Martin Krämer
2019-Apr-06 17:08 UTC
[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
Am Sa., 6. Apr. 2019 um 18:01 Uhr schrieb Rowland Penny via samba < samba at lists.samba.org>:> On Sat, 6 Apr 2019 17:21:26 +0200 > Martin Krämer <mk.maddin at gmail.com> wrote: > > > Hello Rowland, > > > > thanks for your help. > > Below my comments > > > > See here: > > > > > > http://apt.van-belle.nl/ > > > > > From stability point of view I always had the best experience by > > saying with the debian default repository. > > Additionally as you have seen blow I am using ssds (more on this > > later) "PACKAGES > > ARE NOT COMPATIBLE WITH SSSD" > > Well, Louis builds them using exactly the same tools etc that Debian > uses, so they should be just as stable. As for sssd, see below. >hm... to be truth there were already multiple times I tough of having a more up-to-date version would be greate... Maybe I can try with my test servers first (I would start with http://downloads.van-belle.nl/samba4/Upgrade-info.txt here I think ) - but first I think have to check how to get rid of sssd ( I do not want to build on my own)> > > I know that article. - But how does it help here? > > Both <DC objectGUID>._msdcs.domain.de CNAMES already exist. > > An none of the both objectGUIDs I recieve from: ldbsearch -H > > "/var/lib/samba/private/sam.ldb" '(invocationId=*)' --cross-ncs > > objectguid does match to the uuid I recieve the error about. > > Should I (additionally to the objectGUIDs recieve from ldbsearch) > > register the error uuid "50abc2a4-574d-40b3-9d66-ee4fd5fba076" ? > > If yes, should I register a CNAME to location-000001(192.168.13.251) > > or location-000002(192.168.30.251) dc? > > This is just a starting point and, if you don't have the required > records, you get a similar error. I would next try running > 'samba_dnsupdate' and see what happens. >Thanks for this - I tried "samba_dnsupdate" in following ways. All of them run through without any error telling me "No DNS updates needed" at the end samba_dnsupdate --verbose samba_dnsupdate --verbose --rpc-server-ip=location-000001.domain.de samba_dnsupdate --verbose --rpc-server-ip=location-000002.domain.de afterwards unfortunately there is still no change to the error :/> > > > > > > > > > > > > Checking file: /etc/nsswitch.conf > > > > > > > > # /etc/nsswitch.conf > > > > # > > > > # Example configuration of GNU Name Service Switch functionality. > > > > # If you have the `glibc-doc-reference' and `info' packages > > > > installed, try: # `info libc "Name Service Switch"' for > > > > information about this file. > > > > > > > > passwd: compat sss > > > > group: compat sss > > > > shadow: compat sss > > > > > > Why are you using sssd ? > > > You do not seem to be using the DC as a fileserver. > > > > > > > I came from an openldap installation running on centOS. > > This one was already using sssd and all my debian clients > > (infrastructure about 50% windows; 50% debian) were set up to use > > sssd. What is wrong with it? > > There is nothing wrong with it, it just isn't supported by Samba (we > don't produce it) and in most cases isn't needed. > > >Until yesterday I never hat problems > > with it. I can successfully authenticate most services (sudo; ssh; > > apache etc.) using kerberos and sssd. > > They all work with winbind & kerberos, except for possibly sudo and > this mostly works with winbind unless you store the sudo rules in AD > and then you can use sudo-ldap >hm...this is how I currently use sssd & sudo: https://linux.die.net/man/5/sssd-sudo I think with sudo-ldap you refere to the following: https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html ? As of today my sudo rules are "linked" to the ou of the device and based on the "ldap_sudo_search_base" config from sudo-sssd devices apply one the one matching for them. (nearly the same way as group policy linking in windows works) I think in case of switching I need to work with "SUDOERS_SEARCH_FILTER" or "SUDOERS_BASE" option... maybe I will check. Louis once guided me to: https://github.com/thctlo/samba4/tree/master/howtos Are these how-to compliant to what you mention about samba support & winbind?> > > > > > > > Checking file: /etc/samba/smb.conf > > > > > > > > ## FAI generated smb.conf > > > > ## do not manually edit this file - changes might be overwritten > > > > > > OH yes, definitely manually edit this by removing the rubbish FAI > > > added (what is FAI ?) : > > > > > > > > :) - Think you miss interpreted. > > FAI is Fully Automatic Installation tool (http://fai-project.org/ ) > > which I use to administer my network configuration. > > "manually edit" here means outside of the FAI administration tool > > since if I do this it will be overwritten again by FAI softupdate. > > Changes have to be made in the FAI "version" of this file. > > OK, I got it wrong, edit FAI instead > > These lines are defaults: > > tls cafile = tls/ca.pem > tls certfile = tls/cert.pem > tls keyfile = tls/key.pem > tls enabled = yes > usershare allow guests = No > client use spnego = yes > > Not having them is the same as having them. > > Normally only the secrets.tdb is used to verify kerberos tickets, this > will work 99.999% of the time, using: > > kerberos method = secrets and keytab > > > means that the system keytab will be used as well, for most Samba AD > DC's, you do not need the above line. > > Normally SMB signing is offered, but not enforced, but when this is set: > > client signing = yes > > SMB signing is required. This is normally not required on a DC, but if > your clients need it, then put it back. > > Rowland > >okay - could remove all options except the "client signing = yes". Without this a very old window custom application does not further work. :/ Unfortunately still no change to my error :(> -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland Penny
2019-Apr-06 18:43 UTC
[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
On Sat, 6 Apr 2019 19:08:30 +0200 Martin Krämer <mk.maddin at gmail.com> wrote:> hm... to be truth there were already multiple times I tough of having > a more up-to-date version would be greate... > Maybe I can try with my test servers first (I would start with > http://downloads.van-belle.nl/samba4/Upgrade-info.txt here I think ) > - but first I think have to check how to get rid of sssd ( I do not > want to build on my own)It all depends on how you use your Samba machines. If you use your DC's just for authentication and never log in as a domain user and never store anything in shares (except sysvol & netlogon) then you do not need to use sssd or anything else. It is only when you use a DC as fileserver that you may need something like sssd.> Thanks for this - I tried "samba_dnsupdate" in following ways. > All of them run through without any error telling me "No DNS updates > needed" at the end > > samba_dnsupdate --verbose > samba_dnsupdate --verbose --rpc-server-ip=location-000001.domain.de > samba_dnsupdate --verbose --rpc-server-ip=location-000002.domain.de > > afterwards unfortunately there is still no change to the error :/Try comparing the databases on the DC's, see 'samba-tool ldapcmp --help' for more info. You could also try replicating from the good DC to the other, see 'samba-tool drs replicate --help' for more info There is also 'samba-tool dbcheck' Finally, is something like a firewall getting in the way.> > hm...this is how I currently use sssd & sudo: > https://linux.die.net/man/5/sssd-sudo > I think with sudo-ldap you refere to the following: > https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html ? > As of today my sudo rules are "linked" to the ou of the device and > based on the "ldap_sudo_search_base" config from sudo-sssd devices > apply one the one matching for them. > (nearly the same way as group policy linking in windows works) > I think in case of switching I need to work with > "SUDOERS_SEARCH_FILTER" or "SUDOERS_BASE" option... maybe I will > check.From memory, sudo-ldap works in much the same way as sssd, the only real difference is the lack of a cache, but, from my experience, this would be the last thing on your mind if something has gone wrong and you cannot login as a sudo user from ldap.> > Louis once guided me to: > https://github.com/thctlo/samba4/tree/master/howtos Are these how-to > compliant to what you mention about samba support & winbind?Apart from referring to older versions of Samba, they should still be valid. Rowland
L.P.H. van Belle
2019-Apr-08 09:05 UTC
[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
Hai, I have a few things on this thread. For the DsREplicatSync error, i would suggest these steps first. DC2, change the resolv.conf, set DC1 first, then DC2, reboot. Wait 5 min, now check replication again, if its ok, now you can change the resolv.conf backup. The samba_dnsupdate might work also, but in my experiance a reboot is often needed, dont ask why. I dont know and never investigated it because a reboot works for me al the times. On the replication error. Run this script on both DC's and show the output. https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-db-repl.sh Dont need all, just the results. About the howto and packages. If your now on 4.5.16 ( official debian ), then the shown howto's are good. If you upgrade to higher, then you might need to adjust some settings in smb.conf, which are shown in the upgrade-into.txt and offcourse the samba change logs. About sssd, yes i could build these also, but that would increase my packages needed to build even more. Do remember one samba version, ( debian stretch amd64 ) requeres me to build between 5 and 11 packages. Now add i386, jessie, bionic, 3 different samba version... So thats why.. To much, this is a lot already. And better option for you, but this highly depends on whats running on the server, upgrade now to debian buster. This way you can still use sssd and your up in samba version. But i only recommend this if you only use samba on the servers and not much other packages. Debian Buster is in freeze state, so no major changes should enter. Today wil be building day, so if you have more questions, just ask, im monitoring the list today. New packages will arrive soon. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Rowland Penny via samba > Verzonden: zaterdag 6 april 2019 20:43 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] DsReplicaSync failed - > WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp > - NT_STATUS_LOGON_FAILURE > > On Sat, 6 Apr 2019 19:08:30 +0200 > Martin Krämer <mk.maddin at gmail.com> wrote: > > > hm... to be truth there were already multiple times I tough > of having > > a more up-to-date version would be greate... > > Maybe I can try with my test servers first (I would start with > > http://downloads.van-belle.nl/samba4/Upgrade-info.txt here I think ) > > - but first I think have to check how to get rid of sssd ( I do not > > want to build on my own) > > It all depends on how you use your Samba machines. If you use > your DC's > just for authentication and never log in as a domain user and never > store anything in shares (except sysvol & netlogon) then you do not > need to use sssd or anything else. It is only when you use a DC as > fileserver that you may need something like sssd. > > > Thanks for this - I tried "samba_dnsupdate" in following ways. > > All of them run through without any error telling me "No DNS updates > > needed" at the end > > > > samba_dnsupdate --verbose > > samba_dnsupdate --verbose --rpc-server-ip=location-000001.domain.de > > samba_dnsupdate --verbose --rpc-server-ip=location-000002.domain.de > > > > afterwards unfortunately there is still no change to the error :/ > > Try comparing the databases on the DC's, see 'samba-tool ldapcmp > --help' for more info. > > You could also try replicating from the good DC to the other, see > 'samba-tool drs replicate --help' for more info > > There is also 'samba-tool dbcheck' > > Finally, is something like a firewall getting in the way. > > > > > hm...this is how I currently use sssd & sudo: > > https://linux.die.net/man/5/sssd-sudo > > I think with sudo-ldap you refere to the following: > > https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html ? > > As of today my sudo rules are "linked" to the ou of the device and > > based on the "ldap_sudo_search_base" config from sudo-sssd devices > > apply one the one matching for them. > > (nearly the same way as group policy linking in windows works) > > I think in case of switching I need to work with > > "SUDOERS_SEARCH_FILTER" or "SUDOERS_BASE" option... maybe I will > > check. > > From memory, sudo-ldap works in much the same way as sssd, the only > real difference is the lack of a cache, but, from my experience, this > would be the last thing on your mind if something has gone wrong and > you cannot login as a sudo user from ldap. > > > > > Louis once guided me to: > > https://github.com/thctlo/samba4/tree/master/howtos Are these how-to > > compliant to what you mention about samba support & winbind? > > Apart from referring to older versions of Samba, they should still be > valid. > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Martin Krämer
2019-Apr-10 17:47 UTC
[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
Hello All, I just discovered that the last I unfortunately I send only to Louis - not the list. So below are my answers included (and log outputs that were requested). Never the less in meantime I have investigated further into SAMBA & winbind. I was able to setup samba dc based on previous instructions and guidelines successfully. I additionally setup a debian samba member with winbind. Unfortunately on that samba member I faced the issue of "Could not convert sid: NT_STATUS_NO_SUCH_USER" when trying to run "winbind -i <username>" while "winbind -n <username>" works correctly on the client. (On the DC both commands work correctly.) With some more research I found the following articles: https://wiki.samba.org/index.php/Idmap_config_ad and https://wiki.samba.org/index.php/Adding_users_with_samba_tool#Adding_Unix_attributes_to_a_Windows_user But after reading these two articles I am left over with some questions I hope you can help me with: 1. Did I understand correctly that if I want to make sure winbind resolve is working correctly (independently of Samba user, Samba group or samba computer account) I have to set non overlapping uidNumber for users and computers and non overlapping gidNumber for groups? 2. Did I understand correctly that these uid- & gidNumbers cannot be set automatically/managed by samba-tool or any other linux out of box tool? 3. Did I understand correctly that on windows the "Active directory users and Computers" (ADUC) sets automatically/manages the uid- & gidNumbers for users & groups,but not for computers? 4. Did I understand correctly that if I set the uid- & gidNumbers via samba-tool or ldbedit there is no verification if an uid- & gidNumber already exists? --- that was the understanding part - now the real questions :) --- 5. Assuimg 3&4 is correct, what happens if I create one user/group via samba-tool/ldbedit and another one via ADUC - does ADUC take care of not using the same uid-/gidNumber as of the user created/set within samba-tool/ldbedit? 6. Assuimg 2 is correct that means I have to take care about setting the uid- & gidNumbers (and no overlappings) by myself if not using ADUC (even with ADUC I have to take care about uidNumber of comptuers by myself - but thats only secondary). Never the less I know that on my domain controller I can receive a uid- & gidNumber of the user/group independently of this being set in AD by using "wbinfo --name-to-sid <myuser>" and using the resolved SID further in "wbinfo --sid-to-uid <SID>". Based on this I could run a cronjob (just as a concept - maybe cronjob is not best solution) that sets the uid- & gidNumber recieved from the DC as a global AD uid- & gidNumber. Would this make sure the uid- & gidNumbers for users, computers and groups do not overlap? 7. If 6 would be implemented - what happens if I have a second DC...will the uid- & gidNumbers recieved there differnetiate to the ones of DC1? (If they would differentiate I assume I would have to make sure the cronjob runs only on the FSMO role owner or?) 8. If 7 would be implemented with the FSMO role owner only - what would happen if that FSMO role owner has gone/will go offline and I would have to online/offline transfer - not seize - the FSMO roles (and with them the cronjob)? Would the resolved uid- & gidNumbers still not overlap? Thanks for answers/help regarding above in advance :) Martin Am Mo., 8. Apr. 2019 um 18:09 Uhr schrieb Martin Krämer <mk.maddin at gmail.com>:> Thanks for your reply. > Below some comments. > > Am Mo., 8. Apr. 2019 um 11:06 Uhr schrieb L.P.H. van Belle via samba < > samba at lists.samba.org>: > >> Hai, >> >> I have a few things on this thread. >> >> For the DsREplicatSync error, i would suggest these steps first. >> DC2, change the resolv.conf, set DC1 first, then DC2, reboot. >> Wait 5 min, now check replication again, if its ok, now you can change >> the resolv.conf backup. > > > Tried this - unfortunately no change. > As I see it currently - yes it is a problem with replication but from my > point of view only secondary. > The primary error seems to be the authentication of DC2 against DC1 - like > DC2 would have lost the domain membership like this sometimes happens on > windows devices and AD.... > > >> > The samba_dnsupdate might work also, but in my experiance a reboot is >> often needed, dont ask why. >> I dont know and never investigated it because a reboot works for me al >> the times. >> >> As written more early to rowland samba_dnsupdate runs smoothly without > any errors... > >> >> >> On the replication error. >> Run this script on both DC's and show the output. >> >> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-db-repl.sh >> Dont need all, just the results. >> >> > I think the output you are asking for is the following (I tested > administrator password to be correct three times): > > ---------------- DC1 ----------------- > Running with with console output > Checking the DC_With_FSMO (location-000001) with SAMBA DC: > location-000002.domain.de > Running : /usr/bin/samba-tool ldapcmp --filter="whenChanged,dc,DC,cn,CN" > ldap://location-000001.domain.de ldap://location-000002.domain.de > Please wait.. this can take a while.. > Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: > LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, > v1db1> <> > Failed to connect to 'ldap://location-000001.domain.de' with backend > 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: > DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <> > ERROR(ldb): uncaught exception - LDAP error 49 LDAP_INVALID_CREDENTIALS - > <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, > data 52e, v1db1> <> > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line > 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line > 962, in run > outf=self.outf, errf=self.errf) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line > 64, in __init__ > options=ldb_options) > File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115, in > __init__ > self.connect(url, flags, options) > .. Next check.. > Running : samba-tool drs showrepl > failures don't match > successes don't match > > ---------------- DC2 ----------------- > Running with with console output > Checking the DC_With_FSMO (location-000001) with SAMBA DC: > location-000002.domain.de > Running : /usr/bin/samba-tool ldapcmp --filter="whenChanged,dc,DC,cn,CN" > ldap://location-000001.domain.de ldap://location-000002.domain.de > Please wait.. this can take a while.. > Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: > LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, > v1db1> <> > Failed to connect to 'ldap://location-000002.domain.de' with backend > 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: > DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <> > ERROR(ldb): uncaught exception - LDAP error 49 LDAP_INVALID_CREDENTIALS - > <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, > data 52e, v1db1> <> > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line > 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line > 968, in run > outf=self.outf, errf=self.errf) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line > 64, in __init__ > options=ldb_options) > File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115, in > __init__ > self.connect(url, flags, options) > .. Next check.. > Running : samba-tool drs showrepl > failures don't match > successes don't match > > > BUT - what works correctly is if I authenticate like the following by > using kerberos: > > ---------------- DC1 ----------------- > /usr/bin/samba-tool ldapcmp -k yes --filter="whenChanged,dc,DC,cn,CN" > ldap://location-000001.domain.de ldap://location-000002.domain.de > > * Comparing [DOMAIN] context... > > * Objects to be compared: 353 > > Comparing: > 'CN=Administrator,CN=Users,DC=domain,DC=de' [ldap:// > location-000001.domain.de] > 'CN=Administrator,CN=Users,DC=domain,DC=de' [ldap:// > location-000002.domain.de] > Difference in attribute values: > lastLogonTimestamp => > ['131990081769899510'] > ['131990081770581220'] > FAILED > > Comparing: > 'CN=LOCATION-000001,OU=Domain Controllers,DC=domain,DC=de' [ldap:// > location-000001.domain.de] > 'CN=LOCATION-000001,OU=Domain Controllers,DC=domain,DC=de' [ldap:// > location-000002.domain.de] > Difference in attribute values: > lastLogonTimestamp => > ['131991113774626660'] > ['131991113774175790'] > FAILED > > Comparing: > 'CN=LOCATION-000002,OU=Domain Controllers,DC=domain,DC=de' [ldap:// > location-000001.domain.de] > 'CN=LOCATION-000002,OU=Domain Controllers,DC=domain,DC=de' [ldap:// > location-000002.domain.de] > Difference in attribute values: > lastLogonTimestamp => > ['131987828972205070'] > ['131990122230450530'] > pwdLastSet => > ['131964524527478280'] > ['131990983474537410'] > FAILED > > * Result for [DOMAIN]: FAILURE > > SUMMARY > --------- > > Attributes with different values: > > lastLogonTimestamp > pwdLastSet > > * Comparing [CONFIGURATION] context... > > * Objects to be compared: 1615 > > > > * Result for [CONFIGURATION]: SUCCESS > > * Comparing [SCHEMA] context... > > * Objects to be compared: 1561 > > * Result for [SCHEMA]: SUCCESS > > * Comparing [DNSDOMAIN] context... > > * Objects to be compared: 115 > > Comparing: > 'DC=251,DC=13.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=251,DC=13.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > [' > \x00\x0c\x00\x05\xf0\x00\x00\xdb\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x0f\xf27\x00\x1e\x03\x0flocation-000001\tdomain\x02de\x00'] > [' > \x00\x0c\x00\x05\xf0\x00\x00\xd9\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x08\xf27\x00\x1e\x03\x0flocation-000001\tdomain\x02de\x00'] > FAILED > > Comparing: > 'DC=251,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=251,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > [' > \x00\x0c\x00\x05\xf0\x00\x00\xb8\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x10\xf27\x00\x1e\x03\x0flocation-000002\tdomain\x02de\x00'] > [' > \x00\x0c\x00\x05\xf0\x00\x002\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x0e\xf27\x00\x1e\x03\x0flocation-000002\tdomain\x02de\x00'] > FAILED > > Comparing: > 'DC=26,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=26,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > [")\x00\x0c\x00\x05\xf0\x00\x00\xa2\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x82\xf17\x00'\x03\x18android-a2bb8d65e49d7f4c\tdomain\x02de\x00"] > > [")\x00\x0c\x00\x05\xf0\x00\x00\xeb\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xfa\xf17\x00'\x03\x18android-a2bb8d65e49d7f4c\tdomain\x02de\x00"] > FAILED > > Comparing: > 'DC=31,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=31,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ['\x1f\x00\x0c\x00\x05\xf0\x00\x00\xab\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xb8\xf17\x00\x1d\x03\x0etv8a0f26eac0f5\tdomain\x02de\x00'] > > ['\x1f\x00\x0c\x00\x05\xf0\x00\x00\t\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x04\xf27\x00\x1d\x03\x0etv8a0f26eac0f5\tdomain\x02de\x00'] > FAILED > > Comparing: > 'DC=32,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=32,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ["'\x00\x0c\x00\x05\xf0\x00\x00\xad\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xc6\xf17\x00%\x03\x16Samsung-Galaxy-S7-edge\tdomain\x02de\x00"] > > ["'\x00\x0c\x00\x05\xf0\x00\x001\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x0e\xf27\x00%\x03\x16Samsung-Galaxy-S7-edge\tdomain\x02de\x00"] > FAILED > > Comparing: > 'DC=36,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=36,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ['\x1a\x00\x0c\x00\x05\xf0\x00\x00\xad\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xc6\xf17\x00\x18\x03\tGalaxy-S8\tdomain\x02de\x00'] > > ['\x1a\x00\x0c\x00\x05\xf0\x00\x00\x03\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x03\xf27\x00\x18\x03\tGalaxy-S8\tdomain\x02de\x00'] > FAILED > > Comparing: > 'DC=37,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=37,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ['\x16\x00\x0c\x00\x05\xf0\x00\x00H\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xc7\xf17\x00\x14\x03\x05fritz\tdomain\x02de\x00'] > > ['\x16\x00\x0c\x00\x05\xf0\x00\x003\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x0f\xf27\x00\x14\x03\x05fritz\tdomain\x02de\x00'] > FAILED > > Comparing: > 'DC=38,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=38,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ['\x1f\x00\x0c\x00\x05\xf0\x00\x00\xaf\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xcb\xf17\x00\x1d\x03\x0eJuergen-Tablet\tdomain\x02de\x00'] > > ['\x1f\x00\x0c\x00\x05\xf0\x00\x00\x1b\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x08\xf27\x00\x1d\x03\x0eJuergen-Tablet\tdomain\x02de\x00'] > FAILED > > Comparing: > 'DC=40,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=40,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > [' > \x00\x0c\x00\x05\xf0\x00\x00\xaf\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xca\xf17\x00\x1e\x03\x0fnxtcloud-000002\tdomain\x02de\x00'] > [' > \x00\x0c\x00\x05\xf0\x00\x00#\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\n\xf27\x00\x1e\x03\x0fnxtcloud-000002\tdomain\x02de\x00'] > FAILED > > Comparing: > 'DC=41,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=41,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ['\x1e\x00\x0c\x00\x05\xf0\x00\x00\xab\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xbb\xf17\x00\x1c\x03\rSusanne_Buero\tdomain\x02de\x00'] > > ['\x1e\x00\x0c\x00\x05\xf0\x00\x00\x17\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x07\xf27\x00\x1c\x03\rSusanne_Buero\tdomain\x02de\x00'] > FAILED > > Comparing: > 'DC=@,DC=13.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=@,DC=13.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > [' > \x00\x02\x00\x05\xf0\x00\x00\xdb\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xca\xee7\x00\x1e\x03\x0flocation-000001\tdomain\x02de\x00', > 'O\x00\x06\x00\x05\xf0\x00\x00\xdb\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x0f\xf27\x00\x00\x00\x00\xdc\x00\x00\x03\x84\x00\x00\x02X\x00\x01Q\x80\x00\x00\x0e\x10\x1e\x03\x0flocation-000001\tdomain\x02de\x00\x19\x03\nhostmaster\tdomain\x02de\x00'] > [' > \x00\x02\x00\x05\xf0\x00\x00\xd9\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xca\xee7\x00\x1e\x03\x0flocation-000001\tdomain\x02de\x00', > 'O\x00\x06\x00\x05\xf0\x00\x00\xd9\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x08\xf27\x00\x00\x00\x00\xda\x00\x00\x03\x84\x00\x00\x02X\x00\x01Q\x80\x00\x00\x0e\x10\x1e\x03\x0flocation-000001\tdomain\x02de\x00\x19\x03\nhostmaster\tdomain\x02de\x00'] > FAILED > > Comparing: > 'DC=@,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=@,DC=30.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > [' > \x00\x02\x00\x05\xf0\x00\x00\xb8\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x11\xef7\x00\x1e\x03\x0flocation-000002\tdomain\x02de\x00', > 'O\x00\x06\x00\x05\xf0\x00\x00\xb8\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x10\xf27\x00\x00\x00\x00\xb9\x00\x00\x03\x84\x00\x00\x02X\x00\x01Q\x80\x00\x00\x0e\x10\x1e\x03\x0flocation-000001\tdomain\x02de\x00\x19\x03\nhostmaster\tdomain\x02de\x00'] > [' > \x00\x02\x00\x05\xf0\x00\x002\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x11\xef7\x00\x1e\x03\x0flocation-000002\tdomain\x02de\x00', > 'O\x00\x06\x00\x05\xf0\x00\x002\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x0e\xf27\x00\x00\x00\x013\x00\x00\x03\x84\x00\x00\x02X\x00\x01Q\x80\x00\x00\x0e\x10\x1e\x03\x0flocation-000002\tdomain\x02de\x00\x19\x03\nhostmaster\tdomain\x02de\x00'] > FAILED > > Comparing: > 'DC=@,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=@,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > ['\x04\x00\x01\x00\x05\xf0\x00\x00M\x01\x00\x00\x00\x00\x03\x84\x00\x00\x00\x00\x00\x00\x00\x00\xc0\xa8\r\xfb', > '\x04\x00\x01\x00\x05\xf0\x00\x00M\x01\x00\x00\x00\x00\x03\x84\x00\x00\x00\x00\x11\xef7\x00\xc0\xa8\x1e\xfb', > ' > \x00\x02\x00\x05\xf0\x00\x00M\x01\x00\x00\x00\x00\x03\x84\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x03\x0flocation-000001\tdomain\x02de\x00', > ' > \x00\x02\x00\x05\xf0\x00\x00M\x01\x00\x00\x00\x00\x03\x84\x00\x00\x00\x00\x11\xef7\x00\x1e\x03\x0flocation-000002\tdomain\x02de\x00', > 'O\x00\x06\x00\x05\xf0\x00\x00M\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xd7\xf17\x00\x00\x00\x01N\x00\x00\x03\x84\x00\x00\x02X\x00\x01Q\x80\x00\x00\x0e\x10\x1e\x03\x0flocation-000001\tdomain\x02de\x00\x19\x03\nhostmaster\tdomain\x02de\x00'] > ['\x04\x00\x01\x00\x05\xf0\x00\x00R\x01\x00\x00\x00\x00\x03\x84\x00\x00\x00\x00\x00\x00\x00\x00\xc0\xa8\r\xfb', > '\x04\x00\x01\x00\x05\xf0\x00\x00R\x01\x00\x00\x00\x00\x03\x84\x00\x00\x00\x00\x11\xef7\x00\xc0\xa8\x1e\xfb', > ' > \x00\x02\x00\x05\xf0\x00\x00R\x01\x00\x00\x00\x00\x03\x84\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x03\x0flocation-000001\tdomain\x02de\x00', > ' > \x00\x02\x00\x05\xf0\x00\x00R\x01\x00\x00\x00\x00\x03\x84\x00\x00\x00\x00\x11\xef7\x00\x1e\x03\x0flocation-000002\tdomain\x02de\x00', > 'O\x00\x06\x00\x05\xf0\x00\x00R\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xf7\xf17\x00\x00\x00\x01S\x00\x00\x03\x84\x00\x00\x02X\x00\x01Q\x80\x00\x00\x0e\x10\x1e\x03\x0flocation-000002\tdomain\x02de\x00\x19\x03\nhostmaster\tdomain\x02de\x00'] > FAILED > > Comparing: > 'DC=Galaxy-S8,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=Galaxy-S8,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ['\x04\x00\x01\x00\x05\xf0\x00\x00N\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x0e\xf27\x00\xc0\xa8\r\x1e'] > > ['\x04\x00\x01\x00\x05\xf0\x00\x00S\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x03\xf27\x00\xc0\xa8\x1e$'] > FAILED > > Comparing: > 'DC=Juergen-Tablet,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=Juergen-Tablet,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ['\x04\x00\x01\x00\x05\xf0\x00\x00H\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xcb\xf17\x00\xc0\xa8\x1e&'] > > ['\x04\x00\x01\x00\x05\xf0\x00\x00S\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x08\xf27\x00\xc0\xa8\x1e&'] > FAILED > > Comparing: > 'DC=Samsung-Galaxy-S7-edge,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=Samsung-Galaxy-S7-edge,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > ['\x04\x00\x01\x00\x05\xf0\x00\x00G\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xc6\xf17\x00\xc0\xa8\x1e > '] > ['\x04\x00\x01\x00\x05\xf0\x00\x00S\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x0e\xf27\x00\xc0\xa8\x1e > '] > FAILED > > Comparing: > 'DC=Susanne_Buero,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=Susanne_Buero,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ['\x04\x00\x01\x00\x05\xf0\x00\x00F\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xbb\xf17\x00\xc0\xa8\x1e)'] > > ['\x04\x00\x01\x00\x05\xf0\x00\x00S\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x07\xf27\x00\xc0\xa8\x1e)'] > FAILED > > Comparing: > 'DC=android-a2bb8d65e49d7f4c,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=android-a2bb8d65e49d7f4c,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ['\x04\x00\x01\x00\x05\xf0\x00\x00;\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x82\xf17\x00\xc0\xa8\x1e\x1a'] > > ['\x04\x00\x01\x00\x05\xf0\x00\x00S\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xfa\xf17\x00\xc0\xa8\x1e\x1a'] > FAILED > > Comparing: > 'DC=location-000001,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=location-000001,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ['\x04\x00\x01\x00\x05\xf0\x00\x00N\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x0f\xf27\x00\xc0\xa8\r\xfb'] > > ['\x04\x00\x01\x00\x05\xf0\x00\x00N\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x08\xf27\x00\xc0\xa8\r\xfb'] > FAILED > > Comparing: > 'DC=location-000002,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=location-000002,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ['\x04\x00\x01\x00\x05\xf0\x00\x00N\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x10\xf27\x00\xc0\xa8\x1e\xfb'] > > ['\x04\x00\x01\x00\x05\xf0\x00\x00S\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x0e\xf27\x00\xc0\xa8\x1e\xfb'] > FAILED > > Comparing: > 'DC=nxtcloud-000002,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=nxtcloud-000002,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ['\x04\x00\x01\x00\x05\xf0\x00\x00H\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xca\xf17\x00\xc0\xa8\x1e('] > > ['\x04\x00\x01\x00\x05\xf0\x00\x00S\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\n\xf27\x00\xc0\xa8\x1e('] > FAILED > > Comparing: > 'DC=tv8a0f26eac0f5,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000001.domain.de] > 'DC=tv8a0f26eac0f5,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de' > [ldap://location-000002.domain.de] > Difference in attribute values: > dnsRecord => > > ['\x04\x00\x01\x00\x05\xf0\x00\x00F\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\xb8\xf17\x00\xc0\xa8\x1e\x1f'] > > ['\x04\x00\x01\x00\x05\xf0\x00\x00S\x01\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x04\xf27\x00\xc0\xa8\x1e\x1f'] > FAILED > > * Result for [DNSDOMAIN]: FAILURE > > SUMMARY > --------- > > Attributes with different values: > > dnsRecord > > * Comparing [DNSFOREST] context... > > * Objects to be compared: 18 > > * Result for [DNSFOREST]: SUCCESS > ERROR: Compare failed: -1 > > > >> About the howto and packages. >> If your now on 4.5.16 ( official debian ), then the shown howto's are >> good. >> If you upgrade to higher, then you might need to adjust some settings in >> smb.conf, >> which are shown in the upgrade-into.txt and offcourse the samba change >> logs. >> >> > yep - of course I will start with test environment and check first :) > > >> >> About sssd, yes i could build these also, but that would increase my >> packages needed to build even more. >> Do remember one samba version, ( debian stretch amd64 ) requeres me to >> build between 5 and 11 packages. >> Now add i386, jessie, bionic, 3 different samba version... So thats why.. >> To much, this is a lot already. >> >> > Absolutely understandable. BTW: think this is a great work you do here :) > > >> And better option for you, but this highly depends on whats running on >> the server, upgrade now to debian buster. >> This way you can still use sssd and your up in samba version. >> But i only recommend this if you only use samba on the servers and not >> much other packages. >> Debian Buster is in freeze state, so no major changes should enter. >> >> > hm...unfortunately I see other dependencies beside SAMBA here. > Really would like to wait for official release and do some tests > (especially with self build scripts that might be incompatible). > > >> Today wil be building day, so if you have more questions, just ask, im >> monitoring the list today. >> New packages will arrive soon. >> >> Greetz, >> >> Louis >> >> >> >> >> >> > -----Oorspronkelijk bericht----- >> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens >> > Rowland Penny via samba >> > Verzonden: zaterdag 6 april 2019 20:43 >> > Aan: samba at lists.samba.org >> > Onderwerp: Re: [Samba] DsReplicaSync failed - >> > WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp >> > - NT_STATUS_LOGON_FAILURE >> > >> > On Sat, 6 Apr 2019 19:08:30 +0200 >> > Martin Krämer <mk.maddin at gmail.com> wrote: >> > >> > > hm... to be truth there were already multiple times I tough >> > of having >> > > a more up-to-date version would be greate... >> > > Maybe I can try with my test servers first (I would start with >> > > http://downloads.van-belle.nl/samba4/Upgrade-info.txt here I think ) >> > > - but first I think have to check how to get rid of sssd ( I do not >> > > want to build on my own) >> > >> > It all depends on how you use your Samba machines. If you use >> > your DC's >> > just for authentication and never log in as a domain user and never >> > store anything in shares (except sysvol & netlogon) then you do not >> > need to use sssd or anything else. It is only when you use a DC as >> > fileserver that you may need something like sssd. >> > >> > > Thanks for this - I tried "samba_dnsupdate" in following ways. >> > > All of them run through without any error telling me "No DNS updates >> > > needed" at the end >> > > >> > > samba_dnsupdate --verbose >> > > samba_dnsupdate --verbose --rpc-server-ip=location-000001.domain.de >> > > samba_dnsupdate --verbose --rpc-server-ip=location-000002.domain.de >> > > >> > > afterwards unfortunately there is still no change to the error :/ >> > >> > Try comparing the databases on the DC's, see 'samba-tool ldapcmp >> > --help' for more info. >> > >> > You could also try replicating from the good DC to the other, see >> > 'samba-tool drs replicate --help' for more info >> > >> > There is also 'samba-tool dbcheck' >> > >> > Finally, is something like a firewall getting in the way. >> > >> > > >> > > hm...this is how I currently use sssd & sudo: >> > > https://linux.die.net/man/5/sssd-sudo >> > > I think with sudo-ldap you refere to the following: >> > > https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html ? >> > > As of today my sudo rules are "linked" to the ou of the device and >> > > based on the "ldap_sudo_search_base" config from sudo-sssd devices >> > > apply one the one matching for them. >> > > (nearly the same way as group policy linking in windows works) >> > > I think in case of switching I need to work with >> > > "SUDOERS_SEARCH_FILTER" or "SUDOERS_BASE" option... maybe I will >> > > check. >> > >> > From memory, sudo-ldap works in much the same way as sssd, the only >> > real difference is the lack of a cache, but, from my experience, this >> > would be the last thing on your mind if something has gone wrong and >> > you cannot login as a sudo user from ldap. >> > >> > > >> > > Louis once guided me to: >> > > https://github.com/thctlo/samba4/tree/master/howtos Are these how-to >> > > compliant to what you mention about samba support & winbind? >> > >> > Apart from referring to older versions of Samba, they should still be >> > valid. >> > >> > Rowland >> > >> > -- >> > To unsubscribe from this list go to the following URL and read the >> > instructions: https://lists.samba.org/mailman/options/samba >> > >> > >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >
Rowland Penny
2019-Apr-10 18:41 UTC
[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
On Wed, 10 Apr 2019 19:47:27 +0200 Martin Krämer via samba <samba at lists.samba.org> wrote:> Hello All, > > I just discovered that the last I unfortunately I send only to Louis > - not the list. > So below are my answers included (and log outputs that were > requested). > > Never the less in meantime I have investigated further into SAMBA & > winbind. I was able to setup samba dc based on previous instructions > and guidelines successfully. > > I additionally setup a debian samba member with winbind. > Unfortunately on that samba member I faced the issue of "Could not > convert sid: NT_STATUS_NO_SUCH_USER" > when trying to run "winbind -i <username>" while "winbind -n > <username>" works correctly on the client. > (On the DC both commands work correctly.) > > With some more research I found the following articles: > https://wiki.samba.org/index.php/Idmap_config_ad > and > https://wiki.samba.org/index.php/Adding_users_with_samba_tool#Adding_Unix_attributes_to_a_Windows_user > > But after reading these two articles I am left over with some > questions I hope you can help me with: > 1. Did I understand correctly that if I want to make sure winbind > resolve is working correctly (independently of Samba user, Samba > group or samba computer account) I have to set > non overlapping uidNumber for users and computers and non > overlapping gidNumber for groups?If you use the winbind 'ad' backend, then your users must have a unique uidNumber attribute and Domain Users (at least) a gidNumber attribute. These attributes must be inside the range you set in smb.conf You can however use the winbind 'rid' backend and this does not require adding anything to AD.> 2. Did I understand correctly that these uid- & gidNumbers cannot be > set automatically/managed by samba-tool or any other linux out of box > tool?Have a look at LAM, (LDAP Account Manager)>3. Did I understand correctly that on windows the "Active > directory users and Computers" (ADUC) sets automatically/manages the > uid- & gidNumbers for users & groups,but not for computers?Yes> 4. Did I understand correctly that if I set the uid- & gidNumbers via > samba-tool or ldbedit there is no verification if an uid- & gidNumber > already exists?Yes> --- that was the understanding part - now the real questions :) --- > 5. Assuimg 3&4 is correct, what happens if I create one user/group via > samba-tool/ldbedit and another one via ADUC - does ADUC take care of > not using the same uid-/gidNumber as of the user created/set within > samba-tool/ldbedit?No> 6. Assuimg 2 is correct that means I have to take care about setting > the uid- & gidNumbers (and no overlappings) by myself if not using > ADUC (even with ADUC I have to take care about uidNumber of comptuers > by myself - but thats only secondary).Yes> Never the less I know that on my domain controller I can receive a > uid- & gidNumber of the user/group independently of this being set in > AD by using "wbinfo --name-to-sid <myuser>" and using the resolved > SID further in "wbinfo --sid-to-uid <SID>".That would only work if the user or group already has a uidNumber/gidNumber> Based on this I could run a cronjob (just as a concept - maybe > cronjob is not best solution) that sets the uid- & gidNumber recieved > from the DC as a global AD uid- & gidNumber.Don't think this will work.> Would this make sure the uid- & gidNumbers for users, computers and > groups do not overlap?Probably not.> 7. If 6 would be implemented - what happens if I have a second > DC...will the uid- & gidNumbers recieved there differnetiate to the > ones of DC1? (If they would differentiate I assume I would have to > make sure the cronjob runs only on the FSMO role owner or?)The RFC2307 attributes are stored in AD and as such are replicated to all DC's> 8. If 7 would be implemented with the FSMO role owner only - what > would happen if that FSMO role owner has gone/will go offline and I > would have to online/offline transfer - not seize - the FSMO roles > (and with them the cronjob)? > Would the resolved uid- & gidNumbers still not overlap?Don't think I need to answer this, mainly because what you are proposing isn't going to work. Why don't you use the attributes that ADUC uses, 'msSFU30MaxUidNumber' and 'msSFU30MaxGidNumber', I am very sure that you will be able to add 'ypServ30.ldif' (it appears to be what IDMU used. Rowland
Rowland Penny
2019-Apr-10 19:40 UTC
[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
On Wed, 10 Apr 2019 21:10:59 +0200 Martin Krämer <mk.maddin at gmail.com> wrote:> Thanks - think I will give it a try > I read the wiki page > https://wiki.samba.org/index.php/Idmap_config_rid and understood this > is a read only connection. For normal logon and use I think this is > absolutely enough. Only topic I am not sure of is password expiry... > - will people be able to change their passwords from linux machine > with this rid backend?Yes, the AD password has nothing to do with the winbind backend> > > 2. Did I understand correctly that these uid- & gidNumbers cannot > > > be set automatically/managed by samba-tool or any other linux out > > > of box tool? > > > > Have a look at LAM, (LDAP Account Manager) > > > > Looks absolutely interesting.> But I am able to get that resolved as follows on the DC without > uidNumber attribute set (or am I misinterpreting something here?): > > root at location-000001:~# wbinfo --name-to-sid faiuser > S-1-5-21-2380976951-3081962821-3908499780-1138 SID_USER (1) > root at location-000001:~# wbinfo --sid-to-uid > S-1-5-21-2380976951-3081962821-3908499780-1138 > 3000020AH, I thought we were talking just about Unix domain members ;-) Samba DC's have yet another way doing things, they use 'xidNumber' attributes stored in idmap.ldb, these are only used on DC's and will be replaced by any uidNumber or gidNumber attributes added.> Does that mean that the result I recieve for "wbinfo --sid-to-uid" > might overlap even on the same DC? > That would mean that a file permitted for user A with uidNumber 123456 > might be accessible by user B, too, because the uidNumber for that > user might be 123456 as well on the DC?On 'A' DC, no, but on another DC, yes Long answer: The 'xidnumber' attributes on a DC are allocated on a 'first come basis', this means that you cannot rely on any user or group getting the same ID number on different DC's. This means that you are advised to sync idmap.ldb from your first DC to any other DC's> > You think to increment these attributes with every newly created > > user / > computer or group?Yes, this is just what ADUC does. I don't know if you are aware that, as far as AD is concerned, a computer is just a user with an extra objectclass. Rowland
Seemingly Similar Threads
- DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
- replication fails
- replication fails
- FW: ERR_DS_DRA_SCHEMA_MISMATCH after join samba 4.2.1 to existing domain
- FW: ERR_DS_DRA_SCHEMA_MISMATCH after join samba 4.2.1 to existing domain