similar to: upgrading DC 4.5.x to 4.7.x

02.12.2017 2:16, mj via samba пишет: > - power off the old DCs > - reize fsmo roles, cleanup the database, etc why not to transfer roles while old DC are online? > - add new 4.7.2 DCs using their old names/ips > - remove the temporary DC why not simply add new DCs to current production domain? I'm thinking about way to upgrade too, but using "separated environment"

I'm going to start with clean centos install, so I might as well use some additional guidelines, thank You. When You run kinit, does Your user have ticket already? What I noticed is that when user has a ticket already, kinit works fine, uses as default principal the one from ticket. Can you do kdestroy - then kinit? Also, on Fedora, did You install samba from source or from repo's RPM?

Hi, On 12/02/2017 03:49 PM, Mike Lykov via samba wrote: > 02.12.2017 2:16, mj via samba пишет: > >> - power off the old DCs >> - reize fsmo roles, cleanup the database, etc > > why  not to transfer roles while old DC are online? See your question two > >> - add new 4.7.2 DCs using their old names/ips >> - remove the temporary DC > > why not simply

I've noticed myself similiar issue. Windows 10 (v 1803) - window with security tab open crashes on certain files (yes, just the window, not whole OS). Just before crash i see unresolved SID which looks like nothing I know (doesn't look like domain SID - maybe local user SID from samba member server?). All files that cause this issue are from any of the samba servers. Same files I can

Hi, I have a problem with GPO editing. I have some GPO first created with RSAT and GPO editor on Win 7 x64. I have modified recently this object with RSAT and GPO editor on Win 10 x64 . If I try to edit the GPO back to Win7 I got the following error (in french): La ressource ? $(string.SiteDiscoveryEnableWMI) ? r?f?renc?e dans l?attribut displayName est introuvable. Fichier

Thank for all advice, I have a question about: "- add new 4.7.2 DCs using their old names/ips - remove the temporary DC" Do I understand correctly, You created new machine (or removed/reinstalled samba completely), used IP/hostname of the previous DC and just re-added as DC? Also, did You have any issues after removing temporary DC? Some time ago i had to remove one DC and I had

Hello, Thank You for fast response. I'm glad that it's a mistake somewhere on my side, it means it will work when I fix it :) Ok, first of all: Everything is on centos 7.4 All config files will be below, but to start off: behaviour is stranger than I thought, but there is a pattern: when doing [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V Using default cache: /tmp/krb5cc_101003

Ok, I finally could try it out, and it seems to actually work, but You need samba 4.7 on all machines, not only AD, but also server with freeradius. I didn't get a chance to test it locally, that is samba AD + freeradius on the same server. Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work (got simple "nt_status_wrong_password") but: 4.7.6 AD and 4.7.1

On Wed, 1 Nov 2017 19:49:32 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote: > On Wed, 1 Nov 2017 20:28:05 +0100 > Kacper Wirski <kacper.wirski at gmail.com> wrote: > > > I'm going to start with clean centos install, so I might as well use > > some additional guidelines, thank You. > > > > When You run kinit, does Your user have

By primary group I mean the group that is set by chgrp. that is the group returned after the pound key (#) from getfacl. In other words the Unix group and not the one managed by ACLs. / Kacper > Hello, > > I've seem to have found what looks like a bug in Samba 4.8.3. It's > the same problem as described in > https://lists.samba.org/archive/samba/2018-March/214589.html.

As I said, I haven't got time to look at what's really happening, just that sometimes windows 10 + some file = security tab just closes/crashes instantly and clearly there is a long SID that's not like anything I recognize, might be well known SID (not well known enough though I'd say, as it's unresolved ;) ). I'm not sure if my experiences are related to those of OP,

It is an issue that I myself would also like to solve. I found multiple threads in samba and freeradius mailing lists. It seems that every couple of months there is question like this either here on FR mailing list and all point down to the same issue, that is: freeradius uses ntlm_auth (even when using winbind with newer freeradius versions, it also in the end uses ntlm_auth). And since

On Mon, 15 Jan 2018 14:55:55 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! L.P.H. van Belle via samba > In chel di` si favelave... > > > > It is not the SYSTEM user (that is a local user to the > > > workstation, so clearly does not exist on the domain). > > Yes it does. Look at "Builtin\system" which is also "NT

Hello, I have samba 4.5.10 file server as AD member (AD is also samba 4.5.10). I'm using unix extension for windows rsat to set UIDs for all users and on samba AD member i'd prefer to use idmap = ad to have consistent file permissions across multiple file servers. My issue is with machine accounts. RSAT extension doesn't allow for easy "uid" setting for machine

Hello, I've posted about this issue some time ago, but I maybe didn't explain myself enough and/or didn't supply enough information. My setup is centos 7.5 samba 4.8.4 AD DCwith BIND as dns backend. I noticed that some windows clients stopped doing secure dns dynamic updates because of insufficient rights error. Upon further digging I realized that all of the entries, that were

what is the output of "kvno dc.domain.net.pl"? There seems to be mismatch kvno of the secrets keytab, and what is client expecting (kvno 2). Kvno increments by 1 for every password change. Was there by any chance password change for the dc$ account and keytab was not recreated? If You made some upgrades, maybe during process You for example rejoined the domain (that would set new

On 03/06/2019 12:29, Kacper Wirski via samba wrote: > Hello, > > Since nobody picked this up I will try to answer myself (hopefully > correctly). > > I think I just misread documentation on wiki, but I would really > appreciate a clarification. In the wiki it states: > > "To enable other accounts than the domain administrator to set > permissions on Windows,

Also I just facepalmed, as I double checked smb.conf right after sending mail, and in samba 4.7 there are new options available for "ntlm auth", as stated in docs: |mschapv2-and-ntlmv2-only| - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the |ntlm_auth| tool). So that is is I suppose that special "flag" that is used by

Hello, I stumbled upon weird error/bug. My setup: 4.8.3 AD on centos 7.5 (compiled from source). BIND as dns running on AD DC with secure dns updates setup and working. Most of the DNS updates are dynamic, some added manually using windows DNS manager. One of the PTR entries in reverse lookup zone went missing. It's not visible in the windows DNS manager, it's nowhere to be found

Hello, I can definately confirm that it's working. My basic setup is: 1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7 2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight from centos repo. // I  tested also on freeradius 3.0.14 and samba 4.7.x smb.conf on the DC is pretty basic, most important is obviously in [globall]:         ntlm auth =