similar to: Generating keytab on a read-only file system

> First, I suggest read : > https://wiki.samba.org/index.php/Keytab_Extraction I did. > Second, it his for > a member or AD-DC? Thats because of the location of the keytab and > the ad-dc creates its own keytab file. Thirth, are any other services > going to use it? Last, root must be able to write the keytab file. > They're members. The intent is to auto join clients

> > dedicated keytab file = /tmp/krb5.keytab > > For which programs do you use the keytab? I already tried that. But still tries to write at /etc. It seems this parameter used when you have a keytab already. __ Taner Tas

> > Hmm, i think its good that you read: > https://www.freedesktop.org/software/systemd/man/systemd.exec.html > > Check ProtectSystem= PrivateTmp= ReadWritePaths= > And basicly the sandboxing part. I had an opinion about that a systemd based distro won't suit for my customization needs then I choose Devuan. I'm actually using Devuan Ascii as nfs root and I

> Why do you feel you need sssd ? > Winbind will mostly do everything on a Unix domain member that sssd > does and what it doesn't do, there are other ways of doing them. Lets say "easiness". I actually stumbled that how it is easy to migrate Linux clients into AD structure with sssd comparing with my other attempts. Regards, __ Taner Tas

On Thu, 27 Dec 2018 14:29:59 +0300 Taner Tas via samba <samba at lists.samba.org> wrote: > > > > > First, I suggest read : > > https://wiki.samba.org/index.php/Keytab_Extraction > > I did. > > > Second, it his for > > a member or AD-DC? Thats because of the location of the keytab and > > the ad-dc creates its own keytab file. Thirth, are

On Fri, 03 Aug 2018 12:28:38 +1200 Andrew Bartlett <abartlet at samba.org> wrote: > On Thu, 2018-08-02 at 22:37 +0300, Taner Tas wrote: > > > Nobody has looked into it yet. Likely just an extra build rule > > > required, I would need to see the 9.11 and 9.12 DLZ header files to > > > check. > > > > > > Aaron Haslett (CC'ed) may be able

Hi, I tried to replicate two DC's (on test setup) with "--full-sync" option but fails with error message below. I tried "--full-sync" because I wonder if it has any effect on some diverged entries reported by "samba-tool ldapcmp". # samba-tool drs replicate dc1 dc2 --full-sync DC=samdom,DC=com ERROR(<class 'samba.drs_utils.drsException'>): DRS

Hi all, We have a Samba AD DC service running on Ubuntu 16.0.4 with Samba 4.3.11. We are planning to upgrade it to a recent version, probably 4.8.3. I think that I have two options: a) Package upgrade via 3rd party repositories (Louis Van Belle's repo) by following wiki. b) A fresh install of 4.8.3 on another VM then join it to 4.3.11 as backup DC, then transfer all FSMO roles on new and

> Nobody has looked into it yet. Likely just an extra build rule > required, I would need to see the 9.11 and 9.12 DLZ header files to > check. > > Aaron Haslett (CC'ed) may be able to help once he fights past the other > BIND9 issues he is looking at. > > Andrew Bartlett Thanks for response. I actually looked it myself. Since there is no DLZ ABI changes since

Hi! Have been using Fedora as my dovecot server for some time and am struggling with systemd at every update. Fedora insists on setting ProtectSystem=full in both dovecot.service and postfix.service at every update of the packages. This makes my mailstore which is in /usr/local/var/mail Read-only. And this makes the incoming emails delivered through dovecot-lda disappear into /dev/null until I

Hi, I recently noticed that when doing "samba_dns --all-names --verbose" against Bind-9.12, I can't update dns records. I'm getting these error messages for each record to update: . . . update failed: REFUSED Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.com alpine.samdom.com 389 Calling nsupdate for SRV

Hi, I'm trying to figure out to import the schema below to Samba LDAP. I tried to modify class names, DN etc but it didn't help. I don't paste here because of some long lines. Here is the link of ldif file: https://raw.githubusercontent.com/Pardus-LiderAhenk/lider-ahenk-installer/master/src/conf/liderahenk.ldif Thanks. --- Taner Tas

> > OK, get the 'Windows sysadmin' to go to the 2012 DC and run > 'rendom /end' on it, see if this fixes your problem. > > Rowland Thanks Rowland, that did the fix the problem related with WERR_DS_DOMAIN_RENAME_IN_PROGRESS error. But the problem evolved into a new one: "WERR_DS_DIFFERENT_REPL_EPOCHS" ... Starting replication Join failed - cleaning up

Hi, I need some info regarding what conditions make dhcp dynamic dns updates essential? Has Samba a limitation with accepting dns record update requests from logged clients? The wiki page doesn't contain such information except: "You must stop your windows clients from trying to update their own records, as this will fail and fill your logs with errors." Does this mean it is

Hi, I'm trying to implement an auto-join procedure for diskless (nfs root) thin clients. I'm able to issue "net ads join" command but /etc/krb5.keytab can't be created due to the read-only /etc directory. I'm using read-write tmpfs file system for other directories such as /tmp, /run, /var/log etc. but /etc supposed to be read-only. I have to tell "net ads

> > I'm trying to join a Samba 4.9.1 Debian Strech installation > > Please define 'installation', do you mean that you have installed the > required Samba packages and have not provisioned or something else ? Yes, I just installed required packages prior to join a DC. Just like preparing a join to any other Samba DC. Since there's already two Windows DC's

> Hi all, > > We have a Samba AD DC service running on Ubuntu 16.0.4 with Samba > 4.3.11. We are planning to upgrade it to a recent version, probably > 4.8.3. > > I think that I have two options: > > a) Package upgrade via 3rd party repositories (Louis Van Belle's repo) > by following wiki. > > b) A fresh install of 4.8.3 on another VM then join it to

Hi, There is a discussion in June regarding Bind 9.12 and Samba but that discussion has no any updated information. I checked out git but it seems that there's no related update on upstream either. Is there any progress on this? Maybe I should file a bug report. I sent a email to bugzilla-maintenance for a bugzilla acount but no response yet. *

Hi list,I want to make winbind kerberos ticket refresh work but I couldn't do it with configuration below: ------ smb.conf ------security = ADS workgroup = MYDOMAINrealm = MYDOMAIN.ORG log file = /var/log/samba/%m.loglog level = 6enable core files = no idmap config * : backend = tdbidmap config * : range = 3000-7999idmap config MYDOMAIN : backend = rid idmap config MYDOMAIN : range =

Hi, I'm trying to join a Samba 4.9.1 Debian Strech installation (also tested with 4.8.6) to a Windows 2012 R2 Server which runs in 2008-R2 functional level. This is a production system and it is going to be first Samba DC in domain. There is currently two Windows DC's in domain. All FSMO roles hold by DC1. It seems there's something going on with Widows DC's bu I'm not able