similar to: Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates

I have one more interesting thing. I copied DC01 to LAB environment. I demoted "dead" servers DC02X and DC03X. After that I changed DNS backend to BIND. Now samba_dnsupdate --verbose --all-names run as expected (without TSIG errors). Also, I have one problematic client joined to domain during troubleshooting and it cannot do DNS update with Bind. So I also cloned it to LAB like DC01.

Hello everyone. In our company we use Samba 4 for about 3 years (classic upgraded from Samba 3.5 + LDAP to Sernet Samba 4.2). We used CentOS 6 for domain controllers and with Bind bundled in this distro was impossible to use dynamic DNS updates. And because I don't like using compiled SW on production servers, we used Samba internal DNS, which worked well (dynamic updates). With one non

> It should work ;-) > Can you post your smb.conf and /etc/named.conf files > Rowland Hello Rowland. Of course I can: cat /etc/samba/smb.conf # Global parameters [global] workgroup = SVMETAL realm = samdom.svmetal.cz netbios name = DC01 server services = -dns server role = active directory domain controller idmap_ldb:use rfc2307 = yes allow dns updates =

On Tue, 21 Aug 2018 16:50:19 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: > > ; TSIG error with server: tsig verify failure > > Mayabe update/setup your TSIG key. > https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key > > Im also wondering why RH is using :

> There doesn't seem anything wrong there, the only comment I would make, > is '/var/lib/samba/bind-dns/named.conf' pointing to the correct version > of named ? Yes cat /var/lib/samba/bind-dns/named.conf dlz "AD DNS Zone" { # For BIND 9.8.x # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so"; # For BIND 9.9.x database "dlopen

I just tested samba_dnsupdate --verbose --all-names on our test domain. Samba 4.8.2 from Tranquil IT on CentOS 7 and its Bind 9.9.4. And it just work. But with Internal DNS it threw ; TSIG error with server: tsig verify failure and Failed nsupdate: 2, same as in production domain. So you are right, Rowland, it's problem with Bind - Samba communication. But I don't know, why in test

Hello, guys. First of all, I would like to thank you all for the time you spend with solving my problem. I appreciate that very much. Especially Rowland. You make great job every day here on lists. Louis: > ; TSIG error with server: tsig verify failure > > Mayabe update/setup your TSIG key. >

> Yes, it is a failure, but a failure of the script, it shouldn't print > all those Python errors, it should print something like 'No update > required' for each attempted update and then 'No updates required' Yes, I understand. samba_dnsupdate --verbose --all-names --use-samba-tool gave reasonable output. But samba_dnsupdate --verbose --all-names only just throws ;

; TSIG error with server: tsig verify failure Mayabe update/setup your TSIG key. https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key Im also wondering why RH is using : '--disable-isc-spnego' Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org]

> So you never read this: > https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC > Which means that you probably never ran the aptly named > 'samba_upgradedns'Of course I ran this. Many times. I'm not stupid, Rowland. At least I can read:D If I've seen that Bind doesn't work, I had to change backend to internal DNS.I carefully read and made

Thank you both, Rowland and Louis. I'll try to answer you both and give you more info about our domain. Generally: In the past, we have Samba 3.5 NT4 domain on SLES server (designed ages before, never upgraded). In 2015 I finally decided to migrate to Samba 4 AD. In those day it was 4.2. samba-tool ntacl sysvolcheck was ok, no errors. AD worked (and working) as expected. This summer, I

To Rowland: > This was perfectly common, nobody thought this would ever be a problem,mainly because you had to have a user or group in /etc/passwd> or /etc/group mapped to a Samba. Now with AD, you do not need a user or group in /etc/passwd or /etc/group, so any user or group that uses the RID as a Unix ID is> probably too low and is denying the use of any local Unix users Yes, but where

Hello everyone. I'm trying to fix sysvol rights, because i see errors in output of /usr/bin/samba-tool ntacl sysvolcheck ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}

Alright, I'm taking the plunge: We're switching our three AD DCs from Samba internal to BIND_DLZ back end. I needed a version of BIND with DLZ, as it appears support for that is not so ubiquitous. I went here first: https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates We use Ubuntu 14.04 here, and the Debian/Ubuntu instructions fail on apt-get

Hello, The error described in the email title happens in version 9.10 of the bind that I have installed in our main DC. In face of that, I found the samba wiki article that talks about this problem. https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates I made a new installation via source with the suggested options: root at dc3:~# fakeroot ./configure

On Mon, 2 Jul 2018 10:27:58 -0300 Elias Pereira via samba <samba at lists.samba.org> wrote: > Hello, > > The error described in the email title happens in version 9.10 of the > bind that I have installed in our main DC. In face of that, I found > the samba wiki article that talks about this problem. >

On Wed, 31 Oct 2018 18:36:52 +0200 Eben Victor <eben.victor at gmail.com> wrote: > Hello Rowland, > > I have already checked and the DN's are in AD, see attached. > > SOA: > <domain>.corp. 3600 IN SOA psad102zadprh.<domain>.corp. . > 9766 3600 600 86400 3600 > > See below NS, but the 1st NS (zatprdc001) doesn't exsit, and I

On Wed, 31 Oct 2018 23:34:38 +0200 Eben Victor <eben.victor at gmail.com> wrote: > Hi Rowland, > > I didn't build samba, I'm running the sernet packages, > # rpm -qa | grep sernet > sernet-samba-libsmbclient0-4.8.6-16.el7.x86_64 > sernet-samba-ad-4.8.6-16.el7.x86_64 > sernet-samba-libs-4.8.6-16.el7.x86_64 > sernet-samba-client-4.8.6-16.el7.x86_64 >

Well, we are getting somewere...;) >It is probably 'greyed' out because no Windows tools use it or will add it. You will probably need to use Unix tools (ldb or ldap) to remove>them, but you can if you so wish ignore them. What you should never do is to rely on them being there, because they may or may not be there.Ok, I'll let it be there> You need to remove the gidNumber

Hai, I leave the advice about the uid/gid numbering to Rowland, i can not give a good advice on that. The script was made in such a way that it should not matter what uid/gids are where used. The script looks them up for you, but it must be error free so we are sure what is set is correct. If you look in the script, you see the four SID. DC_SERVER_OPERATORS="S-1-5-32-549"