similar to: Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates

> It should work ;-) > Can you post your smb.conf and /etc/named.conf files > Rowland Hello Rowland. Of course I can: cat /etc/samba/smb.conf # Global parameters [global] workgroup = SVMETAL realm = samdom.svmetal.cz netbios name = DC01 server services = -dns server role = active directory domain controller idmap_ldb:use rfc2307 = yes allow dns updates =

Thank you both, Rowland and Louis. I'll try to answer you both and give you more info about our domain. Generally: In the past, we have Samba 3.5 NT4 domain on SLES server (designed ages before, never upgraded). In 2015 I finally decided to migrate to Samba 4 AD. In those day it was 4.2. samba-tool ntacl sysvolcheck was ok, no errors. AD worked (and working) as expected. This summer, I

To Rowland: > This was perfectly common, nobody thought this would ever be a problem,mainly because you had to have a user or group in /etc/passwd> or /etc/group mapped to a Samba. Now with AD, you do not need a user or group in /etc/passwd or /etc/group, so any user or group that uses the RID as a Unix ID is> probably too low and is denying the use of any local Unix users Yes, but where

Hai, I leave the advice about the uid/gid numbering to Rowland, i can not give a good advice on that. The script was made in such a way that it should not matter what uid/gids are where used. The script looks them up for you, but it must be error free so we are sure what is set is correct. If you look in the script, you see the four SID. DC_SERVER_OPERATORS="S-1-5-32-549"

Hello everyone. I'm trying to fix sysvol rights, because i see errors in output of /usr/bin/samba-tool ntacl sysvolcheck ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}

> There doesn't seem anything wrong there, the only comment I would make, > is '/var/lib/samba/bind-dns/named.conf' pointing to the correct version > of named ? Yes cat /var/lib/samba/bind-dns/named.conf dlz "AD DNS Zone" { # For BIND 9.8.x # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so"; # For BIND 9.9.x database "dlopen

Hello, guys. First of all, I would like to thank you all for the time you spend with solving my problem. I appreciate that very much. Especially Rowland. You make great job every day here on lists. Louis: > ; TSIG error with server: tsig verify failure > > Mayabe update/setup your TSIG key. >

; TSIG error with server: tsig verify failure Mayabe update/setup your TSIG key. https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key Im also wondering why RH is using : '--disable-isc-spnego' Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org]

I just tested samba_dnsupdate --verbose --all-names on our test domain. Samba 4.8.2 from Tranquil IT on CentOS 7 and its Bind 9.9.4. And it just work. But with Internal DNS it threw ; TSIG error with server: tsig verify failure and Failed nsupdate: 2, same as in production domain. So you are right, Rowland, it's problem with Bind - Samba communication. But I don't know, why in test

I have one more interesting thing. I copied DC01 to LAB environment. I demoted "dead" servers DC02X and DC03X. After that I changed DNS backend to BIND. Now samba_dnsupdate --verbose --all-names run as expected (without TSIG errors). Also, I have one problematic client joined to domain during troubleshooting and it cannot do DNS update with Bind. So I also cloned it to LAB like DC01.

Hello, guys. I?d like to upgrade our Samba 4.11 AD to 4.12. In release notes, REMOVED FEATURES, I see this: ?Retiring DES encryption types in Kerberos. ------------------------------------------ With this release, support for DES encryption types has been removed from Samba, and setting DES_ONLY flag for an account will cause Kerberos authentication to fail for that account (see RFC-6649).? In

> So you never read this: > https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC > Which means that you probably never ran the aptly named > 'samba_upgradedns'Of course I ran this. Many times. I'm not stupid, Rowland. At least I can read:D If I've seen that Bind doesn't work, I had to change backend to internal DNS.I carefully read and made

Hello, everyone. To recapitulate the results of our research: 1) I can confirm Samba 4.8 and Bind 9.9.4 (distribution package) on CentOS 7 (tested od 7.5) work even with dynamic DNS updates without any additional fixes or need to recompile Bind package. I think it will work also on other RHEL 7 clones, so we should update Wiki page:

> Yes, it is a failure, but a failure of the script, it shouldn't print > all those Python errors, it should print something like 'No update > required' for each attempted update and then 'No updates required' Yes, I understand. samba_dnsupdate --verbose --all-names --use-samba-tool gave reasonable output. But samba_dnsupdate --verbose --all-names only just throws ;

On Tue, 21 Aug 2018 16:50:19 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: > > ; TSIG error with server: tsig verify failure > > Mayabe update/setup your TSIG key. > https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key > > Im also wondering why RH is using :

Well, we are getting somewere...;) >It is probably 'greyed' out because no Windows tools use it or will add it. You will probably need to use Unix tools (ldb or ldap) to remove>them, but you can if you so wish ignore them. What you should never do is to rely on them being there, because they may or may not be there.Ok, I'll let it be there> You need to remove the gidNumber

>When you provision a new domain, it is set 3000000, but, seemingly, when you run the classicupgrade it gets sets to a lower number (never actually run a classicupgrade) based on what is in your old domain. > Not sure what to suggest here, do you feel up to sending me (offlist) a copy of your idmap.ldb ? > >Rowland Thank you again, Rowland, for your time. I think that different ID

Yes. In the first name, I wrote DOMAIN, but our real workgroup is SVMETAL, as you cas see in smb.conf. [global] netbios name = fs0001 workgroup = SVMETAL security = ADS realm = SAMDOM.SVMETAL.CZ dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab acl allow execute always = True idmap config *:backend = tdb idmap config *:range = 70001-99999 idmap config

Hello, sorry, but I cannot find start of this discussion thread, so my question may be stupid. Is your domain classicupgraded from Samba 3 or provisioned from scratch? I have similar problem with our domain which is upgraded. If I provision the new domain everything works, but in old domain there is something broken inside. For Rowland: Does exist utility with similar function as "net rpc

>On Wed, 06 Sep 2017 11:24:17 +0200>Jiří Černý via samba <samba at lists.samba.org ( https://lists.samba.org/mailman/listinfo/samba) > wrote:>>> I feel this all has something to do with the classicupgrade, the>> command works for me, does 'wbinfo --sid-to-gid="S-1-5-32-544"'>> work ?>> Yes. Take a look:wbinfo