similar to: Intermittent AcceptSecurityContext 54f response to LDAP bind

Executing the following with nsupdate seems to have fixed replication. update add 28f7281f-3955-4885-8a7d-42a36ee87590._msdcs.mediture.dom. 900 A 192.168.222.5 show send update add 8b750a53-3d39-4bc0-8fe9-9bffa9e413aa._msdcs.mediture.dom. 900 A 172.16.1.106 show send update add fe066b13-6f9e-4f3c-beb4-37df1292b8cb._msdcs.mediture.dom. 900 A 192.168.168.65 show send New DNS records I create

I seem to be having the same issue as https://lists.samba.org/archive/samba/2012-December/170426.html. I don't see that he ever reached a solution. Nov 20 16:02:58 appdb01-qa sshd[31622]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/appdb01-qa.mediture.dom@\n Nov 20 16:02:58 appdb01-qa sshd[31623]: debug1:

Replication has been running smoothly until I upgraded to 4.5.0. I had various errors with all BDCs and a force sync didn't resolve it. I shutdown all BDCs, demoted them with --remove-other-dead-server then joined new BDCs with new names. At first replication was intermittently failing (consecutive failures counter kept resetting), but it seemed OK, just slow if anything. Now they all

I believe the problem is a lack of outbound replication for non PDC emulator DCs. You'll notice isn't even trying because last successful was epoch (never) yet there are no errors. Inbound replication for this DC seems fine. [root at vsc-dc02 ~]# samba-tool drs showrepl [...]==== OUTBOUND NEIGHBORS ==== DC=DomainDnsZones,DC=mediture,DC=dom aws\AWS-DC01 via RPC DSA object GUID:

The errors went away, but replication still isn't working properly. There are objects missing on all DCs, but it isn't consistent at all. showrepl: http://pastebin.com/bYfCZcNG Thanks, Arthur On 10/17/2016 12:32 PM, Arthur Ramsey wrote: > This fixed DNS issues. > > samba_upgradedns --dns-backend=BIND9_DLZ > /usr/local/samba/bin/samba-tool domain exportkeytab >

On 10/26/2016 01:29 PM, Andrew Bartlett wrote: > I'm very sceptical that this is the underlying issue, it just doesn't > line up with the error. I agree, I was surprised. I applied the patch for that issue trying to solve a different issue I was having on 4.4.5 and discovered that it was the source of this issue. > Have you filed a bug for the SID structure > issue, and

Well vsc-dc01 is actually dc01 for the host name, sorry I forgot about that. This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the

Hello, I'm looking for a way to log the following attributes for all authentication activity (LDAP bind, Kerberos, SMB / CIFS, etc.). I would like to see: * Principle name (user name) * Source IP * Timestamp (including at least seconds if not milliseconds) * Authentication result (success / failure) * Reason for failure: bad password, account lockout, account expired,

On 10/20/2016 01:52 PM, Rowland Penny via samba wrote > Have you given Administrator a uidNumber attribute ? Yes, I have. > > It might still help to see the smb.conf Here: http://pastebin.com/M9m8x1DZ This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this

Error joining Linux member to Samba 4.5.0 DC. /usr/bin/net join -w MEDITURE -S dc01.mediture.dom -U Administrator Enter Administrator's password: Failed to join domain: failed to lookup DC info for domain 'MEDITURE.DOM' over rpc: Indicates the SID structure is not valid. ADS join did not work, falling back to RPC... Thanks, Arthur This e-mail and any attachments may contain

Did you check that these groups were actually consistent before you upgraded (have you got a backup to look at the old groups)? The consistency checking definitely got stricter in 4.7, but there may still be a bug here. Cheers, Garming On 29/09/17 10:02, Arthur Ramsey via samba wrote: > I fixed this with the following process. > > 1. Identify affected groups with "samba-tool

I had the same issue with 4.5.1 vanilla. I was able to reverse the fixes from 11520 against 4.5.1. You can see the resulting patch here: http://pastebin.com/4wTQdLKL. A 4.5.1 build with that patch applied is working fine for me. Thanks, Arthur This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended

On 3/13/2017 2:15 PM, Arthur Ramsey via samba wrote: > Upgraded to 4.6.0 on all nodes. Still seeing the same issue. > > If I create an object on vsc-dc02, epo-dc01 or aws-dc01 DCs it doesn't > replicate. If I create it on vsc-dc01 (PDC emulator) then it does > replicate. > > On 03/13/2017 12:13 PM, Arthur Ramsey wrote: >> >> I believe the problem is a lack

[2017/09/28 03:46:51.256663, 1] ../source4/dsdb/kcc/kcc_topology.c:2730(kcctpl_get_spanning_tree_edges) ../source4/dsdb/kcc/kcc_topology.c:2730: failed to run Kruskal's algorithm: NT_STATUS_INVALID_PARAMETER [2017/09/28 03:46:51.256953, 1] ../source4/dsdb/kcc/kcc_topology.c:3283(kcctpl_create_connections) ../source4/dsdb/kcc/kcc_topology.c:3283: failed get spanning tree edges:

4.4.5 seems to work fine for me too, so I guess it is a regression from changes added to 4.4.6 and 4.5.0? On 10/21/2016 3:12 PM, Arthur Ramsey wrote: > I can confirm that rolling back to 4.4.4 resolved the issues for me. > I had the same problem with 4.4.6. > > Thanks, > Arthur This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH

I've had this problem as well. We created a domain with two 4.4.4 DCs and everything worked. Sometime after we upgraded the DCs to 4.5.0, the machine joins and some user logons displayed the invalid SID message. We tried recreating the domain from scratch with 4.5.0, but had the same problem. We recreated everything with 4.4.4 , and did not have problems so far. Em 20/10/2016 18:47,

On Thu, 20 Oct 2016 20:21:17 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote: > On Thu, 20 Oct 2016 14:06:18 -0500 > Arthur Ramsey via samba <samba at lists.samba.org> wrote: > > > On 10/20/2016 01:52 PM, Rowland Penny via samba wrote > > > Have you given Administrator a uidNumber attribute ? > > Yes, I have. > > > > > >

Hello, I believe there may be a bug with accounts getting erroneously locked in v4.4.5+. I've checked at all the Internet facing services to find the source of account lockout and I've done packet captures at the DCs, but I cannot find the source of lockout. I've got several accounts locking out for seemingly no reason including some service accounts where the passwords

I forgot to associate inter-site links (all using default), which fixed a lot though I'm still having an issue. * vsc site o vsc-dc01 o vsc-dc02 * aws site o aws-dc01 * epo site o epo-dc01 * vsc-dc01 => anywhere: OK * vsc-dc02 => anywhere: not replicating * aws-dc01 => anywhere: OK * epo-dc01 => anywhere: OK I've tried with samba_kcc =

I have 4 samba 4.5.0 DCs. I can connect via smb to two of them and can't connect to another two. I get an error "The request is not supported". Those same two DCs I cannot connect to via smb also have issues via ADUC. I get an "RPC server is unavailable" when trying to connect with ADUC. Here's my smb.conf: http://pastebin.com/7J8hNd0Y. Thanks, Arthur This