search for: matrixsci

Displaying 20 results from an estimated 23 matches for "matrixsci".

2019 Jun 13
2
authentication failures
...(Samba 4.5.16) which I've deployed as a soon-to-be replacement. All credentials are valid as I can log in to the domain with both. Both accounts, as far as I can tell, look identical from AD perspective. The only difference that I can spot is when I run "ldapsearch -D 'account at matrixscience.co.uk' -b 'cn=Users,dc=matrixscience,dc=co,dc=uk' -H ldap://dc15 -W sAMAccountName=account" The responses are successful and identical apart from these 2 lines: msDS-SupportedEncryptionTypes: 0 msSFU30Name: account2 which only appear for the second (problematic) account. A...
2019 Jun 13
1
authentication failures
On 13/06/2019 16:05, Adam Weremczuk via samba wrote: > I got authentication (bind credentials) working for account2 on the > old DC (Samba 4.0.9): > > CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK > CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL > MATRIXSCIENCE.CO.UK\account1 ---> OK > MATRIXSCIENCE.CO.UK\account2 ---> OK > > but it's still failing on the new DC (Samba 4.5.16): > > CN=account1,CN=Users,DC=matrixscience...
2019 Jun 13
0
authentication failures
I got authentication (bind credentials) working for account2 on the old DC (Samba 4.0.9): CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL MATRIXSCIENCE.CO.UK\account1 ---> OK MATRIXSCIENCE.CO.UK\account2 ---> OK but it's still failing on the new DC (Samba 4.5.16): CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK CN=accoun...
2019 Jul 16
4
messy replication
Hi all, I have an old dc (4.0.9). Let's call it dc1. I also have a new one (4.5.16) which I'm planning to switch to. Let's call it dc2. After initial set up of dc2 I initialised replication and things looked ok for a couple of weeks. Recently I've managed to mess it up. Possibly by editing users and DNS records. Or copying Kerberos cache and trying to use it elsewhere for
2019 Jul 16
3
messy replication
...winbind use default domain = true Where this is not working on the AD-DC's. The kdc: entries to be removed. 2x ldap server require strong auth = no This server used internal DNS the other BIND9_DLZ > -----Original message----- > From: Adam Weremczuk [mailto:adamw at matrixscience.com] > Sent: Tuesday 16 July 2019 14:03 > To: L.P.H. van Belle; Rowland penny > Subject: Re: [Samba] messy replication > > Hi Louis and Rowland, > > Thank you for a prompt reply. > > I'm ok with skipping anonymisation as long as the files are > onl...
2019 Jul 16
1
messy replication
On 16/07/19 15:38, Rowland penny via samba wrote: > I would fix DC1, then create a new DC running Debian stretch (this > will give you Samba 4.5.16), join this to your old DC and once it is > working correctly, transfer the FSMO roles to it and demote DC1. > Upgrade stretch to buster (make sure to back everything up) then start > to use Louis's repo. Anything wrong with
2019 Jul 23
0
errors restoring samba
On 22/07/19 16:54, Rowland penny via samba wrote: > On 22/07/2019 16:12, Adam Weremczuk via samba wrote: >> Following deeper analysis I have found some permission differences in >> sysvol policies files. >> >> Would it be enough to justify the error below and cause a complete >> DNS failure? > I wouldn't have thought so. It's not just policy files,
2019 Jul 23
2
messy replication
On 22/07/19 13:01, Rowland penny via samba wrote: > You could try restarting Samba, this should recreate any caches, but I > think you will need to remove DC2. There are two ways of doing this, > manually with ldbdel etc or starting climbing the Samba versions until > you get to a point that you can backup everything and be able to run > the demote with
2019 Jul 23
1
messy replication
On 23/07/19 16:04, Rowland penny via samba wrote: > Do you want to post it somewhere and then provide a link, this list > strips attachments. > > Rowland > Not my post but my prompt is identical: https://www.dtonias.com/wp-content/uploads/2018/02/forced-removal-domain-controller-metadata-cleanup-03.png
2019 Jul 22
0
errors restoring samba
Following deeper analysis I have found some permission differences in sysvol policies files, e.g: WORKING: # file: samba/sysvol/company.co.uk/Policies/{274B7BA8-3DBA-43A6-8AC2-D45B5E4054FF}/GPT.INI # owner: 3000000 # group: Domain\040Users user::rwx group::--- group:Domain\040Users:--- group:3000000:rwx group:3000002:rwx group:3000003:r-x group:3000006:rwx group:3000008:rwx group:3000010:r-x
2019 Jun 20
2
pfSense DHCP integration with Samba AD DDNS
Hi all, Has anybody got it working? My struggle is briefly described here but the pfSense community is dead silent: https://forum.netgate.com/topic/138881/dhcp-dyndns-intergration-with-samba-dns Regards, Adam
2019 Jun 20
2
pfSense DHCP integration with Samba AD DDNS
That's helpful. About half of our DHCP clients are Unixes. Maybe I'll find a way to make pfSense perform a Kerberos handshake with Samba for the sake of updating DNS. If not, I'll just install isc-dhcp-server on the Debian container running Samba AD. On 20/06/19 13:25, Rowland penny via samba wrote: > The problem is that Windows machines can update their own records in > AD,
2020 May 26
2
LDAP authentication logging
Hi all, I'm running old Sernet samba 4.0.9 on Debian and trying to set up LDAP authentication for https://www.reviewboard.org/docs/manual/3.0/admin/configuration/authentication-settings/ To cut a long story short about half of users can log in and half not without any obvious reasons that ldapsearch comparisons would reveal. So I really want to see what the server is saying. I've
2019 Jul 18
2
messy replication
On 17/07/19 16:22, Rowland penny via samba wrote: > I don't think there is a 'best way'. This used to come up fairly often > in the early days of Samba AD, I think all you can do is to search in > sam.ldb and remove any mention of the old DC, but DO NOT alter the > files under sam.ldb.d, reading this might help: > >
2019 Jun 20
2
pfSense DHCP integration with Samba AD DDNS
Hi Rowland, I don't want to run an AD DC on firewall device, barely DHCP and maybe DNS. What you have pointed me to is similar to what I have in place: https://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ and which is working fine. NOW I want to switch DHCP from isc-dhcp-server 4.2.2 on Debian to DHCP on pfSense firewall (based on
2019 Jul 23
2
errors restoring samba
> Jul 22 14:39:39 dc1 named[27846]: samba_dlz: Failed to connect to > /var/lib/samba/private/dns/sam.ldb The good news is I believe I've found the problem: RUNNING: # file: samba/private # owner: root # group: root user::rwx group::r-x group:bind:r-x mask::r-x other::--- RESTORE: # file: samba/private # owner: root # group: root user::rwx group::r-x other::--- The bad news is
2019 Jul 18
2
messy replication
On 18/07/19 11:42, Rowland penny via samba wrote: > Well, 'dns-dc2' is the user for Bind9 on dc2, so you shouldn't try to > create it yourself. > > Easiest way will be to remove all mention of the dead DC, then use > 'samba_upgradedns' to upgrade to the internal dns server, then run it > again to upgrade to Bind9 again, this will create the required user
2019 Jul 18
2
messy replication
On 18/07/19 12:33, Rowland penny via samba wrote: > I would clone the DC you want keep, move the clone away from the > domain (easiest way, unplug the ethernet) then remove the old dead DC > from this and ensure it works. If you want to use Bind9 and don't have > the 'dns-*' user, then run samba-upgradedns as I said earlier. > > Once you are sure just what to do,
2019 Jul 18
2
messy replication
On 18/07/19 13:19, Rowland penny via samba wrote: > OK, from my understanding DC1 is using the internal dns and DC2 is > using Bind9. It's the other way round. On dc1 port 53 is mapped to /usr/sbin/named -u bind. On dc2 it's /usr/sbin/samba. I wasn't sure what to do when I deployed dc2. I remember installing bind9 on dc2 but then purging it. BTW - does it matter for
2019 Jul 22
4
errors restoring samba
Hi Rowland, I've decided to roll back samba on DC1 to the state from a couple of weeks ago, before I started all this mess... Since the email subject change :) Stopped bind9 and sernet-samba-ad and copied /var/lib/samba aside. Restored samba folder from backup, started sernet-samba-ad but bind9 fails to start: Jul 22 14:39:39 dc1 named[27846]: generating session key for dynamic DNS Jul