Hello everyone,
I am currently trying to get 2 Samba DCs up and running.
I have set up both DCs according to the wiki, including DRS and the rsync Sysvol replication workaround.
While trying to run a remote online backup via a sh script, I ran into several errors on the 2nd DC (e.g. DC1 DB pull backup). I rejoined the 2nd DC, same scenario. I completely wiped Samba, reinstalled it and joined again, and now replication no longer completes.
user create on DC1 → DC2 sees the user
not the other way around.
smb.conf dc01
```ini
# Global parameters
[global]
        min protocol = NT1
        dns forwarder = 8.8.8.8
        netbios name = DC01
        realm = MY.DOMAIN
        server role = active directory domain controller
        workgroup = MY
        idmap_ldb:use rfc2307 = yes
        map to guest = Bad User
        log file = /var/log/samba/%m
        log level = 3
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/MY.DOMAIN/scripts
        read only = No

#--------------------Location----------------------------
[U2-Sono]
        path = /var/lib/samba/shares/Location/U2/Sono
        read only = no

[U1-Sono]
        path = /var/lib/samba/shares/Location/U1/Sono
        read only = no

[U1-Kolposkop]
        path = /var/lib/samba/shares/Location/U1/Kolposkop
        read only = no

[U1-Fetview]
        path = /var/lib/samba/shares/Location/U1/Fetview
        read only = no

[CTG]
        path = /var/lib/samba/shares/Location/CTG
        read only = no

[Scan]
        path = /var/lib/samba/shares/Location/Scan
        read only = no
```
smb.conf dc02
```ini
# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = DC02
        realm = MY.DOMAIN
        server role = active directory domain controller
        workgroup = MY
        idmap_ldb:use rfc2307 = yes
        map to guest = Bad User
        log file = /var/log/samba/%m
        log level = 3
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        name resolve order = bcast host

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/MY.DOMAIN/scripts
        read only = No
```
krb5.conf (identical)
```ini
[libdefaults]
        default_realm = MY.DOMAIN
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
MY.DOMAIN = {
        default_domain = MY.DOMAIN
}

[domain_realm]
        DC02 = MY.DOMAIN
        DC01 = MY.DOMAIN
```
drs replicate from dc01
```text
root@dc01:~# sudo samba-tool drs replicate dc02 dc01 DC=MY,DC=DOMAIN
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc02[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
Server ldap/dc02@MY.DOMAIN is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/dc02@MY.DOMAIN) unknown
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/dc02 failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
Server ldap/dc02@MY.DOMAIN is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/dc02@MY.DOMAIN) unknown
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/dc02 failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Replicate from dc01 to dc02 was successful.
```
drs replicate to dc01
```text
sudo samba-tool drs replicate dc01 dc02 DC=MY,DC=DOMAIN
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc01[,seal]
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
  File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 577, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 92, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
```
drs kcc
```text
administrator@DC02:~$ sudo samba-tool drs kcc
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:DC02.MY.DOMAIN[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name DC02.MY.DOMAIN<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name DC02.MY.DOMAIN<0x20>
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.0.1.9
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.0.1.9
Server ldap/DC02.MY.DOMAIN@MY.DOMAIN is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/DC02.MY.DOMAIN@MY.DOMAIN) unknown
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/DC02.MY.DOMAIN failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Consistency check on DC02.MY.DOMAIN successful.
```
logs
%m
```text
[2022/05/03 14:10:41.139176,  1] ../../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum>
[2022/05/03 14:10:41.141486,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: dcesrv_bind_nak'
[2022/05/03 14:10:45.959845,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2022/05/03 14:10:46.151133,  3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2022/05/03 14:10:46.151982,  1] ../../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum>
[2022/05/03 14:10:46.154285,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: dcesrv_bind_nak'
[2022/05/03 14:10:50.968238,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2022/05/03 14:10:51.158450,  3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2022/05/03 14:10:51.159275,  1] ../../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum>
[2022/05/03 14:10:51.161536,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: dcesrv_bind_nak'
[2022/05/03 14:10:55.979012,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2022/05/03 14:10:56.171453,  3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2022/05/03 14:10:56.172296,  1] ../../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum>
[2022/05/03 14:10:56.174550,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: dcesrv_bind_nak'
[2022/05/03 14:11:00.986482,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2022/05/03 14:11:01.175019,  3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2022/05/03 14:11:01.175870,  1] ../../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum>
[2022/05/03 14:11:01.178036,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: dcesrv_bind_nak'
[2022/05/03 14:11:05.990270,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2022/05/03 14:11:06.178580,  3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2022/05/03 14:11:06.179408,  1] ../../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum>
[2022/05/03 14:11:06.181716,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: dcesrv_bind_nak'
[2022/05/03 14:11:11.075929,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2022/05/03 14:11:11.263154,  3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2022/05/03 14:11:11.263998,  1] ../../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum>
[2022/05/03 14:11:11.266176,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: dcesrv_bind_nak'
```
smbd
```text
2022/05/03 13:49:46.897388,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897429,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 17469 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.897475,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897503,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 1197 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.897569,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897597,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 17484 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.897699,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897755,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 17486 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.897863,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897906,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 1134 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.898097,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.898151,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 1198 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.898384,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.898439,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 1159 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.898471,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.898509,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 1263 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.898667,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.898727,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 17437 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
```
Which other outputs would help narrow this down?
I have read up on various messages in forums and the mailing list archive and tried the suggestions, without success. Do I need to copy over the idmap db here? I am close to setting the DC up from scratch. I suspect stuck attributes or a missing tdb/ldb. Maybe someone here has another idea.
Regards