search for: lnf

Mandi! L.P.H. van Belle via samba In chel di` si favelave... > > c) seems to use some ''random'' AD DNS, not the one in the site, for > > example. > Yes that is correct. ( The DC Locator Process does that ) > If you dont want that, you can assign by GPO a preffered server. > You can set it as preffered server per site in the GPO. ( note, a pc needs 2

..., i've narrowed down a bit... DNS works in this way, as expected. Touble arise in windows client accessing server aliases; I'm used to define some aliases for servers (so i use \\FILEPP\). I define aliases with: a) cname in AD DNS, and work: root at vdmtms1:~# host filepp filepp.ad.fvg.lnf.it is an alias for vdmpp1.ad.fvg.lnf.it. vdmpp1.ad.fvg.lnf.it has address 10.27.1.22 b) 'netbios aliases' in smb.conf: netbios aliases = CUPSPP FILEPP HOMEPP c) SPN aliases: samba-tool spn add HOST/filepp.ad.fvg.lnf.it vdmpp1$ samba-tool spn add HOST/FILEPP vdmpp1$ but still...

...t; Ok, this is easy. > Yes, that is easy... > > b) AFAI've understood i need to create a 'principal', type 'NFS', for > server and client, and store the key in ''local keytab''. Debian wiki > suggest: > addpriv -randkey NFS/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT > ktadd NFS/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT > > but in 'samba' lingo the same operation can be obtained with (run in > the client and server, with appropiate data): > > net -U gaio ads keytab add > NFS/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT...

...that DNS got by DHCP ARE AD DCs? Ok, DNS registration seems to work, but on a (form me) strange way... Spotted in logs: Jun 8 10:14:25 vdcud1 named[1049]: client 10.5.2.127#50250: request has invalid signature: TSIG 1592-ms-7.34-f336b9d.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634 (QUIRINIUS\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG) Jun 8 10:19:05 vdcud1 named[1049]: samba_dlz: starting transaction on zone ad.fvg.lnf.it Jun 8 10:19:05 vdcud1 named[1049]: client 10.5.2.127#56413: update 'ad.fvg.lnf.it/IN' denied Jun 8 10:19:05 vdcud1 named[1049]: samba_dlz: cancelling transaction...

...records 2 x. Lines 1-13, show a successfull commit of the A/AAAA records. ( TSIG key ok ) If you count the below lines, after line 13, my logs shows. samba_dlz: starting transaction on zone 1.168.192.in-addr.arpa Yours is trying again to update samba_dlz: starting transaction on zone ad.fvg.lnf.it So the only thing i can think of is. 1- you get the update for your zone : ad.fvg.lnf.it 2- the gets in sucessfully. 3- it does it again, but bind changed the key. client 10.5.2.64#61734/key ( first attempt, ok ) client 10.5.2.64#50303/key ( second attempt, fail ) Where is the reverse...

...k, DNS registration seems to work, but on a (form me) strange way... > > Spotted in logs: > > Jun 8 10:14:25 vdcud1 named[1049]: client 10.5.2.127#50250: request > has invalid signature: TSIG > 1592-ms-7.34-f336b9d.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634 > (QUIRINIUS\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG) Jun 8 > 10:19:05 vdcud1 named[1049]: samba_dlz: starting transaction on zone > ad.fvg.lnf.it Jun 8 10:19:05 vdcud1 named[1049]: client > 10.5.2.127#56413: update 'ad.fvg.lnf.it/IN' denied Jun 8 10:19:05 > vdcud1 named[1049]: samba_dlz: cancel...

...then it must be > something on that DC. is there a firewall or apparmor/selinux in the > way ? No. Anyway, note that query return correctly 'result: 0 Success', simply return no data. Another query to the same DC return data. eg: root at vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember | grep ^rfc822MailMember Enter LDAP Password: root at vdmpp1:~# root at vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC...

...s This keep you member working and in sync with the ad password for the computer. Out of sync, your server losses ad access. > > > > Check the spn/upn in the AD with the RSAT's ADUC, this is why i do. > > Ok, added the nfs/ SPN: > samba-tool spn add nfs/vdmpp1.ad.fvg.lnf.it vdmpp1$ On my own DC ( samba 4.8.6) , im adding the nfs/FQDN to hostname$ samba-tool spn add nfs/$(hostname -f) $(hostname -s)\$ And what is my result. samba-tool spn list $(hostname -s)\$ | grep nfs Result : nfs/hostname.internal.domain.tld > > clearly you can check it also with:...

Following: https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC i've demoted and removed a DC. Seems all went as expected: root at vdcud1:~# samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio Using vdcsv1.ad.fvg.lnf.it as partner server for the demotion Password for [LNFFVG\gaio]: Deactivating inbound replication Asking partner server vdcsv1.ad.fvg.lnf.it to synchronize from us Changing userControl and container Removing Sysvol reference: CN=VDCUD1,CN=Enterprise,CN=Mic...

...favelave... > > No. Anyway, note that query return correctly 'result: 0 Success', > > simply return no data. > That just means the search retuned without error Eh. Query succeded and return no data. Yes. > If you run the command: > ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D > CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b > DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" > Does it produce the entire users object ? No, query succeded and return no data. root at vdcsv1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC...

Hi Marco, > Following: > https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC > > i've demoted and removed a DC. Seems all went as expected: > > root at vdcud1:~# samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio > Using vdcsv1.ad.fvg.lnf.it as partner server for the demotion > Password for [LNFFVG\gaio]: > Deactivating inbound replication > Asking partner server vdcsv1.ad.fvg.lnf.it to synchronize from us > Changing userControl and container > Removing Sysvol reference:...

I need to do a simple query, against some LDAP data in 'laster draft schema' format i've added to te samba/AD schema. All LDAP query return the same result on all (6) of the DC: root at vdcsv1:~# ldapsearch -H ldap://vdcsv2.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember Enter LDAP Password: # extended LDIF # # LDAPv3 # base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree # filter: (cn=prova123) # requesting: rfc822MailMember...

...s the default: > Sys.getenv('R_LIBS_USER'); R_LIBS_USER "${R_LIBS_USER-~/R/i386-pc-solaris2.11-library/2.10}" The strange thing is, if I set another envar to the same value, there seems to be no problem at all. E.g.: BLA=/develop/lnf/i386/R/LNFr-car/reloc/R-2.10/library:/develop/lnf/i386/R/LNFr-Formula/reloc/R-2.10/library:/develop/lnf/i386/R/LNFr-lmtest/reloc/R-2.10/library:/develop/lnf/i386/R/LNFr-sandwich/reloc/R-2.10/library:/develop/lnf/i386/R/LNFr-strucchange/reloc/R-2.10/library:/develop/lnf/i386/R/LNFr-zoo/reloc/R-2.10/...

...-server' on server, 'nfs-common' on client. Ok, this is easy. b) AFAI've understood i need to create a 'principal', type 'NFS', for server and client, and store the key in ''local keytab''. Debian wiki suggest: addpriv -randkey NFS/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT ktadd NFS/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT but in 'samba' lingo the same operation can be obtained with (run in the client and server, with appropiate data): net -U gaio ads keytab add NFS/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT -k done that, effectively the file...

...0 (0x0) CODICE_USCITA_SERVIZIO : 0 (0x0) PUNTO_CONTROLLO : 0x0 INDICAZIONE_ATTESA : 0x0 Windows is able to find NTP servers: C:\Users\gaio>w32tm /monitor È in corso il recupero dell'elenco dei controller di dominio Active Directory pe vdc3t1.ad.fvg.lnf.it[10.99.21.1:123]: ICMP: 16ms ritardo NTP: +0.0175839s differenza di tempo dall'orologio locale RefID: vdcud1.ad.fvg.lnf.it [10.99.1.3] Strato: 4 vdcsv1.ad.fvg.lnf.it[10.5.1.25:123]: ICMP: 0ms ritardo NTP: +0.0129460s differenza di tempo dall'orologio local...

...at lists.samba.org > Onderwerp: Re: [Samba] Again NFSv4 and Kerberos at the 'samba way'... > > Mandi! L.P.H. van Belle via samba > In chel di` si favelave... > > > > root at vdcsv1:~# samba-tool spn list vdmpp1$ > > Hmm, > > > nfs/vdmpp1.ad.fvg.lnf.it << correct > > And these are wrong. > > > nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1 > > > nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1.ad.fvg.lnf.it > > Remove these 2. > > Removed, both on server and client. But, really, i've only do: > > samba-tool spn...

...or : > CN=58eba604-07e5-4c5d-a104-9e6f4907248f > And > CN=16b8c008-6c59-4b65-9f1b-530751904a75 > > In _msdc.dom.tld. > Verify which GUID is removed, you can see that, then remove the old server GUID. > > Run : > dig CNAME 58eba604-07e5-4c5d-a104-9e6f4907248f._msdcs.ad.fvg.lnf.it > dig CNAME 16b8c008-6c59-4b65-9f1b-530751904a75._msdcs.ad.fvg.lnf.it > > To see the name of the server, then you know which one to pick for sure. Yes, but why wasn't it removed in the first place ? Which method was used to demote the DC, standard demote or with --demote-other-de...

...t; > > you cannot use "memberserver" as an alias on another machine) > > > > And you should register any such alias as a servicePrincpalName. > > Ahem, looking at the wiki ad google does not help me. > > > Supposing to have a DM like 'vdmsv1.ad.fvg.lnf.it', and i need to > create an alias 'file', i need to add 'file' to 'netbios aliases' and > also do something like: > > samba-tool spn add host/vdmsv1.ad.fvg.lnf.it file.ad.fvg.lnf.it > > > This lead me to another question: in this way, aliases...

...e, so each DC should allow the same access. > Do you have access to the DC ? > Can you run the search locally ? Sure! As just stated, local access (via ldbsearch against the local SAM) works as expected: root at vdcpp1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)" # record 1 dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it objectClass: top objectClass: nisMailAlias cn: prova123 instanceType: 4 whenCreated: 20171218110150.0Z uSNCreated: 7923 name: prova123 objectGUID: 82012731-c88e-49dd-a802-714877fb1...

Hai, The steps shown here dont work? https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC If that is the case and you besides that free of errors. Then upgrade, and try again once your on at least samba 4.9 or 4.10. As im hoping you are upgrade straight to Buster. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens