search for: srvad

...AD. > > > Another thing that comes to my mind is that the 2008R2 domain was > > upgraded from an initial Win2000. > > Win2000-->Samba direct migration is not possible because Samba > > requires at least a Win2003 domain. > > So the complete upgrade was Win2000 (SRVAD-OLDOLD) --> Win2008R2 > > (SRVAD-OLD) --> Domain/forest functional level upgrade --> Samba > > 4.7.4 migration. > > > > Could there be something wrong/unexpected in current Win2008R2 > > domain config? > > Could you suggest something to check for? >...

It seems I'm talking to myself... anyway another test here: Added the existing DC IP config to /etc/hosts and the join now shows a more explicit LDAP error: --- Wrong username or password: kinit for SRVAD-NEW$@SAMDOM.LOCAL failed (Preauthentication failed) SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/SRVAD-OLD.SAMDOM.LOCAL failed (next[ntlmssp]): NT_STATUS_LOGON_FAILURE Got challenge flags: Got NTLMSSP neg_flags=0x62898235 NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x62088235 NTLMSSP...

Thanks for your help. > On the Windows DC can you check that the A record is actually created? Yes, it is, and it persists after join failure. Another sign of presence of SRVAD-NEW on the old DC is the new computer account, created in "Domain controllers" folder in "Active Directory Users and Computers" at the beginning of join procedure then automatically removed just after the failure message. > Try with some additional debugging perhaps, usi...

...> > > Il 23/02/2018 09:52, Claudio Nicora via samba ha scritto: >> Thanks for your help. >> >>> On the Windows DC can you check that the A record is actually created? >> >> Yes, it is, and it persists after join failure. >> Another sign of presence of SRVAD-NEW on the old DC is the new >> computer account, created in "Domain controllers" folder in "Active >> Directory Users and Computers" at the beginning of join procedure >> then automatically removed just after the failure message. >> >> > Try wit...

On Fri, 2 Mar 2018 11:43:37 +0100 Claudio Nicora via samba <samba at lists.samba.org> wrote: > If I create SRVAD-NEW DNS record manually, under samdom.local zone, > this is what I see with adsiedit: > > distinguishedName: > DC=SRVAD-NEW,DC=samdom.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=SAMDOM,DC=LOCAL > There is a bit of a problem with that, it should be: DC=SRVAD-NEW,DC=samdom.local,CN...

...le DC and I'd like to replace this DC with a Samba 4 DC. I'm using VirtualBox VMs to test the migration before going to production. I've cloned Windows 2008R2 Server into the first VM, then installed Ubuntu_18.04_server_x64_daily (Samba 4.7.4) into another VM. Win2008-R2:?? hostname=SRVAD-OLD, IP: 10.0.3.90 Ubuntu_18.04: hostname=SRVAD-NEW, IP: 10.0.3.100 The two machines are connected to the same virtual network and can ping each other. Now, when I run samba-tool to join the domain, the join fails with this error: ====================================================== root at...

...result. Additional info: before testing Sabma 4.7.4, I've tested to join previous Samba version server (Ubuntu 17.10, Samba 4.6.7) and it worked. Here's the new log (with case-preserved replacement), together with other required files: ========================================= root at srvad-new:~# samba-tool domain join samdom.local DC -U"Administrator" --dns-backend=BIND9_DLZ --option="interfaces=lo eth_lan" --option="bind interfaces only=yes" -d3 lpcfg_load: refreshing parameters from /etc/samba/smb.conf GENSEC backend 'gssapi_spnego' registe...

...warning at the end of /test:dns execution (Warning: Failed to delete the test record dcdiag-test-record in zone SAMDOM.LOCAL): ================= PS C:\Users\Administrator.SAMDOM> dcdiag Directory Server Diagnosis Performing initial setup:    Trying to find home server...    Home Server = SRVAD-OLD    * Identified AD Forest.    Done gathering initial info. Doing initial required tests    Testing server: Default-First-Site-Name\SRVAD-OLD       Starting test: Connectivity          ......................... SRVAD-OLD passed test Connectivity Doing primary tests    Testing server: D...

This could be the right way... > There is a bit of a problem with that, it should be: > > DC=SRVAD-NEW,DC=samdom.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=SAMDOM,DC=LOCAL The SAMDOM.LOCAL zone is set to replicate to the whole forest (maybe I've missed that info on DNS config, anyway Domain-only replication is ok for me too). I've changed it to replicate to only Domain DNS and now the...

Tested again to join, now clearing both Kerberos, Samba config and Samba private folder. The new log now has some more details (resolve_lmhosts: Attempting lmhosts lookup for name SRVAD-OLD.SAMDOM.LOCAL<0x20>), but I'm still not able to join. Wonder why is it trying to do an lmhosts lookup, 4.6 is not. An identical server (with same hostname and IP) with Samba 4.6 joins without issues (except for the need to manually create the DNS entries). NOTE: I'm testing the...

...e an idea of what's going wrong? Il 23/02/2018 09:52, Claudio Nicora via samba ha scritto: > Thanks for your help. > >> On the Windows DC can you check that the A record is actually created? > > Yes, it is, and it persists after join failure. > Another sign of presence of SRVAD-NEW on the old DC is the new > computer account, created in "Domain controllers" folder in "Active > Directory Users and Computers" at the beginning of join procedure then > automatically removed just after the failure message. > > > Try with some additional...

Tested again to join, now clearing both Kerberos, Samba config and Samba private folder. The new log now has some more details (resolve_lmhosts: Attempting lmhosts lookup for name SRVAD-OLD.SAMDOM.LOCAL<0x20>), but I'm still not able to join. Wonder why is it trying to do an lmhosts lookup, 4.6 is not. An identical server (with same hostname and IP) with Samba 4.6 joins without issues (except for the need to manually create the DNS entries). NOTE: I'm testing the...

On Fri, 2 Mar 2018 15:15:49 +0100 Claudio Nicora <claudio.nicora at gmail.com> wrote: > This could be the right way... > > There is a bit of a problem with that, it should be: > > > > DC=SRVAD-NEW,DC=samdom.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=SAMDOM,DC=LOCAL > The SAMDOM.LOCAL zone is set to replicate to the whole forest (maybe > I've missed that info on DNS config, anyway Domain-only replication > is ok for me too). > I've changed it to replicate to only Doma...

On the Windows DC can you check that the A record is actually created? > Adding DNS A record SRVAD-NEW.SAMDOM.LOCAL for IPv4 IP: 10.0.3.100 It appears that the record is added over RPC, but then fails to find it over LDAP. Presumably they are to the same domain controller, so you should be able to see if there is a record in the domain DNS zone. Maybe there is a race here, but that seems a litt...

Thanks for your attention > You are always receiving these: > > Adding DNS A record SRVAD-NEW.SAMDOM.LOCAL for IPv4 IP: 10.0.3.100 > Join failed - cleaning up Yes, but the DNS record is created and it persists after the failure. Another thing I've noticed using RSAT "Active Directory Users and Computers" is that the new DC computer account SRVAD-NEW$@SAMDOM.LOCAL is c...

...I see than the needed files (like /var/lib/samba/private/named.conf > and /var/lib/samba/private/dns.keytab) are generated by samba-tool so > I don't have them ready to be added to bind9 config. > > Before running samba-tool this is content of relevant files: > === > root at srvad-new:~# cat /etc/hosts > 127.0.0.1       localhost > 10.0.3.90       srvad-old.samdom.local srvad-old > 10.0.3.100      srvad-new.samdom.local   srvad-new > > root at srvad-new:~# cat /etc/resolv.conf > nameserver 10.0.3.90 > search samdom.local > === > > Am I missing...

...upgrading a samba4 AD. The forest/domain level is 2008R2, however the schema partition is actually missing the msDS-isRODC attribute (and probably a few others). It makes the ADUC console to failed on that entry below. Here is the samba log message (which is quite explicit :-) Sep 28 16:55:36 srvads samba[27900]: [2016/09/28 16:55:36.819666, 0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) Sep 28 16:55:36 srvads samba[27900]: ldb: acl_read: CN=SRVADS,OU=Domain Controllers,DC=domain,DC=lan cannot find attr[msDS-isRODC] in of schema I don't know how I messed up the schema partition,...

> Garming asked you to see if you could locate > where the records got put the records by hand Sorry, I can't understand what you mean with "if you could locate where the records got put"... Are you're asking me to create the DNS record by hand with RSAT on SRVAD_OLD, then run samba-tool join again? If so, yes I've tried to create the record manually and re-run samba-tool with the same error. Sorry for the misunderstand >> I'm still focusing on log lines after the failure: >> >> --- no SRVAD-OLD address in /etc/hosts --- >&gt...

...out any doubt. > > > There doesn't seem to be anything wrong in any of your conf files, > > the only other thing I can think of is, is Avahi running on the new > > DC ? and this only applies if your TLD is '.local' > > No, it's not: > === > root at srvad-new:~# apt remove avahi* > Reading package lists... Done > Building dependency tree > Reading state information... Done > Note, selecting 'avahi-ui-utils' for glob 'avahi*' > Note, selecting 'avahi-daemon' for glob 'avahi*' > Note, selecting 'av...

...ackages are for MIT kerberos libraries I think and there should be no heimdal inside. I'm going to check that kind of setup with sernet packages and see if it gets any better. By the way, the issue can be reproduced on command line on the rodc (in the excerpt below, rodc-nantes is the rodc, srvads is the rwdc and everything works fine except this issue) : [root at rodc-nantes.tranq ~]# shorewall start [root at rodc-nantes.tranq ~]# kinit dcardon Password for dcardon at TRANQUILIT.LOCAL: [root at rodc-nantes.tranq ~]# shorewall clear [root at rodc-nantes.tranq ~]# klist Ticket cache: F...