similar to: DC with outdated secrets

2 hours and I am a little further: Helped myself with Andrew's script in source4/scripts/devel/chgtdcpass which updated the machine password as well as the keytab. After a restart samba keeps complaining now that the (outdated) KVNO 6 is no longer part of the secrets.keytab: [2019/11/03 16:22:12.319958, 1] ../../source4/auth/gensec/gensec_gssapi.c:793(gensec_gssapi_update_internal) GSS

On Sun, 2019-11-03 at 16:24 +0100, Johannes Engel via samba wrote: > 2 hours and I am a little further: > Helped myself with Andrew's script in source4/scripts/devel/chgtdcpass > which updated the machine password as well as the keytab. > After a restart samba keeps complaining now that the (outdated) KVNO 6 is > no longer part of the secrets.keytab: > [2019/11/03

Hi, This is strange what you are writing. Are you saying, that if Administrator is in Domain Users group = ALL my users have admins rights? Hard to believe. Moreover, I'm unable to delete Administrator from Domain Users group, as this is my basic group (I received such an info). I believe the keytab is needed to sth, cause without it I keep receiving: [2018/04/03 17:32:39.331938, 1]

Hi Andrew, thanks a lot, however, I am not entirely sure I understand your hint: I have 3 DCs in the domain, the third of which is having the issue described. Now, here is what I did: > samba-tool drs replicate DC3 DC2 dc=my,dc=domain --local -k no Partition[dc=my,dc=domain] objects[0] linked_values[0] Incremental replication of 0 objects and 0 links from DC2 to

Hi Marc, Thanks for your reply! > Check if your dynamic DNS works. For details and troubleshooting, see: > https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates I'm not sure about the "--all-names" option, but the regular "samba_dnsupdate --verbose" updated all dns records for all DCs shortly after I joined them. The problematic dns records here are

Hello everyone since now a certain time I pull my hair and do not understand the source of my problem. after a samba 3 pdc migration to samba 4.8.5 AD, when a windows client starts the gpo computer is not applied to the boot. in the windows logs there are 1058 GPO errors and server side samba here are the logs: GSS server Update (krb5) (1) Update failed: Miscellaneous failure (see text): Failed

There was lack of membership in Administrators domain/Builtin group. I had only: Domain Users Group Policy Creator Owners Enterprise Admins Schema Admins Domain Admins I've added and I'll try. Thank you. Any hint with the recreation of keytab file? Regards, Kris -----Original Message----- From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba Sent:

Bonjour à tous depuis maintenant un certain temps je tire mes cheveux et ne comprends pas la source de mon problème. après une migration de samba 3 pdc vers samba 4.8.5 AD, au démarrage d’un client Windows, l’ordinateur gpo n’est pas appliqué au démarrage. Dans les journaux Windows, il y a 1058 erreurs d'objet de stratégie de groupe et samba côté serveur. Voici les journaux: Mise à jour du

THANK YOU FOR YOUR REPLY THE RESULT : KVNO Principal ---- -------------------------------------------------------------------------- 1 HOST/samba4 at FSS.LAN (des-cbc-crc) 1 HOST/samba4.fss.lan at FSS.LAN (des-cbc-crc) 1 SAMBA4$@FSS.LAN (des-cbc-crc) 1 HOST/samba4 at FSS.LAN (des-cbc-md5) 1 HOST/samba4.fss.lan at FSS.LAN (des-cbc-md5) 1 SAMBA4$@FSS.LAN (des-cbc-md5) 1

Hi, I migrated our DCs from 4.5/internal dns to 4.7.1/bind9_dlz. Short summary of the steps taken: - added a new temp dc, - removed the old DCs - cleaned sam database - installed new DCs, with their old dns/ip - removed the temp dc again - synced sysvol and all is looking well: no db errors, no replication issues, ldapcmp matches across DCs, etc. So, I took things to production today, and

We have 3 ADCs based on Samba-4.7.4 (compiled from source,internal DNS)/ CentOS7: dcdo1,dcnh1 and dcge1. dcge1 holds all FSMO roles. The 3 ADCs are on different locations connected via IPSec based VPN. No traffic is filtered out. All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom: [root at dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com

Can someone help me with samba4 with internal dns. Something strange showing in log.smbd when computers are doing gpupdate (becouse of this error computers cant apply gpo) log.smbd on DC1: [2017/01/13 13:49:16.075361, 1] ../source4/auth/gensec/gensec_gssapi.c:619(gensec_gssapi_update) GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find

Hello Samba team ! I'am in a very delicate situation. After an upgrade to debian Stretch my DRS stopped working. I have three DCs (fichdc, fichds01, fichds02), all Debian Stretch, all with the same problem. Everything seems to be fine except DRS. -> File shares works -> DNS (with bind9 DLZ) works -> "kinit administrator" works -> "kinit -k FICHDC$" works ->

On Wed, 27 Dec 2017 13:00:05 +0100 "Dr. Johannes-Ulrich Menzebach via samba" <samba at lists.samba.org> wrote: > There is additional info in the logs of the source DC (dcdo1, log > level 2, manually triggered another replication): > ==================== > [2017/12/27 12:31:29.695121,  2] >

Not even sure where to begin. I've attempted to setup a Ubuntu 14.04 box as a 2nd AD controler in a Windows 2008 domain. The main domain controller is an actual windows machine. Unfortunaly it is an older domain and is a ".local" which I know gives y'all heartburn. After installign samba, I did not provsion it but ran this: "sudo samba-tool domain join MYDOMAIN.LOCAL DC -U

what is the output of "kvno dc.domain.net.pl"? There seems to be mismatch kvno of the secrets keytab, and what is client expecting (kvno 2). Kvno increments by 1 for every password change. Was there by any chance password change for the dc$ account and keytab was not recreated? If You made some upgrades, maybe during process You for example rejoined the domain (that would set new

Try verifying kvno from the client that gives the error message. That kvno = 2 for dc$ must've come from somewhere. You can also double check e.g. via ADUC ldap attributes of the dc$: lastpwdset and kvno. If  kvno is definately 1 that means that client connecting has some error, if it's 2, than it means that dc has outdated keytab. And if it's the former, than I really am not sure

I've cleared all DNS records (indeed, they were still there). I'm not sure if that was the issue, cause I've discovered that the real problem is related to insufficient Administrator rights. I was able to join that DC to domain using credentials of my second user (member of domain admins group). The first one had to get out from Domain admins. Can this be related to fixing the

Hi, I suggest you post this to samba at list.samba.org that more for these questions. Try this setting in resolv.conf search domain.net.pl nameserver 10.1.10.11 # IP of DC itself. #nameserver # and extra nameserver that has access to the DC dns info. (a second dc maybe) nameserver 8.8.8.8 # IP of forwarder in SMB.conf as backup for internet access. # and max 3 nameservers in

Sorry for the translation. actually my first installation is a samba put into production, to avoid errors, I cloned on a new VM not to break my current system. on this one I redid an installation with DEB packages "https://dev.tranquil.it" I then made a restoration. I presice that the supply is a samba3 pdc migration to samba4 dc "samba-tool domain samba3upgrade". I only have