similar to: samba 4.8.3 with BIND dynamic dns update failed

Hi, you're right about kvno. kvno dc gives me: dc at DOMAIN.NET.PL: kvno = 1 I'm pretty sure I didn't change dc$ password nor keytab wasn't recreated (the file is from 2015). I've checked other DCs. It looks like two of them with CentOS 7 have kvno = 2, and one with CentOS 6 has also v 1. DCs on CentOS 7 are pretty new, with samba version 4.7.4 from the scratch. Main DC

Hello, I found this bugged record with ldbsearch -H path/to/samba/bind-dns/dns/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=SUBDOMAIN\,DC\=DOMAIN\,DC\=PL.ldb '(name=49)' So I have a couple of questions - hopefully someone can shed some light: - am I looking in correct .ldb for bind-dns? - can I remove this record? If yes what's the best method? Should samba and/or bind be stopped? As I

Try verifying kvno from the client that gives the error message. That kvno = 2 for dc$ must've come from somewhere. You can also double check e.g. via ADUC ldap attributes of the dc$: lastpwdset and kvno. If  kvno is definately 1 that means that client connecting has some error, if it's 2, than it means that dc has outdated keytab. And if it's the former, than I really am not sure

Hello, I stumbled upon weird error/bug. My setup: 4.8.3 AD on centos 7.5 (compiled from source). BIND as dns running on AD DC with secure dns updates setup and working. Most of the DNS updates are dynamic, some added manually using windows DNS manager. One of the PTR entries in reverse lookup zone went missing. It's not visible in the windows DNS manager, it's nowhere to be found

Hello, I've realised that there was an error on this server, wrong idmap.ldb, 3000002 should be one of the built-in users or groups instead of machine own account. Unfortunately fixing idmap (I imported idmap.ldb from DC with correct mapping) didn't fix my original error, as it still appears each time samba is restarted. Regards, Kacper W dniu 02.07.2018 o 10:52, Kacper Wirski via

what is the output of "kvno dc.domain.net.pl"? There seems to be mismatch kvno of the secrets keytab, and what is client expecting (kvno 2). Kvno increments by 1 for every password change. Was there by any chance password change for the dc$ account and keytab was not recreated? If You made some upgrades, maybe during process You for example rejoined the domain (that would set new

Hello, Centos 7.5 samba 4.8.3 installation, compiled from source working as AD DC. It was an update from 4.7 (not an in place update, but added new DC's to existing domain and demoted 4.7.x DC's). After adding to my smb.conf: /apply group policies = yes/ I see errors on samba star: ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)   /usr/local/samba/sbin/samba_gpoupdate: SID

On Sat, 21 Jul 2018 20:57:07 +0200 Kacper Wirski via samba <samba at lists.samba.org> wrote: > Hello, > > I found this bugged record with > > ldbsearch -H > path/to/samba/bind-dns/dns/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=SUBDOMAIN\,DC\=DOMAIN\,DC\=PL.ldb > '(name=49)' > > So I have a couple of questions - hopefully someone can shed some > light: >

Thank You for the prompt reply. By "sam.ldb" you mean the samba/bind-dns/dns/sam.ldb right? After executing: ldbsearch --cross-ncs -H /path/to/samba/bind-dns/dns/sam.ldb '(name=49)' I do find same records, as with previous search including the one I need to delete as it is bugged. It's dn is:

Hello, I'll try to be as brief as possible. I'm testing samba 4.8.3 on centos 7.5. Fresh installation joined to existing AD domain that was ran with samba 4.7.6. I did add 2 DC's with 4.8.3, then removed all 4.7.6 DC's. Everything seemed to work fine, except for adding DNS entries on one of the machines. Samba by itself was unable to add them throwing error in log that dnsupdate

To answer my own question: Yes, it's seems like a feature. I ran basic ldbsearch query: ldbsearch -H /usr/local/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=mydomain,DC=com" and saw in output entries with: dNSTombstoned: TRUE Overall there are a couple hundred entries with as such. So now my question is: How can I safely remove them, any tips/guideliness? I thought that

On Tue, 3 Jul 2018 08:06:44 +0200 Kacper Wirski via samba <samba at lists.samba.org> wrote: > Hello, > > I've realised that there was an error on this server, wrong > idmap.ldb, 3000002 should be one of the built-in users or groups > instead of machine own account. Unfortunately fixing idmap (I > imported idmap.ldb from DC with correct mapping) didn't fix my >

I've noticed myself similiar issue. Windows 10 (v 1803) - window with security tab open crashes on certain files (yes, just the window, not whole OS). Just before crash i see unresolved SID which looks like nothing I know (doesn't look like domain SID - maybe local user SID from samba member server?). All files that cause this issue are from any of the samba servers. Same files I can

W dniu 21.11.2018 o 21:09, Rowland Penny via samba pisze: > On Wed, 21 Nov 2018 20:48:34 +0100 > Kacper Wirski via samba <samba at lists.samba.org> wrote: > >> So in my case - is it safe to delete directly using ldbdel or using >> windows ADSI gui ldap editor? Or is there another way? What is the >> right way to do it? >> >> something like: >>

Hello, Since noone answered, I'll add some more information - maybe I'm unclear about the nature of the issue? I re-read samba wiki, especially about DNS management and I didn't find any information pointing to such behaviour. I was deleting all entries using windows DNS management console (which is in the sama wiki, so I suppose it's supported) I don't have

So in my case - is it safe to delete directly using ldbdel or using windows ADSI gui ldap editor? Or is there another way? What is the right way to do it? something like: ldbdel -H /usr/local/samba/private/sam.ldb -b"DC=DomainDnsZones,DC=mydomain,DC=com '(dNSTombstoned: TRUE)' ? I read in samba 4.9 new features release notes about scavenging but I'm not sure if it's the

As I said, I haven't got time to look at what's really happening, just that sometimes windows 10 + some file = security tab just closes/crashes instantly and clearly there is a long SID that's not like anything I recognize, might be well known SID (not well known enough though I'd say, as it's unresolved ;) ). I'm not sure if my experiences are related to those of OP,

Hello, I've posted about this issue some time ago, but I maybe didn't explain myself enough and/or didn't supply enough information. My setup is centos 7.5 samba 4.8.4 AD DCwith BIND as dns backend. I noticed that some windows clients stopped doing secure dns dynamic updates because of insufficient rights error. Upon further digging I realized that all of the entries, that were

On Wed, 21 Nov 2018 19:39:53 +0100 Kacper Wirski via samba <samba at lists.samba.org> wrote: > To answer my own question: > > Yes, it's seems like a feature. Yes, it is a feature, an AD feature ;-) > > I ran basic ldbsearch query: > > ldbsearch -H /usr/local/samba/private/sam.ldb -b > "DC=DomainDnsZones,DC=mydomain,DC=com" and saw in output

Maybe try something like this, dont know it its right, i cant test it atm, and i never used its so.. But in krb5.conf try to match the failty one with a rule. auth_to_local = RULE:[1:SAMDOM:$1] Maybe it works maybe not, but imo, try-able ;-) , just an idee.. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Kacper