search for: weremczuk

Hi Rowland, I've decided to roll back samba on DC1 to the state from a couple of weeks ago, before I started all this mess... Since the email subject change :) Stopped bind9 and sernet-samba-ad and copied /var/lib/samba aside. Restored samba folder from backup, started sernet-samba-ad but bind9 fails to start: Jul 22 14:39:39 dc1 named[27846]: generating session key for dynamic DNS Jul

On 22/07/2019 16:12, Adam Weremczuk via samba wrote: > Following deeper analysis I have found some permission differences in > sysvol policies files, e.g: > > WORKING: > > # file: > samba/sysvol/company.co.uk/Policies/{274B7BA8-3DBA-43A6-8AC2-D45B5E4054FF}/GPT.INI > # owner: 3000000 > # group: Domain\040U...

> Jul 22 14:39:39 dc1 named[27846]: samba_dlz: Failed to connect to > /var/lib/samba/private/dns/sam.ldb The good news is I believe I've found the problem: RUNNING: # file: samba/private # owner: root # group: root user::rwx group::r-x group:bind:r-x mask::r-x other::--- RESTORE: # file: samba/private # owner: root # group: root user::rwx group::r-x other::--- The bad news is

On 13/06/2019 16:05, Adam Weremczuk via samba wrote: > I got authentication (bind credentials) working for account2 on the > old DC (Samba 4.0.9): > > CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK > CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL > MATRIXSCIENCE.CO.UK\account1 --->...

Hi all, I'm running old Sernet samba 4.0.9 on Debian and trying to set up LDAP authentication for https://www.reviewboard.org/docs/manual/3.0/admin/configuration/authentication-settings/ To cut a long story short about half of users can log in and half not without any obvious reasons that ldapsearch comparisons would reveal. So I really want to see what the server is saying. I've

Hi all, I have an old dc (4.0.9). Let's call it dc1. I also have a new one (4.5.16) which I'm planning to switch to. Let's call it dc2. After initial set up of dc2 I initialised replication and things looked ok for a couple of weeks. Recently I've managed to mess it up. Possibly by editing users and DNS records. Or copying Kerberos cache and trying to use it elsewhere for

Hi all, I'm trying to make pfSense talk to Samba AD LDAP through "bind credentials to resolve distinguished names" option. One account them successfully connects (Samba logs): [2019/06/12 14:34:41.517364, ?3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect) ? ldb_wrap open of secrets.ldb [2019/06/12 14:34:41.520731, ?3]

...C=co,DC=uk ---> FAIL MATRIXSCIENCE.CO.UK\account1 ---> FAIL MATRIXSCIENCE.CO.UK\account2 ---> FAIL I suspected this might be due to some difference in smb.conf files on both controllers. They are now almost identical to no joy and I'm running out of ideas... On 13/06/19 09:26, Adam Weremczuk wrote: > > Hi all, > > I'm trying to make pfSense talk to Samba AD LDAP through "bind > credentials to resolve distinguished names" option. > > One account them successfully connects (Samba logs): > > [2019/06/12 14:34:41.517364, ?3] > ../lib/ldb-samba/...

On 20/06/2019 12:55, Adam Weremczuk wrote: > Hi Rowland, > > I don't want to to run an AD DC on firewall device, barely DHCP and > maybe DNS. > > What you have pointed me to is similar to what I have in place: > > https://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-m...

> On Jun 20, 2019, at 5:37 AM, Adam Weremczuk via samba <samba at lists.samba.org> wrote: > > That's helpful. > About half of our DHCP clients are Unixes. > Maybe I'll find a way to make pfSense perform a Kerberos handshake with Samba for the sake of updating DNS. > If not, I'll just install isc-dhcp-server on...

On 16/07/2019 15:19, Adam Weremczuk via samba wrote: > Hi all, > > I'm simply overwhelmed with both the speed and quality of responses. > > I wish all mailing lists and forums were like this! > > I'm going to follow your suggestions and try to follow the template > below. > > My choice of new DC...

On 16/07/19 15:38, Rowland penny via samba wrote: > I would fix DC1, then create a new DC running Debian stretch (this > will give you Samba 4.5.16), join this to your old DC and once it is > working correctly, transfer the FSMO roles to it and demote DC1. > Upgrade stretch to buster (make sure to back everything up) then start > to use Louis's repo. Anything wrong with

On 17/07/2019 16:05, Adam Weremczuk via samba wrote: > Hello again, > > I'm trying to follow instructions for demoting: > https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC > > I don't think I need to transfer FSMO roles since both controllers own > them: Oh dear, you do have a borked AD, only one...

On 18/07/2019 11:18, Adam Weremczuk via samba wrote: > Hi Rownland, > > The file is is pretty big for our company size - 124k lines when edited. > I've spend about an hour carefully removing, editing and skipping > entries referencing old dc1. > Unfortunately upon saving all my changes were discarded without a...

On 18/07/2019 12:17, Adam Weremczuk via samba wrote: > On 18/07/19 11:42, Rowland penny via samba wrote: > >> Well, 'dns-dc2' is the user for Bind9 on dc2, so you shouldn't try to >> create it yourself. >> >> Easiest way will be to remove all mention of the dead DC, then use >> 's...

On 18/07/2019 15:35, Adam Weremczuk via samba wrote: > On 18/07/19 13:19, Rowland penny via samba wrote: > >> OK, from my understanding DC1 is using the internal dns and DC2 is >> using Bind9. > > It's the other way round. > On dc1 port 53 is mapped to /usr/sbin/named -u bind. > On dc2 it's /usr...

On 22/07/19 16:54, Rowland penny via samba wrote: > On 22/07/2019 16:12, Adam Weremczuk via samba wrote: >> Following deeper analysis I have found some permission differences in >> sysvol policies files. >> >> Would it be enough to justify the error below and cause a complete >> DNS failure? > I wouldn't have thought so. It's not just policy...

On 22/07/19 13:01, Rowland penny via samba wrote: > You could try restarting Samba, this should recreate any caches, but I > think you will need to remove DC2. There are two ways of doing this, > manually with ldbdel etc or starting climbing the Samba versions until > you get to a point that you can backup everything and be able to run > the demote with

On 23/07/19 16:04, Rowland penny via samba wrote: > Do you want to post it somewhere and then provide a link, this list > strips attachments. > > Rowland > Not my post but my prompt is identical: https://www.dtonias.com/wp-content/uploads/2018/02/forced-removal-domain-controller-metadata-cleanup-03.png

On 18/07/2019 12:55, Adam Weremczuk via samba wrote: > On 18/07/19 12:33, Rowland penny via samba wrote: > >> I would clone the DC you want keep, move the clone away from the >> domain (easiest way, unplug the ethernet) then remove the old dead DC >> from this and ensure it works. If you want to use Bind9 an...