Re: [Samba] Samba AD DC through VPN. No DRS replication
- Date: Sun, 05 May 2019 01:28:06 +0300
- From: Andrey Zvorygin via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba AD DC through VPN. No DRS replication
Hello all. Please help me with my problem.
I have organization with branches connected through internet by VPN. First branch (B00) have two Dc's in 172.16.0.0/16 network and second branch (B01) have one DC in 172.17.0.0/16 network.
All three Dc's built from sources (4.10.2) on freshly installed Debian Stretch. I am using BIND9_DLZ backend.
So, 2 Dc's located in one building (B00) works flawless: DDNS updates, drs repl and so on. But when I join new DC at second building, nothing works on this new DC. I can't connect to it from RSAT, cannot make drs replication.
When I try samba-tool drs showrepl -d 3, I've got this message:
Server ldap/B01DC01.CORP.COMPANY.RU@xxxxxxxxxxxxxxx is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/B01DC01.CORP.COMPANY.RU@xxxxxxxxxxxxxxx) unknown
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/B01DC01.CORP.COMPANY.RU failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
When I try to ldbsearch -H ldap://b00dc01 servicePrincipalName=ldap/B01DC01.corp.company.ru, I've got zero search results.
My smb.conf is pretty simple on all nodes:
hosts allow = ALL
server min protocol = NT1
lanman auth = Yes
ntlm auth = Yes
netbios name = B00DC01
realm = CORP.COMPANY.RU
server role = active directory domain controller
server services = -dns
workgroup = CORP
idmap_ldb:use rfc2307 = yes
path = /usr/local/samba/var/locks/sysvol
read only = No
path = /usr/local/samba/var/locks/sysvol/corp.company.ru/scripts
read only = No
Please help me to fix this issue and finally join remote DC corretly.
To unsubscribe from this list go to the following URL and read the