similar to: samba AD - bind - deleted DNS entries are not removed completely

To answer my own question: Yes, it's seems like a feature. I ran basic ldbsearch query: ldbsearch -H /usr/local/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=mydomain,DC=com" and saw in output entries with: dNSTombstoned: TRUE Overall there are a couple hundred entries with as such. So now my question is: How can I safely remove them, any tips/guideliness? I thought that

So in my case - is it safe to delete directly using ldbdel or using windows ADSI gui ldap editor? Or is there another way? What is the right way to do it? something like: ldbdel -H /usr/local/samba/private/sam.ldb -b"DC=DomainDnsZones,DC=mydomain,DC=com '(dNSTombstoned: TRUE)' ? I read in samba 4.9 new features release notes about scavenging but I'm not sure if it's the

W dniu 21.11.2018 o 21:09, Rowland Penny via samba pisze: > On Wed, 21 Nov 2018 20:48:34 +0100 > Kacper Wirski via samba <samba at lists.samba.org> wrote: > >> So in my case - is it safe to delete directly using ldbdel or using >> windows ADSI gui ldap editor? Or is there another way? What is the >> right way to do it? >> >> something like: >>

Hello, Since noone answered, I'll add some more information - maybe I'm unclear about the nature of the issue? I re-read samba wiki, especially about DNS management and I didn't find any information pointing to such behaviour. I was deleting all entries using windows DNS management console (which is in the sama wiki, so I suppose it's supported) I don't have

Hello! After process, error continue...... ---------------------------------------------------------------- C: \ Users \ USER1XXX> gpupdate / force Updating Policy ... Unable to update user policy successfully. The following errors for found: Group Policy was not processed. Windows was unable to apply the settings registry-based policy for the LDAP Group Policy object LDAP://CN

Ok, I finally could try it out, and it seems to actually work, but You need samba 4.7 on all machines, not only AD, but also server with freeradius. I didn't get a chance to test it locally, that is samba AD + freeradius on the same server. Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work (got simple "nt_status_wrong_password") but: 4.7.6 AD and 4.7.1

It is an issue that I myself would also like to solve. I found multiple threads in samba and freeradius mailing lists. It seems that every couple of months there is question like this either here on FR mailing list and all point down to the same issue, that is: freeradius uses ntlm_auth (even when using winbind with newer freeradius versions, it also in the end uses ntlm_auth). And since

Hello, Thank You for fast response. I'm glad that it's a mistake somewhere on my side, it means it will work when I fix it :) Ok, first of all: Everything is on centos 7.4 All config files will be below, but to start off: behaviour is stranger than I thought, but there is a pattern: when doing [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V Using default cache: /tmp/krb5cc_101003

Hello, I stumbled upon weird error/bug. My setup: 4.8.3 AD on centos 7.5 (compiled from source). BIND as dns running on AD DC with secure dns updates setup and working. Most of the DNS updates are dynamic, some added manually using windows DNS manager. One of the PTR entries in reverse lookup zone went missing. It's not visible in the windows DNS manager, it's nowhere to be found

On 03/06/2019 12:29, Kacper Wirski via samba wrote: > Hello, > > Since nobody picked this up I will try to answer myself (hopefully > correctly). > > I think I just misread documentation on wiki, but I would really > appreciate a clarification. In the wiki it states: > > "To enable other accounts than the domain administrator to set > permissions on Windows,

I actually posted about this here on samba list about it last year, but nobody caught interest. I used to have logs from samba and wireshark, which very nicely showed what's wrong (kerberos request was for SPN  eg. "Hyper-V Replication Service/Servername.mydomain.com" and in samba log there was an error with something like "Hyper-V\ Replication \Service.. not found".

Hi, I have a problem with GPO editing. I have some GPO first created with RSAT and GPO editor on Win 7 x64. I have modified recently this object with RSAT and GPO editor on Win 10 x64 . If I try to edit the GPO back to Win7 I got the following error (in french): La ressource ? $(string.SiteDiscoveryEnableWMI) ? r?f?renc?e dans l?attribut displayName est introuvable. Fichier

Hello, I can definately confirm that it's working. My basic setup is: 1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7 2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight from centos repo. // I  tested also on freeradius 3.0.14 and samba 4.7.x smb.conf on the DC is pretty basic, most important is obviously in [globall]:         ntlm auth =

Hi, we have updated our samba AD domain from 4.4.x to 4.5.x. The release notes for 4.5.0 included  "NTLMv1 authentication disabled by default". So we had to enable it to get our radius (freeradius) server working (for 802.1x). What would be the best way to change the freeradius configuration in such a way, that we can disable NTLMv1 again. The radius server is used for WLAN

I've noticed myself similiar issue. Windows 10 (v 1803) - window with security tab open crashes on certain files (yes, just the window, not whole OS). Just before crash i see unresolved SID which looks like nothing I know (doesn't look like domain SID - maybe local user SID from samba member server?). All files that cause this issue are from any of the samba servers. Same files I can

On Tue, 3 Jul 2018 08:06:44 +0200 Kacper Wirski via samba <samba at lists.samba.org> wrote: > Hello, > > I've realised that there was an error on this server, wrong > idmap.ldb, 3000002 should be one of the built-in users or groups > instead of machine own account. Unfortunately fixing idmap (I > imported idmap.ldb from DC with correct mapping) didn't fix my >

Try verifying kvno from the client that gives the error message. That kvno = 2 for dc$ must've come from somewhere. You can also double check e.g. via ADUC ldap attributes of the dc$: lastpwdset and kvno. If  kvno is definately 1 that means that client connecting has some error, if it's 2, than it means that dc has outdated keytab. And if it's the former, than I really am not sure

On Sat, 21 Jul 2018 20:57:07 +0200 Kacper Wirski via samba <samba at lists.samba.org> wrote: > Hello, > > I found this bugged record with > > ldbsearch -H > path/to/samba/bind-dns/dns/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=SUBDOMAIN\,DC\=DOMAIN\,DC\=PL.ldb > '(name=49)' > > So I have a couple of questions - hopefully someone can shed some > light: >

Also I just facepalmed, as I double checked smb.conf right after sending mail, and in samba 4.7 there are new options available for "ntlm auth", as stated in docs: |mschapv2-and-ntlmv2-only| - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the |ntlm_auth| tool). So that is is I suppose that special "flag" that is used by

On Wed, 1 Nov 2017 19:49:32 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote: > On Wed, 1 Nov 2017 20:28:05 +0100 > Kacper Wirski <kacper.wirski at gmail.com> wrote: > > > I'm going to start with clean centos install, so I might as well use > > some additional guidelines, thank You. > > > > When You run kinit, does Your user have