Hi Rowland,
Sorry, migration using BIND9_DLZ gives the same result.
Not sure if the following from the migration is of concern:
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3034, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3040, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3030, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3046, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3032, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3050, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3036, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3038, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3042, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
User root has been kept in the directory, it should be removed in favour of the Administrator user
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3048, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3010, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3028, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3062, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Committing 'add users' transaction to disk
Adding users to groups
Committing 'add users to groups' transaction to disk
Setting password for administrator
Administrator password has been set to password of user 'root'
Processing section "[netlogon]"
Processing section "[sysvol]"
Module 'acl_xattr' loaded
Module 'dfs_samba4' loaded
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
Processing section "[netlogon]"
Processing section "[sysvol]"
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
I've tested the DNS according to the Samba document; the SRV records for both
the domain and the realm seem to work:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Have tried Server 2008 and Server 2012. In 2012 it comes up with "Verification
of replica failed. The wizard cannot access the list of domains in the forest.
The error is: An internal error occurred".
Just confirming that I am logged in as Domain Administrator and using those
creds to run the AD Wizard and dcpromo. Also tried using both the realm and the
domain when trying the dcpromo.
The following is the new smb.conf file. Have added bits about DNS updates:
[global]
netbios name = TESTDC
realm = TEST.LOCAL
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
workgroup = TEST
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dcerpc endpoint servers = +mapiproxy
allow dns updates = nonsecure
[netlogon]
path = /var/lib/samba/sysvol/test.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
The following is the krb5.conf:
[libdefaults]
default_realm = TEST.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
service --status-all
[ - ] acpid
[ + ] apparmor
[ + ] apport
[ + ] atd
[ + ] bind9
[ - ] console-setup.sh
[ + ] cron
[ - ] cryptdisks
[ - ] cryptdisks-early
[ + ] dbus
[ + ] ebtables
[ + ] grub-common
[ - ] hwclock.sh
[ - ] irqbalance
[ + ] isc-dhcp-server
[ + ] iscsid
[ - ] keyboard-setup.sh
[ + ] kmod
[ - ] lvm2
[ + ] lvm2-lvmetad
[ + ] lvm2-lvmpolld
[ + ] lxcfs
[ - ] lxd
[ - ] mdadm
[ - ] mdadm-waitidle
[ - ] nmbd
[ - ] open-iscsi
[ + ] open-vm-tools
[ - ] plymouth
[ - ] plymouth-log
[ + ] procps
[ - ] rsync
[ + ] rsyslog
[ + ] samba-ad-dc
[ - ] screen-cleanup
[ - ] smbd
[ + ] ssh
[ + ] udev
[ + ] ufw
[ + ] unattended-upgrades
[ - ] uuidd
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc,
drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, mapiproxy
Any ideas?
Regards,
Praveen Ghimire
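As an added example that is not part of this thread or of Samba itself: a small Python script that parses classicupgrade output of the shape quoted above and pulls out the SIDs (and their RIDs) whose POSIX attributes were not added, grouped by the attribute that was empty, plus the two post-upgrade notices an administrator should act on (the kept root user, and the Administrator password having been copied from root). The sample log is constructed from the lines above with the mail-client wrapping undone; the sam.ldb path used for the generated ldbsearch commands is an assumption about a default Debian/Ubuntu layout.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the classicupgrade output quoted in the
# thread, with each wrapped message joined back onto a single line.
SAMPLE_LOG = """\
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3034, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3040, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
User root has been kept in the directory, it should be removed in favour of the Administrator user
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3048, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Committing 'add users' transaction to disk
Administrator password has been set to password of user 'root'
"""

# One failure line: the SID (RID is the last component) and the (errno, message) tuple.
POSIX_FAIL_RE = re.compile(
    r"Could not add posix attrs for AD entry for "
    r"sid=(?P<sid>S-1-5-21-\d+-\d+-\d+-(?P<rid>\d+)), "
    r"\(\((?P<errno>\d+), '(?P<msg>.*?)'\)\)"
)
# The ldb message names the attribute whose value was empty.
EMPTY_ATTR_RE = re.compile(r"Element (?P<attr>\w+) has empty attribute")

# ldb reuses the LDAP result codes; 21 is invalidAttributeSyntax.
LDB_ERRORS = {21: "invalidAttributeSyntax"}

# Assumed default location of the AD database on Debian/Ubuntu packages.
SAM_LDB = "/var/lib/samba/private/sam.ldb"


def parse_posix_failures(text):
    """Return one record per 'Could not add posix attrs' line in text."""
    records = []
    for line in text.splitlines():
        m = POSIX_FAIL_RE.search(line)
        if not m:
            continue
        a = EMPTY_ATTR_RE.search(m["msg"])
        errno = int(m["errno"])
        records.append({
            "sid": m["sid"],
            "rid": int(m["rid"]),
            "errno": errno,
            "error": LDB_ERRORS.get(errno, "unknown"),
            "attr": a["attr"] if a else None,
            "message": m["msg"],
        })
    return records


def rids_by_missing_attr(text):
    """Map each empty attribute name to the sorted RIDs it affected."""
    groups = defaultdict(list)
    for rec in parse_posix_failures(text):
        groups[rec["attr"]].append(rec["rid"])
    return {attr: sorted(rids) for attr, rids in groups.items()}


def post_upgrade_notices(text):
    """Flag the notices from the upgrade that change who can log in as what."""
    flags = []
    for line in text.splitlines():
        if line.startswith("User root has been kept in the directory"):
            flags.append("root-account-kept")
        elif line.startswith("Administrator password has been set to password of user 'root'"):
            flags.append("administrator-password-copied-from-root")
    return flags


def ldbsearch_commands(text, sam_ldb=SAM_LDB):
    """Build one ldbsearch per affected SID to find the account and its loginShell."""
    return [
        f"ldbsearch -H {sam_ldb} '(objectSid={rec['sid']})' sAMAccountName {rec['attr']}"
        for rec in parse_posix_failures(text)
    ]


if __name__ == "__main__":
    for attr, rids in rids_by_missing_attr(SAMPLE_LOG).items():
        print(f"{attr}: {len(rids)} accounts, RIDs {rids}")
    for flag in post_upgrade_notices(SAMPLE_LOG):
        print("notice:", flag)
    for cmd in ldbsearch_commands(SAMPLE_LOG):
        print(cmd)
```

Run it against the full saved output of `samba-tool domain classicupgrade` instead of SAMPLE_LOG to get the list of accounts that came across without a loginShell, then check each one with the generated ldbsearch line before deciding whether to set the attribute or leave the account without RFC2307 data. The two notices are worth handling right after the upgrade, since they mean the old root credential now opens the Administrator account.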
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
via samba
Sent: Tuesday, 5 December 2017 5:58 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4 AD issues with RPC
On Tue, 5 Dec 2017 05:08:24 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:
>
>
> Hi Guys,
>
> Setup:
>
> Versions: Samba: 4.6.7
> Bind9: 9.10.3
>
>
> Firewall disabled
>
> AD Provision:
>
> Migrated from samba 3 to 4 using classic upgrade.
>
> samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir
> --realm=TEST.LOCAL --dns-backend=BIND9_FLATFILE
> /etc/samba.PDC/smb.PDC.conf
>
> Any suggestions?
>
Yes, Do not use BIND9_FLATFILE, it doesn't work.
Rowland