Displaying 20 results from an estimated 700 matches similar to: "Query for DC in the same site..."
2019 Feb 15
0
Demoted/removed a DC, and the NS records?
Hi Marco,
> Following:
> https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
>
> I've demoted and removed a DC. Seems all went as expected:
>
> root@vdcud1:~# samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio
> Using vdcsv1.ad.fvg.lnf.it as partner server for the demotion
> Password for [LNFFVG\gaio]:
> Deactivating inbound replication
>
2019 Dec 06
2
Account locked and delayed user data propagation...
Mandi! Rowland penny via samba
In chel di` si favelave...
> You cannot create an ldap filter using the above, you would have to filter
> the result of the ldap search.
I can confirm:
root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed
# record 1
dn:
2017 Dec 18
0
[Curiosity] 'netbios aliases' works in AD mode?
> Ahem no one reply me.
Still no feedback. I've done some tests by myself.
a) I've added in smb.conf:
netbios aliases = CUPSSV FILESV
b) I've registered the aliases as SPNs, now I have:
root@vdcsv1:~# samba-tool spn list vdmsv1$
vdmsv1$
User CN=VDMSV1,OU=Computers,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it has the following servicePrincipalName:
HOST/VDMSV1
2019 Feb 15
6
Demoted/removed a DC, and the NS records?
Following:
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
I've demoted and removed a DC. Seems all went as expected:
root@vdcud1:~# samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio
Using vdcsv1.ad.fvg.lnf.it as partner server for the demotion
Password for [LNFFVG\gaio]:
Deactivating inbound replication
Asking partner server vdcsv1.ad.fvg.lnf.it to synchronize
2019 Oct 01
3
Removed a DC but...
Some months ago a local branch office closed; the local branch had a DC,
that I simply removed with:
samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio
(see https://lists.samba.org/archive/samba/2019-February/221195.html)
But this leaves some old DNS records, e.g.:
root@vdcsv1:~# host -t SRV _kerberos._udp.ad.fvg.lnf.it | awk '{print $NF}'| sed
2017 Dec 18
0
[Curiosity] 'netbios aliases' works in AD mode?
Hai Marco,
I don't get what your goal is, sorry.. :-/
If you follow this template.
The computername should always have an A + PTR record.
Now create a CNAME and point to the computer name, and this one can be in any zone.
Does not have to be the primary dns zone, as long as the zones are within the kerberos domain.
On a member you have, by default : dns proxy = yes , man smb.conf for
2018 Nov 22
0
NTP strangeness...
Hi Marco,
As far as I can see here.
Are all your ADDC servers set to the same source NTP (preferred a stratum 1 or 2) server (and not pool ntp sources)?
Because below I see stratum 4 and stratum 3 servers and a timeout on one server.
When I look at this.
> C:\Users\gaio>w32tm /query /peers
> N. peer: 1
2018 Nov 26
3
Different LDAP query in different DC...
I need to do a simple query, against some LDAP data in 'laster draft
schema' format I've added to the samba/AD schema.
All LDAP queries return the same result on all (6) of the DCs:
root@vdcsv1:~# ldapsearch -H ldap://vdcsv2.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember
Enter LDAP Password:
2018 Nov 22
2
NTP strangeness...
In our network we found some clients with clock differences.
Some machines effectively have some troubles, e.g. have NO 'Windows Time'
service defined, probably some glitches happened when moving from our
old NT-like domain.
Anyway, catching for that, we have found some other strangeness.
Windows time service runs:
C:\Users\gaio>sc query w32time
NOME_SERVIZIO: w32time
TIPO
2019 Dec 08
3
Account locked and delayed user data propagation...
On Fri, 2019-12-06 at 12:22 +0000, Rowland penny via samba wrote:
> On 06/12/2019 11:47, Marco Gaiarin via samba wrote:
> > Mandi! Rowland penny via samba
> > In chel di` si favelave...
> >
> > > You cannot create an ldap filter using the above, you would have
> > > to filter
> > > the result of the ldap search.
> >
> > I can
2018 Jun 15
4
Samba, AD, 'short' name resolving...
I'm wondering why your log below shows this order, I just noticed.
Why is the computer trying to set the A records 2 x?
Lines 1-13 show a successful commit of the A/AAAA records.
( TSIG key ok )
If you count the below lines, after line 13, my log shows.
samba_dlz: starting transaction on zone 1.168.192.in-addr.arpa
Yours is trying again to update
samba_dlz: starting transaction on zone
2018 Nov 28
2
Different LDAP query in different DC...
Mandi! Rowland Penny via samba
In chel di` si favelave...
> If an ldap lookup works on every DC, except for one and the data is
> definitely there on the one DC it doesn't work on, then it must be
> something on that DC. is there a firewall or apparmor/selinux in the
> way ?
No. Anyway, note that the query correctly returns 'result: 0 Success',
it simply returns no data.
Another
2017 Oct 23
0
Some hint reading password expiration data...
Sorry, I came back on this, but:
> In another, more generic, way: how password policies are enforced?
I still need an answer on this question.
I've done some tests, using my account, for which pdbedit says:
root@vdcsv1:~# LANG=C pdbedit -v gaio
Unix username: gaio
NT username:
Account Flags: [U ]
User SID:
2017 Oct 23
3
Some hint reading password expiration data...
On Mon, 23 Oct 2017 16:52:05 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> Sorry, I came back on this, but:
>
> > In another, more generic, way: how password policies are enforced?
>
> I still need an answer on this question.
>
>
> I've done some tests, using my account, for which pdbedit says:
>
> root@vdcsv1:~# LANG=C
2017 Oct 27
2
Some hint reading password expiration data...
Mandi! Andrew Bartlett via samba
In chel di` si favelave...
> It is an operational attribute. simply add
> msDS-UserPasswordExpiryTimeComputed
> to the list of attributes requested when searching for the user.
root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=ad,dc=fvg,dc=lnf,dc=it" -s base "" maxPwdAge
# record 1
dn:
2017 Oct 20
2
Some hint reading password expiration data...
In my current ''production'' NT-like domain (samba 4.2, OpenLDAP
backend), password policies seem to ''get written'' to user data.
E.g., if I set:
pdbedit -P "maximum password age" -C 7776000
and I change my password, 'Password must change' has a meaningful value,
e.g. 90 days more than the last password change:
root@armitage:~# pdbedit -v
2017 Sep 26
0
Domain member server: user access
Mandi! L.P.H. van Belle via samba
In chel di` si favelave...
> I'm pretty sure this is a bug in the DC part.
Ahem, sorry, but I'm lost in following this thread. I've just set up my
test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package,
Louis) on a Debian jessie.
Very minimal configuration:
root@vdcsv1:~# samba-tool testparm
Press enter to see a dump of your
2017 Sep 26
1
Domain member server: user access
On Tue, 26 Sep 2017 12:49:26 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! L.P.H. van Belle via samba
> In chel di` si favelave...
>
> > I'm pretty sure this is a bug in the DC part.
>
> Ahem, sorry, but I'm lost in following this thread. I've just set up my
> test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package,
2020 Jan 07
2
Domain 'resync', DC with FSMO roles LDAP troubles...
Happy new year to all!
Samba 4.9.17 on stretch, Louis package.
On 22/12, at midnight, office closed, I suffered a network outage that 'broke in
two' my domain.
On 23/12, at 14.00, the network came back. After that, some scripts written
around ldbsearch that I run on DM (against vdcsv1 that is the DC with FSMO
roles) started to complain:
Failed to bind - LDAP client internal error:
2017 Nov 09
2
Best practice for creating an RO LDAP User in AD...
On Thu, 9 Nov 2017 11:08:26 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! L.P.H. van Belle via samba
> In chel di` si favelave...
>
> > I don't believe it.
>
> Eh. «De gustibus non disputandum est». ;-)
>
>
> > The setup for the Ad in the link below is the same but if you want
> > access without auth, Have you tried to