Re: [Samba] Samba AD DC through VPN. No DRS replication

Hello all. Please help me with my problem.
I have an organization with branches connected through the internet by VPN. The first branch (B00) has two DCs in its network and the second branch (B01) has one DC in its network.
All three DCs are built from source (4.10.2) on freshly installed Debian Stretch. I am using the BIND9_DLZ backend.
So, the 2 DCs located in one building (B00) work flawlessly: DDNS updates, drs repl and so on. But when I join a new DC at the second building, nothing works on this new DC. I can't connect to it from RSAT and cannot make drs replication.

When I try samba-tool drs showrepl -d 3, I get this message:
Server ldap/B01DC01.CORP.COMPANY.RU@xxxxxxxxxxxxxxx is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/B01DC01.CORP.COMPANY.RU@xxxxxxxxxxxxxxx) unknown
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/B01DC01.CORP.COMPANY.RU failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER

When I try ldbsearch -H ldap://b00dc01 servicePrincipalName=ldap/B01DC01.corp.company.ru, I get zero search results.

My smb.conf is pretty simple on all nodes:
[global]
        hosts allow = ALL
        server min protocol = NT1
        lanman auth = Yes
        ntlm auth = Yes
        netbios name = B00DC01
        realm = CORP.COMPANY.RU
        server role = active directory domain controller
        server services = -dns
        workgroup = CORP
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/corp.company.ru/scripts
        read only = No

Please help me to fix this issue and finally join the remote DC correctly.

