similar to: Rights issue on GPO

On 08/06/16 15:34, mathias dufresne wrote: > Hi all, > > Here is our smb.conf: > [global] > workgroup = AD > realm = AD.DOMAIN.TLD > netbios name = DC200 > server role = active directory domain controller > > server services = -dns > idmap_ldb:use rfc2307 = yes > > #kccsrv:samba_kcc=true >

Hi Le 09/06/2016 à 20:42, Rowland penny a écrit : > On 08/06/16 15:34, mathias dufresne wrote: >> Hi all, >> >> [snip] >> And we get issue with Linux ACLs: they are not the same because some >> BUILTIN users and/or groups do not have same id mapping on all DC. >> >> How to force all DC to get same id mapping? >> >> Using

Thank you all for these replies. 2016-06-10 9:26 GMT+02:00 Rowland penny <rpenny at samba.org>: > On 10/06/16 07:52, Sébastien Le Ray wrote: > >> Hi >> >> >> Le 09/06/2016 à 20:42, Rowland penny a écrit : >> >>> On 08/06/16 15:34, mathias dufresne wrote: >>> >>>> Hi all, >>>> >>>> [snip]

I'm not an expert in idmap (at all in fact :p) but I thought idmap stuffs were here to replace RFC2307 UID/GID declared into AD/LDAP objects. In others words, if you configure correctly idmap into smb.conf I expect you don't need any more declaring UID/GID for machine accounts. Anyway here my machines get access to their GPO: I tested one computer's GPO this morning, the one giving

To see which DC is used by Windows client: open a MSDOS console, type "set", look for LOGONSERVER=\\<your_dc> <your_dc> is the DC used to connect on. If issue comes from one DC I would have on sysvol synchronisation between DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if you have only GPO issue). 2016-03-29 14:51 GMT+02:00 Sébastien Le

Complete event id of : > But still, events log show a warning about kerberos ticket from LsaSrv > source and right after a permission denied on GPT.ini And a getfacl of the problem GPO SID please, i'll check. And a output of ipconfig /all on the problem pc. And question, dedicated IP or dhcp IP? Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba

Hi Louis, Marc, list, Quick update: On 7-10-2015 12:25, L.P.H. van Belle wrote: > Marc, > > Its for mourik important, because he wants to know why he has this error in his event logs. (i want to know also.) (learning mode) > > Mourik Jan, reboot the computer and login again, do you still see the error message, just to check if this wasnt an old message. > And/or, maybe this pc

Ok, where your pc's get the DNS info from? Server : AD-DC + DNS Or Server : AD-DC + Some other server with DNS Can you give the output of dig NS your.domain.tld and tel us what what is. > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Sébastien Le Ray > Verzonden: dinsdag 29 maart 2016 16:31 > Aan: samba at

I found this one. Check which one works for you. http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm Im sure this is not a samba configuration problem. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens L.P.H. van Belle > Verzonden: dinsdag 29 maart 2016 16:18 > Aan: samba at

I hate 'me too' replies - but I have also been struggling with this for some years in my multi-DC environment. (yes, replicated sysvol via lsyncd + rsync; permissions looked identical via getfacl last time I checked). Sometimes a client machine will run gpupdate just fine; other times it will fail, seemingly randomly. My next step was going to be to run wireshark on a client machine to

ok, I've investigated the problem more closely. First of all, I didn't mention that I have 2 domain controllers: dc(initial) and bdc (backup). Rsync command /usr/bin/rsync -XAavz --delete-after dc:/usr/local/samba/var/locks/sysvol/* /usr/local/samba/var/locks/sysvol/ fires every 5 minutes on bdc. However, if I try to gpupdate from bdc I get the above error. Gpupdating from dc works

On Thu, Apr 28, 2016 at 2:13 AM, Rowland penny <rpenny at samba.org> wrote: > On 28/04/16 07:31, Mueller wrote: >> >> This is a normal behaviour if you are using several dcs. Users und groups >> do have another gid/uid on each server >> until you fix it manually. This was a hard experiennce and work even fo >> rme which I suggest that this should be >>

Really my user IDs are different, but I can not adjust it. Using Samba 4.3.3 (Upgrade from 4.2 -> 4.3 -> 4.3.3), I think it has something it was initially used with Windows 2003 (no longer usaddo) to replicate data Win 2003 -> Samba. Today only own Samba (which had to increase Schema) Em 29-03-2016 10:27, Sketch escreveu: > On Tue, 29 Mar 2016, Carlos A. P. Cunha wrote: >

Hello everyone! Whenever replicate the Sysvol need to run the DC command that received the data /opt/samba/bin/samba-tool ntacl sysvolreset This solves the problem (at least in min). Em 29-03-2016 08:28, mathias dufresne escreveu: > Check rights on sysvol (using samba-tool), check rsync process if several > DC. > > 2016-03-29 13:07 GMT+02:00 barış tombul <bbtombul at

On 03/23/2016 03:12 PM, Sébastien Le Ray wrote: > And did you add those IDs to the sysvol share permissions? > I guess you used samba-tool since I cannot find any gid/uid fields in RSAT I added them using LAM, because yes: using RSAT i also could not. (lam: www.ldap-account-manager.org/)

Hey guys, thanks for your time. Unfortunately, I've been busy so I wasn't able to test it again. Just today I started to read, investigate and test all this stuff you suggested me. I don't fully understand yet how uidNumbers and xidNumbers work, all I know is that Zentyal is using the old winbind daemon instead of the new winbindd. There are many concepts that I don't know how

On 10/06/16 07:52, Sébastien Le Ray wrote: > Hi > > > Le 09/06/2016 à 20:42, Rowland penny a écrit : >> On 08/06/16 15:34, mathias dufresne wrote: >>> Hi all, >>> >>> [snip] >>> And we get issue with Linux ACLs: they are not the same because some >>> BUILTIN users and/or groups do not have same id mapping on all DC. >>>

Hi Same here, GPO work without UID/GID on machine account (since issue "resolves" itself sometime) It really seems to depend on which DC is chosen at start. One of the affected machine just recovered without any change except a reboot So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC I noticed this

About sysvolreset errors: send them to us. There is (at least) one error from sysvolcheck which is not too much important (if I have well understood it): ACL is set on FS to Local Admins when it should be Domain admins (or the contrary). That one should be a simple warning, or it is and it can be ignored (once more: according to my memory). 2016-03-29 15:14 GMT+02:00 mathias dufresne

Hi all, A working search using ldapsearch on some object containing parenthesis in attribute's value: ------------------------------------------------------------------------------------------------- ldapsearch -Y GSSAPI -h dc200 -b 'DC=ad,DC=domain,DC=tld' -s sub 'CN=CID 85 \(Join\)' dn SASL/GSSAPI authentication started SASL username: administrator at AD.DOMAIN.TLD SASL SSF: