Replication problems bdc to pdc

Hello,

Replication from backup Active Directory Domain Controler to primary
Active Directory Domain Controler does not work, reporting error '
WERR_BADFILE '. The reverse works.

  * Linux: Raspbian, debian stretch lite
  * Samba version 4.5.12-Debian
  * DNS: BIND9_DLZ 9.10.x
  * Installed packages: ntp ntpdate samba smbclient winbind libcups2
    samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user

root@ry11citdc:~# samba-tool drs replicate ry11citsdc ry11citdc
dc=ry11cit,dc=local
Replicate from ry11citdc to ry11citsdc was successful.


root@ry11citdc:~# root@ry11citdc:~# samba-tool drs replicate ry11citsdc
ry11citdc dc=ry11cit,dc=local
-bash: root@ry11citdc:~#: command not found
root@ry11citdc:~# samba-tool drs replicate ry11citdc ry11citsdc
dc=ry11cit,dc=local
*ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (2, 'WERR_BADFILE')**
**  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
368, in run**
**    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
source_dsa_guid, NC, req_options)**
**  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83,
in sendDsReplicaSync**
**    raise drsException("DsReplicaSync failed %s" % estr)*

Please help, I don 't know the advice.

System integrator Jiří Knotek


Primary Active Directory Domain
Controler:---------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------------------------------------

krb5.conf:

[libdefaults]
     default_realm = RY11CIT.LOCAL
     dns_lookup_realm = false
     dns_lookup_kdc = true

[realms]
RY11CIT.LOCAL = {
     kdc = ry11citdc.ry11cit.local
     admin_server = ry11citdc.ry11cit.local
     default_domain = ry11cit.local
}

named.conf:------------------------

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

named.conf.options:-----------------------

options {
     directory "/var/cache/bind";

     dnssec-validation auto;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { none; };
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

smb.conf:------------------------------

# Global parameters
[global]
     netbios name = RY11CITDC
     realm = RY11CIT.LOCAL
     workgroup = RY11CIT
     server role = active directory domain controller

[netlogon]
     path = /var/lib/samba/sysvol/ry11cit.local/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No


Samba Provision---------------:

     samba-tool domain provision --realm=RY11CIT.LOCAL --domain=RY11CIT
--server-role=dc --dns-backend=BIND9_DLZ --adminpass='.....'

samba_dnsupdate --verbose --all-names
:-------------------------------------------------------------------------

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ry11citdc.ry11cit.local. 900    IN    A    10.44.1.10

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ry11cit.local.        900    IN    NS ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_msdcs.ry11cit.local.    900    IN    NS ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ry11cit.local.        900    IN    A    10.44.1.10

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ry11cit.local. 900    IN    SRV    0 100 389
ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.ry11cit.local. 900    IN SRV    0 100 389
ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.34eb2e7d-db48-48bc-8b5c-0cb16db7afa7.domains._msdcs.ry11cit.local.
900 IN SRV 0 100 389 ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.ry11cit.local. 900 IN    SRV    0 100 88
ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.ry11cit.local. 900 IN    SRV    0 100 88
ry11citdc.ry11cit.local.

IPs: ['10.44.1.10']
force update: A ry11citdc.ry11cit.local 10.44.1.10
force update: NS ry11cit.local ry11citdc.ry11cit.local
force update: NS _msdcs.ry11cit.local ry11citdc.ry11cit.local
force update: A ry11cit.local 10.44.1.10
force update: SRV _ldap._tcp.ry11cit.local ry11citdc.ry11cit.local 389
force update: SRV _ldap._tcp.dc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 389
force update: SRV
_ldap._tcp.34eb2e7d-db48-48bc-8b5c-0cb16db7afa7.domains._msdcs.ry11cit.local
ry11citdc.ry11cit.local 389
force update: SRV _kerberos._tcp.ry11cit.local ry11citdc.ry11cit.local 88
force update: SRV _kerberos._udp.ry11cit.local ry11citdc.ry11cit.local 88
force update: SRV _kerberos._tcp.dc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 88
force update: SRV _kpasswd._tcp.ry11cit.local ry11citdc.ry11cit.local 464
force update: SRV _kpasswd._udp.ry11cit.local ry11citdc.ry11cit.local 464
force update: CNAME
8913e341-f5d8-4619-8cf6-e5e1bd5e7b26._msdcs.ry11cit.local
ry11citdc.ry11cit.local
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citdc.ry11cit.local 389
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 389
force update: SRV
_kerberos._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citdc.ry11cit.local 88
force update: SRV
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 88
force update: SRV _ldap._tcp.pdc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 389
force update: A gc._msdcs.ry11cit.local 10.44.1.10
force update: SRV _gc._tcp.ry11cit.local ry11citdc.ry11cit.local 3268
force update: SRV _ldap._tcp.gc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citdc.ry11cit.local 3268
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 3268
force update: A DomainDnsZones.ry11cit.local 10.44.1.10
force update: SRV _ldap._tcp.DomainDnsZones.ry11cit.local
ry11citdc.ry11cit.local 389
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ry11cit.local
ry11citdc.ry11cit.local 389
force update: A ForestDnsZones.ry11cit.local 10.44.1.10
force update: SRV _ldap._tcp.ForestDnsZones.ry11cit.local
ry11citdc.ry11cit.local 389
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ry11cit.local
ry11citdc.ry11cit.local 389
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/ry11citdc.ry11cit.local as
RY11CITDC$
update(nsupdate): A ry11citdc.ry11cit.local 10.44.1.10
Calling nsupdate for A ry11citdc.ry11cit.local 10.44.1.10 (add)
update(nsupdate): NS ry11cit.local ry11citdc.ry11cit.local
Calling nsupdate for NS ry11cit.local ry11citdc.ry11cit.local (add)
update(nsupdate): NS _msdcs.ry11cit.local ry11citdc.ry11cit.local
Calling nsupdate for NS _msdcs.ry11cit.local ry11citdc.ry11cit.local (add)
update(nsupdate): A ry11cit.local 10.44.1.10
Calling nsupdate for A ry11cit.local 10.44.1.10 (add)
update(nsupdate): SRV _ldap._tcp.ry11cit.local ry11citdc.ry11cit.local 389
Calling nsupdate for SRV _ldap._tcp.ry11cit.local
ry11citdc.ry11cit.local 389 (add)
update(nsupdate): SRV _ldap._tcp.dc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 389
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 389 (add)
update(nsupdate): SRV
_ldap._tcp.34eb2e7d-db48-48bc-8b5c-0cb16db7afa7.domains._msdcs.ry11cit.local
ry11citdc.ry11cit.local 389
Calling nsupdate for SRV
_ldap._tcp.34eb2e7d-db48-48bc-8b5c-0cb16db7afa7.domains._msdcs.ry11cit.local
ry11citdc.ry11cit.local 389 (add)
update(nsupdate): SRV _kerberos._tcp.ry11cit.local
ry11citdc.ry11cit.local 88
Calling nsupdate for SRV _kerberos._tcp.ry11cit.local
ry11citdc.ry11cit.local 88 (add)
update(nsupdate): SRV _kerberos._udp.ry11cit.local
ry11citdc.ry11cit.local 88
Calling nsupdate for SRV _kerberos._udp.ry11cit.local
ry11citdc.ry11cit.local 88 (add)
update(nsupdate): SRV _kerberos._tcp.dc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 88
Calling nsupdate for SRV _kerbeOutgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.ry11cit.local.    900 IN SRV 0 100 88
ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.ry11cit.local. 900 IN    SRV    0 100 464
ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.ry11cit.local. 900 IN    SRV    0 100 464
ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
8913e341-f5d8-4619-8cf6-e5e1bd5e7b26._msdcs.ry11cit.local. 900 IN
CNAME    ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ry11cit.local. 900 IN    SRV 0
100 389 ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local. 900
IN SRV 0 100 389 ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.ry11cit.local. 900 IN
SRV    0 100 88 ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local.
900 IN SRV 0 100 88 ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.ry11cit.local. 900 IN SRV    0 100 389
ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.ry11cit.local. 900    IN    A    10.44.1.10

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.ry11cit.local.    900    IN    SRV    0 100 3268
ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.ry11cit.local. 900    IN SRV    0 100 3268
ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.Default-First-Site-Name._sites.ry11cit.local. 900 IN SRV 0 100
3268 ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ry11cit.local. 900
IN SRV 0 100 3268 ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DomainDnsZones.ry11cit.local. 900 IN    A    10.44.1.10

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.DomainDnsZones.ry11cit.local. 900 IN    SRV 0 100 389
ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ry11cit.local.
900 IN SRV 0 100 389 ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.ry11cit.local. 900 IN    A    10.44.1.10

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.ry11cit.local. 900 IN    SRV 0 100 389
ry11citdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ry11cit.local.
900 IN SRV 0 100 389 ry11citdc.ry11cit.local.

ros._tcp.dc._msdcs.ry11cit.local ry11citdc.ry11cit.local 88 (add)
update(nsupdate): SRV _kpasswd._tcp.ry11cit.local
ry11citdc.ry11cit.local 464
Calling nsupdate for SRV _kpasswd._tcp.ry11cit.local
ry11citdc.ry11cit.local 464 (add)
update(nsupdate): SRV _kpasswd._udp.ry11cit.local
ry11citdc.ry11cit.local 464
Calling nsupdate for SRV _kpasswd._udp.ry11cit.local
ry11citdc.ry11cit.local 464 (add)
update(nsupdate): CNAME
8913e341-f5d8-4619-8cf6-e5e1bd5e7b26._msdcs.ry11cit.local
ry11citdc.ry11cit.local
Calling nsupdate for CNAME
8913e341-f5d8-4619-8cf6-e5e1bd5e7b26._msdcs.ry11cit.local
ry11citdc.ry11cit.local (add)
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citdc.ry11cit.local 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citdc.ry11cit.local 389 (add)
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 389 (add)
update(nsupdate): SRV
_kerberos._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citdc.ry11cit.local 88
Calling nsupdate for SRV
_kerberos._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citdc.ry11cit.local 88 (add)
update(nsupdate): SRV
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 88
Calling nsupdate for SRV
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 88 (add)
update(nsupdate): SRV _ldap._tcp.pdc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 389
Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 389 (add)
update(nsupdate): A gc._msdcs.ry11cit.local 10.44.1.10
Calling nsupdate for A gc._msdcs.ry11cit.local 10.44.1.10 (add)
update(nsupdate): SRV _gc._tcp.ry11cit.local ry11citdc.ry11cit.local 3268
Calling nsupdate for SRV _gc._tcp.ry11cit.local ry11citdc.ry11cit.local
3268 (add)
update(nsupdate): SRV _ldap._tcp.gc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 3268
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 3268 (add)
update(nsupdate): SRV
_gc._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citdc.ry11cit.local 3268
Calling nsupdate for SRV
_gc._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citdc.ry11cit.local 3268 (add)
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 3268
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ry11cit.local
ry11citdc.ry11cit.local 3268 (add)
update(nsupdate): A DomainDnsZones.ry11cit.local 10.44.1.10
Calling nsupdate for A DomainDnsZones.ry11cit.local 10.44.1.10 (add)
update(nsupdate): SRV _ldap._tcp.DomainDnsZones.ry11cit.local
ry11citdc.ry11cit.local 389
Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.ry11cit.local
ry11citdc.ry11cit.local 389 (add)
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ry11cit.local
ry11citdc.ry11cit.local 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ry11cit.local
ry11citdc.ry11cit.local 389 (add)
update(nsupdate): A ForestDnsZones.ry11cit.local 10.44.1.10
Calling nsupdate for A ForestDnsZones.ry11cit.local 10.44.1.10 (add)
update(nsupdate): SRV _ldap._tcp.ForestDnsZones.ry11cit.local
ry11citdc.ry11cit.local 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.ry11cit.local
ry11citdc.ry11cit.local 389 (add)
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ry11cit.local
ry11citdc.ry11cit.local 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ry11cit.local
ry11citdc.ry11cit.local 389 (add)


Backup (Standby) Active Directory Domain
Controler:---------------------------------------------------------------------------------------------------

krb5.conf:

[libdefaults]
     default_realm = RY11CIT.LOCAL
     dns_lookup_realm = false
     dns_lookup_kdc = true

[realms]
RY11CIT.LOCAL = {
     kdc = ry11citsdc.ry11cit.local
     admin_server = ry11citsdc.ry11cit.local
     default_domain = ry11cit.local
}

named.conf:------------------------

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

named.conf.options:-----------------------

options {
     directory "/var/cache/bind";

     dnssec-validation auto;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { none; };
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

smb.conf:------------------------------

# Global parameters
[global]
     netbios name = RY11CITSDC
     realm = RY11CIT.LOCAL
     workgroup = RY11CIT

     server role = active directory domain controller

[netlogon]
     path = /var/lib/samba/sysvol/ry11cit.local/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No


Samba join:----------------------------

samba-tool domain join RY11CIT DC -Uadministrator --realm=RY11CIT.LOCAL
--dns-backend=BIND9_DLZ --adminpass='.....'


samba_dnsupdate --verbose --all-names
:-------------------------------------------------------------------------

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ry11citsdc.ry11cit.local. 900    IN    A    10.44.1.9

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ry11cit.local.        900    IN    NS    ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_msdcs.ry11cit.local.    900    IN    NS ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ry11cit.local.        900    IN    A    10.44.1.9

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ry11cit.local. 900    IN    SRV    0 100 389
ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.ry11cit.local. 900    IN SRV    0 100 389
ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.34eb2e7d-db48-48bc-8b5c-0cb16db7afa7.domains._msdcs.ry11cit.local.
900 IN SRV 0 100 389 ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.ry11cit.local. 900 IN    SRV    0 100 88
ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.ry11cit.local. 900 IN    SRV    0 100 88
ry11citsdc.ry11cit.local.

IPs: ['10.44.1.9']
force update: A ry11citsdc.ry11cit.local 10.44.1.9
force update: NS ry11cit.local ry11citsdc.ry11cit.local
force update: NS _msdcs.ry11cit.local ry11citsdc.ry11cit.local
force update: A ry11cit.local 10.44.1.9
force update: SRV _ldap._tcp.ry11cit.local ry11citsdc.ry11cit.local 389
force update: SRV _ldap._tcp.dc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 389
force update: SRV
_ldap._tcp.34eb2e7d-db48-48bc-8b5c-0cb16db7afa7.domains._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 389
force update: SRV _kerberos._tcp.ry11cit.local ry11citsdc.ry11cit.local 88
force update: SRV _kerberos._udp.ry11cit.local ry11citsdc.ry11cit.local 88
force update: SRV _kerberos._tcp.dc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 88
force update: SRV _kpasswd._tcp.ry11cit.local ry11citsdc.ry11cit.local 464
force update: SRV _kpasswd._udp.ry11cit.local ry11citsdc.ry11cit.local 464
force update: CNAME
a5df439f-014c-455a-a12b-1c84b6fa466e._msdcs.ry11cit.local
ry11citsdc.ry11cit.local
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citsdc.ry11cit.local 389
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 389
force update: SRV
_kerberos._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citsdc.ry11cit.local 88
force update: SRV
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 88
force update: A gc._msdcs.ry11cit.local 10.44.1.9
force update: SRV _gc._tcp.ry11cit.local ry11citsdc.ry11cit.local 3268
force update: SRV _ldap._tcp.gc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citsdc.ry11cit.local 3268
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 3268
force update: A DomainDnsZones.ry11cit.local 10.44.1.9
force update: SRV _ldap._tcp.DomainDnsZones.ry11cit.local
ry11citsdc.ry11cit.local 389
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ry11cit.local
ry11citsdc.ry11cit.local 389
force update: A ForestDnsZones.ry11cit.local 10.44.1.9
force update: SRV _ldap._tcp.ForestDnsZones.ry11cit.local
ry11citsdc.ry11cit.local 389
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ry11cit.local
ry11citsdc.ry11cit.local 389
28 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/ry11citdc.ry11cit.local as
RY11CITSDC$
update(nsupdate): A ry11citsdc.ry11cit.local 10.44.1.9
Calling nsupdate for A ry11citsdc.ry11cit.local 10.44.1.9 (add)
update(nsupdate): NS ry11cit.local ry11citsdc.ry11cit.local
Calling nsupdate for NS ry11cit.local ry11citsdc.ry11cit.local (add)
update(nsupdate): NS _msdcs.ry11cit.local ry11citsdc.ry11cit.local
Calling nsupdate for NS _msdcs.ry11cit.local ry11citsdc.ry11cit.local (add)
update(nsupdate): A ry11cit.local 10.44.1.9
Calling nsupdate for A ry11cit.local 10.44.1.9 (add)
update(nsupdate): SRV _ldap._tcp.ry11cit.local ry11citsdc.ry11cit.local 389
Calling nsupdate for SRV _ldap._tcp.ry11cit.local
ry11citsdc.ry11cit.local 389 (add)
update(nsupdate): SRV _ldap._tcp.dc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 389
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 389 (add)
update(nsupdate): SRV
_ldap._tcp.34eb2e7d-db48-48bc-8b5c-0cb16db7afa7.domains._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 389
Calling nsupdate for SRV
_ldap._tcp.34eb2e7d-db48-48bc-8b5c-0cb16db7afa7.domains._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 389 (add)
update(nsupdate): SRV _kerberos._tcp.ry11cit.local
ry11citsdc.ry11cit.local 88
Calling nsupdate for SRV _kerberos._tcp.ry11cit.local
ry11citsdc.ry11cit.local 88 (add)
update(nsupdate): SRV _kerberos._udp.ry11cit.local
ry11citsdc.ry11cit.local 88
Calling nsupdate for SRV _kerberos._udp.ry11cit.local
ry11citsdc.ry11cit.local 88 (add)
update(nsupdate): SRV _kerberos._tcp.dc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 88
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.ry11cit.local
ry11citsdc.ry11ciOutgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.ry11cit.local.    900 IN SRV 0 100 88
ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.ry11cit.local. 900 IN    SRV    0 100 464
ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.ry11cit.local. 900 IN    SRV    0 100 464
ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
a5df439f-014c-455a-a12b-1c84b6fa466e._msdcs.ry11cit.local. 900 IN
CNAME    ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ry11cit.local. 900 IN SRV 0
100 389 ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local. 900
IN SRV 0 100 389 ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.ry11cit.local. 900 IN
SRV    0 100 88 ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local.
900 IN SRV 0 100 88 ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.ry11cit.local. 900    IN    A    10.44.1.9

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.ry11cit.local.    900    IN    SRV    0 100 3268
ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.ry11cit.local. 900    IN SRV    0 100 3268
ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.Default-First-Site-Name._sites.ry11cit.local. 900 IN SRV 0 100
3268 ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ry11cit.local. 900
IN SRV 0 100 3268 ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DomainDnsZones.ry11cit.local. 900 IN    A    10.44.1.9

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.DomainDnsZones.ry11cit.local. 900 IN    SRV 0 100 389
ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ry11cit.local.
900 IN SRV 0 100 389 ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.ry11cit.local. 900 IN    A    10.44.1.9

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.ry11cit.local. 900 IN    SRV 0 100 389
ry11citsdc.ry11cit.local.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ry11cit.local.
900 IN SRV 0 100 389 ry11citsdc.ry11cit.local.

t.local 88 (add)
update(nsupdate): SRV _kpasswd._tcp.ry11cit.local
ry11citsdc.ry11cit.local 464
Calling nsupdate for SRV _kpasswd._tcp.ry11cit.local
ry11citsdc.ry11cit.local 464 (add)
update(nsupdate): SRV _kpasswd._udp.ry11cit.local
ry11citsdc.ry11cit.local 464
Calling nsupdate for SRV _kpasswd._udp.ry11cit.local
ry11citsdc.ry11cit.local 464 (add)
update(nsupdate): CNAME
a5df439f-014c-455a-a12b-1c84b6fa466e._msdcs.ry11cit.local
ry11citsdc.ry11cit.local
Calling nsupdate for CNAME
a5df439f-014c-455a-a12b-1c84b6fa466e._msdcs.ry11cit.local
ry11citsdc.ry11cit.local (add)
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citsdc.ry11cit.local 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citsdc.ry11cit.local 389 (add)
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 389 (add)
update(nsupdate): SRV
_kerberos._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citsdc.ry11cit.local 88
Calling nsupdate for SRV
_kerberos._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citsdc.ry11cit.local 88 (add)
update(nsupdate): SRV
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 88
Calling nsupdate for SRV
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 88 (add)
update(nsupdate): A gc._msdcs.ry11cit.local 10.44.1.9
Calling nsupdate for A gc._msdcs.ry11cit.local 10.44.1.9 (add)
update(nsupdate): SRV _gc._tcp.ry11cit.local ry11citsdc.ry11cit.local 3268
Calling nsupdate for SRV _gc._tcp.ry11cit.local ry11citsdc.ry11cit.local
3268 (add)
update(nsupdate): SRV _ldap._tcp.gc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 3268
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 3268 (add)
update(nsupdate): SRV
_gc._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citsdc.ry11cit.local 3268
Calling nsupdate for SRV
_gc._tcp.Default-First-Site-Name._sites.ry11cit.local
ry11citsdc.ry11cit.local 3268 (add)
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 3268
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ry11cit.local
ry11citsdc.ry11cit.local 3268 (add)
update(nsupdate): A DomainDnsZones.ry11cit.local 10.44.1.9
Calling nsupdate for A DomainDnsZones.ry11cit.local 10.44.1.9 (add)
update(nsupdate): SRV _ldap._tcp.DomainDnsZones.ry11cit.local
ry11citsdc.ry11cit.local 389
Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.ry11cit.local
ry11citsdc.ry11cit.local 389 (add)
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ry11cit.local
ry11citsdc.ry11cit.local 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ry11cit.local
ry11citsdc.ry11cit.local 389 (add)
update(nsupdate): A ForestDnsZones.ry11cit.local 10.44.1.9
Calling nsupdate for A ForestDnsZones.ry11cit.local 10.44.1.9 (add)
update(nsupdate): SRV _ldap._tcp.ForestDnsZones.ry11cit.local
ry11citsdc.ry11cit.local 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.ry11cit.local
ry11citsdc.ry11cit.local 389 (add)
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ry11cit.local
ry11citsdc.ry11cit.local 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ry11cit.local
ry11citsdc.ry11cit.local 389 (add)

--

*Ing. Jiří Knotek*
programátor

*GEMA s.r.o. Automatizace technologických procesů*

Doubravice 13, Pardubice 19, 53353
Tel: +420604570127
E-mail: [hidden email] <mailto:[hidden email]>
Web:www.gemapce.cz <http://www.gemapce.cz/>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Mon, 11 Dec 2017 14:33:48 +0100
Jiří Knotek via samba <[hidden email]> wrote:

> Hello,
>
> Replication from backup Active Directory Domain Controler to primary
> Active Directory Domain Controler does not work, reporting error '
> WERR_BADFILE '. The reverse works.

You do not have a backup AD DC, or a primary AD DC, you just have two
AD DCs

There is something strange here, you seem to be running the commands on
the same DC, the first time it works, then it cannot find the command,
then after you switched the order of the DCs to replicate to & from,
it throws an error

> First Active Directory Domain Controler:
>
> krb5.conf:
>
> [libdefaults]
>      default_realm = RY11CIT.LOCAL
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
>

You only need the above

You haven't set any forwarders.

Why haven't you got a 'server services' line ?
you should have if you are using Bind9


 
>
> Another (Standby) Active Directory Domain Controler:

What do mean by 'standby' ?

>
> krb5.conf:
>
> [libdefaults]
>      default_realm = RY11CIT.LOCAL
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
>

You only need the above


> [realms]

 named.conf.options:-----------------------
Still no forwarders

Again there is no 'server services' line

Finally, I see that you are not aware that using '.local' is a bad
idea.

Rowland
 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Hello Rowland,
     thank You for a quick response.


On 11. 12. 2017 15:48, Rowland Penny via samba wrote:
OK, thank you for correcting the nomenclature

I copied it badly, I corrected it. The second command demonstrates
malfunctioning replication.
OK, i corrected it.

My network has only 10 stations and can not access the Internet. I just
need Windows domain users. Bind9 I chose for future use.
Because of
"https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html" they
write that "Default: //|server services|/ = |s3fs rpc nbt wrepl ldap
cldap kdc drepl winbind ntp_signd kcc dnsupdate dns| /".

But according to
"https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC"
here I will add "server services = -dns". It is correct?
>
>  
>> Another (Standby) Active Directory Domain Controler:
> What do mean by 'standby' ?
Standby server is an expression using SCADA / HMI SW CitectSCADA. It's a
DC backup, here one DC.
>> krb5.conf:
>>
>> [libdefaults]
>>       default_realm = RY11CIT.LOCAL
>>       dns_lookup_realm = false
>>       dns_lookup_kdc = true
>>
> You only need the above
OK, i corrected it. My network has only 10 stations and can not access the Internet. I just
need Windows domain users. Bind9 I chose for future use. Because of
"https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html" they
write that "Default: //|server services|/ = |s3fs rpc nbt wrepl ldap
cldap kdc drepl winbind ntp_signd kcc dnsupdate dns| /".

But according to
"https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC"
here I will add "server services = -dns". It is correct?
>  
>
> Finally, I see that you are not aware that using '.local' is a bad
> idea.
My network has only 10 stations and can not access the Internet. I
thought that .local is just a name. Do you recommend a different name?
>
> Rowland
>  
>

Unfortunately, the changes made did not correct replication from
ry11citsdc to ry11citdc. Do you have any other advice or do you need
more information?

Thanks J.Knotek

--

*Ing. Jiří Knotek*
programátor

*GEMA s.r.o. Automatizace technologických procesů*

Doubravice 13, Pardubice 19, 53353
Tel: +420604570127
E-mail: [hidden email] <mailto:[hidden email]>
Web:www.gemapce.cz <http://www.gemapce.cz/>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Mon, 11 Dec 2017 21:59:58 +0100
Jiří Knotek via samba <[hidden email]> wrote:

> Hello Rowland,
>      thank You for a quick response.
>
>

> > You haven't set any forwarders.
>
> My network has only 10 stations and can not access the Internet. I
> just need Windows domain users. Bind9 I chose for future use.

OK, I can understand the lack of forwarders.

If you provisioned with '--dns-backend=BIND9_DLZ' , you would have
found a 'server services' line in smb.conf and it would have look this:

server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate

Note the lack of 'dns' on the end, you can however write this as:

server services = -dns

Both lines mean the same thing, you are going to use BIND9_DLZ and not
to run the internal dns server. Without one of the two lines, the
internal dns server will be run and as you also seem to be running
Bind9, you will now have two dns servers trying to claim port 53.

Rowland



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Hello Rowland,

     thank you for advice. I reconfigure both AC-DCs again with new data
and send updated data. Unfortunately, the result is the same. I'm also
sending a listing from

samba-setup-checkup.sh.

  * Linux: Raspbian, debian stretch lite
  * Samba version 4.5.12-Debian
  * DNS: BIND9_DLZ 9.10.x
  * Installed packages: ntp ntpdate samba smbclient winbind libcups2
samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user

*root@ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citsdc
ry11citdc dc=ry11cit,dc=lan*
Replicate from ry11citdc to ry11citsdc was successful.

*root@ry11citdc:/home/pi/Ry11# samba-tool drs replicate ry11citdc
ry11citsdc dc=ry11cit,dc=lan*
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
368, in run
     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
source_dsa_guid, NC, req_options)
   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83,
in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)


*root@ry11citdc:/home/pi/Ry11# bash samba-setup-checkup.sh*
Check hostnames : Mismatch in hostname definitions
please check :
HOST_NAME_SHORT: ry11citdc
HOST_NAME_DOMAIN:
HOST_NAME_FQDN: ry11citdc
HOST_IP1: 10.44.1.10
HOST_IP2: Only one interface detected
HOST_GATEWAY: 10.44.1.1
HOST_PRIMARY_INTERFACE: 10.44.1.1
eth0
HOST_RESOLV_DOMAIN: domain ry11cit.lan
HOST_RESOLV_SEARCH: search ry11cit.lan
HOST_RESOLV_NAMESERV1: 10.44.1.10
HOST_RESOLV_NAMESERV2: 10.44.1.9
HOST_RESOLV_NAMESERV3:
Possible error detected in /etc/hosts, mismatch FQDN and detected IP
10.44.1.10 for the host.
expected was : 10.44.1.10 ry11citdc ry11citdc
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 10.44.1.1 : Error
ping nameserver1: 10.44.1.10 : Ok
ping nameserver2: 10.44.1.9 : Ok
Check ping google dns : 8.8.8.8 : Error
Checking file owner..
-rw-r--r-- pi pi         /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- pi pi         /etc/samba/lmhosts
Checking file owner..
Missing file /etc/samba/smbpasswd
drwxr-xr-x root root     /usr/bin
drwxr-xr-x root root     /var/cache/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf
drwxr-xr-x root root     /var/run/samba
drwxr-x--- root adm      /var/log/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf/samba
drwxr-xr-x root root     /var/run/samba
drwxr-xr-x root root     /var/lib/samba/private
drwxr-xr-x root root     /usr/sbin
drwxr-xr-x root root     /var/lib/samba
DCS 2(SERVFAIL
DC1 2(SERVFAIL
DC2
ERROR: Invalid IP address '2(SERVFAIL'!
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = ry11citdc (hostname -s and /etc/hosts
and DNS server)
This server FQDN (hostname)   = ry11citdc (hostname -f and /etc/hosts
and DNS server)
This server primary dnsdomain =  (hostname -d and /etc/resolv.conf and
DNS server)
This server IP address(ses)   = 10.44.1.10  Only one interface detected
(hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        = RY11CITDC (samba-tool fsmo show)
The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo
show)
The Default Naming Context    = DC=ry11cit,DC=lan (samba-tool fsmo show)
The Kerberos REALM name used  = RY11CIT.LAN    (kinit and /etc/krb5.conf
and resolving)
The Ipadres of DC 2(SERVFAIL        = 2(SERVFAIL)
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver


*I did not come to the way the hostname -d command would return the
domain name. How can I do that? In addition, there are host, lmhost,
resolv.conf, and so on**
*

Please help, I don 't know the advice.

System integrator Jiří Knotek


"Primary" Active Directory Domain
Controler:---------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------------------------------------


hostname:-----------------
ry11citdc.ry11cit.lan

hosts:---------------
127.0.0.1    localhost localhost.localdomain
10.44.1.10    ry11citdc ry11citdc.ry11cit.lan
10.44.1.9     ry11citsdc ry11citsdc.ry11cit.lan

resolv.conf.head:-------------------
domain ry11cit.lan
search ry11cit.lan

systemctl.conf"--------------------
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6=1



krb5.conf:------------

[libdefaults]
     default_realm = RY11CIT.LAN
     dns_lookup_realm = false
     dns_lookup_kdc = true

named.conf:------------------------

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

named.conf.options:-----------------------

options {
     directory "/var/cache/bind";

     dnssec-validation auto;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { none; };
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

lmhost:--------------------------
127.0.0.1   localhost
10.44.1.10  ry11citdc
10.44.1.9   ry11citsdc

smb.conf:------------------------------

# Global parameters
[global]
     netbios name = RY11CITDC
     realm = RY11CIT.LAN
     server services = -dns
     workgroup = RY11CIT
     server role = active directory domain controller

[netlogon]
     path = /var/lib/samba/sysvol/ry11cit.lan/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

Samba Provision---------------:

     samba-tool domain provision --realm=RY11CIT.LAN --domain=RY11CIT
--server-role=dc --dns-backend=BIND9_DLZ --adminpass='.....'

"Backup / Standby" Active Directory Domain
Controler:---------------------------------------------------------------------------------------------------


-----------------------------------------------------------------------------------------------------------------------------------------------------


hostname:-----------------
ry11citsdc.ry11cit.lan

hosts:---------------
127.0.0.1    localhost localhost.localdomain
10.44.1.10    ry11citdc ry11citdc.ry11cit.lan
10.44.1.9     ry11citsdc ry11citsdc.ry11cit.lan

resolv.conf.head:-------------------
domain ry11cit.lan
search ry11cit.lan

systemctl.conf"--------------------
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6=1



krb5.conf:------------

[libdefaults]
     default_realm = RY11CIT.LAN
     dns_lookup_realm = false
     dns_lookup_kdc = true

named.conf:------------------------

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

named.conf.options:-----------------------

options {
     directory "/var/cache/bind";

     dnssec-validation auto;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { none; };
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

lmhost:--------------------------
127.0.0.1   localhost
10.44.1.10  ry11citdc
10.44.1.9   ry11citsdc

smb.conf:------------------------------

# Global parameters
[global]
     netbios name = RY11CITSDC
     realm = RY11CIT.LAN
     server services = -dns
     workgroup = RY11CIT
     server role = active directory domain controller

[netlogon]
     path = /var/lib/samba/sysvol/ry11cit.lan/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

Samba join---------------:

        samba-tool domain join RY11CIT DC -Uadministrator
--realm=RY11CIT.LAN --dns-backend=BIND9_DLZ --adminpass='.....'


Thanks Jiri Knotek


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Great you use my script :-)
Now we know something is wrong, run this one.

https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh 
And post the content to the list, that helps a lot.

Greetz,

Louis

 


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Ow and..

Your hosts files are incorrect.
Layout should be :
ip hostname.fqdn hostname

So this should be :
> 10.44.1.10  ry11citdc.ry11cit.lan ry11citdc
> 10.44.1.9   ry11citsdc.ry11cit.lan ry11citsdc
Reboot both servers after the change.


Greetz,

Louis

ollect-debug-info.sh

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

See inline comments:

On Wed, 13 Dec 2017 10:13:52 +0100
Jiří Knotek via samba <[hidden email]> wrote:

This should be just the short hostname
In this case 'ry11citdc'

>
> hosts:---------------
> 127.0.0.1    localhost localhost.localdomain
> 10.44.1.10    ry11citdc ry11citdc.ry11cit.lan
> 10.44.1.9     ry11citsdc ry11citsdc.ry11cit.lan

This should be:

127.0.0.1    localhost
10.44.1.10   ry11citdc.ry11cit.lan ry11citdc

>
> resolv.conf.head:-------------------
> domain ry11cit.lan
> search ry11cit.lan

What is 'resolv.conf.head' ?
Do you have the resolvconf package installed ?
if so, remove it and the create an /etc/resolv.conf file with this
content:

search ry11cit.lan
nameserver 10.44.1.10

not required

should be just 'ry11citsdc'

>
> hosts:---------------
> 127.0.0.1    localhost localhost.localdomain
> 10.44.1.10    ry11citdc ry11citdc.ry11cit.lan
> 10.44.1.9     ry11citsdc ry11citsdc.ry11cit.lan

should be:

127.0.0.1    localhost
10.44.1.9   ry11citsdc.ry11cit.lan ry11citsdc

>
> resolv.conf.head:-------------------
> domain ry11cit.lan
> search ry11cit.lan
>

/etc/resolv.conf should be:

search ry11cit.lan
nameserver 10.44.1.9

Not required

You haven't provisioned with '--use-rfc2307'
I suggest you go and read this:
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Wed, 13 Dec 2017 10:52:38 +0100
"L.P.H. van Belle via samba" <[hidden email]> wrote:

Correct, but wrong at the same time ;-)

You should only have the DCs own information in /etc/hosts, the DC
should find any other DCs by dns, not by /etc/hosts.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Hallo Louis,

     thanks for the response.

Yes, change on ry11citsdc, now hostname -d works correctly. Somewhere I
saw the opposite entry. Thanks for the repair. Samba-setup-checkup.sh
follows:----------------------------------------------------

pi@ry11citsdc:~ $ bash /home/pi/Ry11/samba-setup-checkup.sh
Check hostnames : Ok
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 10.44.1.1 : Error
ping nameserver1: 10.44.1.9 : Ok
ping nameserver2: 10.44.1.10 : Ok
Check ping google dns : 8.8.8.8 : Error
Checking file owner..
-rw-r--r-- pi pi         /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- pi pi         /etc/samba/lmhosts
Checking file owner..
Missing file /etc/samba/smbpasswd
drwxr-xr-x root root     /usr/bin
drwxr-xr-x root root     /var/cache/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf
drwxr-xr-x root root     /var/run/samba
drwxr-x--- root adm      /var/log/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf/samba
drwxr-xr-x root root     /var/run/samba
drwxr-xr-x root root     /var/lib/samba/private
drwxr-xr-x root root     /usr/sbin
drwxr-xr-x root root     /var/lib/samba
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open
file /var/lib/samba/private/sam.ldb: Permission denied

Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend
'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission
denied
ERROR(ldb): uncaught exception - Unable to open tdb
'/var/lib/samba/private/sam.ldb': Permission denied
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
438, in run
     credentials=creds, lp=lp)
   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 57, in
__init__
     options=options)
   File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115,
in __init__
     self.connect(url, flags, options)
   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 72, in
connect
     options=options)
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open
file /var/lib/samba/private/sam.ldb: Permission denied

Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend
'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission
denied
ERROR(ldb): uncaught exception - Unable to open tdb
'/var/lib/samba/private/sam.ldb': Permission denied
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
438, in run
     credentials=creds, lp=lp)
   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 57, in
__init__
     options=options)
   File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115,
in __init__
     self.connect(url, flags, options)
   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 72, in
connect
     options=options)
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open
file /var/lib/samba/private/sam.ldb: Permission denied

Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend
'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission
denied
ERROR(ldb): uncaught exception - Unable to open tdb
'/var/lib/samba/private/sam.ldb': Permission denied
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
438, in run
     credentials=creds, lp=lp)
   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 57, in
__init__
     options=options)
   File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115,
in __init__
     self.connect(url, flags, options)
   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 72, in
connect
     options=options)
DCS ry11citsdc.ry11cit.lan
ry11citdc.ry11cit.lan
DC1 ry11citsdc.ry11cit.lan
DC2 ry11citdc.ry11cit.lan
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = ry11citsdc (hostname -s and /etc/hosts
and DNS server)
This server FQDN (hostname)   = ry11citsdc.ry11cit.lan (hostname -f and
/etc/hosts and DNS server)
This server primary dnsdomain = ry11cit.lan (hostname -d and
/etc/resolv.conf and DNS server)
This server IP address(ses)   = 10.44.1.9  Only one interface detected
(hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        =  (samba-tool fsmo show)
The DC (with FSMO) Site name  =  (samba-tool fsmo show)
The Default Naming Context    =  (samba-tool fsmo show)
The Kerberos REALM name used  = RY11CIT.LAN    (kinit and /etc/krb5.conf
and resolving)
The Ipadres of DC ry11citsdc.ry11cit.lan        = 10.44.1.9
The Ipadres of DC ry11citdc.ry11cit.lan        = 10.44.1.10
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver


file
samba-debug-info.txt:---------------------------------------------------------------------------------------------

an error occurred while running:

pi@ry11citsdc:~ $ bash /home/pi/Ry11/samba-collect-debug-info.sh
Please wait, collecting debug info.
ERROR(runtime): uncaught exception - (-1073741606, 'Configuration
information could not be read from the domain controller, either because
the machine is unavailable or access has been
d                                enied.')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line
812, in run
     self.creds = credopts.get_credentials(self.lp)
   File "/usr/lib/python2.7/dist-packages/samba/getopt.py", line 212, in
get_credentials
     self.creds.set_machine_account(lp)
The debug info about your system can be found in this file:
/tmp/samba-debug-info.txt


Collected config  --- 2017-12-13-11:27 -----------

Hostname: ry11citsdc
DNS Domain: ry11cit.lan
FQDN: ry11citsdc.ry11cit.lan
ipaddress: 10.44.1.9

-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
     link/ether b8:27:eb:9d:64:eb brd ff:ff:ff:ff:ff:ff
     inet 10.44.1.9/16 brd 10.44.255.255 scope global eth0
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast
state DOWN group default qlen 1000
     link/ether b8:27:eb:c8:31:be brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost.localdomain localhost
10.44.1.10 ry11citdc.ry11cit.lan ry11citdc
10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc

-----------
Checking file: /etc/krb5.conf
[libdefaults]
     default_realm = RY11CIT.LAN
     dns_lookup_realm = false
     dns_lookup_kdc = true

-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
     netbios name = RY11CITSDC
     realm = RY11CIT.LAN
     server services = -dns
     workgroup = RY11CIT
     server role = active directory domain controller

[netlogon]
     path = /var/lib/samba/sysvol/ry11cit.lan/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

-----------
No username map detected.

-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in
/etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

-----------
Checking file: /etc/bind/named.conf.options
options {
     directory "/var/cache/bind";

     // If there is a firewall between you and nameservers you want
     // to talk to, you may need to fix the firewall to allow multiple
     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

     // If your ISP provided one or more IP addresses for stable
     // nameservers, you probably want to use them as forwarders.
     // Uncomment the following block, and insert the addresses replacing
     // the all-0's placeholder.

     // forwarders {
     //     0.0.0.0;
     // };

//========================================================================
     // If BIND logs error messages about the root key being expired,
     // you will need to update your keys.  See
https://www.isc.org/bind-keys
//========================================================================
     dnssec-validation auto;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { none; };
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};


-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
     type hint;
     file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
     type master;
     file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
     type master;
     file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
     type master;
     file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
     type master;
     file "/etc/bind/db.255";
};



-----------

Installed packages, running: dpkg -l | egrep
"samba|winbind|krb5|smb|acl|xattr"
ii  acl 2.2.52-3                     armhf        Access control list
utilities
ii  krb5-config 2.6                          all          Configuration
files for Kerberos Version 5
ii  krb5-user 1.15-1+deb9u1                armhf        basic programs
to authenticate using MIT Kerberos
ii  libacl1:armhf 2.2.52-3                     armhf        Access
control list shared library
ii  libgssapi-krb5-2:armhf 1.15-1+deb9u1                armhf        MIT
Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:armhf 1.15-1+deb9u1                armhf        MIT
Kerberos runtime libraries
ii  libkrb5support0:armhf 1.15-1+deb9u1                armhf        MIT
Kerberos runtime libraries - Support library
ii  libsmbclient:armhf 2:4.5.12+dfsg-2+deb9u1       armhf        shared
library for communication with SMB/CIFS servers
ii  libwbclient0:armhf 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
winbind client library
ii  python-samba 2:4.5.12+dfsg-2+deb9u1       armhf        Python
bindings for Samba
ii  samba 2:4.5.12+dfsg-2+deb9u1       armhf        SMB/CIFS file,
print, and login server for Unix
ii  samba-common 2:4.5.12+dfsg-2+deb9u1       all          common files
used by both the Samba server and client
ii  samba-common-bin 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
common files used by both the server and the client
ii  samba-dsdb-modules 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
Directory Services Database
ii  samba-libs:armhf 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
core libraries
ii  samba-vfs-modules 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
Virtual FileSystem plugins
ii  smbclient 2:4.5.12+dfsg-2+deb9u1       armhf        command-line
SMB/CIFS clients for Unix
ii  winbind 2:4.5.12+dfsg-2+deb9u1       armhf        service to resolve
user and group information from Windows NT servers
-----------

Thanks Jiri Knotek


On 13. 12. 2017 10:52, L.P.H. van Belle via samba wrote:
--

*Ing. Jiří Knotek*
programátor

*GEMA s.r.o. Automatizace technologických procesů*

Doubravice 13, Pardubice 19, 53353
Tel: +420604570127
E-mail: [hidden email] <mailto:[hidden email]>
Web:www.gemapce.cz <http://www.gemapce.cz/>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Hai,

Both script where missing "run as root".
I've update the github versions.

Can you run that these again, but as root or with sudo.
And post the content again.


Greetz,

Louis



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Hallo Louis,

I am sorry. I forgot to login as a root, I hurried.


10.44.1.10 is gateway on destination site, there is not available.


"Primary" Active Directory Domain Controler:
-------------------------------------------------------------------------------------------------------------

root@ry11citdc:~# bash /home/pi/Ry11/samba-setup-checkup.sh
Check hostnames : Ok
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 10.44.1.1 : Error
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver1: 10.44.1.10 : Ok
ping nameserver2: 10.44.1.9 : Ok
Check ping google dns : 8.8.8.8 : Error
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- pi pi         /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- pi pi         /etc/samba/lmhosts
Checking file owner..
Missing file /etc/samba/smbpasswd
drwxr-xr-x root root     /usr/bin
drwxr-xr-x root root     /var/cache/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf
drwxr-xr-x root root     /var/run/samba
drwxr-x--- root adm      /var/log/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf/samba
drwxr-xr-x root root     /var/run/samba
drwxr-xr-x root root     /var/lib/samba/private
drwxr-xr-x root root     /usr/sbin
drwxr-xr-x root root     /var/lib/samba
DCS ry11citdc.ry11cit.lan
DC1 ry11citdc.ry11cit.lan
DC2
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = ry11citdc (hostname -s and /etc/hosts
and DNS server)
This server FQDN (hostname)   = ry11citdc.ry11cit.lan (hostname -f and
/etc/hosts and DNS server)
This server primary dnsdomain = ry11cit.lan (hostname -d and
/etc/resolv.conf and DNS server)
This server IP address(ses)   = 10.44.1.10  Only one interface detected
(hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        = RY11CITDC (samba-tool fsmo show)
The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo
show)
The Default Naming Context    = DC=ry11cit,DC=lan (samba-tool fsmo show)
The Kerberos REALM name used  = RY11CIT.LAN    (kinit and /etc/krb5.conf
and resolving)
The Ipadres of DC ry11citdc.ry11cit.lan        = 10.44.1.10
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver


file samba-debug-info.txt:---------------------------------

Collected config  --- 2017-12-13-13:02 -----------

Hostname: ry11citdc
DNS Domain: ry11cit.lan
FQDN: ry11citdc.ry11cit.lan
ipaddress: 10.44.1.10

-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
     link/ether b8:27:eb:69:ac:e4 brd ff:ff:ff:ff:ff:ff
     inet 10.44.1.10/16 brd 10.44.255.255 scope global eth0
-----------
Checking file: /etc/hosts
127.0.0.1 localhost.localdomain localhost
10.44.1.10 ry11citdc.ry11cit.lan ry11citdc
10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc

-----------
Checking file: /etc/krb5.conf
[libdefaults]
     default_realm = RY11CIT.LAN
     dns_lookup_realm = false
     dns_lookup_kdc = true

-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
     netbios name = RY11CITDC
     realm = RY11CIT.LAN
     server services = -dns
     workgroup = RY11CIT
     server role = active directory domain controller

[netlogon]
     path = /var/lib/samba/sysvol/ry11cit.lan/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

-----------
No username map detected.

-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in
/etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

-----------
Checking file: /etc/bind/named.conf.options
options {
     directory "/var/cache/bind";

     // If there is a firewall between you and nameservers you want
     // to talk to, you may need to fix the firewall to allow multiple
     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

     // If your ISP provided one or more IP addresses for stable
     // nameservers, you probably want to use them as forwarders.
     // Uncomment the following block, and insert the addresses replacing
     // the all-0's placeholder.

     // forwarders {
     //     0.0.0.0;
     // };

//========================================================================
     // If BIND logs error messages about the root key being expired,
     // you will need to update your keys.  See
https://www.isc.org/bind-keys
//========================================================================
     dnssec-validation auto;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { none; };
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};


-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
     type hint;
     file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
     type master;
     file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
     type master;
     file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
     type master;
     file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
     type master;
     file "/etc/bind/db.255";
};



-----------

Installed packages, running: dpkg -l | egrep
"samba|winbind|krb5|smb|acl|xattr"
ii  acl 2.2.52-3                     armhf        Access control list
utilities
ii  krb5-config 2.6                          all          Configuration
files for Kerberos Version 5
ii  krb5-user 1.15-1+deb9u1                armhf        basic programs
to authenticate using MIT Kerberos
ii  libacl1:armhf 2.2.52-3                     armhf        Access
control list shared library
ii  libgssapi-krb5-2:armhf 1.15-1+deb9u1                armhf        MIT
Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:armhf 1.15-1+deb9u1                armhf        MIT
Kerberos runtime libraries
ii  libkrb5support0:armhf 1.15-1+deb9u1                armhf        MIT
Kerberos runtime libraries - Support library
ii  libsmbclient:armhf 2:4.5.12+dfsg-2+deb9u1       armhf        shared
library for communication with SMB/CIFS servers
ii  libwbclient0:armhf 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
winbind client library
ii  python-samba 2:4.5.12+dfsg-2+deb9u1       armhf        Python
bindings for Samba
ii  samba 2:4.5.12+dfsg-2+deb9u1       armhf        SMB/CIFS file,
print, and login server for Unix
ii  samba-common 2:4.5.12+dfsg-2+deb9u1       all          common files
used by both the Samba server and client
ii  samba-common-bin 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
common files used by both the server and the client
ii  samba-dsdb-modules 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
Directory Services Database
ii  samba-libs:armhf 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
core libraries
ii  samba-vfs-modules 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
Virtual FileSystem plugins
ii  smbclient 2:4.5.12+dfsg-2+deb9u1       armhf        command-line
SMB/CIFS clients for Unix
ii  winbind 2:4.5.12+dfsg-2+deb9u1       armhf        service to resolve
user and group information from Windows NT servers
-----------




"Backup / Standby" Active Directory Domain Controler:
-------------------------------------------------------------------------------------------------------------

root@ry11citsdc:~# bash /home/pi/Ry11/samba-setup-checkup.sh
Check hostnames : Ok
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 10.44.1.1 : Error
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver1: 10.44.1.9 : Ok
ping nameserver2: 10.44.1.10 : Ok
Check ping google dns : 8.8.8.8 : Error
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- pi pi         /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- pi pi         /etc/samba/lmhosts
Checking file owner..
Missing file /etc/samba/smbpasswd
drwxr-xr-x root root     /usr/bin
drwxr-xr-x root root     /var/cache/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf
drwxr-xr-x root root     /var/run/samba
drwxr-x--- root adm      /var/log/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf/samba
drwxr-xr-x root root     /var/run/samba
drwxr-xr-x root root     /var/lib/samba/private
drwxr-xr-x root root     /usr/sbin
drwxr-xr-x root root     /var/lib/samba
DCS ry11citsdc.ry11cit.lan
ry11citdc.ry11cit.lan
DC1 ry11citsdc.ry11cit.lan
DC2 ry11citdc.ry11cit.lan
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = ry11citsdc (hostname -s and /etc/hosts
and DNS server)
This server FQDN (hostname)   = ry11citsdc.ry11cit.lan (hostname -f and
/etc/hosts and DNS server)
This server primary dnsdomain = ry11cit.lan (hostname -d and
/etc/resolv.conf and DNS server)
This server IP address(ses)   = 10.44.1.9  Only one interface detected
(hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        = RY11CITDC (samba-tool fsmo show)
The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo
show)
The Default Naming Context    = DC=ry11cit,DC=lan (samba-tool fsmo show)
The Kerberos REALM name used  = RY11CIT.LAN    (kinit and /etc/krb5.conf
and resolving)
The Ipadres of DC ry11citsdc.ry11cit.lan        = 10.44.1.9
The Ipadres of DC ry11citdc.ry11cit.lan        = 10.44.1.10
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver
root@ry11citsdc:~#


file samba-debug-info.txt:---------------------------------

Collected config  --- 2017-12-13-12:45 -----------

Hostname: ry11citsdc
DNS Domain: ry11cit.lan
FQDN: ry11citsdc.ry11cit.lan
ipaddress: 10.44.1.9

-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
     link/ether b8:27:eb:9d:64:eb brd ff:ff:ff:ff:ff:ff
     inet 10.44.1.9/16 brd 10.44.255.255 scope global eth0
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast
state DOWN group default qlen 1000
     link/ether b8:27:eb:c8:31:be brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost.localdomain localhost
10.44.1.10 ry11citdc.ry11cit.lan ry11citdc
10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc

-----------
Checking file: /etc/krb5.conf
[libdefaults]
     default_realm = RY11CIT.LAN
     dns_lookup_realm = false
     dns_lookup_kdc = true

-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
     netbios name = RY11CITSDC
     realm = RY11CIT.LAN
     server services = -dns
     workgroup = RY11CIT
     server role = active directory domain controller

[netlogon]
     path = /var/lib/samba/sysvol/ry11cit.lan/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

-----------
No username map detected.

-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in
/etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

-----------
Checking file: /etc/bind/named.conf.options
options {
     directory "/var/cache/bind";

     // If there is a firewall between you and nameservers you want
     // to talk to, you may need to fix the firewall to allow multiple
     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

     // If your ISP provided one or more IP addresses for stable
     // nameservers, you probably want to use them as forwarders.
     // Uncomment the following block, and insert the addresses replacing
     // the all-0's placeholder.

     // forwarders {
     //     0.0.0.0;
     // };

//========================================================================
     // If BIND logs error messages about the root key being expired,
     // you will need to update your keys.  See
https://www.isc.org/bind-keys
//========================================================================
     dnssec-validation auto;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { none; };
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};


-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
     type hint;
     file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
     type master;
     file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
     type master;
     file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
     type master;
     file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
     type master;
     file "/etc/bind/db.255";
};



-----------

Installed packages, running: dpkg -l | egrep
"samba|winbind|krb5|smb|acl|xattr"
ii  acl 2.2.52-3                     armhf        Access control list
utilities
ii  krb5-config 2.6                          all          Configuration
files for Kerberos Version 5
ii  krb5-user 1.15-1+deb9u1                armhf        basic programs
to authenticate using MIT Kerberos
ii  libacl1:armhf 2.2.52-3                     armhf        Access
control list shared library
ii  libgssapi-krb5-2:armhf 1.15-1+deb9u1                armhf        MIT
Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:armhf 1.15-1+deb9u1                armhf        MIT
Kerberos runtime libraries
ii  libkrb5support0:armhf 1.15-1+deb9u1                armhf        MIT
Kerberos runtime libraries - Support library
ii  libsmbclient:armhf 2:4.5.12+dfsg-2+deb9u1       armhf        shared
library for communication with SMB/CIFS servers
ii  libwbclient0:armhf 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
winbind client library
ii  python-samba 2:4.5.12+dfsg-2+deb9u1       armhf        Python
bindings for Samba
ii  samba 2:4.5.12+dfsg-2+deb9u1       armhf        SMB/CIFS file,
print, and login server for Unix
ii  samba-common 2:4.5.12+dfsg-2+deb9u1       all          common files
used by both the Samba server and client
ii  samba-common-bin 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
common files used by both the server and the client
ii  samba-dsdb-modules 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
Directory Services Database
ii  samba-libs:armhf 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
core libraries
ii  samba-vfs-modules 2:4.5.12+dfsg-2+deb9u1       armhf        Samba
Virtual FileSystem plugins
ii  smbclient 2:4.5.12+dfsg-2+deb9u1       armhf        command-line
SMB/CIFS clients for Unix
ii  winbind 2:4.5.12+dfsg-2+deb9u1       armhf        service to resolve
user and group information from Windows NT servers
-----------


On 13. 12. 2017 12:05, L.P.H. van Belle via samba wrote:
....

--

*Ing. Jiří Knotek*
programátor

*GEMA s.r.o. Automatizace technologických procesů*

Doubravice 13, Pardubice 19, 53353
Tel: +420604570127
E-mail: [hidden email] <mailto:[hidden email]>
Web:www.gemapce.cz <http://www.gemapce.cz/>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Hai,

For both servers: /etc/hosts
127.0.0.1 localhost localhost.localdomain
Or
127.0.0.1 localhost
+ the dc's as shown now, thats ok, normaly only the DC itself, but it does not hurt if you add both dc's in there.

If you need users/groups on the DC's
/etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
For example you want to login with a "AD users" in the server with ssh.

Change the resolving ordere here to.
hosts:          files dns mdns4_minimal [NOTFOUND=return]
Or remove avahi-* completeley, then check if this is gone : mdns4_minimal [NOTFOUND=return]


Bind DNS is used and you did set :
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
But your forgot.
/etc/bind/named.conf.local
// adding the dlopen ( Bind DLZ ) module for samba.
include "/var/lib/samba/private/named.conf";


After these changes, first reboot the DC with FSMO roles then the second DC.

And check you replication again.


Greetz,

Louis




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Hello Rowland,

See inline comments:

If I did not make a mistake somewhere, it's even worse. Additionally, replication does not work ry11citdc to ry11citsdc executed from ry11citdc:
---------------------------------------------------------------------------------------------------------------
root@ry11citdc:~# samba-tool drs replicate ry11citsdc ry11citdc dc=ry11cit,dc=lan
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to ry11citsdc failed - drsException: DRS connection to ry11citsdc failed: (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
     (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
     raise drsException("DRS connection to %s failed: %s" % (server, e))
----------------------------------------------------------------------------------------------------------------
root@ry11citdc:~# bash /home/pi/Ry11/samba-setup-checkup.sh
/home/pi/Ry11/samba-setup-checkup.sh: line 134: HOST_: command not found
Check hostnames : Ok
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 10.44.1.1 : Error
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver1: 10.44.1.10 : Ok
Check ping google dns : 8.8.8.8 : Error
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- pi pi         /etc/samba/smb.conf
Checking file owner..
Missing file /etc/samba/lmhosts
Checking file owner..
Missing file /etc/samba/smbpasswd
drwxr-xr-x root root     /usr/bin
drwxr-xr-x root root     /var/cache/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf
drwxr-xr-x root root     /var/run/samba
drwxr-x--- root adm      /var/log/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf/samba
drwxr-xr-x root root     /var/run/samba
drwxr-xr-x root root     /var/lib/samba/private
drwxr-xr-x root root     /usr/sbin
drwxr-xr-x root root     /var/lib/samba
DCS ry11citdc.ry11cit.lan
DC1 ry11citdc.ry11cit.lan
DC2
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = ry11citdc (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname)   = ry11citdc.ry11cit.lan (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = ry11cit.lan (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses)   = 10.44.1.10  Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        = RY11CITDC (samba-tool fsmo show)
The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context    = DC=ry11cit,DC=lan (samba-tool fsmo show)
The Kerberos REALM name used  = RY11CIT.LAN    (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC ry11citdc.ry11cit.lan        = 10.44.1.10
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver

----------------------------------------------------------------------------------------------------------------------

Collected config  --- 2017-12-13-15:16 -----------

Hostname: ry11citdc
DNS Domain: ry11cit.lan
FQDN: ry11citdc.ry11cit.lan
ipaddress: 10.44.1.10

-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
     link/ether b8:27:eb:69:ac:e4 brd ff:ff:ff:ff:ff:ff
     inet 10.44.1.10/16 brd 10.44.255.255 scope global eth0
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.44.1.10 ry11citdc.ry11cit.lan ry11citdc

-----------
Checking file: /etc/krb5.conf
[libdefaults]
     default_realm = RY11CIT.LAN
     dns_lookup_realm = false
     dns_lookup_kdc = true

-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns mdns4_minimal [NOTFOUND=return]
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
     netbios name = RY11CITDC
     realm = RY11CIT.LAN
     server services = -dns
     workgroup = RY11CIT
     server role = active directory domain controller

[netlogon]
     path = /var/lib/samba/sysvol/ry11cit.lan/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

-----------
No username map detected.

-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

-----------
Checking file: /etc/bind/named.conf.options
options {
     directory "/var/cache/bind";

     // If there is a firewall between you and nameservers you want
     // to talk to, you may need to fix the firewall to allow multiple
     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

     // If your ISP provided one or more IP addresses for stable
     // nameservers, you probably want to use them as forwarders.
     // Uncomment the following block, and insert the addresses replacing
     // the all-0's placeholder.

     // forwarders {
     //     0.0.0.0;
     // };

     //========================================================================
     // If BIND logs error messages about the root key being expired,
     // you will need to update your keys.  See https://www.isc.org/bind-keys
     //========================================================================
     dnssec-validation auto;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { none; };
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};


-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
     type hint;
     file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
     type master;
     file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
     type master;
     file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
     type master;
     file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
     type master;
     file "/etc/bind/db.255";
};



-----------

Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii  acl                               2.2.52-3                     armhf        Access control list utilities
ii  krb5-config                       2.6                          all          Configuration files for Kerberos Version 5
ii  krb5-user                         1.15-1+deb9u1                armhf        basic programs to authenticate using MIT Kerberos
ii  libacl1:armhf                     2.2.52-3                     armhf        Access control list shared library
ii  libgssapi-krb5-2:armhf            1.15-1+deb9u1                armhf        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:armhf                   1.15-1+deb9u1                armhf        MIT Kerberos runtime libraries
ii  libkrb5support0:armhf             1.15-1+deb9u1                armhf        MIT Kerberos runtime libraries - Support library
ii  libsmbclient:armhf                2:4.5.12+dfsg-2+deb9u1       armhf        shared library for communication with SMB/CIFS servers
ii  libwbclient0:armhf                2:4.5.12+dfsg-2+deb9u1       armhf        Samba winbind client library
ii  python-samba                      2:4.5.12+dfsg-2+deb9u1       armhf        Python bindings for Samba
ii  samba                             2:4.5.12+dfsg-2+deb9u1       armhf        SMB/CIFS file, print, and login server for Unix
ii  samba-common                      2:4.5.12+dfsg-2+deb9u1       all          common files used by both the Samba server and client
ii  samba-common-bin                  2:4.5.12+dfsg-2+deb9u1       armhf        Samba common files used by both the server and the client
ii  samba-dsdb-modules                2:4.5.12+dfsg-2+deb9u1       armhf        Samba Directory Services Database
ii  samba-libs:armhf                  2:4.5.12+dfsg-2+deb9u1       armhf        Samba core libraries
ii  samba-vfs-modules                 2:4.5.12+dfsg-2+deb9u1       armhf        Samba Virtual FileSystem plugins
ii  smbclient                         2:4.5.12+dfsg-2+deb9u1       armhf        command-line SMB/CIFS clients for Unix
ii  winbind                           2:4.5.12+dfsg-2+deb9u1       armhf        service to resolve user and group information from Windows NT servers
-----------


RY11CITSDC:
---------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------

root@ry11citsdc:~# samba-tool drs replicate ry11citdc ry11citsdc dc=ry11cit,dc=lan
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)
-------------------------------------------------------------------------------------------------------------------

root@ry11citsdc:~# bash /home/pi/Ry11/samba-setup-checkup.sh
/home/pi/Ry11/samba-setup-checkup.sh: line 134: HOST_: command not found
Check hostnames : Ok
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 10.44.1.1 : Error
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver1: 10.44.1.9 : Ok
Check ping google dns : 8.8.8.8 : Error
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- pi pi         /etc/samba/smb.conf
Checking file owner..
Missing file /etc/samba/lmhosts
Checking file owner..
Missing file /etc/samba/smbpasswd
drwxr-xr-x root root     /usr/bin
drwxr-xr-x root root     /var/cache/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf
drwxr-xr-x root root     /var/run/samba
drwxr-x--- root adm      /var/log/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf/samba
drwxr-xr-x root root     /var/run/samba
drwxr-xr-x root root     /var/lib/samba/private
drwxr-xr-x root root     /usr/sbin
drwxr-xr-x root root     /var/lib/samba
DCS ry11citsdc.ry11cit.lan
ry11citdc.ry11cit.lan
DC1 ry11citsdc.ry11cit.lan
DC2 ry11citdc.ry11cit.lan
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = ry11citsdc (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname)   = ry11citsdc.ry11cit.lan (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = ry11cit.lan (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses)   = 10.44.1.9  Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        = RY11CITDC (samba-tool fsmo show)
The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context    = DC=ry11cit,DC=lan (samba-tool fsmo show)
The Kerberos REALM name used  = RY11CIT.LAN    (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC ry11citsdc.ry11cit.lan        = 10.44.1.9
The Ipadres of DC ry11citdc.ry11cit.lan        = 10.44.1.10
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver

-----------------------------------------------------------------------------------------------------------------------

Collected config  --- 2017-12-13-15:22 -----------

Hostname: ry11citsdc
DNS Domain: ry11cit.lan
FQDN: ry11citsdc.ry11cit.lan
ipaddress: 10.44.1.9

-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
     link/ether b8:27:eb:9d:64:eb brd ff:ff:ff:ff:ff:ff
     inet 10.44.1.9/16 brd 10.44.255.255 scope global eth0
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
     link/ether b8:27:eb:c8:31:be brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc

-----------
Checking file: /etc/krb5.conf
[libdefaults]
     default_realm = RY11CIT.LAN
     dns_lookup_realm = false
     dns_lookup_kdc = true

-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns mdns4_minimal [NOTFOUND=return]
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
     netbios name = RY11CITSDC
     realm = RY11CIT.LAN
     server services = -dns
     workgroup = RY11CIT
     server role = active directory domain controller

[netlogon]
     path = /var/lib/samba/sysvol/ry11cit.lan/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

-----------
No username map detected.

-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

-----------
Checking file: /etc/bind/named.conf.options
options {
     directory "/var/cache/bind";

     // If there is a firewall between you and nameservers you want
     // to talk to, you may need to fix the firewall to allow multiple
     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

     // If your ISP provided one or more IP addresses for stable
     // nameservers, you probably want to use them as forwarders.
     // Uncomment the following block, and insert the addresses replacing
     // the all-0's placeholder.

     // forwarders {
     //     0.0.0.0;
     // };

     //========================================================================
     // If BIND logs error messages about the root key being expired,
     // you will need to update your keys.  See https://www.isc.org/bind-keys
     //========================================================================
     dnssec-validation auto;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { none; };
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};


-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
     type hint;
     file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
     type master;
     file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
     type master;
     file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
     type master;
     file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
     type master;
     file "/etc/bind/db.255";
};



-----------

Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii  acl                               2.2.52-3                     armhf        Access control list utilities
ii  krb5-config                       2.6                          all          Configuration files for Kerberos Version 5
ii  krb5-user                         1.15-1+deb9u1                armhf        basic programs to authenticate using MIT Kerberos
ii  libacl1:armhf                     2.2.52-3                     armhf        Access control list shared library
ii  libgssapi-krb5-2:armhf            1.15-1+deb9u1                armhf        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:armhf                   1.15-1+deb9u1                armhf        MIT Kerberos runtime libraries
ii  libkrb5support0:armhf             1.15-1+deb9u1                armhf        MIT Kerberos runtime libraries - Support library
ii  libsmbclient:armhf                2:4.5.12+dfsg-2+deb9u1       armhf        shared library for communication with SMB/CIFS servers
ii  libwbclient0:armhf                2:4.5.12+dfsg-2+deb9u1       armhf        Samba winbind client library
ii  python-samba                      2:4.5.12+dfsg-2+deb9u1       armhf        Python bindings for Samba
ii  samba                             2:4.5.12+dfsg-2+deb9u1       armhf        SMB/CIFS file, print, and login server for Unix
ii  samba-common                      2:4.5.12+dfsg-2+deb9u1       all          common files used by both the Samba server and client
ii  samba-common-bin                  2:4.5.12+dfsg-2+deb9u1       armhf        Samba common files used by both the server and the client
ii  samba-dsdb-modules                2:4.5.12+dfsg-2+deb9u1       armhf        Samba Directory Services Database
ii  samba-libs:armhf                  2:4.5.12+dfsg-2+deb9u1       armhf        Samba core libraries
ii  samba-vfs-modules                 2:4.5.12+dfsg-2+deb9u1       armhf        Samba Virtual FileSystem plugins
ii  smbclient                         2:4.5.12+dfsg-2+deb9u1       armhf        command-line SMB/CIFS clients for Unix
ii  winbind                           2:4.5.12+dfsg-2+deb9u1       armhf        service to resolve user and group information from Windows NT servers
-----------


On 13. 12. 2017 11:00, Rowland Penny via samba wrote: somewhere I've seen this, but of course I'll fix it
>
>> hosts:---------------
>> 127.0.0.1    localhost localhost.localdomain
>> 10.44.1.10    ry11citdc ry11citdc.ry11cit.lan
>> 10.44.1.9     ry11citsdc ry11citsdc.ry11cit.lan
> This should be:
>
> 127.0.0.1    localhost
> 10.44.1.10   ry11citdc.ry11cit.lan ry11citdc
OK resolv.conf.head  is for manual records to withstand restart.
resolv.conf is compiled by the program resolvconf , nameserver is from
dhcpcd.conf, see the generated file resolv.conf:

# Generated by resolvconf
domain ry11cit.lan
search ry11cit.lan
nameserver 10.44.1.10
nameserver 10.44.1.9

OK, i will change


I placed it for warning v samba-setup-checkup.sh
OK
>
>> hosts:---------------
>> 127.0.0.1    localhost localhost.localdomain
>> 10.44.1.10    ry11citdc ry11citdc.ry11cit.lan
>> 10.44.1.9     ry11citsdc ry11citsdc.ry11cit.lan
> should be:
>
> 127.0.0.1    localhost
> 10.44.1.9   ry11citsdc.ry11cit.lan ry11citsdc
OK
That might be useful, I will try later. But without this I can manage
domain users by windows tools.



> Rowland
>
>
Thanks Jiri Knotek
--

*Ing. Jiří Knotek*
programátor

*GEMA s.r.o. Automatizace technologických procesů*

Doubravice 13, Pardubice 19, 53353
Tel: +420604570127
E-mail: [hidden email] <mailto:[hidden email]>
Web:www.gemapce.cz <http://www.gemapce.cz/>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Hello Rowland,

A small change has been made and replication works in both directions:
dhcpcd.conf requires both dns servers in reverse order.

RY11CITDC, /etc/dhcpcd.conf
--------------------------------------------------------------

.....

interface eth0
static ip_address=10.44.1.10/16
static routers=10.44.1.1
static domain_name_servers=10.44.1.9 10.44.1.10



RY11CITDC, /etc/dhcpcd.conf
--------------------------------------------------------------

......

interface eth0
static ip_address=10.44.1.9/16
static routers=10.44.1.1
static domain_name_servers=10.44.1.10 10.44.1.9


I hope this is the right solution and not just a happy mistake. Thank
you very much for explaining the basic configuration, I was in the
confusion.

Thanks Jiri Knotek



Hello Rowland,

See inline comments:

If I did not make a mistake somewhere, it's even worse. Additionally, replication does not work ry11citdc to ry11citsdc executed from ry11citdc:
---------------------------------------------------------------------------------------------------------------
root@ry11citdc:~# samba-tool drs replicate ry11citsdc ry11citdc dc=ry11cit,dc=lan
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to ry11citsdc failed - drsException: DRS connection to ry11citsdc failed: (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
     (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
     raise drsException("DRS connection to %s failed: %s" % (server, e))
----------------------------------------------------------------------------------------------------------------
root@ry11citdc:~# bash /home/pi/Ry11/samba-setup-checkup.sh
/home/pi/Ry11/samba-setup-checkup.sh: line 134: HOST_: command not found
Check hostnames : Ok
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 10.44.1.1 : Error
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver1: 10.44.1.10 : Ok
Check ping google dns : 8.8.8.8 : Error
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- pi pi         /etc/samba/smb.conf
Checking file owner..
Missing file /etc/samba/lmhosts
Checking file owner..
Missing file /etc/samba/smbpasswd
drwxr-xr-x root root     /usr/bin
drwxr-xr-x root root     /var/cache/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf
drwxr-xr-x root root     /var/run/samba
drwxr-x--- root adm      /var/log/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf/samba
drwxr-xr-x root root     /var/run/samba
drwxr-xr-x root root     /var/lib/samba/private
drwxr-xr-x root root     /usr/sbin
drwxr-xr-x root root     /var/lib/samba
DCS ry11citdc.ry11cit.lan
DC1 ry11citdc.ry11cit.lan
DC2
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = ry11citdc (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname)   = ry11citdc.ry11cit.lan (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = ry11cit.lan (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses)   = 10.44.1.10  Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        = RY11CITDC (samba-tool fsmo show)
The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context    = DC=ry11cit,DC=lan (samba-tool fsmo show)
The Kerberos REALM name used  = RY11CIT.LAN    (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC ry11citdc.ry11cit.lan        = 10.44.1.10
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver

----------------------------------------------------------------------------------------------------------------------

Collected config  --- 2017-12-13-15:16 -----------

Hostname: ry11citdc
DNS Domain: ry11cit.lan
FQDN: ry11citdc.ry11cit.lan
ipaddress: 10.44.1.10

-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
     link/ether b8:27:eb:69:ac:e4 brd ff:ff:ff:ff:ff:ff
     inet 10.44.1.10/16 brd 10.44.255.255 scope global eth0
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.44.1.10 ry11citdc.ry11cit.lan ry11citdc

-----------
Checking file: /etc/krb5.conf
[libdefaults]
     default_realm = RY11CIT.LAN
     dns_lookup_realm = false
     dns_lookup_kdc = true

-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns mdns4_minimal [NOTFOUND=return]
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
     netbios name = RY11CITDC
     realm = RY11CIT.LAN
     server services = -dns
     workgroup = RY11CIT
     server role = active directory domain controller

[netlogon]
     path = /var/lib/samba/sysvol/ry11cit.lan/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

-----------
No username map detected.

-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

-----------
Checking file: /etc/bind/named.conf.options
options {
     directory "/var/cache/bind";

     // If there is a firewall between you and nameservers you want
     // to talk to, you may need to fix the firewall to allow multiple
     // ports to talk.  Seehttp://www.kb.cert.org/vuls/id/800113

     // If your ISP provided one or more IP addresses for stable
     // nameservers, you probably want to use them as forwarders.
     // Uncomment the following block, and insert the addresses replacing
     // the all-0's placeholder.

     // forwarders {
     //     0.0.0.0;
     // };

     //========================================================================
     // If BIND logs error messages about the root key being expired,
     // you will need to update your keys.  Seehttps://www.isc.org/bind-keys
     //========================================================================
     dnssec-validation auto;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { none; };
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};


-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
     type hint;
     file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
     type master;
     file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
     type master;
     file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
     type master;
     file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
     type master;
     file "/etc/bind/db.255";
};



-----------

Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii  acl                               2.2.52-3                     armhf        Access control list utilities
ii  krb5-config                       2.6                          all          Configuration files for Kerberos Version 5
ii  krb5-user                         1.15-1+deb9u1                armhf        basic programs to authenticate using MIT Kerberos
ii  libacl1:armhf                     2.2.52-3                     armhf        Access control list shared library
ii  libgssapi-krb5-2:armhf            1.15-1+deb9u1                armhf        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:armhf                   1.15-1+deb9u1                armhf        MIT Kerberos runtime libraries
ii  libkrb5support0:armhf             1.15-1+deb9u1                armhf        MIT Kerberos runtime libraries - Support library
ii  libsmbclient:armhf                2:4.5.12+dfsg-2+deb9u1       armhf        shared library for communication with SMB/CIFS servers
ii  libwbclient0:armhf                2:4.5.12+dfsg-2+deb9u1       armhf        Samba winbind client library
ii  python-samba                      2:4.5.12+dfsg-2+deb9u1       armhf        Python bindings for Samba
ii  samba                             2:4.5.12+dfsg-2+deb9u1       armhf        SMB/CIFS file, print, and login server for Unix
ii  samba-common                      2:4.5.12+dfsg-2+deb9u1       all          common files used by both the Samba server and client
ii  samba-common-bin                  2:4.5.12+dfsg-2+deb9u1       armhf        Samba common files used by both the server and the client
ii  samba-dsdb-modules                2:4.5.12+dfsg-2+deb9u1       armhf        Samba Directory Services Database
ii  samba-libs:armhf                  2:4.5.12+dfsg-2+deb9u1       armhf        Samba core libraries
ii  samba-vfs-modules                 2:4.5.12+dfsg-2+deb9u1       armhf        Samba Virtual FileSystem plugins
ii  smbclient                         2:4.5.12+dfsg-2+deb9u1       armhf        command-line SMB/CIFS clients for Unix
ii  winbind                           2:4.5.12+dfsg-2+deb9u1       armhf        service to resolve user and group information from Windows NT servers
-----------


RY11CITSDC:
---------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------

root@ry11citsdc:~# samba-tool drs replicate ry11citdc ry11citsdc dc=ry11cit,dc=lan
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)
-------------------------------------------------------------------------------------------------------------------

root@ry11citsdc:~# bash /home/pi/Ry11/samba-setup-checkup.sh
/home/pi/Ry11/samba-setup-checkup.sh: line 134: HOST_: command not found
Check hostnames : Ok
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 10.44.1.1 : Error
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver1: 10.44.1.9 : Ok
Check ping google dns : 8.8.8.8 : Error
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- pi pi         /etc/samba/smb.conf
Checking file owner..
Missing file /etc/samba/lmhosts
Checking file owner..
Missing file /etc/samba/smbpasswd
drwxr-xr-x root root     /usr/bin
drwxr-xr-x root root     /var/cache/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf
drwxr-xr-x root root     /var/run/samba
drwxr-x--- root adm      /var/log/samba
drwxr-xr-x root root     /usr/lib/arm-linux-gnueabihf/samba
drwxr-xr-x root root     /var/run/samba
drwxr-xr-x root root     /var/lib/samba/private
drwxr-xr-x root root     /usr/sbin
drwxr-xr-x root root     /var/lib/samba
DCS ry11citsdc.ry11cit.lan
ry11citdc.ry11cit.lan
DC1 ry11citsdc.ry11cit.lan
DC2 ry11citdc.ry11cit.lan
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = ry11citsdc (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname)   = ry11citsdc.ry11cit.lan (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = ry11cit.lan (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses)   = 10.44.1.9  Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        = RY11CITDC (samba-tool fsmo show)
The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context    = DC=ry11cit,DC=lan (samba-tool fsmo show)
The Kerberos REALM name used  = RY11CIT.LAN    (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC ry11citsdc.ry11cit.lan        = 10.44.1.9
The Ipadres of DC ry11citdc.ry11cit.lan        = 10.44.1.10
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver

-----------------------------------------------------------------------------------------------------------------------

Collected config  --- 2017-12-13-15:22 -----------

Hostname: ry11citsdc
DNS Domain: ry11cit.lan
FQDN: ry11citsdc.ry11cit.lan
ipaddress: 10.44.1.9

-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
     link/ether b8:27:eb:9d:64:eb brd ff:ff:ff:ff:ff:ff
     inet 10.44.1.9/16 brd 10.44.255.255 scope global eth0
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
     link/ether b8:27:eb:c8:31:be brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.44.1.9 ry11citsdc.ry11cit.lan ry11citsdc

-----------
Checking file: /etc/krb5.conf
[libdefaults]
     default_realm = RY11CIT.LAN
     dns_lookup_realm = false
     dns_lookup_kdc = true

-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns mdns4_minimal [NOTFOUND=return]
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
     netbios name = RY11CITSDC
     realm = RY11CIT.LAN
     server services = -dns
     workgroup = RY11CIT
     server role = active directory domain controller

[netlogon]
     path = /var/lib/samba/sysvol/ry11cit.lan/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

-----------
No username map detected.

-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

-----------
Checking file: /etc/bind/named.conf.options
options {
     directory "/var/cache/bind";

     // If there is a firewall between you and nameservers you want
     // to talk to, you may need to fix the firewall to allow multiple
     // ports to talk.  Seehttp://www.kb.cert.org/vuls/id/800113

     // If your ISP provided one or more IP addresses for stable
     // nameservers, you probably want to use them as forwarders.
     // Uncomment the following block, and insert the addresses replacing
     // the all-0's placeholder.

     // forwarders {
     //     0.0.0.0;
     // };

     //========================================================================
     // If BIND logs error messages about the root key being expired,
     // you will need to update your keys.  Seehttps://www.isc.org/bind-keys
     //========================================================================
     dnssec-validation auto;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { none; };
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};


-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
     type hint;
     file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
     type master;
     file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
     type master;
     file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
     type master;
     file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
     type master;
     file "/etc/bind/db.255";
};



-----------

Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii  acl                               2.2.52-3                     armhf        Access control list utilities
ii  krb5-config                       2.6                          all          Configuration files for Kerberos Version 5
ii  krb5-user                         1.15-1+deb9u1                armhf        basic programs to authenticate using MIT Kerberos
ii  libacl1:armhf                     2.2.52-3                     armhf        Access control list shared library
ii  libgssapi-krb5-2:armhf            1.15-1+deb9u1                armhf        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:armhf                   1.15-1+deb9u1                armhf        MIT Kerberos runtime libraries
ii  libkrb5support0:armhf             1.15-1+deb9u1                armhf        MIT Kerberos runtime libraries - Support library
ii  libsmbclient:armhf                2:4.5.12+dfsg-2+deb9u1       armhf        shared library for communication with SMB/CIFS servers
ii  libwbclient0:armhf                2:4.5.12+dfsg-2+deb9u1       armhf        Samba winbind client library
ii  python-samba                      2:4.5.12+dfsg-2+deb9u1       armhf        Python bindings for Samba
ii  samba                             2:4.5.12+dfsg-2+deb9u1       armhf        SMB/CIFS file, print, and login server for Unix
ii  samba-common                      2:4.5.12+dfsg-2+deb9u1       all          common files used by both the Samba server and client
ii  samba-common-bin                  2:4.5.12+dfsg-2+deb9u1       armhf        Samba common files used by both the server and the client
ii  samba-dsdb-modules                2:4.5.12+dfsg-2+deb9u1       armhf        Samba Directory Services Database
ii  samba-libs:armhf                  2:4.5.12+dfsg-2+deb9u1       armhf        Samba core libraries
ii  samba-vfs-modules                 2:4.5.12+dfsg-2+deb9u1       armhf        Samba Virtual FileSystem plugins
ii  smbclient                         2:4.5.12+dfsg-2+deb9u1       armhf        command-line SMB/CIFS clients for Unix
ii  winbind                           2:4.5.12+dfsg-2+deb9u1       armhf        service to resolve user and group information from Windows NT servers
-----------


On 13. 12. 2017 11:00, Rowland Penny via samba wrote: somewhere I've seen this, but of course I'll fix it
>> hosts:---------------
>> 127.0.0.1    localhost localhost.localdomain
>> 10.44.1.10    ry11citdc ry11citdc.ry11cit.lan
>> 10.44.1.9     ry11citsdc ry11citsdc.ry11cit.lan
> This should be:
>
> 127.0.0.1    localhost
> 10.44.1.10   ry11citdc.ry11cit.lan ry11citdc
OK resolv.conf.head  is for manual records to withstand restart.
resolv.conf is compiled by the program resolvconf , nameserver is from
dhcpcd.conf, see the generated file resolv.conf:

# Generated by resolvconf
domain ry11cit.lan
search ry11cit.lan
nameserver 10.44.1.10
nameserver 10.44.1.9

OK, i will change


I placed it for warning v samba-setup-checkup.sh
OK
>> hosts:---------------
>> 127.0.0.1    localhost localhost.localdomain
>> 10.44.1.10    ry11citdc ry11citdc.ry11cit.lan
>> 10.44.1.9     ry11citsdc ry11citsdc.ry11cit.lan
> should be:
>
> 127.0.0.1    localhost
> 10.44.1.9   ry11citsdc.ry11cit.lan ry11citsdc
OK
That might be useful, I will try later. But without this I can manage
domain users by windows tools.



> Rowland
>
>
Thanks Jiri Knotek
--

*Ing. Jiří Knotek*
programátor

*GEMA s.r.o. Automatizace technologických procesů*

Doubravice 13, Pardubice 19, 53353
Tel: +420604570127
E-mail: [hidden email] <mailto:[hidden email]>
Web:www.gemapce.cz <http://www.gemapce.cz/>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba