Desde que actualicé a Debian Bullseye, los clientes nfs dejaron de funcionar:
# mount -vvt nfs4 -o sec=krb5 nfs11:/srv /mnt
mount.nfs4: timeout set for Wed Sep 15 20:25:49 2021
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=x.y.11.63,clientaddr=x.y.11.42'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs11:/srv
Cuando instalo el kernel 5.9 (linux-image-5.9.0-0.bpo.5-cloud-amd64) en el mismo sistema, funciona.
También probé:
- Kernel de prueba de Debian (kernel 5.14): no funciona
- Ubuntu 21.10 Impish (kernel 5.13): no funciona
- Ubuntu 20.04 Focal (kernel 5.4) - funciona
Siempre que todos los sistemas tengan una configuración NFS/Kerberos idéntica, mi conclusión: algo ha cambiado en el kernel que no permite montar recursos compartidos NFS/Kerberos.
- Mi KDC - Samba4 AD
- Mi configuración de Kerberos y NFS es bastante estándar, como en cualquier manual
- HOSTNAME$@REALM nfs/fqdn@REALM host/... los principios están en la pestaña de claves del cliente y del servidor
Puse RPCGSSDOPTS="-vvv"/etc/default/nfs-common para depurar. En los siguientes registros:
- nfs11 - mi servidor nfs de prueba (Debian 11, kernel 5.10)
- tst2 - mi cliente nfs de prueba (Debian 11)
Aquí está el syslog cuando el cliente intenta montar el recurso compartido nfs:
El cliente nfs se inició con el kernel 5.9 (se monta correctamente)
rpc.gssd[446]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2' (nfs/clnt0)
rpc.gssd[446]: krb5_use_machine_creds: uid 0 tgtname (null)
rpc.gssd[446]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[446]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[446]: Success getting keytab entry for '[email protected]'
rpc.gssd[446]: gssd_get_single_krb5_cred: principal '[email protected]' ccache:'FILE:/tmp/krb5ccmachine_MY.DOMAIN'
rpc.gssd[446]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631755378
rpc.gssd[446]: creating tcp client for server nfs11.my.domain
rpc.gssd[446]: DEBUG: port already set to 2049
rpc.gssd[446]: creating context with server [email protected]
rpc.gssd[446]: doing downcall: lifetime_rec=36000 [email protected]
rpc.gssd[446]: #012handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2' (nfs/clnt0)
rpc.gssd[446]: krb5_use_machine_creds: uid 0 tgtname (null)
rpc.gssd[446]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[446]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[446]: Success getting keytab entry for '[email protected]'
rpc.gssd[446]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631755378
rpc.gssd[446]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631755378
rpc.gssd[446]: creating tcp client for server nfs11.my.domain
rpc.gssd[446]: DEBUG: port already set to 2049
rpc.gssd[446]: creating context with server [email protected]
rpc.gssd[446]: doing downcall: lifetime_rec=36000 [email protected]
nfsidmap[524]: key: 0x3b88d120 type: uid value: [email protected] timeout 600
nfsidmap[524]: nfs4_name_to_uid: calling nsswitch->name_to_uid
nfsidmap[524]: nss_getpwnam: name '[email protected]' domain 'my.domain': resulting localname 'root'
nfsidmap[524]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
nfsidmap[524]: nfs4_name_to_uid: final return value is 0
nfsidmap[525]: key: 0x317cb571 type: gid value: [email protected] timeout 600
nfsidmap[525]: nfs4_name_to_gid: calling nsswitch->name_to_gid
nfsidmap[525]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
nfsidmap[525]: nfs4_name_to_gid: final return value is 0
Cliente nfs arrancado con kernel 5.10 (no se monta)
rpc.gssd[450]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,3,1,2' (nfs/clnt3)
rpc.gssd[450]: krb5_use_machine_creds: uid 0 tgtname (null)
rpc.gssd[450]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[450]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[450]: Success getting keytab entry for '[email protected]'
rpc.gssd[450]: gssd_get_single_krb5_cred: principal '[email protected]' ccache:'FILE:/tmp/krb5ccmachine_MY.DOMAIN'
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631656676
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631629984
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server [email protected]
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server [email protected]
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server [email protected]
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server [email protected]
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server nfs11.my.domain
rpc.gssd[450]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[450]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[450]: Success getting keytab entry for '[email protected]'
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631656676
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631656676
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631629984
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server [email protected]
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server [email protected]
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server [email protected]
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server [email protected]
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: ERROR: Failed to create machine krb5 context with any credentials cache for server nfs11.my.domain
rpc.gssd[450]: doing error downcall
Busqué mucho en Google y no encontré nada relacionado... Actualmente, como solución alternativa, ejecuto un kernel con versiones anteriores en todos los sistemas cliente nfs. Pero creo que es peligroso y algo me dice que puede romperse en cualquier momento.
¿Alguien ha experimentado tal problema? ¿Quizás debería ajustar algo para que coincida con los cambios en el kernel? ¿Quizás debería corregir el error del kernel?
ACTUALIZAR. Se agregaron registros de KDC.
KDC durante el montaje desde un cliente con kernel 5.9: correctamente
[2021/09/21 21:55:12.061264, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2021/09/21 21:55:44.743415, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ [email protected] from ipv4:x.y.11.42:38701 for krbtgt/[email protected]
[2021/09/21 21:55:44.747105, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 150, 149
[2021/09/21 21:55:44.747154, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- [email protected]
[2021/09/21 21:55:44.747178, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- [email protected]
[2021/09/21 21:55:44.747209, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- [email protected]
[2021/09/21 21:55:44.751030, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ [email protected] from ipv4:x.y.11.42:50506 for krbtgt/[email protected]
[2021/09/21 21:55:44.753959, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2021/09/21 21:55:44.754060, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- [email protected]
[2021/09/21 21:55:44.754114, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- [email protected]
[2021/09/21 21:55:44.754187, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- [email protected] using arcfour-hmac-md5
[2021/09/21 21:55:44.754275, 3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[[email protected]] at [Tue, 21 Sep 2021 21:55:44.754261 +06] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:x.y.11.42:50506] became [MYDOM]\[tst2$] [S-1-5-21-3408476796-3867293677-901807371-6619]. local host [NULL]
{"timestamp": "2021-09-21T21:55:44.754359+0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "dd24014b273cc7a8", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:x.y.11.42:50506", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "[email protected]", "workstation": null, "becameAccount": "tst2$", "becameDomain": "MYDOM", "becameSid": "S-1-5-21-3408476796-3867293677-901807371-6619", "mappedAccount": "tst2$", "mappedDomain": "MYDOM", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5", "duration": 3366}}
[2021/09/21 21:55:44.761108, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2021-09-21T21:55:44 starttime: unset endtime: 2021-09-22T07:55:44 renew till: 2021-09-22T21:55:44
[2021/09/21 21:55:44.761282, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96, using arcfour-hmac-md5/arcfour-hmac-md5
[2021/09/21 21:55:44.761368, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: renewable-ok, forwardable
[2021/09/21 21:55:44.767382, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ [email protected] from ipv4:x.y.11.42:39570 for nfs/[email protected] [canonicalize, renewable, forwardable]
[2021/09/21 21:55:44.773999, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ authtime: 2021-09-21T21:55:44 starttime: 2021-09-21T21:55:44 endtime: 2021-09-22T07:55:44 renew till: 2021-09-22T21:55:44
[2021/09/21 21:55:44.774695, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
KDC durante el montaje desde un cliente con kernel 5.10: no se pudo montar
[2021/09/22 00:31:39.893723, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ [email protected] from ipv4:x.y.11.42:46094 for krbtgt/[email protected]
[2021/09/22 00:31:39.899112, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 150, 149
[2021/09/22 00:31:39.899162, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- [email protected]
[2021/09/22 00:31:39.899186, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- [email protected]
[2021/09/22 00:31:39.899221, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- [email protected]
[2021/09/22 00:31:39.901942, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ [email protected] from ipv4:x.y.11.42:39303 for krbtgt/[email protected]
[2021/09/22 00:31:39.905030, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2021/09/22 00:31:39.905080, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- [email protected]
[2021/09/22 00:31:39.905105, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- [email protected]
[2021/09/22 00:31:39.905171, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- [email protected] using arcfour-hmac-md5
[2021/09/22 00:31:39.905270, 3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[[email protected]] at [Wed, 22 Sep 2021 00:31:39.905248 +06] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:x.y.11.42:39303] became [MYDOM]\[tst2$] [S-1-5-21-3408476796-3867293677-901807371-6621]. local host [NULL]
{"timestamp": "2021-09-22T00:31:39.905331+0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "8511280d720bd92c", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:x.y.11.42:39303", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "[email protected]", "workstation": null, "becameAccount": "tst2$", "becameDomain": "MYDOM", "becameSid": "S-1-5-21-3408476796-3867293677-901807371-6621", "mappedAccount": "tst2$", "mappedDomain": "MYDOM", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5", "duration": 3429}}
[2021/09/22 00:31:39.912509, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2021-09-22T00:31:39 starttime: unset endtime: 2021-09-22T10:31:39 renew till: 2021-09-23T00:31:39
[2021/09/22 00:31:39.912597, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96, using arcfour-hmac-md5/arcfour-hmac-md5
[2021/09/22 00:31:39.912663, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: renewable-ok, forwardable
[2021/09/22 00:31:39.918313, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ [email protected] from ipv4:x.y.11.42:59850 for nfs/[email protected] [canonicalize, renewable, forwardable]
[2021/09/22 00:31:39.924869, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ authtime: 2021-09-22T00:31:39 starttime: 2021-09-22T00:31:39 endtime: 2021-09-22T10:31:39 renew till: 2021-09-23T00:31:39
[2021/09/22 00:31:39.925340, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2021/09/22 00:31:39.928319, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ [email protected] from ipv4:x.y.11.42:59852 for nfs/[email protected] [renewable, forwardable]
[2021/09/22 00:31:39.930936, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Server (nfs/[email protected]) has no support for etypes
[2021/09/22 00:31:39.930998, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed building TGS-REP to ipv4:x.y.11.42:59852
[2021/09/22 00:31:39.931336, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Veo error. Google encuentra problemas antiguos relacionados con tipos de enc antiguos, nada útil. Todos los paquetes están actualizados.Server (nfs/[email protected]) has no support for etypes
He progresado un poco gracias a los comentarios. Instalé Samba DC nuevo, uní tanto el cliente (kernel 5.10) como el servidor al nuevo KDC, ¡y funcionó! El nuevo KDC permite a los clientes NFS con cualquier kernel montar recursos compartidos. Parece que el problema está en mi producción Samba DC. Miré las bases de datos ldap y parece que son similares, excepto muy pocas adiciones en CC nuevas, como 3 objetos nuevos y algunos campos. Actualmente no sé qué debo modificar en el DC de producción para que se comporte como uno nuevo. La reinstalación sería el último recurso, porque implica MUCHO tiempo.
El DC de producción se creó hace mucho tiempo y se migró varias veces mediante copias de seguridad o replicación de Samba estándar. Producción e información reciente de DC:
- oEMInformación: proporcionada por SAMBA 4.1.6-Ubuntu
- oEMInformation: Provisto por SAMBA 4.13.5-Debian
Actualmente, los DC se ejecutan bajo sistemas operativos Debian idénticos.
ACTUALIZACIÓN 2. ¡Resuelto!
Vea la solución a continuación.
Respuesta1
Linux eliminó el soporte para RC4-HMAC-MD5 de Kerberos en 5.10. Su cliente usa ese tipo de cifrado como se puede ver en la salida del registro del servidor:
[2021/09/21 21:55:44.761282, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96, using arcfour-hmac-md5/arcfour-hmac-md5
Si los tipos AES estuvieran disponibles, Samba debería haber elegido aes256-cts-hmac-sha1-96.
No está en ninguno de sus registros, pero supongo que el TGS-REQ defectuoso solicita des3-cbc-sha1, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96. Esto se puede verificar iniciando rpc.gssd con los parámetros -vvvrr. En ese caso, la cuenta AD del cliente no tiene habilitados los tipos de cifrado requeridos. Esto sucederá si el cliente se unió al dominio en un momento en que Samba no admitía AES. Puede habilitar los tipos de cifrado restableciendo la contraseña de la cuenta AD del cliente o volviendo a unirse al dominio. También deberá asegurarse de que los tipos de cifrado se agreguen a la tabla de claves del cliente. Esto se puede verificar ejecutándose klist -keen el cliente.
En caso de que utilice entidades de servicio específicas, asegúrese deagregar explícitamente los tipos de cifrado a la cuenta del cliente(en la ejecución del ADC net ads enctypes set <ACCOUNTNAME> 24). De lo contrario, sólo se exportarán los tipos ARCFOUR.
Respuesta2
La solución en mi caso fue la siguiente: intenté hacer que LDAP DB en mi DC de producción pareciera LDAP DB en el DC nuevo (que está funcionando). Entonces cambié algunos campos. Reinicié todo. ¡Y funcionó!
Lo que cambié exactamente.
Agregué/cambié los siguientes campos en el objeto dn: DC=my,DC=domainusando ldbedit -H /var/lib/samba/private/sam.ldb:
msDS-Behavior-Version: 4
msDS-NcType: 0
serverState: 1
El DC de producción cambió de nombre en el pasado, pero encontré restos (nombres antiguos) en los siguientes objetos:
dn: CN=<old-name>,CN=*,CN=ypServ30,CN=RpcServices,CN=System,DC=my,DC=domain
Solucioné esto cambiándoles el nombre con ldbrename, por ejemplo:
ldbrename -H /var/lib/samba/private/sam.ldb 'CN=<old-name>,CN=bootparams,CN=ypServ30,CN=RpcServices,CN=System,DC=my,DC=domain' 'CN=<actual-name>,CN=bootparams,CN=ypServ30,CN=RpcServices,CN=System,DC=my,DC=domain'
Quizás no todos estos cambios fueran necesarios, pero ahora funciona. ¡Gracias por tus comentarios!