Can't change AD IP address

Okay, we reversed the database in the text file and ran the following:

config setprop dns NameServers (dns ip1,dns ip2,etc no spaces between commas) to change those properties and we ran:

signal-event interface-update
signal-event nethserver-dnsmasq-save

That has fixed the /etc/dnsmasq.conf

But… the last part, clearing out the DNS entries for 192.168.2.10 with the
systemd-run -t -M nsdc /usr/sbin/samba_dnsupdate --verbose

gives the same error as I said above.
Also, the web interface is often taking forever to load, like it’s stalled or didn’t know where to send back request data. For 10 minutes it’s non-responsive, then it’s okay. The Error 113 still remains.

I think the problem may be that the samba_dnsupdate tries to contact (domainname) as the address which it thinks is 192.168.2.10 instead of 192.168.1.5. Need to find a way to fix this. Have a few hack ideas but there has to be an elegant way to do this. I feel it’s close.

This is the problem: it can’t reach the kdc host.

We should ensure the kdc is actually running: try to ping its IP, check if its TCP ports are open.

Also the command could be wrong, miss some config options or similar…

If that’s the case the problem could be reproduced :thinking:

I found a LOT of people had this error for different reasons on Samba forums. Many had options I tried, including adding a “domain_realms” section. Several suggested adding the “dns” option in the “services” smb.conf parameter, but as this uses a template system that would take some digging and that seems unnecessary here.

I did ping the interface, 192.168.1.5 and get responses back so something is running on that IP. I’ll confirm that someone didn’t have a VM running on that IP but I’ve been assured by the net admin that it’s free.

The only place this address exists is in the DNS cache files (which the last command is trying to clear). I can look into the samba_dnsupdate command but it looks similar to the samba_dnsupdate command examples I saw on forums.

Could you run a port scanner against it?

nmap 192.168.1.5

Starting Nmap 6.40 ( http://nmap.org ) at 2017-02-06 17:05 EST
Nmap scan report for 192.168.1.5
Host is up (0.00054s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
1024/tcp open kdm
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl


Oh, it may be important to note, there are no users or groups in the accounts button. Not sure why. What does that mean do you think?

Something else, did some tests and ran this:
kinit (domain user name). This appears to give no error after I give the password. Would that imply that Kerberos is in fact running in some way?

Update on IP change procedure:

  • Fixed the path of krb5.conf
  • Install additional dependency for samba_dnsupdate command

This is what I’ve changed:

https://github.com/NethServer/nethserver-dc/commit/e04431233398f04022f8a3bf7c245889e0edbd3e

In other words

  • You have to edit /var/lib/machines/nsdc/var/lib/samba/private/krb5.conf (instead of /var/lib/machines/nsdc/etc/krb5.conf - wrong)

  • Before running samba_dnsupdate, install bind-utils in the nsdc container chroot:

      yum --installroot=/var/lib/machines/nsdc/ install bind-utils
    

Thanks for your help!

Okay, added the “realms” entry in the /var/lib/machines/nsdc/var/lib/samba/private/krb5.conf and installed bind-utils as instructed. Different results this time: here is what I got back after running

systemd-run -t -M nsdc /usr/sbin/samba_dnsupdate --verbose

systemd-run -t -M nsdc /usr/sbin/samba_dnsupdate --verbose

Running as unit run-10525.service.
Press ^] three times within 1s to disconnect TTY.
IPs: [‘192.168.1.5’]
Looking for DNS entry A nsdc-dc2.(domainname) 192.168.1.5 as nsdc-dc2.(domainname).
Failed to find matching DNS entry A nsdc-dc2.(domainname) 192.168.1.5
need update: A nsdc-dc2.(domainname) 192.168.1.5
Looking for DNS entry A (domainname) 192.168.1.5 as (domainname).
Failed to find matching DNS entry A (domainname) 192.168.1.5
need update: A (domainname) 192.168.1.5
Looking for DNS entry SRV _ldap._tcp.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.dc._msdcs.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.dc._msdcs.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _ldap._tcp.1937ac0b-e18f-47d3-a7a5-e1d2407e9c25.domains._msdcs.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.1937ac0b-e18f-47d3-a7a5-e1d2407e9c25.domains._msdcs.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.1937ac0b-e18f-47d3-a7a5-e1d2407e9c25.domains._msdcs.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _kerberos._tcp.(domainname) nsdc-dc2.(domainname) 88 as _kerberos._tcp.(domainname).
Checking 0 100 88 nsdc-dc2.(domainname). against SRV _kerberos._tcp.(domainname) nsdc-dc2.(domainname) 88
Looking for DNS entry SRV _kerberos._udp.(domainname) nsdc-dc2.(domainname) 88 as _kerberos._udp.(domainname).
Checking 0 100 88 nsdc-dc2.(domainname). against SRV _kerberos._udp.(domainname) nsdc-dc2.(domainname) 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.(domainname) nsdc-dc2.(domainname) 88 as _kerberos._tcp.dc._msdcs.(domainname).
Checking 0 100 88 nsdc-dc2.(domainname). against SRV _kerberos._tcp.dc._msdcs.(domainname) nsdc-dc2.(domainname) 88
Looking for DNS entry SRV _kpasswd._tcp.(domainname) nsdc-dc2.(domainname) 464 as _kpasswd._tcp.(domainname).
Checking 0 100 464 nsdc-dc2.(domainname). against SRV _kpasswd._tcp.(domainname) nsdc-dc2.(domainname) 464
Looking for DNS entry SRV _kpasswd._udp.(domainname) nsdc-dc2.(domainname) 464 as _kpasswd._udp.(domainname).
Checking 0 100 464 nsdc-dc2.(domainname). against SRV _kpasswd._udp.(domainname) nsdc-dc2.(domainname) 464
Looking for DNS entry CNAME abeb7b7a-7973-4f5f-a30b-b51d492965a5._msdcs.(domainname) nsdc-dc2.(domainname) as abeb7b7a-7973-4f5f-a30b-b51d492965a5._msdcs.(domainname).
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.Default-First-Site-Name._sites.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.Default-First-Site-Name._sites.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.(domainname) nsdc-dc2.(domainname) 88 as _kerberos._tcp.Default-First-Site-Name._sites.(domainname).
Checking 0 100 88 nsdc-dc2.(domainname). against SRV _kerberos._tcp.Default-First-Site-Name._sites.(domainname) nsdc-dc2.(domainname) 88
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.(domainname) nsdc-dc2.(domainname) 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.(domainname).
Checking 0 100 88 nsdc-dc2.(domainname). against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.(domainname) nsdc-dc2.(domainname) 88
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.pdc._msdcs.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.pdc._msdcs.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry A gc._msdcs.(domainname) 192.168.1.5 as gc._msdcs.(domainname).
Failed to find matching DNS entry A gc._msdcs.(domainname) 192.168.1.5
need update: A gc._msdcs.(domainname) 192.168.1.5
Looking for DNS entry SRV _gc._tcp.(domainname) nsdc-dc2.(domainname) 3268 as _gc._tcp.(domainname).
Checking 0 100 3268 nsdc-dc2.(domainname). against SRV _gc._tcp.(domainname) nsdc-dc2.(domainname) 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.(domainname) nsdc-dc2.(domainname) 3268 as _ldap._tcp.gc._msdcs.(domainname).
Checking 0 100 3268 nsdc-dc2.(domainname). against SRV _ldap._tcp.gc._msdcs.(domainname) nsdc-dc2.(domainname) 3268
Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.(domainname) nsdc-dc2.(domainname) 3268 as _gc._tcp.Default-First-Site-Name._sites.(domainname).
Checking 0 100 3268 nsdc-dc2.(domainname). against SRV _gc._tcp.Default-First-Site-Name._sites.(domainname) nsdc-dc2.(domainname) 3268
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.(domainname) nsdc-dc2.(domainname) 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.(domainname).
Checking 0 100 3268 nsdc-dc2.(domainname). against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.(domainname) nsdc-dc2.(domainname) 3268
Looking for DNS entry A DomainDnsZones.(domainname) 192.168.1.5 as DomainDnsZones.(domainname).
Failed to find matching DNS entry A DomainDnsZones.(domainname) 192.168.1.5
need update: A DomainDnsZones.(domainname) 192.168.1.5
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.DomainDnsZones.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.DomainDnsZones.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry A ForestDnsZones.(domainname) 192.168.1.5 as ForestDnsZones.(domainname).
Failed to find matching DNS entry A ForestDnsZones.(domainname) 192.168.1.5
need update: A ForestDnsZones.(domainname) 192.168.1.5
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.ForestDnsZones.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.ForestDnsZones.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry A nsdc-dc2.(domainname) 192.168.2.10 as nsdc-dc2.(domainname).
need delete: A nsdc-dc2.(domainname) 192.168.2.10
Looking for DNS entry A (domainname) 192.168.2.10 as (domainname).
need delete: A (domainname) 192.168.2.10
Looking for DNS entry A gc._msdcs.(domainname) 192.168.2.10 as gc._msdcs.(domainname).
need delete: A gc._msdcs.(domainname) 192.168.2.10
Looking for DNS entry A DomainDnsZones.(domainname) 192.168.2.10 as DomainDnsZones.(domainname).
need delete: A DomainDnsZones.(domainname) 192.168.2.10
Looking for DNS entry A ForestDnsZones.(domainname) 192.168.2.10 as ForestDnsZones.(domainname).
need delete: A ForestDnsZones.(domainname) 192.168.2.10
5 DNS updates and 5 DNS deletes needed
delete (nsupdate): A nsdc-dc2.(domainname) 192.168.2.10
Calling nsupdate for A nsdc-dc2.(domainname) 192.168.2.10 (delete)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
nsdc-dc2.(domainname). 0 NONE A 192.168.2.10

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
delete (nsupdate): A (domainname) 192.168.2.10
Calling nsupdate for A (domainname) 192.168.2.10 (delete)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
(domainname). 0 NONE A 192.168.2.10

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
delete (nsupdate): A gc._msdcs.(domainname) 192.168.2.10
Calling nsupdate for A gc._msdcs.(domainname) 192.168.2.10 (delete)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.(domainname). 0 NONE A 192.168.2.10

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
delete (nsupdate): A DomainDnsZones.(domainname) 192.168.2.10
Calling nsupdate for A DomainDnsZones.(domainname) 192.168.2.10 (delete)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DomainDnsZones.(domainname). 0 NONE A 192.168.2.10

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
delete (nsupdate): A ForestDnsZones.(domainname) 192.168.2.10
Calling nsupdate for A ForestDnsZones.(domainname) 192.168.2.10 (delete)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.(domainname). 0 NONE A 192.168.2.10

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A nsdc-dc2.(domainname) 192.168.1.5
Calling nsupdate for A nsdc-dc2.(domainname) 192.168.1.5 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
nsdc-dc2.(domainname). 900 IN A 192.168.1.5

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A (domainname) 192.168.1.5
Calling nsupdate for A (domainname) 192.168.1.5 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
(domainname). 900 IN A 192.168.1.5

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A gc._msdcs.(domainname) 192.168.1.5
Calling nsupdate for A gc._msdcs.(domainname) 192.168.1.5 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.(domainname). 900 IN A 192.168.1.5

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A DomainDnsZones.(domainname) 192.168.1.5
Calling nsupdate for A DomainDnsZones.(domainname) 192.168.1.5 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DomainDnsZones.(domainname). 900 IN A 192.168.1.5

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A ForestDnsZones.(domainname) 192.168.1.5
Calling nsupdate for A ForestDnsZones.(domainname) 192.168.1.5 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.(domainname). 900 IN A 192.168.1.5

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 10 entries

Don’t know if a TSIG error is a problem. I’ll take a look at the server and let you know what I find.
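A transcript like the one above is easier to triage once reduced to the planned changes and the per-record nsupdate outcomes. The following is an added example, not part of the original posts and not NethServer or Samba code: it parses the line formats visible in that output, using a constructed sample with the placeholder domain `example.int`; the function names are hypothetical.

```python
import re

# Line formats taken from the samba_dnsupdate --verbose output shown in the thread.
PLAN_RE = re.compile(r"^need (update|delete): (\S+) (\S+) (.+)$")
CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+) (.+) \((add|delete)\)$")
TSIG_RE = re.compile(r"^; TSIG error with server: (.+)$")
FAIL_RE = re.compile(r"^Failed nsupdate: (\d+)$")
COUNT_RE = re.compile(r"^(\d+) DNS updates and (\d+) DNS deletes needed$")
TOTAL_RE = re.compile(r"^Failed update of (\d+) entries$")

# Constructed sample (shortened, placeholder domain), same shape as the real run.
SAMPLE = """\
IPs: ['192.168.1.5']
need update: A nsdc-dc2.example.int 192.168.1.5
need update: A gc._msdcs.example.int 192.168.1.5
need delete: A nsdc-dc2.example.int 192.168.2.10
need delete: A gc._msdcs.example.int 192.168.2.10
2 DNS updates and 2 DNS deletes needed
delete (nsupdate): A nsdc-dc2.example.int 192.168.2.10
Calling nsupdate for A nsdc-dc2.example.int 192.168.2.10 (delete)
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
delete (nsupdate): A gc._msdcs.example.int 192.168.2.10
Calling nsupdate for A gc._msdcs.example.int 192.168.2.10 (delete)
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A nsdc-dc2.example.int 192.168.1.5
Calling nsupdate for A nsdc-dc2.example.int 192.168.1.5 (add)
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A gc._msdcs.example.int 192.168.1.5
Calling nsupdate for A gc._msdcs.example.int 192.168.1.5 (add)
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 4 entries
"""


def parse_dnsupdate(text):
    """Reduce a verbose transcript to planned changes and nsupdate call results."""
    report = {"planned": [], "calls": [], "declared": None, "failed_total": None}
    current = None  # the nsupdate call that error lines currently belong to
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PLAN_RE.match(line)):
            report["planned"].append(
                {"op": m[1], "type": m[2], "name": m[3], "data": m[4]})
        elif (m := CALL_RE.match(line)):
            current = {"op": m[4], "type": m[1], "name": m[2], "data": m[3],
                       "tsig_error": None, "rc": None}
            report["calls"].append(current)
        elif (m := TSIG_RE.match(line)) and current is not None:
            current["tsig_error"] = m[1]
        elif (m := FAIL_RE.match(line)) and current is not None:
            current["rc"] = int(m[1])
        elif (m := COUNT_RE.match(line)):
            report["declared"] = (int(m[1]), int(m[2]))
        elif (m := TOTAL_RE.match(line)):
            report["failed_total"] = int(m[1])
    return report


def failed_calls(report):
    # Assumption: a call without a "Failed nsupdate" line did not report failure.
    return [c for c in report["calls"] if c["rc"] is not None]


def stale_candidates(report, old_ip):
    """Names whose delete of the old address was reported as failed."""
    return [c["name"] for c in failed_calls(report)
            if c["op"] == "delete" and c["data"] == old_ip]


def consistent(report):
    """Check the tool's own totals against what was parsed from the transcript."""
    ups = sum(p["op"] == "update" for p in report["planned"])
    dels = sum(p["op"] == "delete" for p in report["planned"])
    return (report["declared"] == (ups, dels)
            and report["failed_total"] == len(failed_calls(report)))


if __name__ == "__main__":
    r = parse_dnsupdate(SAMPLE)
    for c in failed_calls(r):
        print(f'{c["op"]:6} {c["type"]} {c["name"]} {c["data"]}: '
              f'rc={c["rc"]} ({c["tsig_error"]})')
    print("still to verify for old IP:", stale_candidates(r, "192.168.2.10"))
    print("totals consistent:", consistent(r))
```

The names returned by `stale_candidates` are only the ones nsupdate reported as failed; re-run samba_dnsupdate or query the records before treating them as still pointing at the old address.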

Okay, I ran the samba_dnsupdate a 2nd time and it says no update is necessary now so it may have worked. However, we still have the message “AccountProvider_Error_113” in red bold at the top and the Users & Groups section has blank entries in users and groups. The accounts (I made 3) still exist as I verified with the kinit command. Glad I could help shake the trees but we have still not successfully changed the Samba AD IP address so that it functions. Again, thanks for your quick response. Any other ideas?

Update: I’m under some pressure to get this resolved so I’m going to try a “Factory Reset” as outlined in your NethServer 7 RC2 documentation and see if we can create the domain. No one in the office is using it yet fortunately. I’ll let you know what happens there.

This wipes all our work :cry:

Do you read additional information in /var/log/messages?

I know, but I’m under pressure now and I’m told to try this or recreate the server from scratch while putting back the router with full production settings as it was working before the IP change. I am happy to repeat the conditions on a virtual machine, but I need to get the production server in full operation first. I’m not done, just under the gun. I’ll create a VM later and repeat the conditions.


Looked in the logs. Mostly stuff on network traffic to computers using the Internet. A few on DNS updates (probably from the samba_dnsupdate). I have to be careful what I post from that log at this point, but here are some entries that look relevant:

Feb 7 10:18:50 dc2 systemd: Starting Start/stop ntopng program…
Feb 7 10:18:50 dc2 logger: ntopng start
Feb 7 10:18:50 dc2 kernel: device br0 entered promiscuous mode
Feb 7 10:18:50 dc2 kernel: device enp2s0 entered promiscuous mode
Feb 7 10:18:50 dc2 ntopng: [main.cpp:261] ERROR: Unable to store PID in file /var/run/ntopng/ntopng.pid
Feb 7 10:18:51 dc2 ntopng: [NetworkInterface.cpp:1059] WARNING: If you have TSO/GRO enabled, please disable it
Feb 7 10:18:51 dc2 ntopng: [NetworkInterface.cpp:1061] WARNING: Use: sudo ethtool -K br0 gro off gso off tso off
Feb 7 10:18:52 dc2 ntopng: [NetworkInterface.cpp:1059] WARNING: If you have TSO/GRO enabled, please disable it
Feb 7 10:18:52 dc2 ntopng: [NetworkInterface.cpp:1061] WARNING: Use: sudo ethtool -K enp2s0 gro off gso off tso off
Feb 7 10:18:55 dc2 ntopng: Starting ntopng: Unable to start ntopng[FAILED]
Feb 7 10:18:55 dc2 systemd: Started Start/stop ntopng program.
Feb 7 10:18:55 dc2 esmith::event[11932]: [INFO] ntopng restart
Feb 7 10:18:55 dc2 systemd: Reloading.
Feb 7 10:18:55 dc2 systemd: [/usr/lib/systemd/system/microcode.service:10] Trailing garbage, ignoring.
Feb 7 10:18:55 dc2 systemd: microcode.service lacks both ExecStart= and ExecStop= setting. Refusing.
Feb 7 10:18:55 dc2 esmith::event[11932]: [INFO] service redis-ntopng restart
Feb 7 10:18:55 dc2 systemd: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
Feb 7 10:18:55 dc2 systemd: Stopping Redis persistent key-value database NTOPNG…
Feb 7 10:18:55 dc2 redis-shutdown: Could not connect to Redis at 127.0.0.1:6379: Connection refused
Feb 7 10:18:55 dc2 systemd: redis.service: control process exited, code=exited status=1
Feb 7 10:18:55 dc2 systemd: Unit redis.service entered failed state.
Feb 7 10:18:55 dc2 systemd: redis.service failed.
Feb 7 10:18:55 dc2 systemd: Started Redis persistent key-value database NTOPNG.
Feb 7 10:18:55 dc2 systemd: Starting Redis persistent key-value database NTOPNG…
Feb 7 10:18:55 dc2 esmith::event[11932]: [INFO] redis-ntopng restart
Feb 7 10:18:55 dc2 esmith::event[11932]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [7.886949]
Feb 7 10:18:55 dc2 esmith::event[11932]: Event: nethserver-ntopng-update SUCCESS
Feb 7 10:18:55 dc2 esmith::event[12045]: Event: nethserver-mail-smarthost-update
Feb 7 10:18:55 dc2 esmith::event[12045]: Migrating existing database configuration
Feb 7 10:18:56 dc2 esmith::event[12045]: Migrating existing database certificates
Feb 7 10:18:56 dc2 esmith::event[12045]: Migrating existing database networks
Feb 7 10:18:56 dc2 esmith::event[12045]: Migrating existing database routes
Feb 7 10:18:56 dc2 esmith::event[12045]: Migrating existing database accounts
Feb 7 10:18:56 dc2 esmith::event[12045]: Migrating existing database hosts
Feb 7 10:18:56 dc2 esmith::event[12045]: Migrating existing database proxypass
Feb 7 10:18:56 dc2 esmith::event[12045]: Migrating existing database fwrules
Feb 7 10:18:56 dc2 esmith::event[12045]: Migrating existing database fwservices
Feb 7 10:18:56 dc2 esmith::event[12045]: Migrating existing database portforward
Feb 7 10:18:56 dc2 esmith::event[12045]: Migrating existing database tc
Feb 7 10:18:56 dc2 esmith::event[12045]: Migrating existing database dhcp
Feb 7 10:18:56 dc2 esmith::event[12045]: Migrating existing database vpn
Feb 7 10:18:56 dc2 esmith::event[12045]: Action: /etc/e-smith/events/nethserver-mail-smarthost-update/S00initialize-default-databases SUCCESS [0.767285]
Feb 7 10:18:56 dc2 esmith::event[12045]: expanding /etc/postfix/main.cf
Feb 7 10:18:56 dc2 esmith::event[12045]: expanding /etc/postfix/sasl_passwd
Feb 7 10:18:56 dc2 esmith::event[12045]: expanding /etc/postfix/tls_policy
Feb 7 10:18:56 dc2 esmith::event[12045]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.257731]
Feb 7 10:18:57 dc2 esmith::event[12045]: Action: /etc/e-smith/events/nethserver-mail-smarthost-update/S20nethserver-mail-postmap-update SUCCESS [0.461454]
Feb 7 10:18:57 dc2 systemd: Reloading.
Feb 7 10:18:57 dc2 systemd: [/usr/lib/systemd/system/microcode.service:10] Trailing garbage, ignoring.
Feb 7 10:18:57 dc2 systemd: microcode.service lacks both ExecStart= and ExecStop= setting. Refusing.
Feb 7 10:18:57 dc2 esmith::event[12045]: [INFO] service postfix restart
Feb 7 10:18:57 dc2 systemd: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
Feb 7 10:18:57 dc2 systemd: Stopping Postfix Mail Transport Agent…
Feb 7 10:18:57 dc2 systemd: Starting Postfix Mail Transport Agent…
Feb 7 10:18:57 dc2 systemd: Started Postfix Mail Transport Agent.
Feb 7 10:18:57 dc2 esmith::event[12045]: [INFO] postfix restart
Feb 7 10:18:57 dc2 esmith::event[12045]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.515769]
Feb 7 10:18:57 dc2 esmith::event[12045]: Event: nethserver-mail-smarthost-update SUCCESS
Feb 7 10:18:57 dc2 esmith::event[12157]: Event: nethserver-smartd-update
Feb 7 10:18:57 dc2 esmith::event[12157]: Migrating existing database configuration
Feb 7 10:18:58 dc2 esmith::event[12157]: Migrating existing database certificates
Feb 7 10:18:58 dc2 esmith::event[12157]: Migrating existing database networks
Feb 7 10:18:58 dc2 esmith::event[12157]: Migrating existing database routes
Feb 7 10:18:58 dc2 esmith::event[12157]: Migrating existing database accounts
Feb 7 10:18:58 dc2 esmith::event[12157]: Migrating existing database hosts
Feb 7 10:18:58 dc2 esmith::event[12157]: Migrating existing database proxypass
Feb 7 10:18:58 dc2 esmith::event[12157]: Migrating existing database fwrules
Feb 7 10:18:58 dc2 esmith::event[12157]: Migrating existing database fwservices
Feb 7 10:18:58 dc2 esmith::event[12157]: Migrating existing database portforward
Feb 7 10:18:58 dc2 esmith::event[12157]: Migrating existing database tc
Feb 7 10:18:58 dc2 esmith::event[12157]: Migrating existing database dhcp
Feb 7 10:18:58 dc2 esmith::event[12157]: Migrating existing database vpn
Feb 7 10:18:58 dc2 esmith::event[12157]: Action: /etc/e-smith/events/nethserver-smartd-update/S00initialize-default-databases SUCCESS [0.777731]
Feb 7 10:18:58 dc2 systemd: Reloading.
Feb 7 10:18:58 dc2 systemd: [/usr/lib/systemd/system/microcode.service:10] Trailing garbage, ignoring.
Feb 7 10:18:58 dc2 systemd: microcode.service lacks both ExecStart= and ExecStop= setting. Refusing.
Feb 7 10:18:58 dc2 esmith::event[12157]: [INFO] service smartd restart
Feb 7 10:18:58 dc2 systemd: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
Feb 7 10:18:58 dc2 systemd: Stopping Self Monitoring and Reporting Technology (SMART) Daemon…
Feb 7 10:18:58 dc2 smartd[1004]: smartd received signal 15: Terminated
Feb 7 10:18:58 dc2 smartd[1004]: smartd is exiting (exit status 0)
Feb 7 10:18:58 dc2 systemd: Started Self Monitoring and Reporting Technology (SMART) Daemon.
Feb 7 10:18:58 dc2 systemd: Starting Self Monitoring and Reporting Technology (SMART) Daemon…
Feb 7 10:18:58 dc2 esmith::event[12157]: [INFO] smartd restart
Feb 7 10:18:58 dc2 esmith::event[12157]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.21381]
Feb 7 10:18:58 dc2 smartd[12176]: smartd 6.2 2013-07-26 r3841 [x86_64-linux-3.10.0-514.6.1.el7.x86_64] (local build)
Feb 7 10:18:58 dc2 smartd[12176]: Copyright (C) 2002-13, Bruce Allen, Christian Franke, www.smartmontools.org
Feb 7 10:18:58 dc2 smartd[12176]: Opened configuration file /etc/smartmontools/smartd.conf
Feb 7 10:18:58 dc2 smartd[12176]: Configuration file /etc/smartmontools/smartd.conf was parsed, found DEVICESCAN, scanning devices
Feb 7 10:18:58 dc2 smartd[12176]: Device: /dev/sda, type changed from ‘scsi’ to ‘sat’
Feb 7 10:18:58 dc2 smartd[12176]: Device: /dev/sda [SAT], opened
Feb 7 10:18:58 dc2 smartd[12176]: Device: /dev/sda [SAT], HGST HUS724020ALE640, S/N:PK2138P2G4D7TJ, WWN:5-000cca-24bc1ff79, FW:MJ6OA580, 2.00 TB
Feb 7 10:18:58 dc2 smartd[12176]: Device: /dev/sda [SAT], not found in smartd database.
Feb 7 10:18:58 dc2 esmith::event[12177]: Event: nethserver-hosts-update
Feb 7 10:18:59 dc2 esmith::event[12177]: Migrating existing database configuration

Don’t know if any of this helps.

BTW: I’ve done the factory reset, which then gave an error “Account provider error: invalid DN. Check Base DN, Groups DN and Users DN in Accounts provider configuration” with no option to start the server. So I uninstalled the Samba AD package and reinstalled it. The “Account provider error: invalid DN. Check Base DN, Groups DN and Users DN in Accounts provider configuration” is still there. All installs/uninstalls here were done with the web interface. On going to the “accounts provider” and clicking the “make bridge” check box (which had the correct IP of 192.168.1.5) and clicking “Start Samba”, I now get “Account provider error: invalid credentials (49)” in red on the “accounts provider” section. “Users and Groups” shows the same and here are the results in the “Domain Accounts”:

NetBIOS domain name: (DOMAINNAME 15 chars)
LDAP server: 192.168.1.5
LDAP server name: nsdc-dc2.(domainname)
Realm: (domainname)
Bind Path: dc=(DOMAINNAME ROOT),dc=INT
LDAP port: 389
Server time: Tue, 07 Feb 2017 10:47:51 EST
KDC server: 192.168.1.5
Server time offset: 0
Last machine account password change: Thu, 02 Feb 2017 10:35:28 EST

kerberos_kinit_password DC2$@(domainname) failed: Client not found in Kerberos database
kerberos_kinit_password DC2$@(domainname) failed: Client not found in Kerberos database
Join to domain is not valid: Improperly formed account name
kerberos_kinit_password DC2$@(domainname) failed: Client not found in Kerberos database
kerberos_kinit_password DC2$@(domainname) failed: Client not found in Kerberos database
kerberos_kinit_password DC2$@(domainname) failed: Client not found in Kerberos database
kerberos_kinit_password DC2$@(domainname) failed: Client not found in Kerberos database

So like last time this factory reset didn’t do what is expected. Think it needs to be reviewed by the dev team, as this is the 2nd time this has failed for me.

I’ve given all I can on this for now and I have to reset this server from scratch. I really hope you guys can review the factory reset as well as change IP procedures. Maybe they worked in 6.x but in 7 it seems to need more testing. I’ll give what time I can on this in my spare hours after I get this server running.

For the purposes of documentation here are the full settings and procedure before switching green IP:

Configuration
External Interface (motherboard gigabit nic): Static: ISP assigned 192.168.1.3 (for testing) with gateway 192.168.1.1 (router)
Internal Interface (add on Dlink gigabit card): 192.168.2.2, gateway: 192.168.2.2, DNS 192.168.2.2 (external DNS)
Disk Config: Root/Swap on RAID 10, boot on raid 1

installed base
updated to latest updates using web interface
Installed Samba, File Server, Samba AD, Cups, Bandwidth monitor, basic firewall, simple bandwidth monitor, OpenVPN, statistics and UPS Support, nextserver, jabber server

Set up The Samba AD, created 3 users, joined the domain with one laptop. Set up firewall rules to allow OpenVPN users to access network while using VPN. set backup of data to remove NAS. Tested OpenVPN access, and Internet access and Jabber server. All working as expected.

The next Saturday net admin switched the external IP to match ISP setting and moved the green interface from 192.168.2.2 to 192.168.1.1 and added entries in DHCP with reservations.

Later I discovered (of course) the domain AD was non-functional. That in a nutshell is how the server was set up (real, not VM) before we changed the Green interface. We had a few servers we needed to keep in the same subnet and our tests had to be isolated so that is why we changed the green interface (otherwise it would have conflicted with our router).


Thank you very much for your recap. I think many sysadmins would apply a similar approach: this “user story” definitely deserves a better support from NethServer!

For this reason I think we should improve the IP changing procedure for the DC.

Thanks to your experience and your help I fixed some errors in the documentation. Now we could design a web interface feature for it.

However we must remember that Samba Active Directory has some pitfalls in this scenario and that changing the IP address of a domain controller is dangerous in production environments.

I would add another scenario. I set up my server in my office and I need to use the network IPs to test the configuration out. The day after I deliver the server to the client and clearly I need to adapt the IP configuration with the new network. It turns out that I definitely need to change the DC container IP, right?
The only workaround that comes to my mind is, known in advance the client’s configuration, setting up a similar virtual network in my office.


Did this ever get implemented? I have just changed my ip space from 192.168.178 to 192.168.188 (don’t ask) and nethserver is running fine but AD is still using an address in 192.168.178. My AD has precisely 1 user so am more than happy to nuke AD and set up again from scratch. The oddest bit is that I can still login using my username/password on AD but when I go to users/groups it says there aren’t any (which is what I expected)


Seems so.

Any idea where I find the dialog? I tried Services->nsdc->Edit but it doesn’t look at all like the dialog in the post (just have name, TCP ports, UDP ports and access).

Many thanks

Andrew

Maybe from applications, then AD? IDK, I currently don’t use that feature so I don’t have so much experience on that.
Anyway… there’s still the “shell way”… :wink:
as stated by docs, dude
https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-dc.html#changing-the-ip-address-of-dc