Displaying 20 results from an estimated 2000 matches similar to: "Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates"
2018 Aug 21
1
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> It should work ;-)
> Can you post your smb.conf and /etc/named.conf files
> Rowland
Hello Rowland. Of course I can:
cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = SVMETAL
realm = samdom.svmetal.cz
netbios name = DC01
server services = -dns
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
allow dns updates =
2017 Sep 05
3
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Thank you both, Rowland and Louis.
I'll try to answer you both and give you more info about our domain.
Generally:
In the past, we have Samba 3.5 NT4 domain on SLES server (designed ages
before, never upgraded). In 2015 I finally decided to migrate to Samba 4
AD. In those day it was 4.2. samba-tool ntacl sysvolcheck was ok, no
errors. AD worked (and working) as expected.
This summer, I
2017 Sep 05
1
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
To Rowland:
> This was perfectly common, nobody thought this would ever be a
problem,mainly because you had to have a user or group in /etc/passwd>
or /etc/group mapped to a Samba. Now with AD, you do not need a user or
group in /etc/passwd or /etc/group, so any user or group that uses the
RID as a Unix ID is> probably too low and is denying the use of any
local Unix users
Yes, but where
2017 Sep 05
0
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Hai,
I leave the advice about the uid/gid numbering to Rowland, i can not give a good advice on that.
The script was made in such a way that it should not matter what uid/gids are where used.
The script looks them up for you, but it must be error free so we are sure what is set is correct.
If you look in the script, you see the four SID.
DC_SERVER_OPERATORS="S-1-5-32-549"
2017 Sep 04
2
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Hello everyone.
I'm trying to fix sysvol rights, because i see errors in output of
/usr/bin/samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
2018 Aug 21
1
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> There doesn't seem anything wrong there, the only comment I would make,
> is '/var/lib/samba/bind-dns/named.conf' pointing to the correct version
> of named ?
Yes
cat /var/lib/samba/bind-dns/named.conf
dlz "AD DNS Zone" {
# For BIND 9.8.x
# database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
# For BIND 9.9.x
database "dlopen
2018 Aug 22
1
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
Hello, guys.
First of all, I would like to thank you all for the time you spend with solving my problem. I appreciate that very much. Especially Rowland. You make great job every day here on lists.
Louis:
> ; TSIG error with server: tsig verify failure
>
> Mayabe update/setup your TSIG key.
>
2018 Aug 21
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
; TSIG error with server: tsig verify failure
Mayabe update/setup your TSIG key.
https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key
Im also wondering why RH is using : '--disable-isc-spnego'
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org]
2018 Aug 22
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
I just tested samba_dnsupdate --verbose --all-names on our test domain.
Samba 4.8.2 from Tranquil IT on CentOS 7 and its Bind 9.9.4.
And it just work.
But with Internal DNS it threw ; TSIG error with server: tsig verify
failure and Failed nsupdate: 2, same as in production domain.
So you are right, Rowland, it's problem with Bind - Samba
communication. But I don't know, why in test
2018 Aug 24
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
I have one more interesting thing.
I copied DC01 to LAB environment. I demoted "dead" servers DC02X and
DC03X. After that I changed DNS backend to BIND.
Now samba_dnsupdate --verbose --all-names run as expected (without TSIG
errors).
Also, I have one problematic client joined to domain during
troubleshooting and it cannot do DNS update with Bind. So I also cloned
it to LAB like DC01.
2020 Oct 05
3
Upgrade to Samba 4.12 question
Hello, guys.
I?d like to upgrade our Samba 4.11 AD to 4.12. In release notes,
REMOVED FEATURES, I see this:
?Retiring DES encryption types in Kerberos.
------------------------------------------
With this release, support for DES encryption types has been removed
from
Samba, and setting DES_ONLY flag for an account will cause Kerberos
authentication to fail for that account (see RFC-6649).?
In
2018 Aug 21
3
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> So you never read this:
> https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC
> Which means that you probably never ran the aptly named
> 'samba_upgradedns'Of course I ran this. Many times. I'm not stupid, Rowland. At least I can read:D
If I've seen that Bind doesn't work, I had to change backend to internal DNS.I carefully read and made
2018 Aug 24
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
Hello, everyone.
To recapitulate the results of our research:
1) I can confirm Samba 4.8 and Bind 9.9.4 (distribution package) on CentOS 7 (tested od 7.5) work even with dynamic DNS updates without any additional fixes or need to recompile Bind package.
I think it will work also on other RHEL 7 clones, so we should update Wiki page:
2018 Aug 22
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> Yes, it is a failure, but a failure of the script, it shouldn't print
> all those Python errors, it should print something like 'No update
> required' for each attempted update and then 'No updates required'
Yes, I understand. samba_dnsupdate --verbose --all-names --use-samba-tool gave reasonable output. But samba_dnsupdate --verbose --all-names only just throws
;
2018 Aug 21
1
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
On Tue, 21 Aug 2018 16:50:19 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> ; TSIG error with server: tsig verify failure
>
> Mayabe update/setup your TSIG key.
> https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key
>
> Im also wondering why RH is using :
2017 Sep 05
1
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Well, we are getting somewere...;)
>It is probably 'greyed' out because no Windows tools use it or will
add it. You will probably need to use Unix tools (ldb or ldap) to
remove>them, but you can if you so wish ignore them. What you should
never do is to rely on them being there, because they may or may not be
there.Ok, I'll let it be there> You need to remove the gidNumber
2017 Sep 06
3
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>When you provision a new domain, it is set 3000000, but, seemingly,
when you run the classicupgrade it gets sets to a lower number (never
actually run a classicupgrade) based on what is in your old domain.
> Not sure what to suggest here, do you feel up to sending me (offlist)
a copy of your idmap.ldb ?
>
>Rowland
Thank you again, Rowland, for your time.
I think that different ID
2020 Nov 20
2
winbind use default domain = yes doesn't work on Samba 4.13?
Yes.
In the first name, I wrote DOMAIN, but our real workgroup is SVMETAL,
as you cas see in smb.conf.
[global]
netbios name = fs0001
workgroup = SVMETAL
security = ADS
realm = SAMDOM.SVMETAL.CZ
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
acl allow execute always = True
idmap config *:backend = tdb
idmap config *:range = 70001-99999
idmap config
2018 Nov 01
2
Internal DNS migrate to Bind9_DLZ
Hello,
sorry, but I cannot find start of this discussion thread, so my question may be stupid.
Is your domain classicupgraded from Samba 3 or provisioned from scratch?
I have similar problem with our domain which is upgraded. If I provision the new domain everything works, but in old domain there is something broken inside.
For Rowland:
Does exist utility with similar function as "net rpc
2017 Sep 06
1
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>On Wed, 06 Sep 2017 11:24:17 +0200>Jiří Černý via samba <samba at
lists.samba.org
( https://lists.samba.org/mailman/listinfo/samba) > wrote:>>> I feel
this all has something to do with the classicupgrade, the>> command
works for me, does 'wbinfo --sid-to-gid="S-1-5-32-544"'>> work ?>> Yes.
Take a look:wbinfo