Re: [Samba] Replication problems bdc to pdc

Hello Rowland,
thank you for the quick response.


On 11. 12. 2017 15:48, Rowland Penny via samba wrote:
On Mon, 11 Dec 2017 14:33:48 +0100
Jiří Knotek via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hello,

Replication from the backup Active Directory Domain Controller to the primary
Active Directory Domain Controller does not work, reporting the error
'WERR_BADFILE'. The reverse direction works.
You do not have a backup AD DC, or a primary AD DC, you just have two
AD DCs

OK, thank you for correcting the nomenclature

   * Linux: Raspbian, debian stretch lite
   * Samba version 4.5.12-Debian
   * DNS: BIND9_DLZ 9.10.x
   * Installed packages: ntp ntpdate samba smbclient winbind libcups2
     samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user

root@ry11citdc:~# samba-tool drs replicate ry11citsdc ry11citdc dc=ry11cit,dc=local
Replicate from ry11citdc to ry11citsdc was successful.
root@ry11citdc:~# samba-tool drs replicate ry11citdc ry11citsdc dc=ry11cit,dc=local
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)


There is something strange here, you seem to be running the commands on
the same DC, the first time it works, then it cannot find the command,
then after you switched the order of the DCs to replicate to & from,
it throws an error

I copied it badly; I have corrected it. The second command demonstrates the malfunctioning replication.

First Active Directory Domain Controller:

krb5.conf:

[libdefaults]
      default_realm = RY11CIT.LOCAL
      dns_lookup_realm = false
      dns_lookup_kdc = true

You only need the above
OK, I corrected it.

named.conf:------------------------

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

named.conf.options:-----------------------

options {
      directory "/var/cache/bind";

      dnssec-validation auto;

      auth-nxdomain no;    # conform to RFC1035
      listen-on-v6 { none; };
      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
You haven't set any forwarders.

My network has only 10 stations and cannot access the Internet. I just need Windows domain users. I chose Bind9 for future use.
smb.conf:------------------------------

# Global parameters
[global]
      netbios name = RY11CITDC
      realm = RY11CIT.LOCAL
      workgroup = RY11CIT
      server role = active directory domain controller

Why haven't you got a 'server services' line ?
you should have if you are using Bind9

Because of https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html, where they write: "Default: server services = s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns".

But according to https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC I will add "server services = -dns" here. Is it correct?

Another (Standby) Active Directory Domain Controller:
What do you mean by 'standby'?
"Standby server" is an expression used in the SCADA/HMI software CitectSCADA. It is a DC backup; here, one DC.
krb5.conf:

[libdefaults]
      default_realm = RY11CIT.LOCAL
      dns_lookup_realm = false
      dns_lookup_kdc = true

You only need the above
OK, I corrected it.


named.conf.options:-----------------------
options {
      directory "/var/cache/bind";

      dnssec-validation auto;

      auth-nxdomain no;    # conform to RFC1035
      listen-on-v6 { none; };
      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

Still no forwarders
My network has only 10 stations and cannot access the Internet. I just need Windows domain users. I chose Bind9 for future use.

smb.conf:------------------------------

# Global parameters
[global]
      netbios name = RY11CITSDC
      realm = RY11CIT.LOCAL
      workgroup = RY11CIT

      server role = active directory domain controller

Again there is no 'server services' line
Because of https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html, where they write: "Default: server services = s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns".

But according to https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC I will add "server services = -dns" here. Is it correct?
Finally, I see that you are not aware that using '.local' is a bad
idea.
My network has only 10 stations and cannot access the Internet. I thought that .local is just a name. Do you recommend a different name?

Rowland

Unfortunately, the changes made did not correct replication from ry11citsdc to ry11citdc. Do you have any other advice or do you need more information?

Thanks, J. Knotek

--

Ing. Jiří Knotek
programmer

GEMA s.r.o. (automation of technological processes)

Doubravice 13, Pardubice 19, 53353
Tel: +420604570127
E-mail: jiri.knotek@xxxxxxxxxx
Web: www.gemapce.cz
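Added example, not part of this message and not Samba's own code: a POSIX sh script that turns the two things this thread keeps coming back to into checks. The first function reads `samba-tool drs showrepl` output and lists each inbound replication link with its status, so a failing pull such as the WERR_BADFILE above shows up as one line instead of being buried in the full report; the second reads an smb.conf and says whether Samba's internal DNS server is still active, which is the question behind the "server services = -dns" discussion. The showrepl sample and the smb.conf fragments are constructed for the example: the DC names and partition DN are taken from the thread, the timestamps are placeholders, and the sample follows the layout of showrepl output (partition DN unindented, neighbour and "Last attempt" lines indented) without claiming to be a real capture.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code): two pure POSIX sh
# checks. All samples are constructed; they follow the layout of
# `samba-tool drs showrepl` output and of the smb.conf posted in the thread.

# Constructed showrepl output as seen on ry11citdc: pulling the domain
# partition from ry11citsdc fails with WERR_BADFILE, Configuration works.
SAMPLE_SHOWREPL=$(cat <<'EOF'
Default-First-Site-Name\RY11CITDC

==== INBOUND NEIGHBORS ====

DC=ry11cit,DC=local
    Default-First-Site-Name\RY11CITSDC via RPC
        Last attempt @ Mon Dec 11 14:33:48 2017 CET failed, result 2 (WERR_BADFILE)
        3 consecutive failure(s).

CN=Configuration,DC=ry11cit,DC=local
    Default-First-Site-Name\RY11CITSDC via RPC
        Last attempt @ Mon Dec 11 14:33:50 2017 CET was successful
        0 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

DC=ry11cit,DC=local
    Default-First-Site-Name\RY11CITSDC via RPC
        Last attempt @ Mon Dec 11 14:33:48 2017 CET was successful
EOF
)

# showrepl_status: stdin = showrepl output; prints one line per INBOUND
# link as <partition>|<neighbour>|<status>. Outbound links are ignored:
# "A can push to B" says nothing about "A can pull from B".
showrepl_status() {
  section=""; nc=""; nbr=""
  while IFS= read -r line; do
    case "$line" in "==== "*) section=$line; continue ;; esac
    case "$section" in *INBOUND*) ;; *) continue ;; esac
    [ -n "$line" ] || continue
    lead=${line%%[![:space:]]*}                 # leading tabs/spaces
    body=${line#"$lead"}
    if [ -z "$lead" ]; then nc=$line; continue; fi   # unindented: partition DN
    case "$body" in
      *" via "*) nbr=${body%%" via "*} ;;       # Site\DC via RPC
      "Last attempt @ "*" was successful") printf '%s|%s|OK\n' "$nc" "$nbr" ;;
      "Last attempt @ "*" failed, result "*)
        err=${body##*"failed, result "}
        printf '%s|%s|FAILED %s\n' "$nc" "$nbr" "$err" ;;
    esac
  done
}

# failed_links: count FAILED lines (count on stdout, details on stderr).
failed_links() {
  n=0
  while IFS='|' read -r part nbr status; do
    case "$status" in
      FAILED*) n=$((n + 1)); printf '%s <- %s: %s\n' "$part" "$nbr" "$status" >&2 ;;
    esac
  done
  echo "$n"
}

# internal_dns_state: stdin = smb.conf; reports whether Samba's internal
# DNS server is still active. Per smb.conf(5), a 'server services' value
# starting with + or - modifies the default list (which includes dns); a
# plain list replaces it. The key is matched literally as "server services",
# not in the other spellings smb.conf also accepts.
internal_dns_state() {
  state="on"
  while IFS= read -r line; do
    lead=${line%%[![:space:]]*}; body=${line#"$lead"}
    case "$body" in "#"*|";"*) continue ;; esac      # comment lines
    case "$body" in
      "server services"*"="*)
        value=${body#*=}; explicit=""; modifying="no"
        for tok in $value; do
          case "$tok" in
            -dns)     explicit="off" ;;
            +dns|dns) explicit="on" ;;
            -*|+*)    modifying="yes" ;;
          esac
        done
        if [ -n "$explicit" ]; then state=$explicit
        elif [ "$modifying" = "yes" ]; then state="on"   # defaults kept
        else state="off"                                 # replaced, no dns
        fi ;;
    esac
  done
  echo "internal-dns:$state"
}

# Constructed smb.conf fragments: as posted, and with the wiki's
# 'server services = -dns' for a BIND9_DLZ back end.
SAMPLE_SMB_CONF_DEFAULT='[global]
    netbios name = RY11CITDC
    realm = RY11CIT.LOCAL
    server role = active directory domain controller'
SAMPLE_SMB_CONF_BIND="$SAMPLE_SMB_CONF_DEFAULT
    server services = -dns"
```

On a real DC the same functions take the live output: `samba-tool drs showrepl | showrepl_status | failed_links` and `internal_dns_state < /etc/samba/smb.conf`. With the constructed sample the first pipeline reports one failed link, the domain partition pulled from RY11CITSDC, and the posted smb.conf (no 'server services' line) reports the internal DNS server as still on.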

