similar to: DC replacement and DNS issue

Hey, Thank you Louis for this script, I didn't yet took time to dig in but I'll do. I didn't took time neither to perform another test. That should be done today. Anyway I waited for DC synchronisation before posting. I joined my DC and removed the old ones almost at same time then I gave more than 12 hours to my DC to synchronize. Then I tried to understand what happened, I wrote

Hai, If you just upgrade / changed the samba servers, then most probily replication is in progress.. Depanding on the numbers of objects this can take some time, so dont be to quick with checking. So take some time and wait... get koffie (maybe beer) ;-) Get this script , if needed change it and run it https://secure.bazuin.nl/scripts/samba-check-db-repl.sh it check up to 10 domain

Back from another test: rather than build new DCs, join them and use one of them to seize FSMO roles, I just seize FSMO with one of my current DCs. Once more the SOA was not updated, which seems to mean there is a real issue about that as seizing these roles has chances to precede removal of old FSMO owner. To update SOA record using samba-tool: 1) If not created, create a NS record for the DC

Hi all, I'd like to perform some ldapsearch against my AD domain. And I'd like to be able to perform these ldapsearch using GSSAPI to avoid usage of password in scripts. DC are using default configuration file: ---------------------------------------- # Global parameters [global] workgroup = SAMBA.DOMAIN realm = SAMBA.DOMAIN.TLD netbios name = M707 server

Hi Ole, I'm still not answering your issue but I come back to speak about TTL. Perhaps someone would be able to bring us some light on that. This morning I'm trying to reproduce the way I do broke my test AD domain. This leads me to deal with SOA record (I broke my test AD seizing FSMO roles before removing old FSMO owner, SOA was not changed during that process and I suspect this was

On 11/20/2015 10:17 AM, mathias dufresne wrote: > > > 2015-11-20 15:11 GMT+01:00 James <lingpanda101 at gmail.com > <mailto:lingpanda101 at gmail.com>>: > > On 11/20/2015 7:40 AM, Ole Traupe wrote: > > > > Am 20.11.2015 um 11:54 schrieb mathias dufresne: > > Hi Ole, > > I'm still not answering your issue

On 11/20/2015 7:40 AM, Ole Traupe wrote: > > > Am 20.11.2015 um 11:54 schrieb mathias dufresne: >> Hi Ole, >> >> I'm still not answering your issue but I come back to speak about >> TTL. Perhaps someone would be able to bring us some light on that. >> >> This morning I'm trying to reproduce the way I do broke my test AD >> domain. This

Things goes further. To use GSSAPI and so the Kerberos ticket obtained with kinit I was missing "-Y GSSAPI". It seems GSSAPI and TLS are meant to be used together: ---------------------------------------- ldapsearch -Y GSSAPI -LLL -H ldaps://SAMBA.DOMAIN.TLD SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Server is unwilling to perform (53) additional info:

Hi all, I'm unable to delete a DNS entry, this entry does not exist. The entry is A record in _msdcs zone for an old DC which was demoted. I tried to use samba-tool dns to delete it but without success: samba-tool dns delete m703 _msdcs.ad.domain.tld \ m701._msdcs.ad.domain.tld A 10.16.28.27 -k yes ERROR: Record does not exist I found undeleted entry in LDAP, removed it without success:

ERRATUM: It seems GSSAPI and TLS are *NOT* meant to be used together: 2015-10-15 16:20 GMT+02:00 mathias dufresne <infractory at gmail.com>: > Things goes further. To use GSSAPI and so the Kerberos ticket obtained > with kinit I was missing "-Y GSSAPI". > > It seems GSSAPI and TLS are meant to be used together: > ---------------------------------------- >

On Mon, 2015-11-16 at 16:50 +0100, mathias dufresne wrote: > transaction: operations error at > ../source4/dsdb/samdb/ldb_modules/descriptor.c:1147 Looking at that line in your version of Samba may give you some idea why it failed. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer,

Hi all, After installing a bunch of new AD DC using the 4.3.1 version I decided to remove the old ones. On one DC I've set up log level as follow: log level = 1 auth:9 registry:7 winbind:7 passdb:7 sam:3 rpc_srv:2 rpc_cli:2 First I'm not sure this is the right way to declare specific log levels but man smb.conf gives me: Example: log level = 3 passdb:5 auth:10 winbind:2 So it sems, to

Hi, I've been experiencing intermittent filesystem corruption on a Compaq Armada M700 laptop w/ IBM Travelstar 30GB drives (both the 40GN and 30GN models). This happens mostly under RH 7.2, w/ ext3 filesystems, but I think it's also happened under win98. All seems fine until power-down, power-up, and boot, where the corruption is discovered. Searching these archives, I found that there

On 10/12/15 14:00, Ole Traupe wrote: > > > Am 10.12.2015 um 14:38 schrieb Rowland penny: >> On 10/12/15 13:25, Ole Traupe wrote: >>> Is it possible that kdc server is always the SOA, at least if >>> derived from DNS and not specified *explicitly* in the krb5.conf? >>> >>> In my DNS-Manager console I find that >>> >>>

On 10/12/15 14:40, Ole Traupe wrote: > >>> However, my 2nd DC is not that new, I restarted it many times, just >>> again (samba service). No DNS records are created anywhere. >>> >>> If I go through the DNS console, in each and every container there >>> is some entry for the 1st DC, but none for the 2nd (except on the >>> top levels: FQDN

I am also seeing this in smbd.log: [2020/07/03 09:20:18.211558, 1] ../../auth/kerberos/gssapi_helper.c:391(gssapi_check_packet) GSS VerifyMic failed: A token had an invalid MIC: unknown mech-code 2529638943 for mech 1 2 840 113554 1 2 2 [2020/07/03 09:20:18.211625, 0] ../../source4/auth/gensec/gensec_gssapi.c:1347(gensec_gssapi_check_packet)

Hi I know that this has been addressed before but I couldn't find a solution. Summary: when attempting to write a dns record using nsupdate, nothing gets written to the zone due to the error: ; TSIG error with server: tsig verify failure Everything is working. We can login to the domain from the same client and we have sssd sending the dyndns update requests which also produce the same

You're right, but I tried successfully -k only with smbclient which accept -U and -k together (now I'm here I must say smbclient uses -k without argument). For net command I was not able to make -k nor "--kerberos yes" m707:~# net rpc service list --kerberos=yes Could not connect to server 127.0.0.1 The username or password was not correct. Connection failed:

Hello, I have recently compiled, installed and configured samba4 to run on a FreeBSD server. samba -V reports the version to be Version 4.1.0pre1-GIT-57990cb. The server has working BIND 9.9 and ISC-DHCP services running on it. I have provisioned samba 4 to use the BIND_DLZ DNS backend. On the whole things seem to be working. local names are being resolved. phpLDAPAdmin shows the new

I am trying to setup dynamic updates with bind_dlz backend, but for some reason if any windows client or linux with nsupdate tries to remove AAAA record, server just 'cancelling transaction', while A and PTR records (both on reverse ipv4 and ipv6) working fine. If i'am remove AAAA record manually via samba-tool or windows mmc then AAAA record can be updated, but after that it again