similar to: Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates

Hello everyone. In our company we use Samba 4 for about 3 years (classic upgraded from Samba 3.5 + LDAP to Sernet Samba 4.2). We used CentOS 6 for domain controllers and with Bind bundled in this distro was impossible to use dynamic DNS updates. And because I don't like using compiled SW on production servers, we used Samba internal DNS, which worked well (dynamic updates). With one non

> There doesn't seem anything wrong there, the only comment I would make, > is '/var/lib/samba/bind-dns/named.conf' pointing to the correct version > of named ? Yes cat /var/lib/samba/bind-dns/named.conf dlz "AD DNS Zone" { # For BIND 9.8.x # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so"; # For BIND 9.9.x database "dlopen

I just tested samba_dnsupdate --verbose --all-names on our test domain. Samba 4.8.2 from Tranquil IT on CentOS 7 and its Bind 9.9.4. And it just work. But with Internal DNS it threw ; TSIG error with server: tsig verify failure and Failed nsupdate: 2, same as in production domain. So you are right, Rowland, it's problem with Bind - Samba communication. But I don't know, why in test

I have one more interesting thing. I copied DC01 to LAB environment. I demoted "dead" servers DC02X and DC03X. After that I changed DNS backend to BIND. Now samba_dnsupdate --verbose --all-names run as expected (without TSIG errors). Also, I have one problematic client joined to domain during troubleshooting and it cannot do DNS update with Bind. So I also cloned it to LAB like DC01.

Thank you both, Rowland and Louis. I'll try to answer you both and give you more info about our domain. Generally: In the past, we have Samba 3.5 NT4 domain on SLES server (designed ages before, never upgraded). In 2015 I finally decided to migrate to Samba 4 AD. In those day it was 4.2. samba-tool ntacl sysvolcheck was ok, no errors. AD worked (and working) as expected. This summer, I

> So you never read this: > https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC > Which means that you probably never ran the aptly named > 'samba_upgradedns'Of course I ran this. Many times. I'm not stupid, Rowland. At least I can read:D If I've seen that Bind doesn't work, I had to change backend to internal DNS.I carefully read and made

Hello, guys. First of all, I would like to thank you all for the time you spend with solving my problem. I appreciate that very much. Especially Rowland. You make great job every day here on lists. Louis: > ; TSIG error with server: tsig verify failure > > Mayabe update/setup your TSIG key. >

To Rowland: > This was perfectly common, nobody thought this would ever be a problem,mainly because you had to have a user or group in /etc/passwd> or /etc/group mapped to a Samba. Now with AD, you do not need a user or group in /etc/passwd or /etc/group, so any user or group that uses the RID as a Unix ID is> probably too low and is denying the use of any local Unix users Yes, but where

Hello everyone. I'm trying to fix sysvol rights, because i see errors in output of /usr/bin/samba-tool ntacl sysvolcheck ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}

; TSIG error with server: tsig verify failure Mayabe update/setup your TSIG key. https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key Im also wondering why RH is using : '--disable-isc-spnego' Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org]

Well, we are getting somewere...;) >It is probably 'greyed' out because no Windows tools use it or will add it. You will probably need to use Unix tools (ldb or ldap) to remove>them, but you can if you so wish ignore them. What you should never do is to rely on them being there, because they may or may not be there.Ok, I'll let it be there> You need to remove the gidNumber

Hello, everyone. To recapitulate the results of our research: 1) I can confirm Samba 4.8 and Bind 9.9.4 (distribution package) on CentOS 7 (tested od 7.5) work even with dynamic DNS updates without any additional fixes or need to recompile Bind package. I think it will work also on other RHEL 7 clones, so we should update Wiki page:

> Yes, it is a failure, but a failure of the script, it shouldn't print > all those Python errors, it should print something like 'No update > required' for each attempted update and then 'No updates required' Yes, I understand. samba_dnsupdate --verbose --all-names --use-samba-tool gave reasonable output. But samba_dnsupdate --verbose --all-names only just throws ;

On Tue, 21 Aug 2018 16:50:19 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: > > ; TSIG error with server: tsig verify failure > > Mayabe update/setup your TSIG key. > https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key > > Im also wondering why RH is using :

>When you provision a new domain, it is set 3000000, but, seemingly, when you run the classicupgrade it gets sets to a lower number (never actually run a classicupgrade) based on what is in your old domain. > Not sure what to suggest here, do you feel up to sending me (offlist) a copy of your idmap.ldb ? > >Rowland Thank you again, Rowland, for your time. I think that different ID

Yes. In the first name, I wrote DOMAIN, but our real workgroup is SVMETAL, as you cas see in smb.conf. [global] netbios name = fs0001 workgroup = SVMETAL security = ADS realm = SAMDOM.SVMETAL.CZ dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab acl allow execute always = True idmap config *:backend = tdb idmap config *:range = 70001-99999 idmap config

Yes, that's exactly what I've done.Ok, my group has name "IT admins", but logic is same;)Thank you. However I have one more problem. If I create new group or user and give it UID/GID, this is immediately reachable on linux server. id user, or getent group/passwd and also wbinfo -u/-g/-i can list info about it. But if I assign group to user (or deassign), it spends a lot of time

Hello, guys. I?d like to upgrade our Samba 4.11 AD to 4.12. In release notes, REMOVED FEATURES, I see this: ?Retiring DES encryption types in Kerberos. ------------------------------------------ With this release, support for DES encryption types has been removed from Samba, and setting DES_ONLY flag for an account will cause Kerberos authentication to fail for that account (see RFC-6649).? In

Hai, I leave the advice about the uid/gid numbering to Rowland, i can not give a good advice on that. The script was made in such a way that it should not matter what uid/gids are where used. The script looks them up for you, but it must be error free so we are sure what is set is correct. If you look in the script, you see the four SID. DC_SERVER_OPERATORS="S-1-5-32-549"

> You may get away with using the 'rid' backend, but this will have to be> your choice, but whatever you choose, I am sure we can help you get to> a working domain.> > RowlandSo I have an example. We have file and print server based on CentOS 7 with Samba 4.4.4. As wiki said (https://wiki.samba.org/index.php/Setting_up_Automatic_Printer_Driver_Downloads_for_Windows_Clients)