search for: fichdc

Hello Samba team ! I'am in a very delicate situation. After an upgrade to debian Stretch my DRS stopped working. I have three DCs (fichdc, fichds01, fichds02), all Debian Stretch, all with the same problem. Everything seems to be fine except DRS. -> File shares works -> DNS (with bind9 DLZ) works -> "kinit administrator" works -> "kinit -k FICHDC$" works -> times synchronisation works -> winbind...

...st the "krb5-user" > kerberos client package. > > >> > >> This seem to be a computer account problem. But I can't find any > >> problem in Kerberos : > >> > >> > >> -------------------------------- > >> # kinit -k FICHDC$ > >> # klist > >> Ticket cache: FILE:/tmp/krb5cc_0 > >> Default principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR > > > > Can you do this against the secrets.keytab in Samba's private/ dir? > > > > You can reset the Samba machine acco...

...> Thank you very much Louis, Rowland, Mike ! > > I have made all the changes proposed by Louis but still have the same problem. > > -> kinit works now with /var/lib/samba/private/secrets.keytab > ------------------------ > ~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$ > ~# > ------------------------ > > -> but samba-tool authentication with machine account fail : > ------------------------ > ~# samba-tool time -P -d 8 > INFO: Current debug levels: > all: 8 > tdb: 8 > printdrivers: 8 > lanman: 8 > smb: 8 > rp...

...> ----------------------------- > HOSTS : Don't take care of "puppet" entry. In use use puppet > to configure all my DCs and all my Linux Clients. But it's > currently disabled during the update. > ~# cat /etc/hosts > 127.0.0.1 localhost > 172.16.0.20 fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr > fichdc > 172.16.0.20 > puppet.net.lyc-guillaume-fichet.ac-grenoble.fr puppet ( better would be, create and CNAME in the dns and point that to the DC name ) For now, i also suggest, you change this to : /etc/hosts 127.0.0.1 localh...

21.06.2017 11:45, L.P.H. van Belle via samba пишет: > I suggest before you upgrade do a very good read here. > > https://wiki.samba.org/index.php/Updating_Samba#Notable_Enhancements_and_Changes > > https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release) > And a summerize version for with all parameter changes as of upgrade from 4.2 up to 4.6 >

Thank you very much Louis, Rowland, Mike ! I have made all the changes proposed by Louis but still have the same problem. -> kinit works now with /var/lib/samba/private/secrets.keytab ------------------------ ~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$ ~# ------------------------ -> but samba-tool authentication with machine account fail : ------------------------ ~# samba-tool time -P -d 8 INFO: Current debug levels: all: 8 tdb: 8 printdrivers: 8 lanman: 8 smb: 8 rpc_parse: 8 rpc_srv: 8 rpc_cli: 8 passdb: 8 sam: 8 auth...

On Tue, 20 Jun 2017 22:31:02 +1200 Andrew Bartlett via samba <samba at lists.samba.org> wrote: > On Tue, 2017-06-20 at 11:13 +0200, L.P.H. van Belle via samba wrote: > > Now choose, of > > dedicated keytab file = /etc/krb5.keytab > > To be clear, this parameter is not used in the AD DC. > > Thanks, > > Andrew Bartlett > Shouldn't that be

Hello thanks again for the help ! I have analysed samba logs more closely. I'am very worried. I have three DC (fichdc, fichds01, fichds02) but here I talk just about fichdc's logs. -> Almost every times, "AS-REQ" fail for the 3 DCs with something like this : ---------------- Kerberos: AS-REQ FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR from ipv4:172.16.0.20:59818 for krbtgt/NET.LYC-GUILLAUME...

...fail depending of the KDC used. So I think that the best thing to do is to demote and remote the two DCs without FSMO roles. This works with the three virtual machines but I don't know what's can happen with all my other Linux and Windows client. If someone can give me some tips. ("fichdc" is the DC owning all the FSMO roles, "fichds01" and "fichds02" are DCs not owning any FSMO role) 1) As DRS does not works, to demote "fichds01" for example I need to : -> on "fichds01" : disable Samba -> on "fichdc" : demote "fich...

Hai, Just saying samba does not use /etc/krb5.keytab is not totaly correct. A lot of setups use the setting : dedicated keytab file = /etc/krb5.keytab Because systemd defaults point to /etc/krb5.keytab. >From his logs: Failed to find FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5) And from his command (klist -k : Keytab name: FILE:/etc/krb5.keytab ) the above server is found. Only the HOST/SPN entry is missing. This looks like that : dedicated keytab...

On Tue, 20 Jun 2017 17:54:09 +0200 Prunk Dump via samba <samba at lists.samba.org> wrote: > Hello thanks again for the help ! > > I have analysed samba logs more closely. I'am very worried. I have > three DC (fichdc, fichds01, fichds02) but here I talk just about > fichdc's logs. > How did you upgrade 'jessie' to 'stretch' and why ? Did all the Samba packages get upgraded (this includes things like talloc, tevent etc) Rowland

...se /etc/krb5.keytab, so this may be related to some previous install (or may be related to how you are trying to use NFS). > > This seem to be a computer account problem. But I can't find any > problem in Kerberos : > > > -------------------------------- > # kinit -k FICHDC$ > # klist > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR Can you do this against the secrets.keytab in Samba's private/ dir? You can reset the Samba machine account pw with ./source4/scripting/devel/chgtdcpass, but: - it wont...

...mba <samba at lists.samba.org>: > On Tue, 20 Jun 2017 17:54:09 +0200 > Prunk Dump via samba <samba at lists.samba.org> wrote: > >> Hello thanks again for the help ! >> >> I have analysed samba logs more closely. I'am very worried. I have >> three DC (fichdc, fichds01, fichds02) but here I talk just about >> fichdc's logs. >> > > How did you upgrade 'jessie' to 'stretch' and why ? > > Did all the Samba packages get upgraded (this includes things like > talloc, tevent etc) > > Rowland > Hello. I...

...nChanged: 20150630144502.0Z uSNCreated: 3768 uSNChanged: 3768 showInAdvancedViewOnly: TRUE name: fichnet objectGUID: e1b63980-512f-451b-a2d7-c4abdbb03a3c objectCategory: CN=msSFU-30-Domain-Info,CN=Schema,CN=Configuration,DC=net,DC=l yc-guillaume-fichet,DC=ac-grenoble,DC=fr msSFU30MasterServerName: FICHDC msSFU30OrderNumber: 10000 msSFU30Domains: fichnet distinguishedName: CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=Syste m,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr But there is no msSFU30MaxUidNumber and msSFU30MaxGidNumber values. Do you know if this current entry was created...

...quot;samba-tool time -P" fail > -> kinit with exported machine keytab account works > -> kinit with /var/lib/samba/private/secrets.keytabs fail. > > But on the AD database there is one error that is only related to one > of my DC. -> the kerberos principal of "nfs/fichdc" disappeared of > the kerberos database -> the "nfs/fichds01" and "nfs/fichds02" > principal works with kinit. > > Baptiste. Then I am not sure if backing up the DCs is going to work, if the problem is in AD, you will just backup the problem :-( Two things...

...ly or not. Il have checked the DC's time clock. No problem. Here my smb.confs. ########### For pdc01 ########### [global] netbios aliases = sambaaccount sambaaccount.fichnet.fr load printers = yes workgroup = FICHNET realm = FICHNET.FR netbios name = FICHDC interfaces = lo, eth0 bind interfaces only = Yes server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate idmap_ldb:use rfc2307 = yes [netlogon] path = /var/...

Mandi! Kacper Wirski via samba In chel di` si favelave... > I understand the OP, I was asking some time ago similar question, but it was > in relation to samba domain member. Thanks, Kacper. > I couldn't get backend: ad to work for > machine accounts, so i switched to idmap: rid and it solved everything. I > tried manually adding UID and GID to Domain Computer group and to

...>> showInAdvancedViewOnly: TRUE >> name: fichnet >> objectGUID: e1b63980-512f-451b-a2d7-c4abdbb03a3c >> objectCategory: >> CN=msSFU-30-Domain-Info,CN=Schema,CN=Configuration,DC=net,DC=l >> yc-guillaume-fichet,DC=ac-grenoble,DC=fr msSFU30MasterServerName: >> FICHDC msSFU30OrderNumber: 10000 >> msSFU30Domains: fichnet >> distinguishedName: >> CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=Syste >> m,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr >> >> But there is no msSFU30MaxUidNumber and msSFU30MaxGidNumber va...

On Mon, 15 Jan 2018 16:18:57 +0100 Kacper Wirski via samba <samba at lists.samba.org> wrote: > Hello, > I understand the OP, I was asking some time ago similar question, but > it was in relation to samba domain member. I couldn't get backend: ad > to work for machine accounts, so i switched to idmap: rid and it > solved everything. I tried manually adding UID and GID to

Hello Samba team ! On my network I have three Samba-4.1.17 domain controllers (Debian Jessie) : -> One PDC : pdc01 -> Two "slave" DC : sdc02, sdc03 I don't know why, but sometimes Samba receive the SIGTERM signal and restart even if I remove it from the logrotate configuration. On "pdc01" I see : ---------- pdc01 (log.samba) ---------- SIGTERM: killing children