Displaying 20 results from an estimated 42 matches for "mydc".
2017 Dec 31
2
Convert Member Server to DC
...eave -U administrator
2.) Remove the machine entry on the 1st DC
3.) mv /var/lib/samba /var/lib/samba-client
4.) mv /etc/krb5.keytab /etc/krb5.keytab-client
5.) samba-tool domain join 2nd DC
I am having problems right off the start in that item 1.) throws this
message:
> net ads leave -U 'MYDC\administrator'
Enter MYDC\administrator's password:
Disabled account for 'MACHINE' in realm '(null)'
I thought this command would remove the machine account from the 1st DC
but it does not seem to do that hence item 2. Is it good enough to just
remove the machine account...
2017 Dec 31
0
Convert Member Server to DC
...ve the machine entry on the 1st DC (used ldbedit)
> 3.) mv /var/lib/samba /var/lib/samba-client
> 4.) mv /etc/krb5.keytab /etc/krb5.keytab-client
> 5.) samba-tool domain join 2nd DC
I tried this procedure and it just doesn't want to work. I have this error:
>samba-tool domain join mydc.mydom.com DC -U"MYDC\administrator"
--dns-backend=SAMBA_INTERNAL
Password for [MYDC\administrator]:
workgroup is MYDC
realm is mydc.mydom.com
Deleted CN=DC2,CN=Computers,DC=mydc,DC=mydom,DC=com
Adding CN=DC2,OU=Domain Controllers,DC=mydc,DC=mydom,DC=com
Adding
CN=DC2,CN=Servers,CN=Defau...
2018 Jan 05
2
dhcpd create lease error and unable to kinit for dynupdate on domain controller
...ates,
on my samba dc i have installed the dhcp package and the
samba-dhcpd-update AUR package
there are two unresolved errors that i cannot fix
1 -: Can't create new lease file: Permission denied
2 -: kinit for dynamic DNS failed
can anyone offer any suggestions.
# journalctl
Jan 02 17:43:28 MYDC dhcpd[25603]: execute_statement argv[0] =
/usr/bin/dhcpd-update-samba-dns.sh
Jan 02 17:43:28 MYDC dhcpd[25603]: execute_statement argv[1] = add
Jan 02 17:43:28 MYDC dhcpd[25603]: execute_statement argv[2] = 192.168.1.233
Jan 02 17:43:28 MYDC dhcpd[25603]: execute_statement argv[3] = salaam
Jan 02...
2020 Apr 30
3
bind9 refuses to start -> zone has no NS records
...m per se but for some
> time Bind-DLZ has been a bit more strict and ask for a NS record for
> every zone. So you just have to create a NS field in your zone pointing
> to one of your DC and you should be fine. Internal DNS does not have
> this requirements.
>
> samba-tool dns mydc 21.168.192.in-addr.arpa @ NS mydc.mydomain.lan. -P
>
There is something missing, right?
perhaps this way:
samba-tool dns add|update mydc 21.168.192.in-addr.arpa NS
mydc.mydomain.lan -Uadministrator
--
forumZFD
Entschieden für Frieden|Committed to Peace
Benedikt Kaleß
Leiter Team IT|Head te...
2004 Aug 24
1
XP Can't Join Domain
...=Computers.
> I put them in ou=People and the problem was solved.
>
> --Dan
>
Daniel:
I deleted the following options from the smb.conf
#ldap user suffix = ou=People
#ldap machine suffix = ou=Computers
But I left the options set in my smbldap.conf.
usersdn="ou=Users,dc=mydc,dc=com"
computersdn="ou=Computers,dc=mydc,dc=com"
I set my nss_ldap as such:
nss_base_passwd dc=mydc,dc=com?sub
nss_base_shadow dc=mydc,dc=com?sub
---
The end result is some extra sub queries - which is ok for me. I also
get the benefit of having the logical separation betwe...
2017 Dec 27
3
Centos 7 member server login fails
...ent passwd
testuser2:*:3001108:3000513::/home/testuser1:/bin/bash
testuser1:*:3001107:3000513::/home/testuser2:/bin/bash
> getent group
domain admins:x:3000512:administrator
domain users:x:3000513:testuser2,testuser1,administrator,krbtgt
> kinit Administrator
Password for Administrator@MYDC.TEST.COM:
> klist
Ticket cache: KEYRING:persistent:3001107:3001107
Default principal: Administrator@MYDC.TEST.COM
Valid starting Expires Service principal
12/26/2017 14:24:36 12/27/2017 00:24:36 krbtgt/MYDC.TEST.COM@MYDC.TEST.COM
renew until 01/02/2018 14:24:32...
2018 Apr 06
2
User idmap lost
...6-3029571206-2736118167-1143
type: ID_TYPE_BOTH
xidNumber: 3000062
distinguishedName: CN=S-1-5-21-729452656-3029571206-2736118167-1143
Please note that the xidNumber is 3000062.
Here is the entry for my wife's user account in the sam.ldb file:
# record 277
dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
sn: Wife
c: US
l: Somewhere
st: A State
postalCode:
givenName: Sharon
instanceType: 4
whenCreated: 20141220195750.0Z
uSNCreated: 5115
co: United States
company: MyHome!
objectGUID: 2770b5ca-f2e7-43bc-9a47-833ce384c564
badPwdCount: 0
codePage: 0
countryCode: 840
homeDirectory: \\mydom\home\my...
2018 Jul 28
3
Winbind Craziness
...I had some time to follow this bunny trail and found that even
> though all the other servers had no problems this one continued
> to. Every so often a new computer couldn't connect and then it would
> be all better after a net leave/net join. Net join would not work
> without -S <MyDC> in the command line. What I found out was that most
> net rpc commands such as net rpc testjoin would also fail without -S
> <MyDC> in the command line, whereas they would work fine for any other
> box. I also noticed that a tdbtool dump of secrets.tdb was pretty
> nearly empty wh...
2018 Apr 06
0
User idmap lost
..._BOTH
> xidNumber: 3000062
> distinguishedName: CN=S-1-5-21-729452656-3029571206-2736118167-1143
>
> Please note that the xidNumber is 3000062.
>
> Here is the entry for my wife's user account in the sam.ldb file:
>
> # record 277
> dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
> sn: Wife
> c: US
> l: Somewhere
> st: A State
> postalCode:
> givenName: Sharon
> instanceType: 4
> whenCreated: 20141220195750.0Z
> uSNCreated: 5115
> co: United States
> company: MyHome!
> objectGUID: 2770b5ca-f2e7-43bc-9a47-833ce384c564
> badPwdCou...
2018 Apr 29
1
no attributes after following "Setting up a Share Using Windows ACLs"
Hi, I have set up an AD DC with Samba 4.8, and then rigorously followed the wiki
tutorial at:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
However, when following the last part (File System ACLs in the Back End), I
don't get
the expected results :
[root@mydc ~]# getfattr -d /srv/samba/Demo/
doesn't yield anything and
getfacl /srv/samba/Demo/
getfacl : suppression du premier « / » des noms de chemins absolus
# file: srv/samba/Demo/
# owner: root
# group: SAMDOM\134domain\040admins
user::rwx
user:root:rwx
user:3000004:rwx
group::rwx
group:users:rwx...
2017 Dec 27
0
Centos 7 member server login fails
...dmins:x:3000512:administrator
> domain users:x:3000513:testuser2,testuser1,administrator,krbtgt
Have you actually given your users & groups a uidNumber or gidNumber
attribute, or are you using the 'rid' backend
>
> > kinit Administrator
> Password for Administrator@MYDC.TEST.COM:
> > klist
> Ticket cache: KEYRING:persistent:3001107:3001107
> Default principal: Administrator@MYDC.TEST.COM
This gets stranger and stranger, if you are using the 'rid' backend,
why does 'Administrator' have the 'RID' 1107 ? and if you aren't,...
2018 Jul 20
2
Winbind Craziness
about 3 weeks ago there was a power outage where our main file server was not connected to any dc for some time. (don't know if that's related)
since then winbind will randomly not resolve rfc_2307 users or groups whenever it feels like it.
have tried
shutting down nmbd, smbd, winbind and running net cache flush (and starting them up again) have tried turning off winbind group and user
2018 Jul 31
3
Winbind Craziness
...I had some time to follow this bunny trail and found that even
> though all the other servers had no problems this one continued
> to. Every so often a new computer couldn't connect and then it would
> be all better after a net leave/net join. Net join would not work
> without -S <MyDC> in the command line. What I found out was that most
> net rpc commands such as net rpc testjoin would also fail without -S
> <MyDC> in the command line, whereas they would work fine for any other
> box. I also noticed that a tdbtool dump of secrets.tdb was pretty
> nearly empty wh...
2020 Apr 30
7
bind9 refuses to start -> zone has no NS records
Hi,
I have to add a second DC to a Zone.
I use the sernet packages Version 4.11 on a debian 10 host.
The bind refuses to start:
root@addc-zone02:~# systemctl status bind9
● bind9.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2020-04-30 14:51:58 EEST; 5s ago
Docs:
2015 Nov 12
1
(no subject)
...g/index.php/Setup_a_Samba_print_server
I have granted seprinteroperator rights to my domain group.
While adding printer or driver am getting "access denied" error.
My configurations as follows,
workgroup = MYGROUP
realm = MYGROUP
security = ADS
encrypt passwords = yes
password server = MYDC.MYGROUP
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = true
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
restrict anonymous = 2
winbind offline logon = yes
###############...
2016 Oct 31
0
Samba domain join issues
...or hostname -d, nothing returns.
What OS are you running the domain member on ?
Normally if you don't get anything from those commands you don't have a
FQDN.
>
> If I return *net ads info* I get this:
> LDAP server: <IP Address of domain controller>
> LDAP server name: myDC.mydomain.com
> Realm: MYDOMAIN.COM
> Bind Path: dc=MYDOMAIN,dc=COM
> LDAP port: 389
> Server time: Mon, 31 Oct 2016 16:04:43 EDT
> KDC server: <IP Address of domain controller>
> Server time offset: 0
>
> I ran the net ads join command with -d 10 and seeing this at th...
2018 Jul 27
0
Winbind Craziness
so I had some time to follow this bunny trail and found that even though all the other servers had no problems this one continued to. Every so often a new computer couldn't connect and then it would be all better after a net leave/net join.
Net join would not work without -S <MyDC> in the command line. What I found out was that most net rpc commands such as net rpc testjoin would also fail without -S <MyDC> in the command line, whereas they would work fine for any other box.
I also noticed that a tdbtool dump of secrets.tdb was pretty nearly empty whereas other servers...
2018 Jul 30
0
Winbind Craziness
...I had some time to follow this bunny trail and found that even
> though all the other servers had no problems this one continued
> to. Every so often a new computer couldn't connect and then it would
> be all better after a net leave/net join. Net join would not work
> without -S <MyDC> in the command line. What I found out was that most
> net rpc commands such as net rpc testjoin would also fail without -S
> <MyDC> in the command line, whereas they would work fine for any other
> box. I also noticed that a tdbtool dump of secrets.tdb was pretty
> nearly empty wh...
2018 Jul 30
0
Winbind Craziness
...I had some time to follow this bunny trail and found that even
> though all the other servers had no problems this one continued
> to. Every so often a new computer couldn't connect and then it would
> be all better after a net leave/net join. Net join would not work
> without -S <MyDC> in the command line. What I found out was that most
> net rpc commands such as net rpc testjoin would also fail without -S
> <MyDC> in the command line, whereas they would work fine for any other
> box. I also noticed that a tdbtool dump of secrets.tdb was pretty
> nearly empty wh...
2020 Nov 09
2
Can't join domain (LDAP error)
...need to demote after failures, but on the success arm rejoining the
DC might fail when we recognise we are joined. This is an extra safety
check.
Also regardless it isn't awesome to be creating and deleting lots of
DCs in production.
You could potentially just test with
ldbsearch -H ldap://mydc -k yes
However, and that would be harmless.
Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
https://catalyst.net.nz/services/samba