similar to: 'check password script' and Join...

Did you run the command to disable the password check or complexabilty on all you DC's? That is needed. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Marco Gaiarin via samba > Verzonden: dinsdag 24 oktober 2017 15:33 > Aan: samba at lists.samba.org > Onderwerp: [Samba] 'check password script'

I've setup my second DC, following the samba wiki, without major trouble. Only three notes: a) i've followed the suggestion to move idmap.ldb from the first DC to the second (Rowland! Clap me! I've not sayed 'primary' and 'secondary'! ;-). After that, as suggested by the wiki, i've done a 'samba-tool ntacl sysvolreset' but: root at vdcpp1:~# samba-tool

Mandi! Rowland Penny via samba In chel di` si favelave... > If an ldap lookup works on every DC, except for one and the data is > definitely there on the one DC it doesn't work on, then it must be > something on that DC. is there a firewall or apparmor/selinux in the > way ? No. Anyway, note that query return correctly 'result: 0 Success', simply return no data. Another

I need to do a simple query, against some LDAP data in 'laster draft schema' format i've added to te samba/AD schema. All LDAP query return the same result on all (6) of the DC: root at vdcsv1:~# ldapsearch -H ldap://vdcsv2.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember Enter LDAP Password:

Mandi! Rowland Penny via samba In chel di` si favelave... > > No. Anyway, note that query return correctly 'result: 0 Success', > > simply return no data. > That just means the search retuned without error Eh. Query succeded and return no data. Yes. > If you run the command: > ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D >

On Mon, 11 Feb 2019 14:47:01 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > Sorry. Still on this issue. > > Today i'm upgrading my DC (with latest 4.5 from louis repo). Note that > i've 7 DC in total. > > In site 'PP' i've upgraded samba, then rebooted the container. reboot > on 'vdcpp2' happen on: > > Feb

Hai, The steps shown here dont work? https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC If that is the case and you besides that free of errors. Then upgrade, and try again once your on at least samba 4.9 or 4.10. As im hoping you are upgrade straight to Buster. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens

> Why?! Sorry but... someone can point me in the right direction? Really i don't know how to look for that problem... I summarize: a) an LDAP lookup for some data works in ALL DC past one b) in that non-working DC, a direct query against the sam.ldb reveal that data are here (so, seems to me an ACL problem) c) checking sync status between DCs reveal no sync troubles. Where i can

Doing some test i've done, as root, in one DC: root at vdcpp1:~# smbpasswd gaio New SMB password: Retype new SMB password: root at vdcpp1:~# pdbedit -v gaio Unix username: gaio NT username: Account Flags: [U ] User SID: S-1-5-21-160080369-3601385002-3131615632-1105 Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513 Full

Mandi! L.P.H. van Belle via samba In chel di` si favelave... > Did you run the command to disable the password check or complexabilty on all you DC's? Oh, never minded about that. Sure. Instead of commenting 'check password script' i can do: samba-tool domain passwordsettings set --complexity=off sure! Thanks! But, why you say «on all you DC's»? The password policies

Following: https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC i've demoted and removed a DC. Seems all went as expected: root at vdcud1:~# samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio Using vdcsv1.ad.fvg.lnf.it as partner server for the demotion Password for [LNFFVG\gaio]: Deactivating inbound replication Asking partner server vdcsv1.ad.fvg.lnf.it to synchronize

Hello, I am stuck with a error when setting password for a couple of specific users. This error makes impossible to set the password for the affected users. In Windows I get an operation error but the samba-tool output is more informative: samba-tool user setpassword user2 --newpassword= New Password: ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103) ERROR: Failed to set

You guys mix to things. > AFAIK is the 'privileges' that are host-specific. Is correct. >the policies are on the domain (in the LDAP data, > the root DN, look at them!). Yes, but only the GPO policies and these are not applied to the samba server. And because of that, samba-tools password settings needs to be set on every DC. Greetz, Louis > -----Oorspronkelijk

Mandi! Rowland Penny via samba In chel di` si favelave... > Whilst there are attributes that do not get replicated between DC's, > the majority are, so each DC should allow the same access. > Do you have access to the DC ? > Can you run the search locally ? Sure! As just stated, local access (via ldbsearch against the local SAM) works as expected: root at vdcpp1:~# ldbsearch

In our network we found some client with clock differences. Some machine have effectively some troubles, eg have NO 'Windows Time' service defined, probably some glitches happened when moving from our old NT-like domain. Anyway, catching for that, we have found some other strangeness. Windows time service run: C:\Users\gaio>sc query w32time NOME_SERVIZIO: w32time TIPO

On 02/10/2019 14:42, Marco Gaiarin via samba wrote: > Mandi! Rowland penny via samba > In chel di` si favelave... > >>> samba-tool dbcheck --cross-ncs --fix >>> Yes, should be possible, but i normaly do that after i do the following. >> Yes, but why wasn't it removed in the first place ? > [...] >>> Run : >>> dig CNAME

On Wed, 30 Jan 2019 17:25:19 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! Rowland Penny via samba > In chel di` si favelave... > > > nscd caches certain things, as does winbind, if you want to run nscd > > with winbind, you need to stop nscd caching the things that winbind > > does, when you do this, nscd isn't caching very much,

Some month ago a local branch office closed; the local branch had a DC, that i've simply removed the dc with: samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio (see https://lists.samba.org/archive/samba/2019-February/221195.html) But this leave some old DNS records, eg: root at vdcsv1:~# host -t SRV _kerberos._udp.ad.fvg.lnf.it | awk '{print $NF}'| sed

Mandi! Robert Marcano via samba In chel di` si favelave... > Yes, check the documentation of krb5.conf. Ahem, 'apt-get install krb5-doc' misses. ;-) > In summary you will need to > disable dns_canonicalize_hostname dns_lookup_kdc , etc if enabled and set > you admin and kdc hostnames there, something like: How can i determine kdc and master_kdc values? All DC server are

I'm doing some test moving from a NT domain to ad AD domain, using debian jessie samba (4.2) and obviously the 'classicupgrade' procedure. In my setup i use(d) extensively some script to reset password to users. I was (ab)used to have 'smbpasswd' behave differently if executed by root, eg change the password without taking in consideration password policy and check password