Displaying 20 results from an estimated 69 matches for "dgfip".

2016 Apr 05
0
DNS issues after FSMO seize
...pid things: > > This server, dns20, uses as a resolver itself. > When asking for NS, there two: dc200 and dc100. > When asking SOA there is one: the name server which replied, it > replied "I am SOA". > > In AD DB SOA is dc200 which my FSMO. > > dns20:~# dig ad.dgfip.finances.gouv.fr > <http://ad.dgfip.finances.gouv.fr> -t NS > > ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> > ad.dgfip.finances.gouv.fr <http://ad.dgfip.finances.gouv.fr> -t NS > ;; global options: +cmd > ;; Got answer: > ;; ->>HEAD...
2016 Apr 05
5
DNS issues after FSMO seize
...and better DNS and perhaps stop telling stupid things: This server, dns20, uses as a resolver itself. When asking for NS, there two: dc200 and dc100. When asking SOA there is one: the name server which replied, it replied "I am SOA". In AD DB SOA is dc200 which my FSMO. dns20:~# dig ad.dgfip.finances.gouv.fr -t NS ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> ad.dgfip.finances.gouv.fr -t NS ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2556 ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL...
2015 Dec 28
2
Authentication to Secondary Domain Controller initially fails when PDC is offline
...>> Back on one Windows on the network associated to that AD Site, reboot >> it, >> and tcpdump on my DNS server (all requests goes through this DNS server) >> >> 1° Site related DNS SRV request: >> 35752:15:24:38.907301 IP 10.156.248.244.64390 > >> dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ *SRV? >> _ldap._tcp.authentification._sites.dc.*_msdcs.ad.dgfip.finances.gouv.fr. >> (88) >> 2° Site related DNS SRV reply: >> 35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain > >> 10.156.248.244.64390: 23013 2/2/4 *SRV*...
2016 Apr 05
0
DNS issues after FSMO seize
...0, uses as a resolver itself. > > When asking for NS, there two: dc200 and dc100. > > When asking SOA there is one: the name server which replied, it replied > "I > > am SOA". > > > > In AD DB SOA is dc200 which my FSMO. > > > > dns20:~# dig ad.dgfip.finances.gouv.fr -t NS > > > > ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> ad.dgfip.finances.gouv.fr > > -t NS > > ;; global options: +cmd > > ;; Got answer: > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2556 > &...
2015 Dec 24
2
Authentication to Secondary Domain Controller initially fails when PDC is offline
...ntries which were missing for one of my sites. Next, test: Back on one Windows on the network associated to that AD Site, reboot it, and tcpdump on my DNS server (all requests goes through this DNS server) 1° Site related DNS SRV request: 35752:15:24:38.907301 IP 10.156.248.244.64390 > dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ *SRV? _ldap._tcp.authentification._sites.dc.*_msdcs.ad.dgfip.finances.gouv.fr. (88) 2° Site related DNS SRV reply: 35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain > 10.156.248.244.64390: 23013 2/2/4 *SRV* *m705.ad.dgfip.finances.gouv.fr.:389 0 100,...
2016 Apr 04
2
DNS issues after FSMO seize
SOA means "this DNS server can modify the zone". Using Bind-DLZ all DNS servers can modify the AD zones, they all reply "I am the SOA" when you ask them about SOA for AD zones. Using Internal DNS I expect all DNS servers can modify the AD zones also (that's internal stuff) but even if they can modify the AD zone locally that is not the process chosen by Samba
2015 Jun 25
3
Several questions about winbind[d]
...r. I tried the following with: auth methods = sam winbindd and the same with only one d: auth methods = sam winbind One user: ldbsearch -H $sam '(cn=another.fakeuser)' homeDirectory loginShell gidnumber uidnumber # record 1 dn: CN=another.fakeuser,OU=a,OU=Standards,OU=Utilisateurs,DC=ad,DC=dgfip homeDirectory: */home/another.fakeuser* uidNumber: 1000210377 gidNumber: 1000210377 loginShell: */bin/bash* Seen through winbind eyes: wbinfo -i another.fakeuser another.fakeuser:*:1000210377:100:another.fakeuser: */home/AD/another.fakeuser*:*/bin/false* Using winbind in nsswitch.conf I could see...
2015 Jul 16
2
4.2.2 as AD with 2 DCs: database incoherency
Am 16.07.2015 um 17:18 schrieb Rowland Penny: > On 16/07/15 13:27, Reindl Harald wrote: >> >> Am 16.07.2015 um 14:02 schrieb Rowland Penny: >>> /etc/hosts should be: >>> >>> 127.0.0.1 localhost.localdomain localhost >> >> uhm no - you want 127.0.0.1 normally resolved to localhost and hence >> 127.0.0.1 localhost
2015 Dec 24
2
Authentication to Secondary Domain Controller initially fails when PDC is offline
...it comes to AD Sites. Samba does not seems to create at all any Site relevant DNS record. As AD relies on DNS to find DC on the correct AD site, if no DNS entry is created related to AD Site, no usage of AD Sites. Here Win client ask for domain 11:37:28.671044 IP 10.207.102.32.50193 > dns1.ad.dgfip.finances.gouv.fr.domain: 50244+ SRV? _ldap._tcp.pdc._ msdcs.ad.dgfip.finances.gouv.fr. (65) 11:37:28.671308 IP dns1.ad.dgfip.finances.gouv.fr.domain > 10.207.102.32.50193: 50244 1/2/3 SRV m702.ad.dgfip.finances.gouv.fr.:389 0 100 (202) Just after that it asks for kerberos service on "SCIF&...
2015 Dec 28
1
Authentication to Secondary Domain Controller initially fails when PDC is offline
...e, >>>> reboot it, >>>> and tcpdump on my DNS server (all requests goes through this DNS >>>> server) >>>> >>>> 1° Site related DNS SRV request: >>>> 35752:15:24:38.907301 IP 10.156.248.244.64390 > >>>> dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ *SRV? >>>> _ldap._tcp.authentification._sites.dc.*_msdcs.ad.dgfip.finances.gouv.fr. >>>> >>>> (88) >>>> 2° Site related DNS SRV reply: >>>> 35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain >...
2015 Dec 24
0
Authentication to Secondary Domain Controller initially fails when PDC is offline
...y sites. > > Next, test: > Back on one Windows on the network associated to that AD Site, reboot it, > and tcpdump on my DNS server (all requests goes through this DNS server) > > 1° Site related DNS SRV request: > 35752:15:24:38.907301 IP 10.156.248.244.64390 > > dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ *SRV? > _ldap._tcp.authentification._sites.dc.*_msdcs.ad.dgfip.finances.gouv.fr. > (88) > 2° Site related DNS SRV reply: > 35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain > > 10.156.248.244.64390: 23013 2/2/4 *SRV* *m705.ad.dgfip.fina...
2016 Mar 29
2
Permission denied on GPT.ini (Event ID 1058)
...--------------- But my nsswitch.conf is configured to use winbind: grep win /etc/nsswitch.conf passwd: files winbind shadow: files winbind group: files winbind And that works: For users: id administrator uid=0(root) gid=0(root) groupes=0(root) For computers: id dc200$ uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group) So idmapping seems to be enabled by default as there are no UID/GID declared on DC200 computer: ldbsearch -H $sam cn=dc200...
2015 Jul 23
2
4.2.2 as AD with 2 DCs: database incoherency
On 23/07/15 16:23, mathias dufresne wrote: > Hi all, > > I tried "samba-tool ldapcmp" several times to solve this issue, without > success. > > On DC acting as full FSMO: > dc20:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan > ldap://dc20.ad.dgfip.lan domain > ERROR(ldb): uncaught exception - ldb_wait: Time limit exceeded (3) > File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line > 175, in _run > return self.run(*args, **kwargs) > File "/usr/lib64/pyth...
2015 Dec 28
0
Authentication to Secondary Domain Controller initially fails when PDC is offline
...rk associated to that AD Site, >>> reboot it, >>> and tcpdump on my DNS server (all requests goes through this DNS >>> server) >>> >>> 1° Site related DNS SRV request: >>> 35752:15:24:38.907301 IP 10.156.248.244.64390 > >>> dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ *SRV? >>> _ldap._tcp.authentification._sites.dc.*_msdcs.ad.dgfip.finances.gouv.fr. >>> >>> (88) >>> 2° Site related DNS SRV reply: >>> 35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain > >>> 10.15...
2015 Jul 23
0
4.2.2 as AD with 2 DCs: database incoherency
Hi all, I tried "samba-tool ldapcmp" several times to solve this issue, without success. On DC acting as full FSMO: dc20:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan ldap://dc20.ad.dgfip.lan domain ERROR(ldb): uncaught exception - ldb_wait: Time limit exceeded (3) File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run return self.run(*args, **kwargs) File "/usr/lib64/python2.6/site-packages/samba/netcmd/...
2016 Mar 29
3
Permission denied on GPT.ini (Event ID 1058)
...gt;> passwd: files winbind >> shadow: files winbind >> group: files winbind >> >> And that works: >> For users: >> id administrator >> uid=0(root) gid=0(root) groupes=0(root) >> For computers: >> id dc200$ >> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) >> groupes=3000011(AD.DGFIP\domain >> controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc >> password >> replication group) >> >> So idmapping seems to be enabled by default as there are no UID/GID &...
2016 Apr 05
3
DNS issues after FSMO seize
...> When asking for NS, there two: dc200 and dc100. > > > When asking SOA there is one: the name server which replied, it replied > > "I > > > am SOA". > > > > > > In AD DB SOA is dc200 which my FSMO. > > > > > > dns20:~# dig ad.dgfip.finances.gouv.fr -t NS > > > > > > ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> > ad.dgfip.finances.gouv.fr > > > -t NS > > > ;; global options: +cmd > > > ;; Got answer: > > > ;; ->>HEADER<<- opcode: QUER...
2015 Dec 24
0
Authentication to Secondary Domain Controller initially fails when PDC is offline
...does not seems to create at all any Site relevant DNS record. As AD > relies on DNS to find DC on the correct AD site, if no DNS entry is created > related to AD Site, no usage of AD Sites. > > Here Win client ask for domain > 11:37:28.671044 IP 10.207.102.32.50193 > > dns1.ad.dgfip.finances.gouv.fr.domain: 50244+ SRV? _ldap._tcp.pdc._ > msdcs.ad.dgfip.finances.gouv.fr. (65) > 11:37:28.671308 IP dns1.ad.dgfip.finances.gouv.fr.domain > > 10.207.102.32.50193: 50244 1/2/3 SRV m702.ad.dgfip.finances.gouv.fr.:389 0 > 100 (202) > > Just after that it asks for ke...
2015 Jul 24
0
4.2.2 as AD with 2 DCs: database incoherency
...gmail.com>: > On 23/07/15 16:23, mathias dufresne wrote: > >> Hi all, >> >> I tried "samba-tool ldapcmp" several times to solve this issue, without >> success. >> >> On DC acting as full FSMO: >> dc20:~# samba-tool ldapcmp ldap://dc00.ad.dgfip.lan >> ldap://dc20.ad.dgfip.lan domain >> ERROR(ldb): uncaught exception - ldb_wait: Time limit exceeded (3) >> File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", >> line >> 175, in _run >> return self.run(*args, **kwargs) >&...
2016 Mar 29
0
Permission denied on GPT.ini (Event ID 1058)
...inbind: > grep win /etc/nsswitch.conf > passwd: files winbind > shadow: files winbind > group: files winbind > > And that works: > For users: > id administrator > uid=0(root) gid=0(root) groupes=0(root) > For computers: > id dc200$ > uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) > groupes=3000011(AD.DGFIP\domain > controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password > replication group) > > So idmapping seems to be enabled by default as there are no UID/GID > declared on DC200 compute...