search for: westernwares

I'm looking for some general advice. I'm beginning to set up a Raspberry Pi 4 as a SOHO server with Samba on Raspbian Buster. I will be running as a member of an existing Windows AD (JOIN), then allow logging in from Windows and Linux clients. (I previously got Samba 4.11 to join my domain successfully using a Ubuntu VM.) I am also planning to install BIND9 DNS with dynamic updates

Got past this one.. see below... > > I cannot get bind9 to run now - it fails because bind9_dlz cannot update the reverse lookup > > zone: > Not sure about this, I use dhcp to update the records, but I seem to > remember something about the windows clients needing to be configured to > update the reverse because they do not do this by default. > > > > Feb 15

A small update... I was able to remove the "Cannot reach a KDC" errors by disabling Apparmor. However, the original WERR_DNS_ERROR_RCODE_NAME_ERROR error remains and is now the first error in the log. > Thanks for the help with this, Rowland. > > > Where these 2008 DCs upgraded from an earlier version ? (2000, 2003) > > Yes, the two Windows servers were migrated

Progress maybe... I tried running sysvolcheck with strace and noticed something really odd.... This was in the trace: getxattr("/var/lib/samba/sysvol/samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}", "security.NTACL", NULL, 0) = -1 ENOENT But I knew that folder was in my sysvol folder: ??? [drwxrwx--- root???? BUILTIN\administrators]

> Probably because AD says there are three GPOs and there are only two on > disc in /var/lib/samba/sysvol. > > Provided there are the required directories and files in sysvol and you > delete the GPO in AD that has the DN > 'CN={C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC},CN=Policies,CN=System,DC=samdom,DC=example,DC=com' > I think sysvolreset should work. > > Rowland

I'm still digging for the solution to this problem... The error seems to be triggered by some failure with talking to the NBTNS service (lmhosts) on the windows machine. (Port 137) Here is the section of the winbindd log where it fails to fetch the machine account: ... [2020/02/13 01:18:42.759943, 3] ../../source3/winbindd/winbindd_util.c:297(add_trusted_domain) add_trusted_domain:

I'm been stumped trying to resolve a samba error when it runs samba_dnsupdate to resync with a Windows Server 2008 DC. This is on a Debian 9 VM on which I have configured a Samba 4.5.16 / BIND 9.10.3 server joined as a DC to an existing Windows 2008 domain. It's mostly working now, but I can't get rid of one error that is preventing some additions to the _msdcs for the new Samba

Hi Rowland, > Can you try the join command like this: > samba-tool domain join office.example.com DC -UAdministrator > --password=TheActualPassword --dns-backend=BIND9_DLZ > Rowland When I run samba-tool like this without specifying the server, it chooses the older backup server that runs Server 2008 (named PE2600). Joining to this server results in a different error: .... INFO

> > I'm looking for some general advice. > > > > I'm beginning to set up a Raspberry Pi 4 as a SOHO server with Samba on Raspbian Buster. > > > > I will be running as a member of an existing Windows AD (JOIN), then allow logging in from > > Windows and Linux clients. > > Do you mean as a Unix domain member or as an AD DC ? > > This is a

Thanks for the help with this, Rowland. > Where these 2008 DCs upgraded from an earlier version ? (2000, 2003) Yes, the two Windows servers were migrated over the years to Server 2008 (one is 2008 R2). I've now moved the _msdcs folder and made it a zone in the forest, restarted NETLOGON, and set the functionality of the forest to Server 2008, then rebooted both windows servers. This

Rowland and Michael... Thanks for the help - it sounds like I should be close to getting this working. More troubleshooting... Here is what my test Samba AD has after being freshly provisioned: [drwxr-xr-x root???? root??? ] /var/lib/samba/sysvol/sambatest327.com/Policies ??? [drwxr-xr-x root???? root??? ] {31B2F340-016D-11D2-945F-00C04FB984F9} ??? ??? [-rwxrwx--- root???? 3000000 ]?

Thanks for your response, Rowland. As far as newer versions of Debian/Samba, I actually started with Ubuntu 18.04, which had Samba 4.7. But I ran into another problem trying to use it, so I backed off to an older version that I was hoping was more stable. See: https://bugzilla.samba.org/show_bug.cgi?id=13298 Meanwhile, I did find out more about what was causing this error by looking at the

Dug deeper (i.e. into the source code)... no answer yet. The samba join process is failing when fetching the domain's machine password from the secrets.tdb database, which presumably it has just built as part of the JOIN.. Specifically, it is looking for an entry: "SECRETS/$MACHINE.ACC/OFFICE" in secrets.tdb. When that fails, samba looks in secrets.ldb in "cn=Primary

Thanks for your advice, Rowland > > Yes, I am setting up a new Samba-based AD DC. > If you are joining? to an existing domain, then you cannot be setting up > a new domain ;-) Yes - joining a new DC to an existing domain. > > Should I install BIND9 and DHCP first, then install Samba and do the join? > > I personally would do it in stages, set up the Rpi, add

Sorry about the HTML in the last email - I'm attempting to resend (with fingers crossed that my mailer doesn't throw in a bunch of HTML this time...) ----> I've taken the good suggestions and made some progress getting a bind-dhcp-samba server running on the Pi with Raspbian Buster. Rowland wrote: > The best way would be to find whatever is rewriting /etc/resolv.conf >

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title></title> <meta http-equiv="content-type" content="text/html;charset=utf-8"/>

>> Somehow sysvolcheck is using a LOWER CASE 'f' in the GUID folder name >> for the default GPO! >> >> Where is this coming from? Of course, in Windows this doesn't matter. >>> But in linux it is a showstopper. > I think it is coming from AD. > You will probably have to rename the GPO in AD, possibly along with the > 'name'

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title></title> <meta http-equiv="content-type" content="text/html;charset=utf-8"/>