similar to: Group policies are not applied

Your setup is in consistant. > 127.0.0.1 localhost.localdomain localhost > 127.0.0.1 localhost I suggest run my debugscript, make sure the servers there base setup is the same. + set both DC's there /etc/resolv.conf search msi.mydomain.com mydomain.com # IF THIS IS DC1 nameserver 172.23.93.26 nameserver 172.23.93.25 nameserver 172.23.93.3 # and for DC0

I have 2 Ububtu DCs. One acting as a secondary/failover. At one point the users were replicated from primary to secondary. But now they are not replicating. The output from samba-tool drs showrepl is attached. What else may I provide to aid diagnostics? I know Samba does not replicate sysvol 'yet', so rsync is needed, but that does not seem to contain the users. Thank you,

Two attachments are not being sent. Pasting contents. DC0 smb.conf # Global parameters [global] netbios name = DC0 realm = MSI.MYDOMAIN.COM server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = MSI # This line was added 190710 (DFD)

Hai, Why would you ever add Domain users to Local Admins? Thas really a very big NO NO, dont do that, really.. Dont.. If you want to be an victum of online crime, that thats the way to allow it to happen. Now your GPO. Its a new setup, correct? If so. Login on the AD and kinit Administrator Run : samba-tool ntacl sysvolreset -k Now, goto the Default Domain policy, is

Hai,   That -k  should use the kerberos auth. we should think about a bit better description here.   When your root/Administrator then it works ok also. Wel, you found the problem and you where able to fix it, so im happy.   and good to see that you did not have any errors running: samba-tool ntacl sysvolreset   Thanks for the notice back.   Greetz,   Louis       Van: durwin at

I looked into Windows EventViewer and I found 'Invalid Credentials'. But I do not know how to deal with it. I have authenticated with Domain Controller, why is it saying 'Invalid Credentials'? - System - Provider [ Name] Microsoft-Windows-GroupPolicy [ Guid] {aea1b4fa-97d1-45f2-a64c-4d69fffd92c9} EventID 1006 Version 0 Level 2 Task 0 Opcode 1

Can you run this script on both DC's. https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh Anonimize where needed but keep thing like. You.dom.tld like that, dont change that to example.tld. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Durwin via samba > Verzonden: vrijdag 28 februari

On 02/03/2020 18:59, Durwin via samba wrote: >> Can you run this script on both DC's. OK, dc0 seems to have the ipaddress: 172.23.93.25 ?????? dc1 seems to have the ipaddress: 172.23.93.26 So why does dc1 use 172.23.93.3 as its nameserver ? and what is 172.23.93.3 ? The /etc/krb5.conf files should be the same on both machines, I prefer this format: [libdefaults] ???????

> > DC1 smb.conf > > winbind use default domain = true > > winbind offline logon = false > > winbind nss info = rfc2307 > > winbind enum users = yes > > winbind enum groups = yes > > The above lines have no place in a DC smb.conf or are defaults Commented them out. > > Change the following files as shown:

> > *named.conf.options* > > options { > > directory "/var/cache/bind"; > > > > // If there is a firewall between you and nameservers you want > > // to talk to, you may need to fix the firewall to allow multiple > > // ports to talk. See http://www.kb.cert.org/vuls/id/800113 > > > > // If

> > > > > Why are you using the internal dns server on one DC and Bind9 on the > > other ? > > I am very familiar with configuring Named on Fedora. I thought it > > would be > > just as easy on Ubuntu. After discovering the files were in different > > places > > and so many more being 'included', I decided to use internal on the

> > I followed this url to set up Samba AD DC. > > https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18. > 04-samba-AD_DC.txt > > > > I do have it working. I am testing with a Windows 10 VM as a member > > of the domain. > > The machine joins the domain. Also, as administrator, I can create > > and enforce > > Group Policies. from

+1 .. So fix both resolv.conf. Then both smb.conf DC1 : > dns forwarder = 172.23.93.3 DC0 : no forwarder. And reboot DC0. wait 1 min. Reboot DC1. Wait 1 min. And no check it all. Have a nice weekend. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > L.P.H. van Belle via samba > Verzonden:

> > > > *named.conf.options* > > > > options { > > > > directory "/var/cache/bind"; > > > > > > > > // If there is a firewall between you and nameservers you want > > > > // to talk to, you may need to fix the firewall to allow > > multiple > > > > // ports to talk.

I followed this url to set up Samba AD DC. https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt I do have it working. I am testing with a Windows 10 VM as a member of the domain. The machine joins the domain. Also, as administrator, I can create and enforce Group Policies. from this Windows machine. I have a Fedora 29 server which serves DHCP and DNS (and

smb.conf # Global parameters [global] netbios name = DC0 dns forwarder = 192.168.2.4 realm = GRANMARMO.INTRANET server role = active directory domain controller workgroup = GRANMARMO ntlm auth = mschapv2-and-ntlmv2-only password hash userPassword schemes = CryptSHA256 CryptSHA512 rpc server dynamic port range = 50000-55000 loglevel = 30 auth:5 winbind:5 passdb:5 time server = yes

Hey guys, I had recently setup a new DC (called dc0) (in accordance with the wiki) and now I would like to demote the old DC (called pdc0 :)). I followed the wiki again, but I ran into the following issue. When trying to demote the old DC, I get this error message: pdc0 # samba-tool domain demote ERROR: Current DC is still the owner of 2 role(s), use the role command to transfer roles to another

> Can you run this script on both DC's. > > https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh === BEGIN dc0 === Collected config --- 2020-02-28-08:30 ----------- Hostname: dc0 DNS Domain: msi.mydomain.com FQDN: dc0.msi.mydomain.com ipaddress: 172.23.93.25 ----------- Kerberos SRV _kerberos._tcp.msi.mydomain.com record verified ok, sample output:

> > > > > > Is this dns server also authoritative for the same dns domain as > > > the AD domain ? > > > > Yes, the Fedora29 server is authoritative. > > > > > > > > > > > Lets start with the smb.conf from the DC, your DC's FQDN and > > > ipaddress (sanitised if you have to) and the same for your Fedora

On 15/05/2019 21:43, durwin at mgtsciences.com wrote: > > > *named.conf.options* > > > options { > > >         directory "/var/cache/bind"; > > > > > >         // If there is a firewall between you and nameservers you want > > >         // to talk to, you may need to fix the firewall to allow > multiple > > >         //