Displaying 20 results from an estimated 1000 matches similar to: "Identity change between pkinit and TGS"
2012 Dec 02
1
samba / winbind user authentication problem
Hi,
I have a problem with samba / winbind PAM authentication. Domain
controller is samba4, machines users log on to via PAM are samba 3.6
(all of them ubuntu 12.04 LTS). The whole user authentication was
working already, but after a reboot it somehow broke. Additional reboots
don't help.
The funny thing is that all logs look quite OK to me (except for the
single line saying
2017 Dec 27
0
AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
There is additional info in the logs of the source DC (dcdo1, log level
2, manually triggered another replication):
====================
[2017/12/27 12:31:29.695121, 2]
../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)
../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on
DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415)
[2017/12/27
2017 Dec 27
0
AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Rowland,
- the DN "CN=DCNH1,..." exists on all 3 DCs (pointing the Sites and
Services console to each of them).
- I also checked that "samba-tool dbcheck" completes w/o showing errors.
- the objectGUID DNS aliases of all DCs are resolvable against all 3
DCs' builtin DNS
- I forced a full sync from the FSMO holder (dcge1) to the 2 other DCs
which finished w/o errors.
-
2017 Dec 27
2
AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
We have 3 ADCs based on Samba-4.7.4 (compiled from source,internal DNS)/
CentOS7: dcdo1,dcnh1 and dcge1. dcge1 holds all FSMO roles. The 3 ADCs
are on different locations connected via IPSec based VPN. No traffic is
filtered out.
All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom:
[root at dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com
dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com
2016 Aug 22
1
Upgrade 4.2.14 --> 4.3.11
Hi,
I had Samba 4.2.14 working as AD DC with shares. After upgrade to version 4.3.11 AD DC authentication, ADUC, etc, stopped working. Shares still work fine.
OS. Oracle Linux 6.x with UEK, uptodate. Samba compiled from source.
Upgrade procedure (nothing special):
./configure --enable-selftest
make
make install
Testparm output:
# Global parameters
[global]
workgroup = EXAMPLE
realm =
2017 Dec 27
2
AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
On Wed, 27 Dec 2017 13:00:05 +0100
"Dr. Johannes-Ulrich Menzebach via samba" <samba at lists.samba.org> wrote:
> There is additional info in the logs of the source DC (dcdo1, log
> level 2, manually triggered another replication):
> ====================
> [2017/12/27 12:31:29.695121, 2]
>
2018 Jan 16
0
AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Hi Heinz,
> i have the same problem on samba 4.7.3 and 4.7.4.
> I start with 2 DCs and the sync works fine. After the join of a third
> DC mostly i get the WERR_DS_DRA_ACCESS_DENIED. I tested it for 10
> times.
>
> in my case i have:
> DC1 (with any FSMO Roles)
> DC2
>
> new join as DC:
> DC3
>
> After the join, the sync from DC2 to DC3 fails.
>
>
2018 Jan 16
0
AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
no, it seems to work!!!
i did a ldapmodify on DC2:
ldapmodify -x -h dc2 -D cn=administrator,cn=users,dc=test,dc=net -W -f
serverReference.ldif
serverReference.ldif:
dn: CN=SAMBA3,CN=Servers,CN=Default-First-
SiteName,CN=Sites,CN=Configuration,DC=test,DC=net
changetype: modify
add: serverReference
serverReference: CN=SAMBA3,OU=Domain Controllers,DC=test,DC=net
-
now the question:
Why the
2018 Jan 16
0
AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
on DC2 in the log i found:
./source4/dsdb/common/util.c:4807: Failed to find account dn
(serverReference) for CN=SAMBA3,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=test,DC=net, parent of DSA with
objectGUID c01a335e-1794-4997-9c7e-553be77fba04, sid S-1-5-21-
1608159440-4144762864-1017073214-18962
../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
DsReplicaUpdateRefs
2018 Feb 12
0
AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Hi Heinz and Johannes,
> I had exactly the same problem, and used ldbedit to apply the fix.
> Thanks for digging into this!
>
> Now I'm interested in the root cause as well ...
I just had a client calling with a replication issue due to the exact
same error. The domain was initially build on 4.7.1, upgraded to 4.7.3,
and it was also missing the serverReference attribute on one
2018 Apr 04
2
AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Same error here...
root at samba01:~# samba-tool ldapcmp ldap://samba01 ldap://samba02 -Uadministrator --filter=CN,DC,member CONFIGURATION
Password for [LAURENZ\administrator]:
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1631
Comparing:
'CN=SAMBA03,CN=Servers,CN=Harz,CN=Sites,CN=Configuration,DC=local,DC=laurenz,DC=ws' [ldap://samba01]
2018 Jan 16
2
AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Hi,
i have the same problem on samba 4.7.3 and 4.7.4.
I start with 2 DCs and the sync works fine. After the join of a third
DC mostly i get the WERR_DS_DRA_ACCESS_DENIED. I tested it for 10
times.
in my case i have:
DC1 (with any FSMO Roles)
DC2
new join as DC:
DC3
After the join, the sync from DC2 to DC3 fails.
samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net : OK
samba-tool drs replicate
2018 Jan 16
2
AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Heinz,
I had exactly the same problem, and used ldbedit to apply the fix.
Thanks for digging into this!
Now I'm interested in the root cause as well ...
Uli
Am 16.01.2018 um 16:48 schrieb Heinz Hölzl via samba:
> no, it seems to work!!!
>
>
> i did a ldapmodify on DC2:
>
> ldapmodify -x -h dc2 -D cn=administrator,cn=users,dc=test,dc=net -W -f
> serverReference.ldif
2018 Jan 16
4
AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Hi,
there is no firewall, all DCs are in the same subnet.
here ist the output of a test, you can see, the CNAME guid entries in
the _msdcs can be resolved on any DC: (DC1 and DC2 are the first and
second DCs, SAMBA3 was added at last.
ldbsearch -H /srv/samba/private/sam.ldb '(invocationId=*)' --cross-ncs
objectguid
# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-
2014 Nov 10
0
User's DPAPI/backupkey protected data lost when changing domain password
After a user changes their password (CTRL-ALT-DEL) in our Samba 4 domain
(4.1.12) they lose access to any stored passwords on their Windows PC.
I've set the log level in smb.conf to 4 and enabled the GPO to record DPAPI
log entries in Windows to get the below log data.
My reading of the two is that the Windows PC believes it is failing to reset
the access to its DPAPI store (where the saved
2015 Jul 01
3
strange: 20 characters max in samAccountName
Hi all,
Sernet Samba 4.2.2 as Active Directory on Debian 7.8. No other DC.
I can't log in with on Windows systems (Windows 7) when samAccountName are
longer than 20 characters. This seems to be a LAN MAN or NT4 limitation
which should not happen on AD domain.
Any idea what could leads my to that limitation?
I can log in using administrator account or any other having a short
(enough)
2018 Mar 04
1
Samba AD + Kerbero + NFS "Client no longer in database"
I am soo lost trying to get Samba AD 4.7.5 as a Kerberos source for
NFSv4. The NFS server is the Samba AD server running Ubuntu Server
16.0.4.3 and the client is Linux Mint 18.3
This export WORKS and mounts on client
########## /etc/exports ##########
/mnt/fileshare *(rw,no_subtree_check,async)
############################
This export DOES NOT
########## /etc/exports ##########
2016 Jun 24
0
Login not possible / machine account issues
Hi,
Did you find any solution?
I am facing exactly the same scenario.
-CentOS 6.7
-Samba Version 4.4.3
-BIND_DLZ 9.9.8
Some workstations suddenly are unable to login, unless I reboot or rejoin
the domain. The only odd event I see in the client is the one already said:
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Event ID: 4
Task Category:
2016 Jul 17
1
Winbindd segfaults with bind9-dlz trying to login via libwinbind-pam
Hello,
I just found and odd behaviour here on my test environment (debian
jessie with samba 4.4.5 backported from sid).
I create and ad-dc as usual, adjust nsswitch.conf and enable
pam-auth-winbind (ruuning pam-auth-update). I also define /bin/bash as
template shell.
Now after i create an samba-user and the users home directory
(/home/DOMAIN/achim).
I can login with that account on the
2013 Aug 07
2
Samba 4 empty password
Hello,
We are trying to setup a SAMBA-Server with users that have empty passwords.
We are using:
Samba 4.0.8
Kernel 3.10.5
Slackware 14.0 x64
When we set a password the login successes!
That's what we get when trying to login:
[2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ media1 at BC from ipv4:10.0.99.100:62078 for