Achim Gottinger
2017-Jun-21 01:23 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On 21.06.2017 at 00:50, Andrew Bartlett wrote:
> On Tue, 2017-06-20 at 23:35 +0200, Achim Gottinger via samba wrote:
>> Can you do this against the secrets.keytab in Samba's private/ dir?
>>> You can reset the Samba machine account pw with
>>> ./source4/scripting/devel/chgtdcpass, but:
>>>  - it won't be packaged so you will have to build Samba and tell it
>>>    to operate against the right paths
>>>  - it shouldn't be needed, upgrades shouldn't break this, and
>>>    understanding the root cause would be better
>>>
>> Hello Andrew,
>>
>> May I ask a few questions in regards to chgtdcpass.
>> Can this command be used to add newer enctypes on machines only
>> having des and arcfour types?
> After bumping the functional level, yes.
>
>> Is it safe to use this command on all ad-dc's in a productive
>> environment?
> I would do it one at a time. Eventually I'll re-enable the code in
> winbindd that does this.
>
> Andrew Bartlett

Thank you, works fine on a single test machine. Raised forest and domain level to 2008_R2 and recreated the password with chgtdcpass.
Raising the functional level did not set the krbtgt password (it does if the level is raised on a windows ad). But there is chgkrbtgtpass which does the trick.

Sorry for the offtopic noise to the OP.
Mike Lykov
2017-Jun-21 07:20 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
21.06.2017 5:23, Achim Gottinger via samba wrote:
> Thank you, works fine on a single test machine. Raised forest and domain
> level to 2008_R2 and recreated the password with chgtdcpass.
> Raising the functional level did not set the krbtgt password (it does if
> the level is raised on a windows ad). But there is chgkrbtgtpass which
> does the trick.

Then, if I want to upgrade samba too, and upgrade func. level too, I need to use this command against every machine account?

Now I have an AD domain with two dc (samba 4.1.2) on win2003 f. level and ~150 desktops, mostly windows 7.

--
Administrator
L.P.H. van Belle
2017-Jun-21 07:45 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
I suggest before you upgrade do a very good read here.

https://wiki.samba.org/index.php/Updating_Samba#Notable_Enhancements_and_Changes
https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)

And a summarized version with all parameter changes as of upgrade from 4.2 up to 4.6:
http://downloads.van-belle.nl/samba4/Upgrade-info.txt
Same as the wiki links but just summarized the parameter changes.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mike Lykov via samba
> Sent: Wednesday 21 June 2017 9:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch
>
> 21.06.2017 5:23, Achim Gottinger via samba wrote:
>
> > Thank you, works fine on a single test machine. Raised forest and
> > domain level to 2008_R2 and recreated the password with chgtdcpass.
> > Raising the functional level did not set the krbtgt password (it does
> > if the level is raised on a windows ad). But there is chgkrbtgtpass
> > which does the trick.
>
> Then, if I want to upgrade samba too, and upgrade func. level
> too, I need to use this command against every machine account?
>
> Now I have an AD domain with two dc (samba 4.1.2) on win2003 f.
> level and ~150 desktops, mostly windows 7.
>
> --
> Administrator
Mike Lykov
2017-Jun-21 08:02 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
21.06.2017 11:45, L.P.H. van Belle via samba wrote:
> I suggest before you upgrade do a very good read here.
>
> https://wiki.samba.org/index.php/Updating_Samba#Notable_Enhancements_and_Changes
>
> https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)
> And a summarized version with all parameter changes as of upgrade from 4.2 up to 4.6:
> http://downloads.van-belle.nl/samba4/Upgrade-info.txt
> Same as the wiki links but just summarized the parameter changes.

I know that there is a lot of work (like this particularly). I think to create a test domain on 4.6 with 1-2 desktops to ensure a working configuration, but maybe there are some side effects like the OP's cause..

--
Administrator
Andrew Bartlett
2017-Jun-21 08:47 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Wed, 2017-06-21 at 11:20 +0400, Mike Lykov via samba wrote:
> 21.06.2017 5:23, Achim Gottinger via samba wrote:
>
> > Thank you, works fine on a single test machine. Raised forest and domain
> > level to 2008_R2 and recreated the password with chgtdcpass.
> > Raising the functional level did not set the krbtgt password (it does if
> > the level is raised on a windows ad). But there is chgkrbtgtpass which
> > does the trick.
>
> Then, if I want to upgrade samba too, and upgrade func. level too, I need
> to use this command against every machine account?

This is for each DC.

> Now I have an AD domain with two dc (samba 4.1.2) on win2003 f. level and
> ~150 desktops, mostly windows 7.

Windows domain members will change their password every few weeks. I'm not sure if we will add the AES bit to their account however, that might still be TODO in the netlogon server.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba