Web lists-archives.com

Re: [Samba] Replication problems bdc to pdc




See inline comments:

On Wed, 13 Dec 2017 10:13:52 +0100
Jiří Knotek via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello Rowland,
> 
>      thank you for advice. I reconfigure both AC-DCs again with new
> data and send updated data. Unfortunately, the result is the same.
> I'm also sending a listing from
> 
> samba-setup-checkup.sh.
> 
>   * Linux: Raspbian, debian stretch lite
>   * Samba version 4.5.12-Debian
>   * DNS: BIND9_DLZ 9.10.x
>   * Installed packages: ntp ntpdate samba smbclient winbind libcups2 
> samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user
> 
> *root@ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citsdc 
> ry11citdc dc=ry11cit,dc=lan*
> Replicate from ry11citdc to ry11citsdc was successful.
> 
> *root@ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citdc 
> ry11citsdc dc=ry11cit,dc=lan*
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
> drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 
> 368, in run
>      drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, 
> source_dsa_guid, NC, req_options)
>    File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line
> 83, in sendDsReplicaSync
>      raise drsException("DsReplicaSync failed %s" % estr)
> 
> 
> *root@ry11citdc:/home/pi/Ry11# bash samba-setup-checkup.sh*
> Check hostnames : Mismatch in hostname definitions
> please check :
> HOST_NAME_SHORT: ry11citdc
> HOST_NAME_DOMAIN:
> HOST_NAME_FQDN: ry11citdc
> HOST_IP1: 10.44.1.10
> HOST_IP2: Only one interface detected
> HOST_GATEWAY: 10.44.1.1
> HOST_PRIMARY_INTERFACE: 10.44.1.1
> eth0
> HOST_RESOLV_DOMAIN: domain ry11cit.lan
> HOST_RESOLV_SEARCH: search ry11cit.lan
> HOST_RESOLV_NAMESERV1: 10.44.1.10
> HOST_RESOLV_NAMESERV2: 10.44.1.9
> HOST_RESOLV_NAMESERV3:
> Possible error detected in /etc/hosts, mismatch FQDN and detected IP 
> 10.44.1.10 for the host.
> expected was : 10.44.1.10 ry11citdc ry11citdc
> Checking detected host ipnumbers from resolv.conf and default gateway
> Ping gateway ip : 10.44.1.1 : Error
> ping nameserver1: 10.44.1.10 : Ok
> ping nameserver2: 10.44.1.9 : Ok
> Check ping google dns : 8.8.8.8 : Error
> Checking file owner..
> -rw-r--r-- pi pi         /etc/samba/smb.conf
> Checking file owner..
> -rw-r--r-- pi pi         /etc/samba/lmhosts
> Checking file owner..
> Missing file /etc/samba/smbpasswd
> drwxr-xr-x root root     /usr/bin
> drwxr-xr-x root root     /var/cache/samba
> drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf
> drwxr-xr-x root root     /var/run/samba
> drwxr-x--- root adm      /var/log/samba
> drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf/samba
> drwxr-xr-x root root     /var/run/samba
> drwxr-xr-x root root     /var/lib/samba/private
> drwxr-xr-x root root     /usr/sbin
> drwxr-xr-x root root     /var/lib/samba
> DCS 2(SERVFAIL
> DC1 2(SERVFAIL
> DC2
> ERROR: Invalid IP address '2(SERVFAIL'!
> Samba AD DC info:             =  detected (command and where to look)
> This server hostname          = ry11citdc (hostname -s and /etc/hosts 
> and DNS server)
> This server FQDN (hostname)   = ry11citdc (hostname -f and /etc/hosts 
> and DNS server)
> This server primary dnsdomain =  (hostname -d and /etc/resolv.conf
> and DNS server)
> This server IP address(ses)   = 10.44.1.10  Only one interface
> detected (hostname -i (-I) and /etc/networking/interfaces and DNS
> server The DC with FSMO roles        = RY11CITDC (samba-tool fsmo
> show) The DC (with FSMO) Site name  = Default-First-Site-Name
> (samba-tool fsmo show)
> The Default Naming Context    = DC=ry11cit,DC=lan (samba-tool fsmo
> show) The Kerberos REALM name used  = RY11CIT.LAN    (kinit
> and /etc/krb5.conf and resolving)
> The Ipadres of DC 2(SERVFAIL        = 2(SERVFAIL)
> SAMBA_SERVER_ROLE: active directory domain controller
> SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, 
> netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, 
> backupkey, dnsserver
> 
> 
> *I did not come to the way the hostname -d command would return the 
> domain name. How can I do that? In addition, there are host, lmhost, 
> resolv.conf, and so on**
> *
> 
> Please help, I don 't know the advice.
> 
> System integrator Jiří Knotek
> 
> 
> "Primary" Active Directory Domain 
> Controler:---------------------------------------------------------------------------------------------------
> 
> ----------------------------------------------------------------------------------------------------------------------------------------------------- 
> 
> 
> hostname:-----------------
> ry11citdc.ry11cit.lan

This should be just the short hostname
In this case 'ry11citdc'

> 
> hosts:---------------
> 127.0.0.1    localhost localhost.localdomain
> 10.44.1.10    ry11citdc ry11citdc.ry11cit.lan
> 10.44.1.9     ry11citsdc ry11citsdc.ry11cit.lan

This should be:

127.0.0.1    localhost
10.44.1.10   ry11citdc.ry11cit.lan ry11citdc

> 
> resolv.conf.head:-------------------
> domain ry11cit.lan
> search ry11cit.lan

What is 'resolv.conf.head' ?
Do you have the resolvconf package installed ?
if so, remove it and the create an /etc/resolv.conf file with this
content:

search ry11cit.lan
nameserver 10.44.1.10

> 
> systemctl.conf"--------------------
> net.ipv4.ip_forward=1
> net.ipv6.conf.all.disable_ipv6=1
> 
> 
> 
> krb5.conf:------------
> 
> [libdefaults]
>      default_realm = RY11CIT.LAN
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
> 
> named.conf:------------------------
> 
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
> 
> named.conf.options:-----------------------
> 
> options {
>      directory "/var/cache/bind";
> 
>      dnssec-validation auto;
> 
>      auth-nxdomain no;    # conform to RFC1035
>      listen-on-v6 { none; };
>      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
> 
> lmhost:--------------------------
> 127.0.0.1   localhost
> 10.44.1.10  ry11citdc
> 10.44.1.9   ry11citsdc
> 

not required

> smb.conf:------------------------------
> 
> # Global parameters
> [global]
>      netbios name = RY11CITDC
>      realm = RY11CIT.LAN
>      server services = -dns
>      workgroup = RY11CIT
>      server role = active directory domain controller
> 
> [netlogon]
>      path = /var/lib/samba/sysvol/ry11cit.lan/scripts
>      read only = No
> 
> [sysvol]
>      path = /var/lib/samba/sysvol
>      read only = No
> 
> Samba Provision---------------:
> 
>      samba-tool domain provision --realm=RY11CIT.LAN --domain=RY11CIT 
> --server-role=dc --dns-backend=BIND9_DLZ --adminpass='.....'
> 
> "Backup / Standby" Active Directory Domain 
> Controler:--------------------------------------------------------------------------------------------------- 
> 
> 
> ----------------------------------------------------------------------------------------------------------------------------------------------------- 
> 
> 
> hostname:-----------------
> ry11citsdc.ry11cit.lan

should be just 'ry11citsdc'

> 
> hosts:---------------
> 127.0.0.1    localhost localhost.localdomain
> 10.44.1.10    ry11citdc ry11citdc.ry11cit.lan
> 10.44.1.9     ry11citsdc ry11citsdc.ry11cit.lan

should be:

127.0.0.1    localhost
10.44.1.9   ry11citsdc.ry11cit.lan ry11citsdc

> 
> resolv.conf.head:-------------------
> domain ry11cit.lan
> search ry11cit.lan
> 

/etc/resolv.conf should be:

search ry11cit.lan
nameserver 10.44.1.9

> systemctl.conf"--------------------
> net.ipv4.ip_forward=1
> net.ipv6.conf.all.disable_ipv6=1
> 
> 
> 
> krb5.conf:------------
> 
> [libdefaults]
>      default_realm = RY11CIT.LAN
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
> 
> named.conf:------------------------
> 
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
> 
> named.conf.options:-----------------------
> 
> options {
>      directory "/var/cache/bind";
> 
>      dnssec-validation auto;
> 
>      auth-nxdomain no;    # conform to RFC1035
>      listen-on-v6 { none; };
>      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
> 
> lmhost:--------------------------
> 127.0.0.1   localhost
> 10.44.1.10  ry11citdc
> 10.44.1.9   ry11citsdc
> 

Not required

> smb.conf:------------------------------
> 
> # Global parameters
> [global]
>      netbios name = RY11CITSDC
>      realm = RY11CIT.LAN
>      server services = -dns
>      workgroup = RY11CIT
>      server role = active directory domain controller
> 
> [netlogon]
>      path = /var/lib/samba/sysvol/ry11cit.lan/scripts
>      read only = No
> 
> [sysvol]
>      path = /var/lib/samba/sysvol
>      read only = No
> 
> Samba join---------------:
> 
>         samba-tool domain join RY11CIT DC -Uadministrator 
> --realm=RY11CIT.LAN --dns-backend=BIND9_DLZ --adminpass='.....'
> 

You haven't provisioned with '--use-rfc2307'
I suggest you go and read this:
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba