search for: mittermayer

Is there anything in the code of any of the versions for reporting or even fixing any records on the DB which violate these new security constraints? ________________________________ From: samba <samba-bounces at lists.samba.org> on behalf of Peter Mittermayer via samba <samba at lists.samba.org> Sent: Saturday, December 14, 2024 7:01:30 AM To: samba at lists.samba.org <samba at lists.samba.org> Subject: Re: [Samba] Error when joining new DC Hi Douglas, I did join a DC (let's say DC2) with 4.14.9 and in place upgrade to 4.10. but still...

...was previously joined to domain and was using sssd. I will report back with my findings in a while. Thanks Peter ________________________________________ From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz> Sent: Thursday, December 12, 2024 6:20 AM To: samba at lists.samba.org; Peter Mittermayer Subject: Re: [Samba] Error when joining new DC On 12/12/24 06:25, Peter Mittermayer via samba wrote: > In the meantime I also did a lot of testing to find out where exactly the issue starts. This is what I found: > 4.13.13 still works. I can joing a DC running this version without problem. &...

...current domain databases which does not meet the new security constraints introduced with 4.14.10 (or 4.13.14, or 4.15.2). Questions how do I find the culprit, and how to fix it? br ________________________________________ From: samba <samba-bounces at lists.samba.org> on behalf of Peter Mittermayer via samba <samba at lists.samba.org> Sent: Thursday, December 12, 2024 9:47 AM To: Douglas Bagnall; samba at lists.samba.org Subject: Re: [Samba] Error when joining new DC Hi Douglas, Thanks for this suggestion. I'll try that. Additionally, after reading the not on samba.tranquil.it a...

...ity constraints in 4.14.10? Running with debuglevel 10 provides a lot of details and I'm not sure where exactly to look for any additional hints or how they might look like. Thanks ________________________________________ From: samba <samba-bounces at lists.samba.org> on behalf of Peter Mittermayer via samba <samba at lists.samba.org> Sent: Saturday, December 14, 2024 8:06 AM To: Rowland Penny via samba Subject: Re: [Samba] Error when joining new DC Is there anything in the code of any of the versions for reporting or even fixing any records on the DB which violate these new security c...

...level 9 without seeing any additional information. But will try 10 too. This is only about sam.ldb or any of the other DB files as well? Thanks ________________________________ From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz> Sent: Thursday, December 12, 2024 11:05:45 PM To: Peter Mittermayer <samba.lists at outlook.com>; samba at lists.samba.org <samba at lists.samba.org> Subject: Re: [Samba] Error when joining new DC On 13/12/24 02:11, Peter Mittermayer via samba wrote: > So, without doing a fresh install on the system the join succeeded with 4.14.9. > What does it...

On 13/12/24 02:11, Peter Mittermayer via samba wrote: > So, without doing a fresh install on the system the join succeeded with 4.14.9. > What does it mean? It means the change that broke the security patches themselves, not in some change that 4.13 needed to make it ready for the security patches. So, > This leads to the...

On 12/12/24 06:25, Peter Mittermayer via samba wrote: > In the meantime I also did a lot of testing to find out where exactly the issue starts. This is what I found: > 4.13.13 still works. I can joing a DC running this version without problem. > 4.13.14 show exactly the same error as I also see on 4.21. Good work tracking th...

On Thu, 12 Dec 2024 13:11:55 +0000 Peter Mittermayer via samba <samba at lists.samba.org> wrote: > So, without doing a fresh install on the system the join succeeded > with 4.14.9. What does it mean? > In the end I want to end up with a much later version which is still > getting security fixes. > > I went through the readm...

On Wed, 11 Dec 2024 17:26:48 +0000 Peter Mittermayer <samba.lists at outlook.com> wrote: > OS is RHEL9.4. But I see exactly the same when trying with RHEL8. > First, you do not need to build Samba yourself, you can get it from Tranquil IT. Please post your /etc/krb5.conf file I take it that new DC is using a fixed IP and is also usin...

...om: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org> Sent: Wednesday, December 11, 2024 7:35 PM To: samba at lists.samba.org Cc: Rowland Penny Subject: Re: [Samba] Error when joining new DC On Wed, 11 Dec 2024 17:26:48 +0000 Peter Mittermayer <samba.lists at outlook.com> wrote: > OS is RHEL9.4. But I see exactly the same when trying with RHEL8. > First, you do not need to build Samba yourself, you can get it from Tranquil IT. Please post your /etc/krb5.conf file I take it that new DC is using a fixed IP and is also using...

On Wed, 11 Dec 2024 18:28:25 +0000 Peter Mittermayer <samba.lists at outlook.com> wrote: > The new DC is using fixed IP and two other DCs are configured as > nameserver in resolv.conf. > > This is the krb5.conf: > [libdefaults] > default_realm = SUB.DOM.TLD > dns_lookup_realm = false > dns_looku...

On Mon, 16 Dec 2024 15:35:40 +0000 Peter Mittermayer via samba <samba at lists.samba.org> wrote: > No, no. All our servers have static IPs. Therefore there is no need > for dyndns update. > > Therefore I keep the line for the tkey-gssapi-keytab in bind > commented, thus disabling all dyndns updates. That isn't what it is o...

...of Rowland Penny via samba <samba at lists.samba.org> Sent: Monday, December 16, 2024 4:51:50 PM To: samba at lists.samba.org <samba at lists.samba.org> Cc: Rowland Penny <rpenny at samba.org> Subject: Re: [Samba] Error when joining new DC On Mon, 16 Dec 2024 15:35:40 +0000 Peter Mittermayer via samba <samba at lists.samba.org> wrote: > No, no. All our servers have static IPs. Therefore there is no need > for dyndns update. > > Therefore I keep the line for the tkey-gssapi-keytab in bind > commented, thus disabling all dyndns updates. That isn't what it is on...

On Mon, 16 Dec 2024 17:42:33 +0000 Peter Mittermayer via samba <samba at lists.samba.org> wrote: > I really would like to do that. That's exactly why I'm asking if DNS > update can be allowed for DCs only and denied for all other clients. > I looked into it a few years ago but did not find a (simple) solution > to this. &gt...

...of Rowland Penny via samba <samba at lists.samba.org> Sent: Monday, December 16, 2024 6:53:34 PM To: samba at lists.samba.org <samba at lists.samba.org> Cc: Rowland Penny <rpenny at samba.org> Subject: Re: [Samba] Error when joining new DC On Mon, 16 Dec 2024 17:42:33 +0000 Peter Mittermayer via samba <samba at lists.samba.org> wrote: > I really would like to do that. That's exactly why I'm asking if DNS > update can be allowed for DCs only and denied for all other clients. > I looked into it a few years ago but did not find a (simple) solution > to this. &gt...

On Tue, 17 Dec 2024 05:54:55 +0000 Peter Mittermayer via samba <samba at lists.samba.org> wrote: > AFAIK sssd on RHEL is by default doing dyndny updates and it needs to > be disabled in the config. Same for a Windows. That is easy to fix, there is no reason to use sssd with Samba, it is pointless, so, on redhat: systemctl stop sssd syst...

...From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org> Sent: Monday, December 16, 2024 5:16 PM To: samba at lists.samba.org Cc: Rowland Penny Subject: Re: [Samba] Error when joining new DC On Mon, 16 Dec 2024 15:04:13 +0000 Peter Mittermayer via samba <samba at lists.samba.org> wrote: > Now I just need to find a solution how to allow dyndns updates only > for the DCs and not the clients. Shouldn't that be the other way around ? Your Samba AD DCs should have a fixed ipaddress (either set on the DC or via dhcp) and the...

...server provisioning and we don't use dhcp. So there is absolutely no need for dyndns except for changes in the AD infrastructure (i.e. joining/removing a DC). Any suggestions? br ________________________________________ From: samba <samba-bounces at lists.samba.org> on behalf of Peter Mittermayer via samba <samba at lists.samba.org> Sent: Monday, December 16, 2024 4:52 PM To: samba at lists.samba.org Subject: Re: [Samba] Error when joining new DC I see. Thanks for clarification. Checking the detailed of using debuglevel 10 I see this message: ../../source4/dsdb/samdb/ldb_modules/re...

...her DCs I have 8 records each. Is the secrets LDB & TDB also replicated during the join or is it generated locally from other data? Why wasn't it replicated correctly? Thanks ________________________________________ From: samba <samba-bounces at lists.samba.org> on behalf of Peter Mittermayer via samba <samba at lists.samba.org> Sent: Monday, December 9, 2024 9:40 AM To: samba at lists.samba.org Subject: Re: [Samba] Error when joining new DC Yes. FIPS mode is disabled: The OS installation was done without enabling it. [root at mdc02 samba]# fips-mode-setup --check Installation o...

Hi, AFAIK there should be a single DNS SRV record for PDC role in the domain, e.g.: _ldap._tcp.pdc._msdcs.adx.mobiltel.bg. 900 IN SRV 0 100 389 dc01.example.com. When doing a 'samba-tool fsmo transfer --role=pdc' on dc02, the reole is being transferred and a new DNS record added, but the old one for dc01 is not removed. Is there anything not working correctly in my setup or does it need