search for: 0zone

...m desperate... Please see the configs and the tests. May the force be with you :) Many thanks in advance! Environment: Ubuntu Server 16.04.1 + Samba 4.3.9 ### DOMAIN CONTROLLER root at hg-dc1:/etc/samba# cat smb.conf # Global parameters [global] workgroup = HUMGEN realm = HUMGEN.0ZONE netbios name = HG-DC1 server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc idmap_ldb:use rfc2307 = yes dns-nameservers 127.0.0.1 tls enabled = yes tls ke...

...ay the force be with you :) > > Many thanks in advance! > > Environment: Ubuntu Server 16.04.1 + Samba 4.3.9 > > ### DOMAIN CONTROLLER > root at hg-dc1:/etc/samba# cat smb.conf > # Global parameters > [global] > workgroup = HUMGEN > realm = HUMGEN.0ZONE > netbios name = HG-DC1 > server role = active directory domain controller > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > drepl, winbindd, ntp_signd, kcc > > idmap_ldb:use rfc2307 = yes > dns-nameservers 127.0.0.1 I take...

...General mailing list wrote >> >> [2017/01/11 16:42:34.522067, 1] >> >> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token) >> >> gss_accept_sec_context failed with [ Miscellaneous failure (see >> >> text): Failed to find cifs/hg004.humgen.0zone at HUMGEN.0ZONE(kvno 1) >> >> in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] >> >> [2017/01/11 16:42:34.522095, 1] >> >> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit) >> >> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOG...

...n the domain_member_file_server in the file <IP-address-of-client.log> saying: >>> [2017/01/11 16:42:34.522067, 1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token) gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/hg004.humgen.0zone at HUMGEN.0ZONE(kvno 1) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] [2017/01/11 16:42:34.522095, 1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit) SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE [2017/01/11 16:42:34.525704, 1] ../lib/param/loadparm.c:1629...

Samba - General mailing list wrote >> [2017/01/11 16:42:34.522067, 1] >> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token) >> gss_accept_sec_context failed with [ Miscellaneous failure (see text): >> Failed to find cifs/hg004.humgen.0zone at HUMGEN.0ZONE(kvno 1) in keytab >> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] >> [2017/01/11 16:42:34.522095, 1] >> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit) >> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE > > Looks like: ht...

...gt;> Please note also the behavior of "hosts allow ... except" on the AD-DC >> >> here it comes... >> >> root at hg-dc1:/etc/samba# cat smb.conf >> ## Global parameters >> [global] >> workgroup = HUMGEN >> realm = HUMGEN.0ZONE >> netbios name = HG-DC1 >> server role = active directory domain controller >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, >> drepl, winbindd, ntp_signd, kcc >> #dnsupdate >> ## all dns and dhcp is static for humgen.0zone a...

...ns = NO" and this is default. > Please note also the behavior of "hosts allow ... except" on the AD-DC > > here it comes... > > root at hg-dc1:/etc/samba# cat smb.conf > ## Global parameters > [global] > workgroup = HUMGEN > realm = HUMGEN.0ZONE > netbios name = HG-DC1 > server role = active directory domain controller > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > drepl, winbindd, ntp_signd, kcc > #dnsupdate > ## all dns and dhcp is static for humgen.0zone and _msdcs.humgen.0zone &...

...llow ... except" on the > >> AD-DC > >> > >> here it comes... > >> > >> root at hg-dc1:/etc/samba# cat smb.conf > >> ## Global parameters > >> [global] > >> workgroup = HUMGEN > >> realm = HUMGEN.0ZONE > >> netbios name = HG-DC1 > >> server role = active directory domain controller > >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > >> drepl, winbindd, ntp_signd, kcc > >> #dnsupdate > >> ## all dns and dhc...

...: > Samba - General mailing list wrote > >> [2017/01/11 16:42:34.522067, 1] > >> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token) > >> gss_accept_sec_context failed with [ Miscellaneous failure (see > >> text): Failed to find cifs/hg004.humgen.0zone at HUMGEN.0ZONE(kvno 1) > >> in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] > >> [2017/01/11 16:42:34.522095, 1] > >> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit) > >> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE >...

...ill... > You must be using an old version of samba-tool, it doesn't do that now. Version 4.3.9 from the last fresh ubuntu LTS. And I asked on FreeNode, they would not upgrade to the 4.4. branch if 4.3 hasn't bugs... > No they are not: > > dn: CN=test,CN=Users,DC=humgen,DC=0zone > ...... > primaryGroupID: 513 Oh, I hoped winbind would give me: uidNumber: 9439 gidNumber: 5001 ... from the posix attributes > This makes the users primary group 'Domain Users' and as such, the > primary group must have a gidNumber, or all your users will be ignored...

...gard to the Geckos On the ad-dc: HUMGEN\test:*:9439:5000: WT. Test --given-name=Want To:/home/HUMGEN/test:/bin/false The Geckos on ad-dc are composed from initials + surname + givenName. On the domain member (real Geckos field or may be description) : test:*:9439:5000:Want to Test://hg004.humgen.0zone/test/linhome:/bin/bash The Geckos from the ad-dc will be sent as FullName to a joined Windows 8.1 computer. The fields (I gave them to samba-tool by creating the test user) surname and givenName are not visible in the output of ldbsearch. So, how would one modify the surname after a women married...

Thank you Rowland for looking into this! >> WHAT I DO NOT GET CORRECTLY are the UID and GID of users and groups >> on the domain member (PARTIALLY DEPENDING if I have the lines with >> "idmap config *:..." or not ??? - see below) > « [hide part of quote] > > Have you added uidNumber & gidNumber attributes to the user & > groupobjects in AD ?

...grade to the 4.4. branch if > 4.3 hasn't bugs... Ubuntu will not want to materially change an LTS version and Samba changes so fast, in fact version 4.5.0 is slated for release in min September. > > > > No they are not: > > > > dn: CN=test,CN=Users,DC=humgen,DC=0zone > > ...... > > primaryGroupID: 513 > > Oh, I hoped winbind would give me: > uidNumber: 9439 > gidNumber: 5001 > ... from the posix attributes > Well, it will use the uidNumber as the users Unix UID, but winbind will use the gidNumber attribute from 'Domain U...

...ide the range > > 5000-30000 ? > > No, Domain Users has no GID. > Until now it was unimportant to me. All my users are in the group > "hg_allg" with GID 5001. As primary group in unix passwd in the old > NT domain. No they are not: dn: CN=test,CN=Users,DC=humgen,DC=0zone ...... primaryGroupID: 513 This makes the users primary group 'Domain Users' and as such, the primary group must have a gidNumber, or all your users will be ignored by winbind. Do not think of changing the users primaryGroupID, windows expects all users to be members of 'Domain Users...

...UMGEN\test:*:9439:5000: WT. Test --given-name=Want > To:/home/HUMGEN/test:/bin/false > > The Geckos on ad-dc are composed from initials + surname + givenName. > > On the domain member (real Geckos field or may be description) : > test:*:9439:5000:Want to > Test://hg004.humgen.0zone/test/linhome:/bin/bash > > The Geckos from the ad-dc will be sent as FullName to a joined > Windows 8.1 computer. This is a known problem, winbindd on the DC only extracts uidNumber & gidNumber attributes, I just wish somebody would fix this. > > The fields (I gave them to sa...