Santiago Londoño Mejía
2017-Mar-27 18:48 UTC
[Samba] Provision new domain keeping users and passwords
Hello,

I am trying to add a new DC to my domain, but the sysadmin who installed the main DC left misconfigured DNS zones that I cannot remove.

Is it possible to provision the domain again using a new Samba server as the main DC, keeping the users and passwords of the previous DC?
The current main DC runs Samba 4.4.

Best regards,
Santiago.

--
Santiago Londoño Mejía
Infrastructure Analyst
t. (574) 605 25 23 ext. 1232
m. (57) 3148332567
Medellín | Carrera 50 C #10 Sur 80
Bogotá | Medellín | Cali
www.pragma.com.co

--
This message is confidential. It may contain privileged information belonging to PRAGMA S.A. and/or its clients, contractors, directors, employees and advisors, and therefore must not be used or disclosed by anyone other than its addressee. If you have received this message by error, mistake or omission, please delete it and notify the sender. Its retention, recording, use or disclosure for any purpose is prohibited. This message has been scanned by antivirus software. Nevertheless, PRAGMA S.A. accepts no responsibility for any damage caused by receiving and using this material; it is the recipient's responsibility to check by their own means for viruses or other defects. Opinions, conclusions and other information contained in this e-mail that are not related to the official business of PRAGMA S.A. should be understood as personal and are in no way endorsed by the Company.
On 27.03.2017 22:48, Santiago Londoño Mejía via samba wrote:
> Hello,
>
> I am trying to add a new DC to my domain, but the sysadmin who installed the main DC left misconfigured DNS zones that I cannot remove.
>
> Is it possible to provision the domain again using a new Samba server as the main DC, keeping the users and passwords of the previous DC?
> The current main DC runs Samba 4.4.

I am also interested in this task. I have two old 4.1 DCs with errors in DNS zones (undeletable items) and am planning an upgrade to 4.5 or 4.6.

--
Mike Lykov, system administrator
Jeanderson Soares
2017-Mar-29 04:02 UTC
[Samba] Provision new domain keeping users and passwords
I was able to do this by exporting and importing users (including passwords) with the pdbedit Samba utility. Look at this:
http://serverfault.com/questions/675938/migrate-samba-users-to-new-server

Maybe you need to change the passdb backend.

2017-03-28 2:49 GMT-03:00 Mike Lykov via samba <samba at lists.samba.org>:
> On 27.03.2017 22:48, Santiago Londoño Mejía via samba wrote:
>> Is it possible to provision the domain again using a new Samba server as the main DC, keeping the users and passwords of the previous DC?
>> The current main DC runs Samba 4.4.
>
> I am also interested in this task. I have two old 4.1 DCs with errors in DNS zones (undeletable items) and am planning an upgrade to 4.5 or 4.6.
>
> --
> Mike Lykov, system administrator
L.P.H. van Belle
2017-Mar-29 14:13 UTC
[Samba] Provision new domain keeping users and passwords (mike)
Hai Mike,

Are you running Samba internal DNS or bind9_DLZ?

In your case, can you give an example of an "undeletable" item?
And did you check the rights on the DNS object before trying to remove it?

Greetz,

Louis
L.P.H. van Belle
2017-Mar-29 14:17 UTC
[Samba] Provision new domain keeping users and passwords (Santiago)
Hi Santiago,

Same for you? Are you running Samba internal DNS or bind9_DLZ?

Can you explain a bit more about this?

I know the situation of having problems with zones, and I may know a way to get around it. At least I did fix something like this about 2 years ago with Samba 4.1.x and bind9_dlz.

Greetz,

Louis
L.P.H. van Belle
2017-Mar-29 14:48 UTC
[Samba] Provision new domain keeping users and passwords (Santiago)
Hai Santiago,

You're welcome, I hope I can help you out.

Post me your bind9 configuration; you can anonymize it if needed, but don't remove any lines from it.
And I need a snapshot of the log when bind is starting up. Like this one:

Mar 29 16:42:58 dc1 named[21921]: starting BIND 9.9.5-9+deb8u10-Debian -f -u bind
Mar 29 16:42:58 dc1 named[21921]: built with '?pr.... etc.
Mar 29 16:42:58 dc1 named[21921]: ---bla bla.....
..... and from this point on is what I really want.
Mar 29 16:42:58 dc1 named[21921]: using up to 4096 sockets
Mar 29 16:42:58 dc1 named[21921]: loading configuration from '/etc/bind/named.conf'
Mar 29 16:42:58 dc1 named[21921]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Mar 29 16:42:58 dc1 named[21921]: using default UDP/IPv4 port range: [1024, 65535]
Mar 29 16:42:58 dc1 named[21921]: using default UDP/IPv6 port range: [1024, 65535]
Mar 29 16:42:58 dc1 named[21921]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 29 16:42:58 dc1 named[21921]: listening on IPv4 interface eth0, 192.168.1.1#53
Mar 29 16:42:58 dc1 named[21921]: generating session key for dynamic DNS
Mar 29 16:42:58 dc1 named[21921]: sizing zone task pool based on 5 zones
Mar 29 16:42:58 dc1 named[21921]: Loading 'AD DNS Zone' using driver dlopen
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: started for DN DC=officemain,DC=domain,DC=tld
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: starting configure
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '1.168.192.in-addr.arpa'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '0.1.10.in-addr.arpa'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '1.2.10.in-addr.arpa'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '2.3.10.in-addr.arpa'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '3.4.10.in-addr.arpa'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '4.5.10.in-addr.arpa'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'officemain.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'office1.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'office2.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'office3.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'office4.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'office5.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '_msdcs.officemain.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: set up managed keys zone for view _default, file 'managed-keys.bind'
Mar 29 16:42:58 dc1 named[21921]: command channel listening on 127.0.0.1#953
Mar 29 16:42:58 dc1 named[21921]: managed-keys-zone: loaded serial 715
Mar 29 16:42:58 dc1 named[21921]: zone 0.in-addr.arpa/IN: loaded serial 1
Mar 29 16:42:58 dc1 named[21921]: zone localhost/IN: loaded serial 2
Mar 29 16:42:58 dc1 named[21921]: zone 127.in-addr.arpa/IN: loaded serial 1
Mar 29 16:42:58 dc1 named[21921]: zone 255.in-addr.arpa/IN: loaded serial 1
Mar 29 16:42:58 dc1 named[21921]: all zones loaded
Mar 29 16:42:58 dc1 named[21921]: running

> -----Original message-----
> From: Santiago Londoño Mejía [mailto:santiago.londono at pragma.com.co]
> Sent: Wednesday 29 March 2017 16:33
> To: L.P.H. van Belle
> Subject: Re: [Samba] Provision new domain keeping users and passwords (Santiago)
>
> Hello,
> backend: bind9_DLZ
>
> deleting zone WASPRUEBAS.PROTECCION.COM.CO
>
> ./samba-tool dns zonedelete neptuno waspruebas.proteccion.com.co
> ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 925, in run
>     None)
>
> Thank you very much for your response.
> Best regards,
>
> Santiago.
>
> 2017-03-29 9:17 GMT-05:00, L.P.H. van Belle via samba <samba at lists.samba.org>:
> > Hi Santiago,
> >
> > Same for you?
> > Are you running Samba internal DNS or bind9_DLZ?
> >
> > Can you explain a bit more about this?
> >
> > I know the situation of having problems with zones, and I may know a way to get around it.
> > At least I did fix something like this about 2 years ago with Samba 4.1.x and bind9_dlz.
> >
> > Greetz,
> >
> > Louis
Andrew Bartlett
2017-Mar-29 18:42 UTC
[Samba] "a misconfigured DNS zone" (was: Re: Provision new domain keeping users and passwords)
On Mon, 2017-03-27 at 13:48 -0500, Santiago Londoño Mejía via samba wrote:
> Hello,
>
> I am trying to add a new DC to my domain, but the sysadmin who installed the main DC left misconfigured DNS zones that I cannot remove.

Can you give some more details on this? It would still seem less disruptive to sort out whatever is wrong with DNS.

> Is it possible to provision the domain again using a new Samba server as the main DC, keeping the users and passwords of the previous DC?
> The current main DC runs Samba 4.4.

The closest we have is the 'upgradeprovision' tool, which tried to do that: create a new domain with most of the changed objects of an old domain. However, it never made it to production quality, and isn't something we emphasize.

The challenge is that you really want to keep much more than the users and passwords; you really also want to keep SIDs and preferably also GUIDs.

Andrew Bartlett

> Best regards,
>
> Santiago.

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Santiago Londoño Mejía
2017-Mar-29 18:55 UTC
[Samba] "a misconfigured DNS zone" (was: Re: Provision new domain keeping users and passwords)
Hello,

named log:

Mar 29 10:31:00 neptuno named[32096]: sizing zone task pool based on 6 zones
Mar 29 10:31:00 neptuno named[32096]: Loading 'AD DNS Zone' using driver dlopen
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: started for DN DC=pragma,DC=com,DC=co
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: starting configure
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: configured writeable zone 'waspruebas.proteccion.com.co'
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: configured writeable zone 'segdllo02.suranet.com'
Mar 29 10:31:00 neptuno named[32096]: zone dbmed04.pragma.com.co/NONE: has no NS records
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: Failed to configure zone 'dbmed04.pragma.com.co'
Mar 29 10:31:00 neptuno named[32096]: loading configuration: bad zone
Mar 29 10:31:00 neptuno named[32096]: exiting (due to fatal error)

When I try to delete the zone I get the following error:

ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 925, in run
    None)

Thank you very much for your reply.

Best regards,
Santiago.

2017-03-29 13:42 GMT-05:00, Andrew Bartlett via samba <samba at lists.samba.org>:
> On Mon, 2017-03-27 at 13:48 -0500, Santiago Londoño Mejía via samba wrote:
>> I am trying to add a new DC to my domain, but the sysadmin who installed the main DC left misconfigured DNS zones that I cannot remove.
>
> Can you give some more details on this? It would still seem less disruptive to sort out whatever is wrong with DNS.
>
> The closest we have is the 'upgradeprovision' tool, which tried to do that: create a new domain with most of the changed objects of an old domain. However, it never made it to production quality, and isn't something we emphasize.
>
> The challenge is that you really want to keep much more than the users and passwords; you really also want to keep SIDs and preferably also GUIDs.
>
> Andrew Bartlett
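The startup log Santiago posted shows the failure mode worth catching early: bind9_DLZ configures the AD zones one by one, and a single zone that fails BIND's validation (here one with no NS records) makes named exit, so the DC serves no DNS at all rather than all zones but one. The following is an added example of mine, not code from the thread or from Samba: it triages such a log, pairing each failed zone with the BIND validation message logged just before it. The broken sample is Santiago's excerpt verbatim; the healthy sample is constructed in the shape of Louis's reference log.

```python
"""Triage a named/samba_dlz startup log: which AD DNS zones were configured,
which failed and why, and whether named gave up. Added example, not code from
the thread or from Samba; the patterns follow the log lines quoted above."""
import re
from dataclasses import dataclass, field

# The samba_dlz/BIND messages that matter while the AD zones are configured.
CONFIGURED = re.compile(r"samba_dlz: configured writeable zone '([^']+)'")
FAILED = re.compile(r"samba_dlz: Failed to configure zone '([^']+)'")
# BIND logs the validation problem just before samba_dlz reports the failure,
# e.g. "zone dbmed04.pragma.com.co/NONE: has no NS records".
ZONE_MSG = re.compile(r"\bzone ([^/\s]+)/\S+: (.+)$")
FATAL = "exiting (due to fatal error)"


@dataclass
class ZoneReport:
    configured: list = field(default_factory=list)
    failed: dict = field(default_factory=dict)  # zone -> reason from BIND
    fatal_exit: bool = False  # named aborted startup: no zone is served

    def healthy(self) -> bool:
        return not self.failed and not self.fatal_exit


def triage_named_log(text: str) -> ZoneReport:
    report = ZoneReport()
    last_zone_msg = {}  # most recent "zone X/...: ..." message per zone
    for line in text.splitlines():
        if m := CONFIGURED.search(line):
            report.configured.append(m.group(1))
        elif m := FAILED.search(line):
            zone = m.group(1)
            report.failed[zone] = last_zone_msg.get(zone, "no reason logged")
        elif m := ZONE_MSG.search(line):
            last_zone_msg[m.group(1)] = m.group(2).strip()
        elif FATAL in line:
            report.fatal_exit = True
    return report


# Excerpt Santiago posted (verbatim from the thread): one zone without NS
# records is enough to make named exit, so every zone on that DC goes dark.
BROKEN_LOG = """\
Mar 29 10:31:00 neptuno named[32096]: sizing zone task pool based on 6 zones
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: started for DN DC=pragma,DC=com,DC=co
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: configured writeable zone 'waspruebas.proteccion.com.co'
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: configured writeable zone 'segdllo02.suranet.com'
Mar 29 10:31:00 neptuno named[32096]: zone dbmed04.pragma.com.co/NONE: has no NS records
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: Failed to configure zone 'dbmed04.pragma.com.co'
Mar 29 10:31:00 neptuno named[32096]: loading configuration: bad zone
Mar 29 10:31:00 neptuno named[32096]: exiting (due to fatal error)
"""

# Constructed healthy excerpt, shaped like Louis's reference log.
HEALTHY_LOG = """\
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '_msdcs.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: zone localhost/IN: loaded serial 2
Mar 29 16:42:58 dc1 named[21921]: running
"""
```

Feed it the named lines from syslog or the journal on each DC after a restart; a non-empty `failed` together with `fatal_exit` is exactly the state in this thread, where DNS for the whole DC is down rather than degraded.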
Mike Lykov
2017-Mar-30 04:38 UTC
[Samba] Provision new domain keeping users and passwords (mike)
On 29.03.2017 18:13, L.P.H. van Belle via samba wrote:
> Hai Mike,
>
> Are you running Samba internal DNS or bind9_DLZ?

internal

> In your case, can you give an example of an "undeletable" item?
> And did you check the rights on the DNS object before trying to remove it?

# net rpc group members "Domain Admins" -U lmy
Enter lmy's password:
SAMGES\Administrator
SAMGES\lmy
SAMGES\bee

For "Domain Admins" the rights on the record are "Full control" (I don't know how to show object rights in the console; I am using the DNS MMC from RSAT).

The AD domain zone is dc.samges.ru, and I have a hand-created (via RSAT - DNS - create new zone) zone samges.ru. Any object in this zone is undeletable.

# samba-tool dns delete ad51.samges.ru samges.ru vjud A 213.156.210.216 -U lmy
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:ad51.samges.ru[,sign]
Password for [SAMGES\lmy]:
ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 1184, in run
    del_rec_buf)

But after creating the zone (a month later) we accidentally deleted some machine accounts, and after trying to restore them in LDAP we have errors in DomainDNSZones like this:

samba-tool dbcheck --fix
(.... many similar errors ...)
---------------------------
ERROR: parent object not found for DC=SAMG62\0ADEL:ccc70e60-4086-49b0-86f0-e5b4af86666d,CN=Deleted Objects,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru
Move object DC=SAMG62\0ADEL:ccc70e60-4086-49b0-86f0-e5b4af86666d,CN=Deleted Objects,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru into LostAndFound? [YES]
Renamed object DC=SAMG62\0ADEL:ccc70e60-4086-49b0-86f0-e5b4af86666d,CN=Deleted Objects,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru into lostAndFound at DC=SAMG62\0ADEL:ccc70e60-4086-49b0-86f0-e5b4af86666d,CN=LostAndFound,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru
Set lastKnownParent on lostAndFound object at DC=SAMG62\0ADEL:ccc70e60-4086-49b0-86f0-e5b4af86666d,CN=LostAndFound,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru
ERROR: missing GUID component for lastKnownParent in object DC=SAMG146\0ADEL:c1531dae-eb09-4d2b-8270-4e91b73a6cad,CN=LostAndFound,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru - CN=Deleted Objects,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru
unable to find object for DN CN=Deleted Objects,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru - (No such Base DN: CN=Deleted Objects,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru)
Not removing dangling forward link
Segmentation fault
-------------------------------

--
Mike Lykov, system administrator