similar to: Samba4 With extern LDAP

On Fri, May 05, 2017 at 10:21:05AM +0200, Sven Schwedas wrote: > On 2017-05-05 10:09, Volker Lendecke wrote: > > On Fri, May 05, 2017 at 09:42:47AM +0200, Sven Schwedas via samba wrote: > >>> root 9988 0.8 59.4 1571936 606488 ? S Apr26 114:41 /usr/sbin/samba > > > > Can you post /proc/9988/smaps somewhere? > > Sure,

Am 28.09.2016 um 04:01 schrieb Steve Litt via samba: > Why would ANYBODY type a command when they could perform a bunch of > mouse clicks. Better yet, you can automate Windows tools with a screen > scraper and a keyboard injector, or with a top notch language like > Powershell or Visual Basic *lol* why would ANYBODY click in a GUI when he have a console - and i mean that really

Ok, rechecked this, your correct. This did work fine. In now at samba 4.6.7, you? This worked untill ( last i checked ) 4.6.5 :-(( now sysvolreset is totaly broken. :-(( New thing for my ToDo list.. Try this script, the rights are my defaults "after a sysvol reset" Place the script somewhere within /var/lib/samba Preffered that location . Run it with : bash script.sh sysvol/ !

Today's episode of "why is AD break", brought to you by: > [2017/09/05 10:17:06.015617, 3] ../source4/auth/gensec/gensec_gssapi.c:613(gensec_gssapi_update) > Server GC/graz-dc-1b.ad.tao.at/ad.tao.at is not registered with our KDC: Miscellaneous failure (see text): Server (GC/graz-dc-1b.ad.tao.at/ad.tao.at at AD.TAO.AT) unknown > [2017/09/05 10:17:06.015717, 0]

Hello, Up till today I have only heard that it affects Windows clients and Servers. However I received this today that sparked my question https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_WannaCry_Ransomware.pdf This suggests blocking port 445 for Samba specifically. First wouldn't blocking port 445 break all file and printer sharing functionality?

> Keytabs look reasonable, as far as I can see, but why does > graz-dc-sem have the same SPN output as graz-dc-1b in > addition to its own? A snapshotted server/cloned server? I dont know but thats not correct. I suggest, cleanup the DS with FSMO roles. Then remove a failty server and re-add it as a new installed DC. ( the good DS with FSMO) First backup:

Hai guys, After a few messages on the list on Buster, i decided to upgrade one of my production AD-DC's and see what happens. If noticed a few things here, so here are the steps and changes i made to upgrade and have a correct working AD-DC after the upgrade. Setup is as followed: Debian Stretch AD-DC with Bind9 DLZ and ntp time. This is still the base i used for my AD-DC

On somewhat long-running samba AD DC instances (4.5.8-Debian, Stretch), we're seeming massive RAM utilization even with little/no clients connected: > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND > root 9937 0.0 0.7 532004 7364 ? Ss Apr26 0:00 /usr/sbin/samba > root 9980 0.0 0.4 532004 4304 ? S Apr26 0:00

On Tue, 23 Apr 2019 17:12:37 +0200 Sven Schwedas via samba <samba at lists.samba.org> wrote: > https://docs.microsoft.com/en-us/windows/desktop/adschema/a-lastlogontimestamp > > Works on Samba AD as on Windows and can be queried by any LDAP client > and used in Bash/Powershell scripts. There's probably finished scripts > somewhere you can use. > Yes, you could use

> root at graz-dc-1b:~# samba --version > Version 4.5.8-Debian > root at graz-dc-1b:~# samba-tool ntacl sysvolreset && echo "no error" > no error > root at graz-dc-1b:~# samba-tool ntacl sysvolcheck > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory

With some slight delay, we did actually manage to get all our old wonky compatibility solutions nuked (turned out there were a few more lurking in the shadows than expected?). Mail servers are no longer domain joined, and unencrypted LDAP is finally gone, together with the terrible PHP scripts that needed it. Which allowed me to finally cleanup all the samba setups:

/etc/hostname:villach-file /etc/hosts:# The following lines are desirable for IPv6 capable hosts /etc/hosts:::1 localhost ip6-localhost ip6-loopback /etc/hosts:ff02::1 ip6-allnodes /etc/hosts:ff02::2 ip6-allrouters /etc/hosts:127.0.0.1 localhost /etc/hosts:192.168.16.214 villach-file /etc/krb5.conf:[libdefaults] /etc/krb5.conf: default_realm = AD.TAO.AT /etc/krb5.conf: dns_lookup_realm = true

Hi, I am running Dell R630 Poweredge 1U with 32 cores vCPU's and 96 GB RAM. What should be the minimum numbers of CPU cores and memory that should be reserved for host OS (CentOS 7.6) and the remaining CPU cores and memory resources to be allocated for Guest OS? I look forward to hearing from you and thanks in advance. Best Regards, Kaushal

On Mon, 13 Nov 2017 14:32:11 +0100 Sven Schwedas via samba <samba at lists.samba.org> wrote: > Making no additional changes to the configuration, using "net ads > join" instead of "samba-tool domain join" immediately worked. I'd be > really curious where's the difference between the two and why > samba-tool pretends to not have run into any errors…

On 2017-04-07 13:44, Sven Schwedas via samba wrote: > In the end I just upgraded all DCs to 4.5 and remote-deleted the broken > ones. Seemed to work without a hitch, manual removal was only necessary > to remove the IPs from DNS\_msdcs.ourdomain\gc\. Apparently not, adding new DCs failed with "WERR_DS_DATABASE_ERROR". `samba-tool dbcheck --fix` solved that. With that out of

> > – I noticed a typo in the server's `netbios name` setting, corrected > it, and restarted the DC Where did you change this, in smb.conf or /etc/hosts ?? By default netbios name is adapted from the hostname. If you changed the hostname you might have found the source of your problem. > > – Noticed I had problems with the LDAP SSL certificates for this node > and

On 2017-09-08 14:21, Rowland Penny via samba wrote: > OK, you have convinced me ;-) If you know any other part of AD DNS that is tricky, I'd be interested to know before AD blows up again. ;-) > Seeing how you seem to know the required 'magic', do you feel up to > sharing it, if you do I will add a page to the Samba wiki. What magic? How to set up dnsmasq as caching proxy?

On Mon, 13 Nov 2017 15:20:05 +0100 Sven Schwedas <sven.schwedas at tao.at> wrote: > > > PS, your configs are still wrong. > > It would be *really* helpful if you explained *why*. Sprinkling magic > pixie dust over random config files isn't exactly purposeful > debugging. > Lets start with /etc/krb5.conf Samba doesn't need most of what you will find in it,

On Wed, 24 Apr 2019 11:00:39 +0200 Sven Schwedas via samba <samba at lists.samba.org> wrote: > > https://blogs.technet.microsoft.com/askds/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works/ > > It was literally designed for *this exact use case*. > Yes, but not very well ;-) It actually says 'the lastLogontimeStamp will be 9-14

Hi, I'd like to report something here, so it will not happen to others. We moved all disabled users in our samba AD to a dedicated folder in ADUC, which we called 'disabled'. A little while after we did that, our network started 'falling apart'. Some things still worked, others did not. I could for example no longer start ADUC, some users could not logon or map drives, etc,