similar to: Winbind does not read uidNumber

Hi Marc, >> The cause is that the password change didn' reach both AD DCs, but only >> one. The other one still had the old value as could be seen by >> samba-tool ldapcmp. Restarting the DCs and waiting for a couple of >> seconds brings them back to sync and Windows logons work as they used to. >> Any idea, what I should do next time to obtain valuable output

If I query the AD DC I see: root at samba4:/# ldapsearch -H ldap://samba.ad.microsult.de -Y GSSAPI '(sAMAccountName=mgr)' SASL/GSSAPI authentication started SASL username: Administrator at AD.MICROSULT.DE SASL SSF: 56 SASL data security layer installed. I would like to see SASL SSF: 112. Does anyone know whether and where this can be configured? Regards, - lars.

I'm trying to configure a Samba 3.6.6 file server running on a Synology NAS to use uid/gid from RFC2307. The file server knows the users from the AD, but it does not use the uid stored in the AD. The smb.conf: [global] printcap name=cups winbind enum groups=yes workgroup=AD encrypt passwords=yes security=ads local master=no

My tool is growing fast and it takes me to the finishing line for setting up my new user database. But nw I came across another strange issue: I'd like to change the primaryGroupID. It is currently set to 513, which simply does not exist. I wanted to set to 100, which exists and actually the user is a member of this group, but then I get the following exception: ldap.UNWILLING_TO_PERFORM:

This topic has been on the list two years ago, already, but apparently to no conclusion. I'm trying to join a Debian Wheezy machine (Samba 3.6.6) to my freshly made backports AD (Samba 4.1.7). This is what I see: root at samba4:/# net ads join -U Administrator at AD.MICROSULT.DE Enter Administrator at AD.MICROSULT.DE's password: Using short domain name -- AD Joined 'SAMBA4' to

And some more information about this strange effect apparently no-one has seen before. I now added the missing zone: samba-tool dns zonecreate verdandi 10.16.172.in-addr.arpa -U Administrator and it claims that the zone is okay, but the next one is missing: Dec 29 10:31:12 verdandi named[2601]: Loading 'ad.microsult.de' using driver dlopen Dec 29 10:31:12 verdandi named[2601]:

It's probably difting slightly off the topic, but I know that there are some people listening here, who have a decent expertise. I'm trying to setup a file server (nfs4 at ad.domain) and mount from a client (hunin at ad.domain) using the user database and especially Kerberos provided by my AD (samba at ad.domain). It already works nicely, if I forget about krb5, i.e. idmapd is

Last month I struggled with a severe DLZ issue and today I could solve it. Credits for the important idea go to Peter Serbe, thanks! I checked the DNS contents using RSAT. There was nothing wrong with SOA nor NS entries, but the reverse zones were actually forward zones with proper names in the in-addr.arpa. domain. I built proper reverse zones and deleted the forward-reverse zones and Bind

I just upgraded bind9 on my backup DC to 9.9.5-7-Debian and restarting the service failed: Dec 22 12:25:55 verdandi named[18534]: starting BIND 9.9.5-7-Debian -u bind -4 Dec 22 12:25:55 verdandi named[18534]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var'

I set-up a basic AD DC using samba 4.1.9 successfully. I joined my NAS to the domain, i.e. I saw no errors and see the users and groups of my AD listed in the GUI of the NAS. When I try to connect to a share of the NAS the following happens: mgr at ws1:~$ smbclient -U 'AD\mgr' //nas/Test Enter AD\mgr's password: Domain=[AD] OS=[Unix] Server=[Samba 3.6.9] tree connect failed:

I'm launching the final phase of getting my new Samba4 AD DC productive. I wanted to join the first real workstation, but it failed: # net ads join -U Administrator Enter Administrator's password: Failed to join domain: failed to lookup DC info for domain 'AD.MICROSULT.DE' over rpc: Invalid server state This issue was reported already here:

It did happen again and this time I was a little less panicked and took some time to figure out what happened. On my primary DC (SAMBA) I did not notice anything extraordinary. However, my secondary (VERDANDI) reported issues: root at verdandi:~# samba-tool drs showrepl Default-First-Site-Name\VERDANDI DSA Options: 0x00000001 DSA object GUID: a03bbb51-1dca-44ae-a4d9-7aa8cb4a1ace DSA

I hopefully cleared all SAMBA files and set up a fresh ADC using: samba-tool domain provision --use-rfc2307 --domain=UAC --realm=UAC.MGR --server-role=dc --dns-backend=SAMBA_INTERNAL --targetdir=/srv/files --adminpass="secret" --option="dns forwarder=172.16.6.11" The provisioning seemed okay, i.e. nothing hints at any errors and I see a DOMAIN SID as the final entry as

On 29/12/14 09:40, Lars Hanke wrote: > And some more information about this strange effect apparently no-one > has seen before. > > I now added the missing zone: > > samba-tool dns zonecreate verdandi 10.16.172.in-addr.arpa -U > Administrator > > and it claims that the zone is okay, but the next one is missing: > > Dec 29 10:31:12 verdandi named[2601]: Loading

Greg, > Unfortunately, these attributes do not exist as standard, so you would > either have to add a user with ADUC or manually add them yourselves with > ldbedit. As standard on windows, they both start at '10000', though you > can set them to whatever you require, just make sure that they do not > interfere with any local Unix users. If you like to manage Unix users

Dear Roland, and here we have one reasons / prove regarding Debian and current Samba BIND DLZ issues : http://metadata.ftp-master.debian.org/changelogs//main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u3_changelog MSG >> " * disable dlz until we get a patch to make it build again" Well Debian Maintainers seems seeking missing the dlz patches that RHEL & SLES maintainers created

I dug somewhat deeper into what is going on below and it seems even stranger. The reverse zone without SOA or NS does not even exist: root at verdandi:~# samba-tool dns query localhost 10.16.172.in-addr.arpa @ ALL -U Administrator Password for [AD\Administrator]: ERROR(runtime): uncaught exception - (9714, 'WERR_DNS_ERROR_NAME_DOES_NOT_EXIST') File

Il 2014-12-31 16:29 Dr. Lars Hanke ha scritto: >>> OK, you can get winbind to update your keytab, you need to alter your >>> smb.conf slightly. You need to change 'kerberos method = secrets >>> only' >>> to either 'kerberos method = secrets and keytab' or 'kerberos method >>> = >>> system keytab' and add the line

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am 02.02.2015 um 13:30 schrieb Sven Schwedas: > On 2015-02-02 12:56, Lars Hanke wrote: >> I currently plan to move my storage to Gluster. One of the >> anticipated advantages is to have Gluster replicate data among >> physical nodes, i.e. if one node dies the file service can live >> on. >> >> AD for

On Thu, Dec 13, 2018 at 08:25:31PM -0500, Lyude Paul wrote: > There should be no functional changes here Would be good to explain what you did refactor here, instead of me trying to reconstruct it from the patch. Especially pre-coffee that helps :-) > > Signed-off-by: Lyude Paul <lyude at redhat.com> > Cc: Juston Li <juston.li at intel.com> > --- >