in Villach seem to run fine, thank $DEITY, so I'll 
> leave them alone for now.
Ok, thats good, run the check-db script and post the complete output for me. 

> 
> >>> Now re-provision and you should have correct working DC's again. 
> >>>
> >>> ! Before re-provisioning, make sure all OLD records dns and
> >> AD are gone. 
> >>
> >> I still have undeleteable replication records from the last time I 
> >> had to nuke a DC, nobody replied to my emails on that issue.
> > 
> > Ok, now, im out of office in about 10 min, but mail that 
> subject for me again> I'll have a look.
> 
> First message on that topic:
> https://lists.samba.org/archive/samba/2017-March/207429.html
Ok, this one, track down both uuid's, checkout which which hostname belongs with these.
Basicly https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC 
In based on the Demoteing wiki example. 
I do the same steps as shown there. Now the last three pictures on the site shows where to look. 
At the site and Service, go through very folder, and check if it is as it should be. 

https://lists.samba.org/archive/samba/2017-March/207460.html
Between 2 and 3, there the problem starts
>>  – I noticed a typo in the server's `netbios name` setting, corrected it, and restarted the DC. 
3. Yes, for the new hostname, the old hostname is as left over in the ADDC DB and/or DNS. 

This name GRAZ-DC-BIS, and the name with the typo. The GUID for these is where to look info. 

Step 6. ah the point of origin of you problems with of the current post? 

7. dnsmasq? Ok, i just hope these are not running on the DC's. 

> Last message, where I mentioned the replication bug:
> https://lists.samba.org/archive/samba/2017-April/207918.html
> 
> > Own and if you dont use it, ApacheDirectoryStudio can help 
> a lot with cleanup of these kind of things. 
> 
> Currently I'm using the ADSI MMC snap-in, any downsides 
> compared to ADS?
I dont know, never used ADS :-/ 

Track done these : GUID's, the hostname's, ipnumbers A and PTR records 
7e4973ba-4093-4523-a70f-7caa4845e34d 
d613fa11-064b-4bcc-ab01-20264f870f47
(how, see Verifying and Creating the objectGUID Record  https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record) 
And as suggested, do this first through the RSAT tools or samba-tools, try removing them with these tools first. 
(how https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC) 
Open the Active Directory Users and Computers application and set it to advanced view. 

Now, i think the last left overs can be removed with : Active Directory Sites and Services and DNS manager. 
And now check them all, every folder, take your time. 

Then when its done, i run samba-tool dbcheck again per server.
> 
> > But just make sure you know what you delete, for you mess 
> up the AD even more. 
> 
> That why I'm not touching anything without a full list.
Yes, good, im pro that, the more info we get the better we can help you. 


Greetz, 

Louis


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba