similar to: Samba4 and GSSAPI based authentication for OpenSSH

Displaying 20 results from an estimated 400 matches similar to: "Samba4 and GSSAPI based authentication for OpenSSH"

2014 Sep 12
1
Group Policy failures related to machine password replication
We are using Samba-4.1.11. I can run gpupdate /force without error on my machine. H:\>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini [General] Version=65551 displayName=New Group Policy Object H:\>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini [General] Version=65551 displayName=New
2017 Mar 13
2
AD replication issue
I believe the problem is a lack of outbound replication for non PDC emulator DCs. You'll notice isn't even trying because last successful was epoch (never) yet there are no errors. Inbound replication for this DC seems fine. [root at vsc-dc02 ~]# samba-tool drs showrepl [...]==== OUTBOUND NEIGHBORS ==== DC=DomainDnsZones,DC=mediture,DC=dom aws\AWS-DC01 via RPC DSA object GUID:
2017 Mar 13
3
AD replication issue
On 3/13/2017 2:15 PM, Arthur Ramsey via samba wrote: > Upgraded to 4.6.0 on all nodes. Still seeing the same issue. > > If I create an object on vsc-dc02, epo-dc01 or aws-dc01 DCs it doesn't > replicate. If I create it on vsc-dc01 (PDC emulator) then it does > replicate. > > On 03/13/2017 12:13 PM, Arthur Ramsey wrote: >> >> I believe the problem is a lack
2016 Oct 14
2
Replications errors on 4.5.0 (WERR_BADFILE)
Replication has been running smoothly until I upgraded to 4.5.0. I had various errors with all BDCs and a force sync didn't resolve it. I shutdown all BDCs, demoted them with --remove-other-dead-server then joined new BDCs with new names. At first replication was intermittently failing (consecutive failures counter kept resetting), but it seemed OK, just slow if anything. Now they all
2016 Jul 13
5
Authentication Auditing
Hello, I'm looking for a way to log the following attributes for all authentication activity (LDAP bind, Kerberos, SMB / CIFS, etc.). I would like to see: * Principal name (user name) * Source IP * Timestamp (including at least seconds if not milliseconds) * Authentication result (success / failure) * Reason for failure: bad password, account lockout, account expired,
2015 Jul 10
2
SASL DIGEST-MD5 NT_STATUS_INVALID_PARAMETER
That's too bad, I was trying to get the Vasco Identikey server working with samba4 as a backend for FIPS 140-2 compliant OTP, which will only bind with DIGEST-MD5. I guess I will have to join a Windows 2008 R2 to the domain as a domain controller. Thanks for clarifying, Arthur On 07/10/2015 04:38 AM, Andrew Bartlett wrote: > On Tue, 2015-07-07 at 15:10 -0500, Arthur Ramsey wrote:
2015 Jul 07
3
SASL DIGEST-MD5 NT_STATUS_INVALID_PARAMETER
I've googled and I believe that SASL method DIGEST-MD5 is supported and I see it in the samba startup, but it doesn't work. ldapsearch -Y DIGEST-MD5 -h dc03.mediture.dom SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Operations error (1) additional info: SASL:[DIGEST-MD5]: Failed to start authentication backend: NT_STATUS_INVALID_PARAMETER [root at dc03 ~]# samba
2016 Oct 17
3
Replications errors on 4.5.0 (WERR_BADFILE)
Executing the following with nsupdate seems to have fixed replication. update add 28f7281f-3955-4885-8a7d-42a36ee87590._msdcs.mediture.dom. 900 A 192.168.222.5 show send update add 8b750a53-3d39-4bc0-8fe9-9bffa9e413aa._msdcs.mediture.dom. 900 A 172.16.1.106 show send update add fe066b13-6f9e-4f3c-beb4-37df1292b8cb._msdcs.mediture.dom. 900 A 192.168.168.65 show send New DNS records I create
2016 Oct 05
1
Authentication Auditing
Hello, I believe there may be a bug with accounts getting erroneously locked in v4.4.5+. I've checked all the Internet-facing services to find the source of account lockout and I've done packet captures at the DCs, but I cannot find the source of lockout. I've got several accounts locking out for seemingly no reason including some service accounts where the passwords
2017 Mar 13
0
AD replication issue
Upgraded to 4.6.0 on all nodes. Still seeing the same issue. If I create an object on vsc-dc02, epo-dc01 or aws-dc01 DCs it doesn't replicate. If I create it on vsc-dc01 (PDC emulator) then it does replicate. On 03/13/2017 12:13 PM, Arthur Ramsey wrote: > > I believe the problem is a lack of outbound replication for non PDC > emulator DCs. You'll notice isn't even
2017 Mar 13
0
AD replication issue
That bug is reported? Do you have a link? You're saying it is just an issue with the logging or am I correct that this indicates an outbound replication isn't trying. On 03/13/2017 01:45 PM, lingpanda101 via samba wrote: > On 3/13/2017 2:15 PM, Arthur Ramsey via samba wrote: >> Upgraded to 4.6.0 on all nodes. Still seeing the same issue. >> >> If I create an
2017 Mar 14
2
AD replication issue
Changes replicate to it, but not from it. vsc\VSC-DC02 DSA Options: 0x00000001 DSA object GUID: fe066b13-6f9e-4f3c-beb4-37df1292b8cb DSA invocationId: 8a2b1405-07b1-4d92-89dd-1d993e59e378 ==== INBOUND NEIGHBORS ==== DC=DomainDnsZones,DC=mediture,DC=dom vsc\DC01 via RPC DSA object GUID: da9bb168-47a0-4368-aff3-bf06d1b869d2 Last attempt @ Tue Mar 14
2016 Oct 17
0
Replications errors on 4.5.0 (WERR_BADFILE)
I increased the debug level to 10 and found this dreplsrv_notify: Failed to send DsReplicaSync to fe066b13-6f9e-4f3c-beb4-37df1292b8cb._msdcs.mediture.dom for DC=DomainDnsZones,DC=mediture,DC=dom - NT_STATUS_OBJECT_NAME_NOT_FOUND : WERR_BADFILE. I manually created the DNS entry, but it doesn't resolve. Other DNS records supplied by BIND_DLZ are working. I tried adding a host file
2015 Oct 22
0
pam_winbind could not lookup name
I upgraded Samba from 4.2.0 to 4.3.1 on my domain controllers. Now on 2 of 4 I get the following. Oct 22 15:07:38 dc01 sshd[1372]: pam_winbind(sshd:auth): getting password (0x00000250) Oct 22 15:07:38 dc01 sshd[1372]: pam_winbind(sshd:auth): pam_get_item returned a password Oct 22 15:07:38 dc01 sshd[1372]: pam_winbind(sshd:auth): could not lookup name: #
2016 Oct 20
2
Error joining Linux member to 4.5.0 DC: Indicates the SID structure is not valid
Error joining Linux member to Samba 4.5.0 DC. /usr/bin/net join -w MEDITURE -S dc01.mediture.dom -U Administrator Enter Administrator's password: Failed to join domain: failed to lookup DC info for domain 'MEDITURE.DOM' over rpc: Indicates the SID structure is not valid. ADS join did not work, falling back to RPC... Thanks, Arthur
2016 Oct 19
2
Replications errors on 4.5.0 (WERR_BADFILE)
The errors went away, but replication still isn't working properly. There are objects missing on all DCs, but it isn't consistent at all. showrepl: http://pastebin.com/bYfCZcNG Thanks, Arthur On 10/17/2016 12:32 PM, Arthur Ramsey wrote: > This fixed DNS issues. > > samba_upgradedns --dns-backend=BIND9_DLZ > /usr/local/samba/bin/samba-tool domain exportkeytab >
2017 Oct 10
3
winbind inconsistent group membership
I have 4 Samba 4.7.0 DCs. I have 3 clients using samba-winbind.x86_64 0:4.6.2-11.el7_4 with an identical configuration, which produce inconsistent user group membership for multiple users. I've tried using all 4 DCs explicitly (e.g., realm = dc01.mediture.dom), net cache flush and restarting winbind. I've also tested cloning a user and setting up the user as identical as possible:
2014 Mar 05
1
Issue moving DC to site
I'm having the same issue as the person here <http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCcQFjAA&url=http%3A%2F%2Fforum.zentyal.org%2Findex.php%3Ftopic%3D18368.0&ei=fZ8WU4KCJLH_yQH6poDIBg&usg=AFQjCNG2y_hN3Ct-WGP9gwobz8Yrl_DKrA&sig2=jiDkFilv4DCZw50Ay5QV1w&bvm=bv.62286460,d.aWc>. I'm using Samba-4.1.5 as PDC with 3
2015 Jul 10
1
SASL DIGEST-MD5 NT_STATUS_INVALID_PARAMETER
Yeah, I'm trying to set up the Identikey server on Windows instead so it uses the Windows API instead of LDAP rather than set up a Windows 2008 R2 domain controller for LDAP w/ SASL DIGEST-MD5 authentication. It seems silly for them to use DIGEST-MD5, but that's what I stuck with for now. If samba4 could support DIGEST-MD5 that would be great. Thanks, Arthur On 07/10/2015 03:29 PM,
2016 Oct 20
2
Error joining Linux member to 4.5.0 DC: Indicates the SID structure is not valid
On Thu, 20 Oct 2016 20:21:17 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote: > On Thu, 20 Oct 2016 14:06:18 -0500 > Arthur Ramsey via samba <samba at lists.samba.org> wrote: > > > On 10/20/2016 01:52 PM, Rowland Penny via samba wrote > > > Have you given Administrator a uidNumber attribute ? > > Yes, I have. > > > > > >