similar to: Generating keytab on a read-only file system

Hai Taner, > -----Oorspronkelijk bericht----- > Van: Taner Tas [mailto:taner76 at gmail.com] > Verzonden: donderdag 27 december 2018 12:30 > Aan: L.P.H. van Belle via samba > CC: L.P.H. van Belle > Onderwerp: Re: [Samba] Generating keytab on a read-only file system > > > > > > First, I suggest read : > >

> First, I suggest read : > https://wiki.samba.org/index.php/Keytab_Extraction I did. > Second, it his for > a member or AD-DC? Thats because of the location of the keytab and > the ad-dc creates its own keytab file. Thirth, are any other services > going to use it? Last, root must be able to write the keytab file. > They're members. The intent is to auto join clients

> > dedicated keytab file = /tmp/krb5.keytab > > For which programs do you use the keytab? I already tried that. But still tries to write at /etc. It seems this parameter used when you have a keytab already. __ Taner Tas

> Why do you feel you need sssd ? > Winbind will mostly do everything on a Unix domain member that sssd > does and what it doesn't do, there are other ways of doing them. Lets say "easiness". I actually stumbled that how it is easy to migrate Linux clients into AD structure with sssd comparing with my other attempts. Regards, __ Taner Tas

On Thu, 27 Dec 2018 14:29:59 +0300 Taner Tas via samba <samba at lists.samba.org> wrote: > > > > > First, I suggest read : > > https://wiki.samba.org/index.php/Keytab_Extraction > > I did. > > > Second, it his for > > a member or AD-DC? Thats because of the location of the keytab and > > the ad-dc creates its own keytab file. Thirth, are

On Fri, 03 Aug 2018 12:28:38 +1200 Andrew Bartlett <abartlet at samba.org> wrote: > On Thu, 2018-08-02 at 22:37 +0300, Taner Tas wrote: > > > Nobody has looked into it yet. Likely just an extra build rule > > > required, I would need to see the 9.11 and 9.12 DLZ header files to > > > check. > > > > > > Aaron Haslett (CC'ed) may be able

Hai, First, I suggest read : https://wiki.samba.org/index.php/Keytab_Extraction Second, it his for a member or AD-DC? Thats because of the location of the keytab and the ad-dc creates its own keytab file. Thirth, are any other services going to use it? Last, root must be able to write the keytab file. If you place the keytab in an other non-default location like : With : dedicated keytab

> Nobody has looked into it yet. Likely just an extra build rule > required, I would need to see the 9.11 and 9.12 DLZ header files to > check. > > Aaron Haslett (CC'ed) may be able to help once he fights past the other > BIND9 issues he is looking at. > > Andrew Bartlett Thanks for response. I actually looked it myself. Since there is no DLZ ABI changes since

> > OK, get the 'Windows sysadmin' to go to the 2012 DC and run > 'rendom /end' on it, see if this fixes your problem. > > Rowland Thanks Rowland, that did the fix the problem related with WERR_DS_DOMAIN_RENAME_IN_PROGRESS error. But the problem evolved into a new one: "WERR_DS_DIFFERENT_REPL_EPOCHS" ... Starting replication Join failed - cleaning up

> > I'm trying to join a Samba 4.9.1 Debian Strech installation > > Please define 'installation', do you mean that you have installed the > required Samba packages and have not provisioned or something else ? Yes, I just installed required packages prior to join a DC. Just like preparing a join to any other Samba DC. Since there's already two Windows DC's

Hi, I tried to replicate two DC's (on test setup) with "--full-sync" option but fails with error message below. I tried "--full-sync" because I wonder if it has any effect on some diverged entries reported by "samba-tool ldapcmp". # samba-tool drs replicate dc1 dc2 --full-sync DC=samdom,DC=com ERROR(<class 'samba.drs_utils.drsException'>): DRS

On Wed, 26 Dec 2018 12:49:10 +0300 Taner Tas via samba wrote: > I have to tell "net ads join" or "net ads keytab create" commands to > create keytab file to a writable location. Can I do that? dedicated keytab file = /tmp/krb5.keytab For which programs do you use the keytab?

> > Hmm, i think its good that you read: > https://www.freedesktop.org/software/systemd/man/systemd.exec.html > > Check ProtectSystem= PrivateTmp= ReadWritePaths= > And basicly the sandboxing part. I had an opinion about that a systemd based distro won't suit for my customization needs then I choose Devuan. I'm actually using Devuan Ascii as nfs root and I

> Hi all, > > We have a Samba AD DC service running on Ubuntu 16.0.4 with Samba > 4.3.11. We are planning to upgrade it to a recent version, probably > 4.8.3. > > I think that I have two options: > > a) Package upgrade via 3rd party repositories (Louis Van Belle's repo) > by following wiki. > > b) A fresh install of 4.8.3 on another VM then join it to

Hi list,I want to make winbind kerberos ticket refresh work but I couldn't do it with configuration below: ------ smb.conf ------security = ADS workgroup = MYDOMAINrealm = MYDOMAIN.ORG log file = /var/log/samba/%m.loglog level = 6enable core files = no idmap config * : backend = tdbidmap config * : range = 3000-7999idmap config MYDOMAIN : backend = rid idmap config MYDOMAIN : range =

Hi, I'm trying to figure out to import the schema below to Samba LDAP. I tried to modify class names, DN etc but it didn't help. I don't paste here because of some long lines. Here is the link of ldif file: https://raw.githubusercontent.com/Pardus-LiderAhenk/lider-ahenk-installer/master/src/conf/liderahenk.ldif Thanks. --- Taner Tas

Hi, I need some info regarding what conditions make dhcp dynamic dns updates essential? Has Samba a limitation with accepting dns record update requests from logged clients? The wiki page doesn't contain such information except: "You must stop your windows clients from trying to update their own records, as this will fail and fill your logs with errors." Does this mean it is

Hi, I recently noticed that when doing "samba_dns --all-names --verbose" against Bind-9.12, I can't update dns records. I'm getting these error messages for each record to update: . . . update failed: REFUSED Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.com alpine.samdom.com 389 Calling nsupdate for SRV

Hi all, We have a Samba AD DC service running on Ubuntu 16.0.4 with Samba 4.3.11. We are planning to upgrade it to a recent version, probably 4.8.3. I think that I have two options: a) Package upgrade via 3rd party repositories (Louis Van Belle's repo) by following wiki. b) A fresh install of 4.8.3 on another VM then join it to 4.3.11 as backup DC, then transfer all FSMO roles on new and

Hello taner and guys, Can you send me the patch? I would like to test on a version of samba 4.9 with bind 9.12.x. Thanks in advance! On Sat, Aug 4, 2018 at 11:32 AM Taner Tas via samba <samba at lists.samba.org> wrote: > On Fri, 03 Aug 2018 12:28:38 +1200 > Andrew Bartlett <abartlet at samba.org> wrote: > > > On Thu, 2018-08-02 at 22:37 +0300, Taner Tas wrote: >