search for: darkdragon

...e "Domain join OK" on every domain member, but still unable to authenticate the users using winbind. Domain controller logs (notable parts) are following: log.samba: [2023/11/07 18:56:05.882689, 1] ../../source4/nbt_server/register.c:165(nbtd_register_name_handler) Error registering DARKDRAGON<1b> with 192.168.1.19 on interface 192.168.1.255 - NT_STATUS_CONFLICTING_ADDRESSES [2023/11/07 18:56:20.887545, 1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part) Doing a full scan on DC=ForestDnsZones,DC=ads,DC=darkdragon,DC=lan and looking for dele...

...;>> Network resources may be unavailable >>>> At the same time LDAP works like a charm and top-level tests pass >>>> # net ads testjoin >>> Join is OK >>>> # net ads info >>> LDAP server: 192.168.1.19 >>> LDAP server name: dc2.ads.darkdragon.lan >>> Realm: ADS.DARKDRAGON.LAN >>> Bind Path: dc=ADS,dc=DARKDRAGON,dc=LAN >>> LDAP port: 389 >>> Server time: ??, 07 ??? 2023 18:03:26 MSK >>> KDC server: 192.168.1.19 >>> Server time offset: 0 >>>> But? >>>> # wbinfo...

...t;>>>> At the same time LDAP works like a charm and top-level tests > >>>>> pass # net ads testjoin > >>>> Join is OK > >>>>> # net ads info > >>>> LDAP server: 192.168.1.19 > >>>> LDAP server name: dc2.ads.darkdragon.lan > >>>> Realm: ADS.DARKDRAGON.LAN > >>>> Bind Path: dc=ADS,dc=DARKDRAGON,dc=LAN > >>>> LDAP port: 389 > >>>> Server time: ??, 07 ??? 2023 18:03:26 MSK > >>>> KDC server: 192.168.1.19 > >>>> Server time offs...

...n > member, but still unable to authenticate the users using winbind. > > Domain controller logs (notable parts) are following: > > log.samba: > > [2023/11/07 18:56:05.882689, 1] > ../../source4/nbt_server/register.c:165(nbtd_register_name_handler) > Error registering DARKDRAGON<1b> with 192.168.1.19 on interface > 192.168.1.255 - NT_STATUS_CONFLICTING_ADDRESSES [2023/11/07 > 18:56:20.887545, 1] > ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part) > Doing a full scan on DC=ForestDnsZones,DC=ads,DC=darkdragon,DC=lan &g...

...ces may be unavailable >>>>> At the same time LDAP works like a charm and top-level tests pass >>>>> # net ads testjoin >>>> Join is OK >>>>> # net ads info >>>> LDAP server: 192.168.1.19 >>>> LDAP server name: dc2.ads.darkdragon.lan >>>> Realm: ADS.DARKDRAGON.LAN >>>> Bind Path: dc=ADS,dc=DARKDRAGON,dc=LAN >>>> LDAP port: 389 >>>> Server time: ??, 07 ??? 2023 18:03:26 MSK >>>> KDC server: 192.168.1.19 >>>> Server time offset: 0 >>>>> But...

...rapping = sign > tls enabled = Yes Without "tls enabled" ldaps:// access does not work. > winbind enum groups = Yes > winbind enum users = Yes > winbind nss info = rfc2307 > winbind use default domain = Yes > idmap config darkdragon : unix_nss_info = yes > idmap config darkdragon : unix_primary_group = yes > idmap config darkdragon : range = 2048-131071 > idmap config darkdragon : schema_mode = rfc2307 > idmap config darkdragon : backend = ad > idmap config * : range = 102...

...enabled = yes' has been the default since it was introduced at Samba 4.0.0 > > > winbind enum groups = Yes > > winbind enum users = Yes > > winbind nss info = rfc2307 > > winbind use default domain = Yes > > idmap config darkdragon : unix_nss_info = yes > > idmap config darkdragon : unix_primary_group = yes > > idmap config darkdragon : range = 2048-131071 > > idmap config darkdragon : schema_mode = rfc2307 > > idmap config darkdragon : backend = ad > > idm...

...[global] > auto services = homes > client ldap sasl wrapping = sign > dns forwarder = 192.168.1.12 > dos charset = CP866 > logging = systemd > log level = 1 > netbios name = DC2 > panic action = /usr/share/samba/panic-action %d > printcap name = /dev/null > realm = ADS.DARKDRAGON.LAN > server role = active directory domain controller > template homedir = /home/%U > template shell = /bin/bash > tls enabled = Yes > tls priority = NORMAL:-VERS-SSL3.0:+VERS-TLS-ALL > winbind enum groups = Yes > winbind enum users = Yes > winbind nss info = rfc2307 > w...

...SID[ 4]: S-1-5-11 SID[ 5]: S-1-5-64-10 SID[ 6]: S-1-5-32-554 SID[ 7]: S-1-5-32-545 Privileges (0x 800000): Privilege[ 0]: SeChangeNotifyPrivilege Rights (0x 400): Right[ 0]: SeRemoteInteractiveLogonRight $ ldapsearch -H ldaps://dc2.ads.darkdragon.lan -b 'DC=ads,DC=darkdragon,DC=lan' '(&(objectclass=person)(objectSid=S-1-5-21-2269650170-3990761244-2407083512-1124))' # pubserver64, Computers, ads.darkdragon.lan dn: CN=pubserver64,CN=Computers,DC=ads,DC=darkdragon,DC=lan objectClass: top objectClass: person objectClass: or...

...[sudo] password for anrdaemon: Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable At the same time LDAP works like a charm and top-level tests pass # net ads testjoin Join is OK # net ads info LDAP server: 192.168.1.19 LDAP server name: dc2.ads.darkdragon.lan Realm: ADS.DARKDRAGON.LAN Bind Path: dc=ADS,dc=DARKDRAGON,dc=LAN LDAP port: 389 Server time: ??, 07 ??? 2023 18:03:26 MSK KDC server: 192.168.1.19 Server time offset: 0 But? # wbinfo -t checking the trust secret for domain DARKDRAGON via RPC calls failed wbcCheckTrustCredentials(DARKDRAGON):...

On 09/06/2023 18:11, Andrey Repin via samba wrote: > Greetings, Rowland Penny via samba! >> OK, you have these lines on the DC: > >> winbind nss info = rfc2307 >> winbind use default domain = Yes >> idmap config darkdragon : unix_nss_info = yes >> idmap config darkdragon : unix_primary_group = yes >> idmap config darkdragon : range = 2048-131071 >> idmap config darkdragon : schema_mode = rfc2307 >> idmap config darkdragon : backend = ad >>...

On Thu, 2023-06-08 at 13:41 +0300, Andrey Repin via samba wrote: > Greetings, All! > > I've added a new DC to the working AD, transferred FSMO roles > (checked, all 7 > are ok') and (supposedly) correctly demoted the old DC. > > SchemaMasterRole owner: CN=NTDS > Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN= > InfrastructureMasterRole owner:

...[sudo] password for anrdaemon: Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable At the same time LDAP works like a charm and top-level tests pass # net ads testjoin Join is OK # net ads info LDAP server: 192.168.1.19 LDAP server name: dc2.ads.darkdragon.lan Realm: ADS.DARKDRAGON.LAN Bind Path: dc=ADS,dc=DARKDRAGON,dc=LAN LDAP port: 389 Server time: ??, 07 ??? 2023 18:03:26 MSK KDC server: 192.168.1.19 Server time offset: 0 But? # wbinfo -t checking the trust secret for domain DARKDRAGON via RPC calls failed wbcCheckTrustCredentials(DARKDRAGON):...

...[sudo] password for anrdaemon: Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable At the same time LDAP works like a charm and top-level tests pass # net ads testjoin Join is OK # net ads info LDAP server: 192.168.1.19 LDAP server name: dc2.ads.darkdragon.lan Realm: ADS.DARKDRAGON.LAN Bind Path: dc=ADS,dc=DARKDRAGON,dc=LAN LDAP port: 389 Server time: ??, 07 ??? 2023 18:03:26 MSK KDC server: 192.168.1.19 Server time offset: 0 But? # wbinfo -t checking the trust secret for domain DARKDRAGON via RPC calls failed wbcCheckTrustCredentials(DARKDRAGON):...

...enLDAP currently. The core configuration has been done eons ago, and I'm not quite sure it is actual any more. I see a number of PAM-related errors every time the system boot up. One concerning me is Jan 28 02:31:21 daemon1 perl: pam_ldap: error trying to bind as user "uid=root,ou=Users,dc=darkdragon,dc=lan" (Invalid credentials) Is this a broken PDC configuration (how can I fix it, if yes?) or I can just remove libpam-ldap since I'm using libpam-winbind anyway? -- WBR, Andrey Repin (anrdaemon at yandex.ru) 03.02.2015, <05:48> Sorry for my terrible english...

...rote: > On 09/06/2023 18:11, Andrey Repin via samba wrote: >> Greetings, Rowland Penny via samba! >>> OK, you have these lines on the DC: >>> winbind nss info = rfc2307 >>> winbind use default domain = Yes >>> idmap config darkdragon : unix_nss_info = yes >>> idmap config darkdragon : unix_primary_group = yes >>> idmap config darkdragon : range = 2048-131071 >>> idmap config darkdragon : schema_mode = rfc2307 >>> idmap config darkdragon : backend = ad &...

...nch and… it just does not fly. Here's a brief and apparent summary of the problem: $ smbd -V; getent passwd anrdaemon Version 4.3.11-Ubuntu (14.04, 16.04) anrdaemon:*:10000:10001:Andrey Repin,,,,umask=0027:/home/anrdaemon:/bin/bash Version 4.6.7-Ubuntu (17.10) anrdaemon:*:10000:10001::/home/DARKDRAGON/anrdaemon:/bin/false The data retrieved by 4.3.11 client is correct as written in AD. On 4.6.7, only UID:GID is correct. The rest comes from local template. Both hosts are setup from the same script, with same set of related packages, with identical set of related configuration files (in fact, th...

...t; The core configuration has been done eons ago, and I'm not quite sure it is > actual any more. I see a number of PAM-related errors every time the system > boot up. One concerning me is > Jan 28 02:31:21 daemon1 perl: pam_ldap: error trying to bind as user "uid=root,ou=Users,dc=darkdragon,dc=lan" (Invalid credentials) Where do u see this message, on PDC? > Is this a broken PDC configuration (how can I fix it, if yes?) or I can just > remove libpam-ldap since I'm using libpam-winbind anyway? Show us your server config.

...brief and apparent summary of the problem: > > $ smbd -V; getent passwd anrdaemon > > Version 4.3.11-Ubuntu (14.04, 16.04) > anrdaemon:*:10000:10001:Andrey > Repin,,,,umask=0027:/home/anrdaemon:/bin/bash > > Version 4.6.7-Ubuntu (17.10) > anrdaemon:*:10000:10001::/home/DARKDRAGON/anrdaemon:/bin/false > > The data retrieved by 4.3.11 client is correct as written in AD. > On 4.6.7, only UID:GID is correct. The rest comes from local template. > > Both hosts are setup from the same script, with same set of related > packages, with identical set of related co...

...;s a brief and apparent summary of the problem: > > $ smbd -V; getent passwd anrdaemon > > Version 4.3.11-Ubuntu (14.04, 16.04) > anrdaemon:*:10000:10001:Andrey Repin,,,,umask=0027:/home/anrdaemon:/bin/bash > > Version 4.6.7-Ubuntu (17.10) > anrdaemon:*:10000:10001::/home/DARKDRAGON/anrdaemon:/bin/false > > The data retrieved by 4.3.11 client is correct as written in AD. > On 4.6.7, only UID:GID is correct. The rest comes from local template. > > Both hosts are setup from the same script, with same set of related packages, > with identical set of related co...