Displaying 20 results from an estimated 400 matches similar to: "Samba4 and GSSAPI based authentication for OpenSSH"
2014 Sep 12
1
Group Policy failures related to machine password replication
We are using Samba-4.1.11.
I can run gpupdate /force without error on my machine.
H:\>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object
H:\>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New
2017 Mar 13
2
AD replication issue
I believe the problem is a lack of outbound replication for non PDC
emulator DCs. You'll notice isn't even trying because last successful
was epoch (never) yet there are no errors. Inbound replication for this
DC seems fine.
[root at vsc-dc02 ~]# samba-tool drs showrepl
[...]==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=mediture,DC=dom
aws\AWS-DC01 via RPC
DSA object GUID:
2017 Mar 13
3
AD replication issue
On 3/13/2017 2:15 PM, Arthur Ramsey via samba wrote:
> Upgraded to 4.6.0 on all nodes. Still seeing the same issue.
>
> If I create an object on vsc-dc02, epo-dc01 or aws-dc01 DCs it doesn't
> replicate. If I create it on vsc-dc01 (PDC emulator) then it does
> replicate.
>
> On 03/13/2017 12:13 PM, Arthur Ramsey wrote:
>>
>> I believe the problem is a lack
2016 Oct 14
2
Replications errors on 4.5.0 (WERR_BADFILE)
Replication has been running smoothly until I upgraded to 4.5.0. I had
various errors with all BDCs and a force sync didn't resolve it. I
shutdown all BDCs, demoted them with --remove-other-dead-server then
joined new BDCs with new names. At first replication was intermittently
failing (consecutive failures counter kept resetting), but it seemed OK,
just slow if anything. Now they all
2016 Jul 13
5
Authentication Auditing
Hello,
I'm looking for a way to log the following attributes for all
authentication activity (LDAP bind, Kerberos, SMB / CIFS, etc.).
I would like to see:
* Principle name (user name)
* Source IP
* Timestamp (including at least seconds if not milliseconds)
* Authentication result (success / failure)
* Reason for failure: bad password, account lockout, account expired,
2015 Jul 10
2
SASL DIGEST-MD5 NT_STATUS_INVALID_PARAMETER
That's too bad, I was trying to get the Vasco Identikey server working
with samba4 as a backend for FIPS 140-2 compliant OTP, which will only
bind with DIGEST-MD5. I guess I will have to join a Windows 2008 R2 to
the domain as a domain controller.
Thanks for clarifying,
Arthur
On 07/10/2015 04:38 AM, Andrew Bartlett wrote:
> On Tue, 2015-07-07 at 15:10 -0500, Arthur Ramsey wrote:
2015 Jul 07
3
SASL DIGEST-MD5 NT_STATUS_INVALID_PARAMETER
I've googled and I believe that SASL method DIGEST-MD5 is supported and
I see it in the samba startup, but it doesn't work.
ldapsearch -Y DIGEST-MD5 -h dc03.mediture.dom
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Operations error (1)
additional info: SASL:[DIGEST-MD5]: Failed to start authentication backend: NT_STATUS_INVALID_PARAMETER
[root at dc03 ~]# samba
2016 Oct 17
3
Replications errors on 4.5.0 (WERR_BADFILE)
Executing the following with nsupdate seems to have fixed replication.
update add 28f7281f-3955-4885-8a7d-42a36ee87590._msdcs.mediture.dom. 900 A 192.168.222.5
show
send
update add 8b750a53-3d39-4bc0-8fe9-9bffa9e413aa._msdcs.mediture.dom. 900 A 172.16.1.106
show
send
update add fe066b13-6f9e-4f3c-beb4-37df1292b8cb._msdcs.mediture.dom. 900 A 192.168.168.65
show
send
New DNS records I create
2016 Oct 05
1
Authentication Auditing
Hello,
I believe there may be a bug with accounts getting erroneously locked in
v4.4.5+. I've checked at all the Internet facing services to find the
source of account lockout and I've done packet captures at the DCs, but
I cannot find the source of lockout. I've got several accounts locking
out for seemingly no reason including some service accounts where the
passwords
2017 Mar 13
0
AD replication issue
Upgraded to 4.6.0 on all nodes. Still seeing the same issue.
If I create an object on vsc-dc02, epo-dc01 or aws-dc01 DCs it doesn't
replicate. If I create it on vsc-dc01 (PDC emulator) then it does
replicate.
On 03/13/2017 12:13 PM, Arthur Ramsey wrote:
>
> I believe the problem is a lack of outbound replication for non PDC
> emulator DCs. You'll notice isn't even
2017 Mar 13
0
AD replication issue
That bug is reported? Do you have a link? You're saying it is just an
issue with the logging or am I correct that this indicates an outbound
replication isn't trying.
On 03/13/2017 01:45 PM, lingpanda101 via samba wrote:
> On 3/13/2017 2:15 PM, Arthur Ramsey via samba wrote:
>> Upgraded to 4.6.0 on all nodes. Still seeing the same issue.
>>
>> If I create an
2017 Mar 14
2
AD replication issue
Changes replicate to it, but not from it.
vsc\VSC-DC02
DSA Options: 0x00000001
DSA object GUID: fe066b13-6f9e-4f3c-beb4-37df1292b8cb
DSA invocationId: 8a2b1405-07b1-4d92-89dd-1d993e59e378
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=mediture,DC=dom
vsc\DC01 via RPC
DSA object GUID: da9bb168-47a0-4368-aff3-bf06d1b869d2
Last attempt @ Tue Mar 14
2016 Oct 17
0
Replications errors on 4.5.0 (WERR_BADFILE)
I increased the debug level to 10 and found this dreplsrv_notify: Failed
to send DsReplicaSync to
fe066b13-6f9e-4f3c-beb4-37df1292b8cb._msdcs.mediture.dom for
DC=DomainDnsZones,DC=mediture,DC=dom - NT_STATUS_OBJECT_NAME_NOT_FOUND :
WERR_BADFILE. I manually created the DNS entry, but it doesn't
resolve. Other DNS records supplied by BIND_DLZ are working. I tried
adding a host file
2015 Oct 22
0
pam_winbind could not lookup name
I upgraded Samba from 4.2.0 to 4.3.1 on my domain controllers. Now on 2
of 4 I get the following.
Oct 22 15:07:38 dc01 sshd[1372]: pam_winbind(sshd:auth): getting password (0x00000250)
Oct 22 15:07:38 dc01 sshd[1372]: pam_winbind(sshd:auth): pam_get_item returned a password
Oct 22 15:07:38 dc01 sshd[1372]: pam_winbind(sshd:auth): could not lookup name: #
2016 Oct 20
2
Error joining Linux member to 4.5.0 DC: Indicates the SID structure is not valid
Error joining Linux member to Samba 4.5.0 DC.
/usr/bin/net join -w MEDITURE -S dc01.mediture.dom -U Administrator
Enter Administrator's password:
Failed to join domain: failed to lookup DC info for domain 'MEDITURE.DOM' over rpc: Indicates the SID structure is not valid.
ADS join did not work, falling back to RPC...
Thanks,
Arthur
This e-mail and any attachments may contain
2016 Oct 19
2
Replications errors on 4.5.0 (WERR_BADFILE)
The errors went away, but replication still isn't working properly.
There are objects missing on all DCs, but it isn't consistent at all.
showrepl: http://pastebin.com/bYfCZcNG
Thanks,
Arthur
On 10/17/2016 12:32 PM, Arthur Ramsey wrote:
> This fixed DNS issues.
>
> samba_upgradedns --dns-backend=BIND9_DLZ
> /usr/local/samba/bin/samba-tool domain exportkeytab
>
2017 Oct 10
3
winbind inconsistent group membership
I have 4 Samba 4.7.0 DCs. I have 3 clients using samba-winbind.x86_64
0:4.6.2-11.el7_4 with an identical configuration, which produce
inconsistent user group membership for multiple users. I've tried using
all 4 DCs explicitly (e.g., realm = dc01.mediture.dom), net cache flush
and restarting winbind. I've also tested cloning a user and setting up
the user as identical as possible:
2014 Mar 05
1
Issue moving DC to site
I'm having the same issue as the person here
<http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCcQFjAA&url=http%3A%2F%2Fforum.zentyal.org%2Findex.php%3Ftopic%3D18368.0&ei=fZ8WU4KCJLH_yQH6poDIBg&usg=AFQjCNG2y_hN3Ct-WGP9gwobz8Yrl_DKrA&sig2=jiDkFilv4DCZw50Ay5QV1w&bvm=bv.62286460,d.aWc>.
I'm using Samba-4.1.5 as PDC with 3
2015 Jul 10
1
SASL DIGEST-MD5 NT_STATUS_INVALID_PARAMETER
Yeah, I'm trying to setup the Indentikey server on Windows instead so it
uses the Windows API instead of LDAP rather than setup a Windows 2008 R2
domain controller for LDAP w/ SASL DIGEST-MD5 authentication. It seems
silly for them to use DIGEST-MD5, but that's what I stuck with for now.
If samba4 could support DIGEST-MD5 that would be great.
Thanks,
Arthur
On 07/10/2015 03:29 PM,
2016 Oct 20
2
Error joining Linux member to 4.5.0 DC: Indicates the SID structure is not valid
On Thu, 20 Oct 2016 20:21:17 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 20 Oct 2016 14:06:18 -0500
> Arthur Ramsey via samba <samba at lists.samba.org> wrote:
>
> > On 10/20/2016 01:52 PM, Rowland Penny via samba wrote
> > > Have you given Administrator a uidNumber attribute ?
> > Yes, I have.
> > >
> > >