search for: vdcpp1

Make a note: it is better to disable 'check password script' in the DC(s) before trying to join a new DC. ;( root at vdcpp1:~# samba-tool domain join ad.my.dom DC -U"MYDOM\administrator" --dns-backend=BIND9_DLZ Finding a writeable DC for domain 'ad.my.dom' Found DC vdcsv1.ad.my.dom Password for [MYDOM\administrator]: workgroup is MYDOM realm is ad.my.dom Adding CN=VDCPP1,OU=Domain Controllers,DC=ad,DC=...

...nly three notes: a) i've followed the suggestion to move idmap.ldb from the first DC to the second (Rowland! Clap me! I've not sayed 'primary' and 'secondary'! ;-). After that, as suggested by the wiki, i've done a 'samba-tool ntacl sysvolreset' but: root at vdcpp1:~# samba-tool ntacl sysvolreset open: error=2 (No such file or directory) ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error') File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run return self.run(*args, **kwargs) File &q...

...rzonden: dinsdag 24 oktober 2017 15:33 > Aan: samba at lists.samba.org > Onderwerp: [Samba] 'check password script' and Join... > > > Make a note: it is better to disable 'check password script' in the > DC(s) before trying to join a new DC. ;( > > root at vdcpp1:~# samba-tool domain join ad.my.dom DC > -U"MYDOM\administrator" --dns-backend=BIND9_DLZ > Finding a writeable DC for domain 'ad.my.dom' > Found DC vdcsv1.ad.my.dom > Password for [MYDOM\administrator]: > workgroup is MYDOM > realm is ad.my.dom > Adding CN=VD...

...wed the suggestion to move idmap.ldb from the first DC to > the second (Rowland! Clap me! I've not sayed 'primary' and > 'secondary'! ;-). > > After that, as suggested by the wiki, i've done a 'samba-tool ntacl > sysvolreset' but: > > root at vdcpp1:~# samba-tool ntacl sysvolreset > open: error=2 (No such file or directory) > ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined > error') File > "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line > 176, in _run return self.run(*args,...

...39;t work on, then it must be > something on that DC. is there a firewall or apparmor/selinux in the > way ? No. Anyway, note that query return correctly 'result: 0 Success', simply return no data. Another query to the same DC return data. eg: root at vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember | grep ^rfc822MailMember Enter LDAP Password: root at vdmpp1:~# root at vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=a...

...or/selinux in the > > way ? > > No. Anyway, note that query return correctly 'result: 0 Success', > simply return no data. That just means the search retuned without error > Another query to the same DC return data. eg: > > root at vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D > CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b > DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember | grep > ^rfc822MailMember Enter LDAP Password: root at vdmpp1:~# root at vdmpp1:~# > ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D > CN=mt...

Doing some test i've done, as root, in one DC: root at vdcpp1:~# smbpasswd gaio New SMB password: Retype new SMB password: root at vdcpp1:~# pdbedit -v gaio Unix username: gaio NT username: Account Flags: [U ] User SID: S-1-5-21-160080369-3601385002-3131615632-1105 Primary Group SID: S-1-5-21-160080369-3...

Hai, The steps shown here dont work? https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC If that is the case and you besides that free of errors. Then upgrade, and try again once your on at least samba 4.9 or 4.10. As im hoping you are upgrade straight to Buster. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens

On 02/10/2019 14:42, Marco Gaiarin via samba wrote: > Mandi! Rowland penny via samba > In chel di` si favelave... > >>> samba-tool dbcheck --cross-ncs --fix >>> Yes, should be possible, but i normaly do that after i do the following. >> Yes, but why wasn't it removed in the first place ? > [...] >>> Run : >>> dig CNAME

...060b28c-e27e-45f0-89c1-527474a6919c>;<RMD_ADDTIME=131533251720000000>;<RMD_CHANGETIME=131533251720000000>;<RMD_FLAGS=0>;<RMD_INVOCID=bc3f89e3-8ce4-4ddd-956a-ea740e8b2f12>;<RMD_LOCAL_USN=6174>;<RMD_ORIGINATING_USN=6174>;<RMD_VERSION=0>;CN=NTDS Settings,CN=VDCPP1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it Not removing dangling forward link ERROR: no target object found for GUID component for msDS-NC-Replica-Locations in object CN=58eba604-07e5-4c5d-a104-9e6f4907248f,CN=Partitions,CN=Configuration,DC=ad,DC=fvg,D...

...-45f0-89c1-527474a6919c>;<RMD_ADDTIME=131533251720000000>; <RMD_CHANGETIME=131533251720000000>;<RMD_FLAGS=> 0>;<RMD_INVOCID=bc3f89e3-8ce4-4ddd-956a-ea740e8b2f12>;<RMD_LOC AL_USN=6174>;<RMD_ORIGINATING_USN=6174>;<RMD_VERSION=0>;CN=NTDS > Settings,CN=VDCPP1,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it > ERROR: no target object found for GUID component for > msDS-NC-Replica-Locations in object > CN=58eba604-07e5-4c5d-a104-9e6f4907248f,CN=Partitions,CN=Confi guration,DC=ad,DC=fvg,DC=lnf,DC=it - &...

...n chel di` si favelave... > > No. Anyway, note that query return correctly 'result: 0 Success', > > simply return no data. > That just means the search retuned without error Eh. Query succeded and return no data. Yes. > If you run the command: > ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D > CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b > DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" > Does it produce the entire users object ? No, query succeded and return no data. root at vdcsv1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Re...

...; Feb 11 13:59:52 vdcpp2 shutdown[33452]: shutting down for system > reboot > > at '14:00:30' bind, ntp and (i suppose) samba was stared. > > > After that, i've upgraded and rebooted the second DC in that site > (really, the first ;): > > Feb 11 14:03:09 vdcpp1 shutdown[26601]: shutting down for system > reboot > > again, for 14:04:00 was up&runing. > > > But the mail server refuse to deliver messages, fortunately all admin > messages to an admin users (was loop: messages undeliverability > errors, email go to postmaster, so...

> Why?! Sorry but... someone can point me in the right direction? Really i don't know how to look for that problem... I summarize: a) an LDAP lookup for some data works in ALL DC past one b) in that non-working DC, a direct query against the sam.ldb reveal that data are here (so, seems to me an ACL problem) c) checking sync status between DCs reveal no sync troubles. Where i can

...g,DC=lnf,DC=it # search reference ref: ldap://ad.fvg.lnf.it/DC=ForestDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it # search result search: 2 result: 0 Success # numResponses: 5 # numEntries: 1 # numReferences: 3 past ONE dc, that does not return nothing: root at vdcsv1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember Enter LDAP Password: # extended LDIF # # LDAPv3 # base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree # filter: (cn=prova123) # requesting: rfc822...

On Wed, 30 Jan 2019 17:25:19 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! Rowland Penny via samba > In chel di` si favelave... > > > nscd caches certain things, as does winbind, if you want to run nscd > > with winbind, you need to stop nscd caching the things that winbind > > does, when you do this, nscd isn't caching very much,

You guys mix to things. > AFAIK is the 'privileges' that are host-specific. Is correct. >the policies are on the domain (in the LDAP data, > the root DN, look at them!). Yes, but only the GPO policies and these are not applied to the samba server. And because of that, samba-tools password settings needs to be set on every DC. Greetz, Louis > -----Oorspronkelijk

...re attributes that do not get replicated between DC's, > the majority are, so each DC should allow the same access. > Do you have access to the DC ? > Can you run the search locally ? Sure! As just stated, local access (via ldbsearch against the local SAM) works as expected: root at vdcpp1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)" # record 1 dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it objectClass: top objectClass: nisMailAlias cn: prova123 instanceType: 4 whenCreated: 20171218110150.0Z uSN...

...his morning i've copied the 'idmap.ldb' from the DC with FSMO roles to the mulfunctioning DC, but still i get empty answer from the mulfunctioning DC. I've done a 'ldap compare' and all seems in sync: root at vdcsv1:~# samba-tool ldapcmp ldap://vdcsv1.ad.fvg.lnf.it ldap://vdcpp1.ad.fvg.lnf.it -U gaio Password for [LNFFVG\gaio]: * Comparing [DOMAIN] context... * Objects to be compared: 1312 * Result for [DOMAIN]: SUCCESS * Comparing [CONFIGURATION] context... * Objects to be compared: 1673 * Result for [CONFIGURATION]: SUCCESS * Comparing [SCHEMA] cont...

...tainer. reboot on 'vdcpp2' happen on: Feb 11 13:59:52 vdcpp2 shutdown[33452]: shutting down for system reboot at '14:00:30' bind, ntp and (i suppose) samba was stared. After that, i've upgraded and rebooted the second DC in that site (really, the first ;): Feb 11 14:03:09 vdcpp1 shutdown[26601]: shutting down for system reboot again, for 14:04:00 was up&runing. But the mail server refuse to deliver messages, fortunately all admin messages to an admin users (was loop: messages undeliverability errors, email go to postmaster, so to admin, so error, ...). 2019-02-11...