similar to: Authentication Auditing

Hello, I believe there may be a bug with accounts getting erroneously locked in v4.4.5+. I've checked at all the Internet facing services to find the source of account lockout and I've done packet captures at the DCs, but I cannot find the source of lockout. I've got several accounts locking out for seemingly no reason including some service accounts where the passwords

Replication has been running smoothly until I upgraded to 4.5.0. I had various errors with all BDCs and a force sync didn't resolve it. I shutdown all BDCs, demoted them with --remove-other-dead-server then joined new BDCs with new names. At first replication was intermittently failing (consecutive failures counter kept resetting), but it seemed OK, just slow if anything. Now they all

The errors went away, but replication still isn't working properly. There are objects missing on all DCs, but it isn't consistent at all. showrepl: http://pastebin.com/bYfCZcNG Thanks, Arthur On 10/17/2016 12:32 PM, Arthur Ramsey wrote: > This fixed DNS issues. > > samba_upgradedns --dns-backend=BIND9_DLZ > /usr/local/samba/bin/samba-tool domain exportkeytab >

Executing the following with nsupdate seems to have fixed replication. update add 28f7281f-3955-4885-8a7d-42a36ee87590._msdcs.mediture.dom. 900 A 192.168.222.5 show send update add 8b750a53-3d39-4bc0-8fe9-9bffa9e413aa._msdcs.mediture.dom. 900 A 172.16.1.106 show send update add fe066b13-6f9e-4f3c-beb4-37df1292b8cb._msdcs.mediture.dom. 900 A 192.168.168.65 show send New DNS records I create

I forgot to associate inter-site links (all using default), which fixed a lot though I'm still having an issue. * vsc site o vsc-dc01 o vsc-dc02 * aws site o aws-dc01 * epo site o epo-dc01 * vsc-dc01 => anywhere: OK * vsc-dc02 => anywhere: not replicating * aws-dc01 => anywhere: OK * epo-dc01 => anywhere: OK I've tried with samba_kcc =

On 3/13/2017 2:15 PM, Arthur Ramsey via samba wrote: > Upgraded to 4.6.0 on all nodes. Still seeing the same issue. > > If I create an object on vsc-dc02, epo-dc01 or aws-dc01 DCs it doesn't > replicate. If I create it on vsc-dc01 (PDC emulator) then it does > replicate. > > On 03/13/2017 12:13 PM, Arthur Ramsey wrote: >> >> I believe the problem is a lack

On 10/20/2016 01:52 PM, Rowland Penny via samba wrote > Have you given Administrator a uidNumber attribute ? Yes, I have. > > It might still help to see the smb.conf Here: http://pastebin.com/M9m8x1DZ This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this

I've googled and I believe that SASL method DIGEST-MD5 is supported and I see it in the samba startup, but it doesn't work. ldapsearch -Y DIGEST-MD5 -h dc03.mediture.dom SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Operations error (1) additional info: SASL:[DIGEST-MD5]: Failed to start authentication backend: NT_STATUS_INVALID_PARAMETER [root at dc03 ~]# samba

I had the same issue with 4.5.1 vanilla. I was able to reverse the fixes from 11520 against 4.5.1. You can see the resulting patch here: http://pastebin.com/4wTQdLKL. A 4.5.1 build with that patch applied is working fine for me. Thanks, Arthur This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended

I seem to be having the same issue as https://lists.samba.org/archive/samba/2012-December/170426.html. I don't see that he ever reached a solution. Nov 20 16:02:58 appdb01-qa sshd[31622]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/appdb01-qa.mediture.dom@\n Nov 20 16:02:58 appdb01-qa sshd[31623]: debug1:

That's too bad, I was trying to get the Vasco Identikey server working with samba4 as a backend for FIPS 140-2 compliant OTP, which will only bind with DIGEST-MD5. I guess I will have to join a Windows 2008 R2 to the domain as a domain controller. Thanks for clarifying, Arthur On 07/10/2015 04:38 AM, Andrew Bartlett wrote: > On Tue, 2015-07-07 at 15:10 -0500, Arthur Ramsey wrote:

[2017/09/28 03:46:51.256663, 1] ../source4/dsdb/kcc/kcc_topology.c:2730(kcctpl_get_spanning_tree_edges) ../source4/dsdb/kcc/kcc_topology.c:2730: failed to run Kruskal's algorithm: NT_STATUS_INVALID_PARAMETER [2017/09/28 03:46:51.256953, 1] ../source4/dsdb/kcc/kcc_topology.c:3283(kcctpl_create_connections) ../source4/dsdb/kcc/kcc_topology.c:3283: failed get spanning tree edges:

I've had this problem as well. We created a domain with two 4.4.4 DCs and everything worked. Sometime after we upgraded the DCs to 4.5.0, the machine joins and some user logons displayed the invalid SID message. We tried recreating the domain from scratch with 4.5.0, but had the same problem. We recreated everything with 4.4.4 , and did not have problems so far. Em 20/10/2016 18:47,

I believe the problem is a lack of outbound replication for non PDC emulator DCs. You'll notice isn't even trying because last successful was epoch (never) yet there are no errors. Inbound replication for this DC seems fine. [root at vsc-dc02 ~]# samba-tool drs showrepl [...]==== OUTBOUND NEIGHBORS ==== DC=DomainDnsZones,DC=mediture,DC=dom aws\AWS-DC01 via RPC DSA object GUID:

Hello, I'm running Samba 4.5.0 and bind-9.8.2-0.47.rc1.el6_8.1. One DC of four, the PDC, is magnitudes slower running /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names. When that is running on that DC it seems to block any queries. The load average is usually under 0.5. The DC was unsafely halted, which could have corrupted something. I ran a dbcheck with samba-tool and it

Error joining Linux member to Samba 4.5.0 DC. /usr/bin/net join -w MEDITURE -S dc01.mediture.dom -U Administrator Enter Administrator's password: Failed to join domain: failed to lookup DC info for domain 'MEDITURE.DOM' over rpc: Indicates the SID structure is not valid. ADS join did not work, falling back to RPC... Thanks, Arthur This e-mail and any attachments may contain

I have 4 samba 4.5.0 DCs. I can connect via smb to two of them and can't connect to another two. I get an error "The request is not supported". Those same two DCs I cannot connect to via smb also have issues via ADUC. I get an "RPC server is unavailable" when trying to connect with ADUC. Here's my smb.conf: http://pastebin.com/7J8hNd0Y. Thanks, Arthur This

Well vsc-dc01 is actually dc01 for the host name, sorry I forgot about that. This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the

On Thu, 2017-12-14 at 18:52 -0600, Arthur Ramsey wrote: > Thanks Andrew, much better than vanilla 4.7.3 but it is still performs > much worse than vanilla 4.7.0 especially for DLZ zones. I understand. The key issue is that to support the wildcards we changed the way we use the database, the SCOPE_ONELEVEL index (compared with SCOPE_BASE used exclusively in the past) over 7000 possible

OK, I have now tried three versions of Samba and all react the same way. This tells me that I physically have an issue with a database or something. Is it going to be faster for me to simply wipe the entire AD, restore my Windows Server clean install image, and start over? I have until midnight to make this work. It is 1810hrs now. Lead IT/IS Specialist Reach Technology FP, Inc On 10/27/2016