Thread: Cannot resync DSS V6 on AD Domain after a "crash"

  1. #1

    Cannot resync DSS V6 on AD Domain after a "crash"

    Hi all,

    After a "crash" of my DSS v6 and XFS_Repair, I have to resync on an AD Domain, but the following error always occurs: "Database is empty or connection error".

    In the logs I have the following messages for the connection with DC server:

    "connect_to_domain_password_server: unable to open the domain client session to machine SERVER.DC.HOME Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT."

    Do I have to erase the current Samba Database when resyncing with the DC?

    Any other suggestions?

    Many thanks in advance.

    Bruno.

  2. #2

    You don't have to erase the current Samba Database. See if you can connect with PDC to see if you can connect to the ADS server. Make sure that you log in as a Domain Admin, and verify that in the DNS settings on the DSS you have the ADS server's IP. Also verify that the time on the DSS matches the ADS server's time.
    All the best,

    Todd Maxwell


    Follow the red "E"
    Facebook | Twitter | YouTube

  3. #3

    Hi Todd,

    The IP of the DC is OK and we can ping it. The Administrator account and password are OK.
    We have also checked the DNS IPs (they are reachable) and the date/time: everything is OK.

    Any other ideas?

  4. #4

    Try to use the PDC to see if you're able to get the Users and Groups. If you can, then this means it is connecting and authenticating; then for the ADS, see if there is anything blocking it, or check the ADS logs.
    All the best,

    Todd Maxwell



  5. #5

    Hi Todd,

    What do you mean by "try to use PDC"?

    Here is the content of ads.log:

    --connection to ads---
    spawn /usr/bin/kinit administrator@BROADCAST.XXX.FR
    Password for administrator@BROADCAST.XXX.FR:
    Mon Nov 11 15:58:18 CET 2013
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@BROADCAST.XXX.FR

    Valid starting Expires Service principal
    11/11/13 15:58:17 11/12/13 01:58:17 krbtgt/BROADCAST.XXX.FR@BROADCAST.XXX.FR
    renew until 11/12/13 15:58:17


    Kerberos 4 ticket cache: /tmp/tkt0
    /usr/sbin/net ads join -U administrator%****
    -----------
    SHORT DOMAIN: BROADCAST
    --------security.conf---------
    security = ADS
    password server = kerberos.server
    realm = BROADCAST.XXX.FR
    allow trusted domains = yes
    --------hosts---------
    10.231.235.103 kerberos.server BROADCAST.XXX.FR TFBROADDC1 TFBROADDC1.BROADCAST.XXX.FR #kerberos.server
    --------krb5.conf---------
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/krb5admin.log

    [libdefaults]
    default_realm = BROADCAST.XXX.FR

    [realms]
    BROADCAST.XXX.FR = {
    kdc = kerberos.server
    admin_server = dss91155613
    default_domain = kerberos.server
    }

    [appdefaults]
    pam = {
    debug = false
    forwardable = false
    krb4_convert = false
    }

    --------net ads info---------
    LDAP server: 10.231.235.102
    LDAP server name: tfbroaddc2.broadcast.xxx.fr
    Realm: BROADCAST.XXX.FR
    Bind Path: dc=BROADCAST,dc=XXX,dc=FR
    LDAP port: 389
    Server time: Mon, 11 Nov 2013 15:58:22 CET
    KDC server: 10.231.235.102
    Server time offset: 0
    --------wbinfo -D domena---------
    Name : BROADCAST
    Alt_Name : broadcast.xxx.fr
    SID : S-1-5-21-719910283-167185162-3801991273
    Active Directory : Yes
    Native : Yes
    Primary : Yes
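
The address and clock checks from post #2, run over the dump in post #5, as an added example that is not part of the thread or of Open-E's tooling. Section names and values come from the posted dump; treating a mismatch between the pinned password server and the reported KDC as worth reviewing, and reading the offset as seconds, are assumptions of this example.

```python
import re

# Excerpt of the ads.log dump from post #5, trimmed (values as posted).
SAMPLE = """\
--------security.conf---------
password server = kerberos.server
--------hosts---------
10.231.235.103 kerberos.server BROADCAST.XXX.FR TFBROADDC1 #kerberos.server
--------net ads info---------
KDC server: 10.231.235.102
Server time offset: 0
"""

SECTION = re.compile(r"^-{4,}\s*([^-\s].*?)\s*-{4,}$")  # e.g. "--------hosts---------"

def parse_sections(text):
    """Split the dump into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and line:
            current.append(line)
    return sections

def key_values(lines, sep):
    """Parse 'key<sep>value' lines into a dict, skipping lines without sep."""
    pairs = (line.partition(sep) for line in lines)
    return {k.strip(): v.strip() for k, found, v in pairs if found}

def check_dump(text, max_skew=300):
    """Return findings for the DC-address and clock checks."""
    s = parse_sections(text)
    conf = key_values(s.get("security.conf", []), "=")
    info = key_values(s.get("net ads info", []), ":")
    hosts = {}  # name -> IP, taken from the dumped hosts file
    for line in s.get("hosts", []):
        fields = line.split("#")[0].split()
        hosts.update({name.lower(): fields[0] for name in fields[1:]})
    findings = []
    pinned = hosts.get(conf.get("password server", "").lower())
    kdc = info.get("KDC server")
    if pinned and kdc and pinned != kdc:
        findings.append(f"password server resolves to {pinned}, net ads reports KDC {kdc}")
    # Assumption: offset is in seconds; 300 s is the default Kerberos skew limit.
    if abs(int(info.get("Server time offset", "0"))) > max_skew:
        findings.append(f"clock offset exceeds {max_skew} s")
    return findings
```
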

  6. #6

    On the DSS select Windows (PDC) NOT ADS.
    All the best,

    Todd Maxwell

