Displaying 20 results from an estimated 5000 matches similar to: "Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates"
2018 Aug 21
3
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> So you never read this:
> https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC
> Which means that you probably never ran the aptly named
> 'samba_upgradedns'
Of course I ran this. Many times. I'm not stupid, Rowland. At least I can read :D
If I've seen that Bind doesn't work, I had to change backend to internal DNS. I carefully read and made
2018 Aug 22
1
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
Hello, guys.
First of all, I would like to thank you all for the time you spend solving my problem. I appreciate that very much. Especially Rowland. You do a great job every day here on the lists.
Louis:
> ; TSIG error with server: tsig verify failure
>
> Maybe update/setup your TSIG key.
>
2018 Aug 21
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
; TSIG error with server: tsig verify failure
Maybe update/setup your TSIG key.
https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key
I'm also wondering why RH is using : '--disable-isc-spnego'
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org]
2018 Aug 21
1
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> It should work ;-)
> Can you post your smb.conf and /etc/named.conf files
> Rowland
Hello Rowland. Of course I can:
cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = SVMETAL
realm = samdom.svmetal.cz
netbios name = DC01
server services = -dns
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
allow dns updates =
2018 Aug 24
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
I have one more interesting thing.
I copied DC01 to LAB environment. I demoted "dead" servers DC02X and
DC03X. After that I changed DNS backend to BIND.
Now samba_dnsupdate --verbose --all-names run as expected (without TSIG
errors).
Also, I have one problematic client joined to domain during
troubleshooting and it cannot do DNS update with Bind. So I also cloned
it to LAB like DC01.
2018 Aug 21
1
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
Hello everyone.
In our company we have used Samba 4 for about 3 years (classic upgrade from
Samba 3.5 + LDAP to Sernet Samba 4.2). We used CentOS 6 for domain
controllers and with the Bind bundled in this distro it was impossible to use
dynamic DNS updates. And because I don't like using compiled SW on
production servers, we used Samba internal DNS, which worked well
(dynamic updates).
With one non
2018 Aug 24
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
Hello, everyone.
To recapitulate the results of our research:
1) I can confirm Samba 4.8 and Bind 9.9.4 (distribution package) on CentOS 7 (tested on 7.5) work even with dynamic DNS updates without any additional fixes or need to recompile Bind package.
I think it will work also on other RHEL 7 clones, so we should update Wiki page:
2018 Aug 22
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
I just tested samba_dnsupdate --verbose --all-names on our test domain.
Samba 4.8.2 from Tranquil IT on CentOS 7 and its Bind 9.9.4.
And it just works.
But with Internal DNS it threw ; TSIG error with server: tsig verify
failure and Failed nsupdate: 2, same as in production domain.
So you are right, Rowland, it's a problem with Bind - Samba
communication. But I don't know, why in test
2018 Aug 22
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> Yes, it is a failure, but a failure of the script, it shouldn't print
> all those Python errors, it should print something like 'No update
> required' for each attempted update and then 'No updates required'
Yes, I understand. samba_dnsupdate --verbose --all-names --use-samba-tool gave reasonable output. But samba_dnsupdate --verbose --all-names only just throws
;
2018 Aug 21
1
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
On Tue, 21 Aug 2018 16:50:19 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> ; TSIG error with server: tsig verify failure
>
> Maybe update/setup your TSIG key.
> https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key
>
> I'm also wondering why RH is using :
2017 Sep 05
3
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Thank you both, Rowland and Louis.
I'll try to answer you both and give you more info about our domain.
Generally:
In the past, we had a Samba 3.5 NT4 domain on a SLES server (designed ages
before, never upgraded). In 2015 I finally decided to migrate to Samba 4
AD. In those days it was 4.2. samba-tool ntacl sysvolcheck was ok, no
errors. AD worked (and is working) as expected.
This summer, I
2017 Sep 04
2
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Hello everyone.
I'm trying to fix sysvol rights, because I see errors in output of
/usr/bin/samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
2020 Nov 20
2
winbind use default domain = yes doesn't work on Samba 4.13?
Yes.
In the first name, I wrote DOMAIN, but our real workgroup is SVMETAL,
as you can see in smb.conf.
[global]
netbios name = fs0001
workgroup = SVMETAL
security = ADS
realm = SAMDOM.SVMETAL.CZ
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
acl allow execute always = True
idmap config *:backend = tdb
idmap config *:range = 70001-99999
idmap config
2020 Oct 05
3
Upgrade to Samba 4.12 question
Hello, guys.
I'd like to upgrade our Samba 4.11 AD to 4.12. In release notes,
REMOVED FEATURES, I see this:
"Retiring DES encryption types in Kerberos.
------------------------------------------
With this release, support for DES encryption types has been removed
from Samba, and setting DES_ONLY flag for an account will cause Kerberos
authentication to fail for that account (see RFC-6649)."
In
2018 Nov 06
0
dynamic update for reverse lookup zone denied - insufficient access rights
On Tue, 6 Nov 2018 11:24:43 +0100
Kacper Wirski via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I'm struggling with an error for secure dynamic dns updates for
> reverse lookup zones.
>
> My environment:
>
> 2 Samba 4.8.4 DC's with BIND DLZ as dns backend, running on Centos
> 7.5. Samba was compiled from source with default heimdal kerberos
2018 May 11
0
Bind_DLZ krb errors @ startup.
I'm seeing this as well, after I updated my CentOS 7 hosts to the latest
release.
Something seems to have broken!
On 10 May 2018 at 17:54, Tom Diehl via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I have 2 self compiled samba 4 DCs running 4.7.7 on Centos 7.5. One of them
> is operating normally. On the other DC bind will not start. I turned up
> debugging on
2018 May 10
2
Bind_DLZ krb errors @ startup.
Hi,
I have 2 self compiled samba 4 DCs running 4.7.7 on Centos 7.5. One of them
is operating normally. On the other DC bind will not start. I turned up
debugging on dlz_bind as per
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Debugging_the_BIND9_DLZ_Module
When I try to start named I get the following in the logs:
May 10 13:19:44 vdc2 named[23773]: starting BIND
2013 Nov 26
0
samba_dlz: Failed to find our own NTDS
Hi All!
Got a FreeBSD 9.2-RELEASE system with Samba 4.0.8 DC + AD, the BIND 9.9.4 as a DNS service.
I try to adjust of dynamic updating zones......for update DDHCP+DDNS
The Bind starting errors:
BIND 9.9.4 (Extended Support Version) <id:8f9657aa> built with '--disable-chroot' '--with-gssapi=/usr/local/gssapi'
2019 Jan 23
2
Odd behavior with "allow dns updates" (+dhcp_dyndns.sh)
All,
I'm hoping somebody could help explain this: with the Wiki dhcp_dyndns.sh
script and "allow dns updates = secure and nonsecure", I have the following
log snippet for a single machine:
Jan 22 13:37:35 DC1 dhcpd: Commit: IP: 172.250.250.19 DHCID:
> 1:be:a9:c5:4f:5f:cd Name: SERVER
> <stuff>
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on
2018 Nov 06
2
dynamic update for reverse lookup zone denied - insufficient access rights
Hello,
I'm struggling with an error for secure dynamic dns updates for reverse
lookup zones.
My environment:
2 Samba 4.8.4 DC's with BIND DLZ as dns backend, running on Centos 7.5.
Samba was compiled from source with default heimdal kerberos
(./configure --with-systemd --enable-gnutls) /I know now that
--with-systemd is not needed, but didn't know that at the time of compilation/.