similar to: S4 AD Domain Up; but no DNS auto-registration

samba-4.0.0 x86_64, CentOS6.3 My Samba4 / AD is up and running after migrating this weekend. Testing looked good and the domain *is working* but there are some issues. My log.samba file is full of the following; I'm not certain of the significance of these. [2012/12/17 05:59:09, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) NTLMSSP NTLM2 packet check failed due to invalid

> > Initially, it appears to have worked. ... > > It shows the same on one of the S4 DCs, but the > > DomainDnsZonesMasterRole still shows as "no current owner" on the > > third S4 DC [all Sernet 4.5.2].  Argh. > You could try checking the database on the third DC, 'samba-tool > dbcheck --help' for more info. > You could also try forcing

I believe a schema change on a Windows DC (2008rc) has broken replication with our S4 DCs. Anyone have any tips or pointers to resolve this? I have three S4 DCs [CentOS6] and one Windows 2008R2 DC. The Windows 2008R2 DC has the schema master FSMO, and I believe the Exchange schema was added. I am willing to pay US dollars to get this issue resolved. I need the replication restored, the

I removed a DC using the DC removal tool mentioned in http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3 as https://bugzilla.samba.org/show_bug.cgi?id=10734 prevents normal DC demotion. The DC was still all over in DNS, so I had to pick it out. Now replication between the remaining three DCs is broken [root at larkin26 ~]# samba-tool drs showrepl

We'd like to add an adm (administrative template) to our Samba4 server. I see where the .adm files are in the filesystem - /opt/s4/var/locks/sysvol/micore.us/Policies/{ED429C7D-156A-4F75-B21D-92DB8E10ACAB}/Adm/conf.adm - but how can I add a new ADM file? The ADM file in question allows the controlling of IE Favorites and a few other items on XP (not available in the default templates for

I added three DCs to a single DC Samba4 AD domain. They initially replicated and came up - but replication does not appear to be ongoing. A change made to a user via MMC connected to one DC does not appear on another DC. It the logs I see bursts of the following message: [2014/08/12 15:08:08.026270, 0] ../source4/librpc/rpc/dcerpc_util.c:660(dcerpc_pipe_auth_recv) Failed to bind to uuid

On Sat, 2016-11-19 at 09:57 +1300, Andrew Bartlett wrote: > On Fri, 2016-11-18 at 09:41 -0500, Adam Tauno Williams wrote: > > On Fri, 2016-11-18 at 21:32 +1300, Andrew Bartlett wrote: > > > I believe a schema change on a Windows DC (2008rc) has > > > > > > broken > > > > sernet-samba-4.2.14-23.el6.x86_64 - the same package on all > > > >

I have Microsoft Key Management server on a Windows 2003 server - joined to my new Samba4 AD domain. But the KMS is not available. In the event log it says: Event Type: Error Event Source: Software Licensing Service Event Category: None Event ID: 12293 Date: 1/4/2013 Time: 3:05:38 PM User: N/A Computer: IPECACA Description: Publishing the Key Management Service (KMS) to DNS in the

Package: sernet-samba-4.2.14-23.el6.x86_64 These DCs were very recently upgraded from a prior version. [2016/09/19 09:32:55.168161, 0] ../source4/libcli/smb2/signing.c:116(smb2_check_signature) Bad SMB2 signature for message of size 202 [2016/09/19 09:32:55.168511, 0] ../lib/util/util.c:559(dump_data) [0000] 77 B3 94 9B 70 78 8B 21 1E 56 D0 78 E1 80 BB 5C w...px.! .V.x...\ [2016/09/19

On Mon, 2016-09-19 at 16:15 +0100, Rowland Penny via samba wrote: > On Mon, 19 Sep 2016 10:42:34 -0400 > Adam Tauno Williams via samba <samba at lists.samba.org> wrote: > > On Mon, 2016-09-19 at 15:15 +0100, Rowland Penny via samba wrote: > > > No it shouldn't be replicated, the big hint is > > > 'FLAG_ATTR_NOT_REPLICATED', it should only be on the

I have shutdown the last Samba4 DC in the domain, so only Windows 2008 DCs remain. I can access one Samba file server, with either username+password or kerberos (-k) To access another file server only kerberos -k works.  Attempting to access with username+password fails with NT_STATUS_ACCESS_DENIED $ smbclient -d10 -U adam -W BACKBONE \\\\arabis- red.micore.us\\cis_packs ... NTLMSSP Sign/Seal -

On Sun, 2015-04-12 at 16:14 -0400, Adam Tauno Williams wrote: > I removed a DC using the DC removal tool mentioned in > http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3 > as https://bugzilla.samba.org/show_bug.cgi?id=10734 prevents normal DC > demotion. > The DC was still all over in DNS, so I had to pick it out. > Now replication between

On Mon, 2016-12-12 at 19:45 +0000, Rowland Penny via samba wrote: > You seem to be missing two FSMO roles: > > > DomainDnsZonesMasterRole > > > ForestDnsZonesMasterRole > > > Just what version of Samba are you using ? > > My Samba 4.5.2 domain also appears to be missing these roles. > > Can I simply seize these roles? > > [root at larkin27 ~]#

Logon scripts assigned to a user do not execute when the user logs on; it did before the upgrade. I can run the script from the command line and it completes OK [like \\{DOMAIN}\netlogon\logon.bat]. I can also browse to the [netlogon] share without issue. Upgrade was from a late 4.0.x to 4.1.x to current 4.2.x. User's can logon without other issues [apparently]. Platform: CentOS7

Attempting to debug issues with replication I ldapcmd finds differences with the case of the "DC" attribute? Is this normal? LARKIN28 is Samba4 4.5.4, while WINDC1 is Windows 2008R2. [root at larkin28 samba]# samba-tool ldapcmp ldap://larkin28.micore.us ldap://windc1.micore.us -Uadministrator dnsdomain Password for [BACKBONE\administrator]: * Comparing [DNSDOMAIN] context... *

On Mon, 2016-09-19 at 09:31 -0400, Adam Tauno Williams via samba wrote: > Package: sernet-samba-4.2.14-23.el6.x86_64 > These DCs were very recently upgraded from a prior version. > [2016/09/19 09:32:55.168161, 0] > ../source4/libcli/smb2/signing.c:116(smb2_check_signature) > Bad SMB2 signature for message of size 202 > ../source4/rpc_server/drsuapi/getncchanges.c:807: Failed

Quoting Adam Tauno Williams <awilliam at whitemice.org>: >>>> It should work, it sounds like a mis-configuration somewhere, can you >>>> post the smb.conf, /etc/nsswitch.conf, /etc/resolv.conf and >>>> /etc/krb5.conf from the member server. >>> "wbinfo -u" lists 415 lines >>> "getent passwd" returns 93 lines

I have a site with a working Samba4 AD domain with a single DC. It works. I've added three new DCs to the domain [using the SerNet packages for 4.0.21]. The intention is to then demote the old, original Samba4 DC. But problems exist for netlogon/sysvol. One of the new DCs - the second one added - works, clients can access netlogon & sysvol. However the other two DCs have ACL errors

On Mon, 2016-09-19 at 20:57 +0200, Marc Muehlfeld wrote: > > Logon scripts assigned to a user do not execute when the user logs > > on; it did before the upgrade. > * What kind of upgrade are you talking about? > NT4 to AD? (migration) > x.y to 4.2? AD 4.0.21 -> 4.2.x This worked prior to the upgrade. > * Is this an PDC or DC? They are DCs. > * Where have you

On Mon, 19 Sep 2016 11:57:38 -0400 Adam Tauno Williams via samba <samba at lists.samba.org> wrote: > On Mon, 2016-09-19 at 16:15 +0100, Rowland Penny via samba wrote: > > On Mon, 19 Sep 2016 10:42:34 -0400 > > Adam Tauno Williams via samba <samba at lists.samba.org> wrote: > > > > On Mon, 2016-09-19 at 15:15 +0100, Rowland Penny via samba wrote: > >