search for: microsult

...d=0 enctypes=18,17,16,23,3,1,2 ' Sep 23 13:36:24 hunin rpc.gssd[15285]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte) Sep 23 13:36:24 hunin rpc.gssd[15285]: process_krb5_upcall: service is '<null>' Sep 23 13:36:24 hunin rpc.gssd[15285]: Full hostname for 'nfs4.ad.microsult.de' is 'nfs4.ad.microsult.de' Sep 23 13:36:24 hunin rpc.gssd[15285]: Full hostname for 'hunin.ad.microsult.de' is 'hunin.ad.microsult.de' Sep 23 13:36:24 hunin rpc.gssd[15285]: Success getting keytab entry for 'HUNIN$@AD.MICROSULT.DE' Sep 23 13:36:24 hunin rpc....

...s for b19509be-c3ee-4a58-9fc9-afd61759a23f [2016/01/04 12:33:47.202791, 2] ../source4/rpc_server/drsuapi/getncchanges.c:2114(dcesrv_drsuapi_DsGetNCChanges) DsGetNCChanges with uSNChanged >= 3651 flags 0x00000074 on <GUID=57840cd3-5b72-476b-9333-32d1c03d872c>;CN=Configuration,DC=ad,DC=microsult,DC=de gave 0 objects (done 0/0) 0 links (done 0/0 (as S-1-5-21-820921042-1573760902-1500171102-1000)) [2016/01/04 12:34:39.306100, 3] ../auth/credentials/credentials_krb5.c:532(cli_credentials_get_client_gss_creds) Credentials for VERDANDI$@AD.MICROSULT.DE will expire shortly (0 sec), must...

This topic has been on the list two years ago, already, but apparently to no conclusion. I'm trying to join a Debian Wheezy machine (Samba 3.6.6) to my freshly made backports AD (Samba 4.1.7). This is what I see: root at samba4:/# net ads join -U Administrator at AD.MICROSULT.DE Enter Administrator at AD.MICROSULT.DE's password: Using short domain name -- AD Joined 'SAMBA4' to realm 'ad.microsult.de' DNS Update for samba4.ad.microsult.de failed: ERROR_DNS_INVALID_MESSAGE DNS update failed! root at samba4:/# host samba4.ad.microsult.de Host samba4.ad....

Well, seems like I hit every mudhole that could be on the way ... root at samba4:/# getent passwd | grep mgr mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash root at samba4:/# ldapsearch -LLL -D "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)' uid uidNumber gidNumber sAMAccountName name gecos Enter LDAP Password: dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de name: Lars LH. Hanke sAMAccountName: mgr uid: mgr uidNumber: 1001 gidNumber: 1001 gecos: Dr. Lars Hanke root at samba4:/# grep mgr /...

...ding 'AD Zones' using driver dlopen Oct 28 07:07:46 verdandi named[672]: samba_dlz: starting configure Oct 28 07:07:46 verdandi named[672]: samba_dlz: Ignoring duplicate zone '1.16.172.in-addr.arpa' from 'DC=@,DC=1.16.172.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=microsult,DC=de' Oct 28 07:07:46 verdandi named[672]: samba_dlz: Ignoring duplicate zone '6.16.172.in-addr.arpa' from 'DC=@,DC=6.16.172.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=microsult,DC=de' Oct 28 07:07:46 verdandi named[672]: samba_dlz: Ignoring duplicate zone '...

...reported local accounts 3. wbinfo -t checking the trust secret for domain AD via RPC calls failed error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b) failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR Could not check secret 4. net ads testjoin kerberos_kinit_password URDABORN$@AD.MICROSULT.DE failed: Client not found in Kerberos database kerberos_kinit_password URDABORN$@AD.MICROSULT.DE failed: Client not found in Kerberos database Join to domain is not valid: Improperly formed account name 5. kinit Administrator Password for Administrator at AD.MICROSULT.DE: Warning: Your passwor...

Hi Marc, >> The cause is that the password change didn' reach both AD DCs, but only >> one. The other one still had the old value as could be seen by >> samba-tool ldapcmp. Restarting the DCs and waiting for a couple of >> seconds brings them back to sync and Windows logons work as they used to. >> Any idea, what I should do next time to obtain valuable output

...urns kinda different information for the two: ---8<----------- First DC: Default-First-Site-Name\SAMBA DSA Options: 0x00000001 DSA object GUID: b19509be-c3ee-4a58-9fc9-afd61759a23f DSA invocationId: 4f30d79d-2e9c-4235-88a1-c258b8622d23 ==== INBOUND NEIGHBORS ==== DC=DomainDnsZones,DC=ad,DC=microsult,DC=de Default-First-Site-Name\VERDANDI via RPC DSA object GUID: a03bbb51-1dca-44ae-a4d9-7aa8cb4a1ace Last attempt @ Mon May 18 20:33:36 2015 CEST was successful 0 consecutive failure(s). Last success @ Mon May 18 20:33:36...

...ANDI) reported issues: root at verdandi:~# samba-tool drs showrepl Default-First-Site-Name\VERDANDI DSA Options: 0x00000001 DSA object GUID: a03bbb51-1dca-44ae-a4d9-7aa8cb4a1ace DSA invocationId: 8bdb4f85-1da2-4f5a-b9a9-e8369d202745 ==== INBOUND NEIGHBORS ==== CN=Schema,CN=Configuration,DC=ad,DC=microsult,DC=de Default-First-Site-Name\SAMBA via RPC DSA object GUID: b19509be-c3ee-4a58-9fc9-afd61759a23f Last attempt @ Wed Apr 22 00:12:36 2015 CEST failed, result 5 (WERR_ACCESS_DENIED) 1265 consecutive failure(s). Last succes...

...ormation about this strange effect apparently no-one has seen before. I now added the missing zone: samba-tool dns zonecreate verdandi 10.16.172.in-addr.arpa -U Administrator and it claims that the zone is okay, but the next one is missing: Dec 29 10:31:12 verdandi named[2601]: Loading 'ad.microsult.de' using driver dlopen Dec 29 10:31:12 verdandi named[2601]: samba_dlz: started for DN DC=ad,DC=microsult,DC=de Dec 29 10:31:12 verdandi named[2601]: samba_dlz: starting configure Dec 29 10:31:12 verdandi named[2601]: samba_dlz: configured writeable zone '10.16.172.in-addr.arpa.' De...

...es. > > The system definitely has DLZ included. Otherwise it could not produce > DLZ related errors and change behaviour, if sam.ldb is changes. > > Using some hints from bind-users I found > > ldbsearch -H /var/lib/samba/private/sam.ldb -b > "DC=DomainDnsZones,DC=ad,DC=microsult,DC=de" "(objectClass=dnsZone)" dn > > a useful command. It showed me that I added the wrong zones and that the > zones claimed to have missing SOA and NS are actually there. To cite the > most important parts of the logs: > > Dec 29 20:24:26 verdandi named[3695]: sa...

...22 12:25:55 verdandi named[18534]: listening on IPv4 interface eth0, 172.16.10.17#53 Dec 22 12:25:55 verdandi named[18534]: generating session key for dynamic DNS Dec 22 12:25:55 verdandi named[18534]: sizing zone task pool based on 22 zones Dec 22 12:25:55 verdandi named[18534]: Loading 'ad.microsult.de' using driver dlopen Dec 22 12:25:56 verdandi named[18534]: samba_dlz: started for DN DC=ad,DC=microsult,DC=de Dec 22 12:25:56 verdandi named[18534]: samba_dlz: starting configure Dec 22 12:25:56 verdandi named[18534]: zone 10.16.172.in-addr.arpa/NONE: has 0 SOA records Dec 22 12:25:56 ve...

...o-one > has seen before. > > I now added the missing zone: > > samba-tool dns zonecreate verdandi 10.16.172.in-addr.arpa -U > Administrator > > and it claims that the zone is okay, but the next one is missing: > > Dec 29 10:31:12 verdandi named[2601]: Loading 'ad.microsult.de' using > driver dlopen > Dec 29 10:31:12 verdandi named[2601]: samba_dlz: started for DN > DC=ad,DC=microsult,DC=de > Dec 29 10:31:12 verdandi named[2601]: samba_dlz: starting configure > Dec 29 10:31:12 verdandi named[2601]: samba_dlz: configured writeable > zone '1...

If I query the AD DC I see: root at samba4:/# ldapsearch -H ldap://samba.ad.microsult.de -Y GSSAPI '(sAMAccountName=mgr)' SASL/GSSAPI authentication started SASL username: Administrator at AD.MICROSULT.DE SASL SSF: 56 SASL data security layer installed. I would like to see SASL SSF: 112. Does anyone know whether and where this can be configured? Regards, - lars.

...on does not easily link to DLZ issues. The system definitely has DLZ included. Otherwise it could not produce DLZ related errors and change behaviour, if sam.ldb is changes. Using some hints from bind-users I found ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=ad,DC=microsult,DC=de" "(objectClass=dnsZone)" dn a useful command. It showed me that I added the wrong zones and that the zones claimed to have missing SOA and NS are actually there. To cite the most important parts of the logs: Dec 29 20:24:26 verdandi named[3695]: samba_dlz: starting configur...

...p). I have two different VMs. One called samba, which is the AD DC and another called samba4, which is my toy for client setup. Host samba4 cannot be resolved by DNS and it failed to add to the zone during the join - but this is a different issue. root at samba:/# samba-tool dns query samba ad.microsult.de @ A Password for [Administrator at AD.MICROSULT.DE]: Name=, Records=1, Children=0 A: 172.16.6.240 (flags=600000f0, serial=1, ttl=900) Name=_msdcs, Records=0, Children=0 Name=_sites, Records=0, Children=1 Name=_tcp, Records=0, Children=4 Name=_udp, Records=0, Children=2 Nam...

I run two Kerberos services in my network. The current production system on domain @OLD using plain MIT and the upcoming samba4 server on domain @AD.MICROSULT.DE. With both domains in the krb5.conf I can get tickets from either domain. However, I just try to setup a notebook as a reference system for the workstation migration. Getting a ticket from samba4 fails: kinit Administrator at AD.MICROSULT.DE kinit: Generic preauthentication failure while get...

...oup, but then I get the following exception: ldap.UNWILLING_TO_PERFORM: {'info': 'error in module samldb: Unwilling to perform during LDB_MODIFY (53)', 'desc': 'Server is unwilling to perform'} This is the equivalent LDIF: dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de changetype: modify replace: primaryGroupID primaryGroupID: 100 Any ideas, why this is prohibited? Regards, - lars.

...307. The file server knows the users from the AD, but it does not use the uid stored in the AD. The smb.conf: [global] printcap name=cups winbind enum groups=yes workgroup=AD encrypt passwords=yes security=ads local master=no realm=AD.MICROSULT.DE passdb backend=smbpasswd printing=cups wins server=172.16.6.240 winbind enum users=yes winbind use default domain=yes #winbind nss info = rfc2307 idmap config AD: range = 1001 - 29999 idmap config AD: backend = ad i...

I'm launching the final phase of getting my new Samba4 AD DC productive. I wanted to join the first real workstation, but it failed: # net ads join -U Administrator Enter Administrator's password: Failed to join domain: failed to lookup DC info for domain 'AD.MICROSULT.DE' over rpc: Invalid server state This issue was reported already here: https://lists.samba.org/archive/samba/2012-July/168212.html, but following the tips there neither changed any DNS info involved nor did the trick. Some verified facts about my setup: 1) I have joined other systems to...