Displaying 20 results from an estimated 2000 matches similar to: "Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates"
2018 Aug 24
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
I have one more interesting thing.
I copied DC01 to LAB environment. I demoted "dead" servers DC02X and
DC03X. After that I changed DNS backend to BIND.
Now samba_dnsupdate --verbose --all-names runs as expected (without TSIG
errors).
Also, I have one problematic client joined to domain during
troubleshooting and it cannot do DNS update with Bind. So I also cloned
it to LAB like DC01.
2018 Aug 21
1
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
Hello everyone.
In our company we have used Samba 4 for about 3 years (classic upgraded from
Samba 3.5 + LDAP to Sernet Samba 4.2). We used CentOS 6 for domain
controllers and with the Bind bundled in this distro it was impossible to use
dynamic DNS updates. And because I don't like using compiled SW on
production servers, we used Samba internal DNS, which worked well
(dynamic updates).
With one non
2018 Aug 21
1
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> It should work ;-)
> Can you post your smb.conf and /etc/named.conf files
> Rowland
Hello Rowland. Of course I can:
cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = SVMETAL
realm = samdom.svmetal.cz
netbios name = DC01
server services = -dns
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
allow dns updates =
2018 Aug 21
1
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
On Tue, 21 Aug 2018 16:50:19 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> ; TSIG error with server: tsig verify failure
>
> Maybe update/setup your TSIG key.
> https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key
>
> I'm also wondering why RH is using :
2018 Aug 21
1
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> There doesn't seem anything wrong there, the only comment I would make,
> is '/var/lib/samba/bind-dns/named.conf' pointing to the correct version
> of named ?
Yes
cat /var/lib/samba/bind-dns/named.conf
dlz "AD DNS Zone" {
# For BIND 9.8.x
# database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
# For BIND 9.9.x
database "dlopen
2018 Aug 22
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
I just tested samba_dnsupdate --verbose --all-names on our test domain.
Samba 4.8.2 from Tranquil IT on CentOS 7 and its Bind 9.9.4.
And it just works.
But with Internal DNS it threw ; TSIG error with server: tsig verify
failure and Failed nsupdate: 2, same as in production domain.
So you are right, Rowland, it's a problem with Bind - Samba
communication. But I don't know, why in test
2018 Aug 22
1
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
Hello, guys.
First of all, I would like to thank you all for the time you spend solving my problem. I appreciate that very much. Especially Rowland. You do a great job every day here on the lists.
Louis:
> ; TSIG error with server: tsig verify failure
>
> Maybe update/setup your TSIG key.
>
2018 Aug 22
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> Yes, it is a failure, but a failure of the script, it shouldn't print
> all those Python errors, it should print something like 'No update
> required' for each attempted update and then 'No updates required'
Yes, I understand. samba_dnsupdate --verbose --all-names --use-samba-tool gave reasonable output. But samba_dnsupdate --verbose --all-names only just throws
;
2018 Aug 21
0
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
; TSIG error with server: tsig verify failure
Maybe update/setup your TSIG key.
https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key
I'm also wondering why RH is using : '--disable-isc-spnego'
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org]
2018 Aug 21
3
Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> So you never read this:
> https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC
> Which means that you probably never ran the aptly named
> 'samba_upgradedns'
Of course I ran this. Many times. I'm not stupid, Rowland. At least I can read :D
If I've seen that Bind doesn't work, I had to change backend to internal DNS. I carefully read and made
2017 Sep 05
3
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Thank you both, Rowland and Louis.
I'll try to answer you both and give you more info about our domain.
Generally:
In the past, we had a Samba 3.5 NT4 domain on a SLES server (designed ages
before, never upgraded). In 2015 I finally decided to migrate to Samba 4
AD. In those days it was 4.2. samba-tool ntacl sysvolcheck was ok, no
errors. AD worked (and is working) as expected.
This summer, I
2017 Sep 05
1
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
To Rowland:
> This was perfectly common, nobody thought this would ever be a
> problem, mainly because you had to have a user or group in /etc/passwd
> or /etc/group mapped to a Samba. Now with AD, you do not need a user or
> group in /etc/passwd or /etc/group, so any user or group that uses the
> RID as a Unix ID is probably too low and is denying the use of any
> local Unix users
Yes, but where
2017 Sep 04
2
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Hello everyone.
I'm trying to fix sysvol rights, because I see errors in output of
/usr/bin/samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
2016 Apr 12
2
Failed to re-index objectSid after botched DLZ back-end update
Alright, I'm taking the plunge: We're switching our three AD DCs from Samba internal to BIND_DLZ back end.
I needed a version of BIND with DLZ, as it appears support for that is not so ubiquitous.
I went here first: https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates
We use Ubuntu 14.04 here, and the Debian/Ubuntu instructions fail on apt-get
2018 Jul 02
2
client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
Hello,
The error described in the email title happens in version 9.10 of the bind
that I have installed in our main DC. In face of that, I found the samba
wiki article that talks about this problem.
https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates
I made a new installation via source with the suggested options:
root@dc3:~# fakeroot ./configure
2018 Jul 02
0
client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
On Mon, 2 Jul 2018 10:27:58 -0300
Elias Pereira via samba <samba at lists.samba.org> wrote:
> Hello,
>
> The error described in the email title happens in version 9.10 of the
> bind that I have installed in our main DC. In face of that, I found
> the samba wiki article that talks about this problem.
>
2018 Oct 31
0
Internal DNS migrate to Bind9_DLZ
On Wed, 31 Oct 2018 18:36:52 +0200
Eben Victor <eben.victor at gmail.com> wrote:
> Hello Rowland,
>
> I have already checked and the DN's are in AD, see attached.
>
> SOA:
> <domain>.corp. 3600 IN SOA psad102zadprh.<domain>.corp. .
> 9766 3600 600 86400 3600
>
> See below NS, but the 1st NS (zatprdc001) doesn't exist, and I
2018 Oct 31
0
Internal DNS migrate to Bind9_DLZ
On Wed, 31 Oct 2018 23:34:38 +0200
Eben Victor <eben.victor at gmail.com> wrote:
> Hi Rowland,
>
> I didn't build samba, I'm running the sernet packages,
> # rpm -qa | grep sernet
> sernet-samba-libsmbclient0-4.8.6-16.el7.x86_64
> sernet-samba-ad-4.8.6-16.el7.x86_64
> sernet-samba-libs-4.8.6-16.el7.x86_64
> sernet-samba-client-4.8.6-16.el7.x86_64
>
2017 Sep 05
1
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Well, we are getting somewhere...;)
> It is probably 'greyed' out because no Windows tools use it or will
> add it. You will probably need to use Unix tools (ldb or ldap) to
> remove them, but you can if you so wish ignore them. What you should
> never do is to rely on them being there, because they may or may not be
> there.
Ok, I'll let it be there
> You need to remove the gidNumber
2017 Sep 05
0
BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Hai,
I leave the advice about the uid/gid numbering to Rowland, I cannot give good advice on that.
The script was made in such a way that it should not matter what uid/gids are where used.
The script looks them up for you, but it must be error free so we are sure what is set is correct.
If you look in the script, you see the four SID.
DC_SERVER_OPERATORS="S-1-5-32-549"