similar to: Samba DC and DNS best practices

Hi Rowland, On Fri, Jun 28, 2019, 04:55 Rowland penny via samba <samba at lists.samba.org> wrote: > You should be doing it the other way around. Your AD clients should be > using the AD DC's as their nameservers and anything outside the AD dns > domain should be forwarded to an external DNS server. > On this wiki page [1] it says: > For high traffic environments, it is

Hey all. I've got working samba AD server with dlz backend. To avoid performance issues I'm using external DNS which forwards queries for the AD zone to the Samba server, like that: zone "myadzone.int" { > type forward; > forwarders { 192.xx.x.xx; }; > }; 192.xx.x.xx = my AD Samba. This way it works alright, but on the external DNS I'm getting

Sorry to hop on an existing conversation but this seemed like a good point to jump in with this question. Say I have a service account, with a random password that is set to never expire. What component is expected to periodically renew (or request anew) the Kerberos TGT using that password? I see lots of information about SSSD handling this, but less so with Samba. Also, I understand that in

Hello, while investigating a report from Jan-Piet Mens (resulting in http://wiki.powerdns.com/trac/changeset/3109), we discovered that NSD (both 3.2.15 and 4.0.0b4) compresses labels in RP content. As far as I can see, this is not allowed by RFC3597 section 4 paragraph 1/2. PowerDNS Recursor, like Unbound and BIND, now deals with this as 3597 section 4 paragraph 4 says we SHOULD. Nevertheless,

On 16/07/2019 14:16, Jonathon Reinhart wrote: > On Tue, Jul 16, 2019 at 9:11 AM Rowland penny via samba > <samba at lists.samba.org> wrote: >> On 16/07/2019 14:02, Jonathon Reinhart wrote: >>> Rowland, >>> >>> You could go another step further and run that with "notify" to >>> monitor for changes, instead of having to run it in a cron

On Thu, Apr 7, 2016 at 11:00 AM, Sketch <smblist at rednsx.org> wrote: > My guess would be not much, because BIND9_DLZ exists and (mostly) gives you > the best of both worlds. Which does bring up a question. It seems that outside of a feature or two and some added flexibility that there is, at the core, no difference between Samba's internal DNS and BIND9_DLZ as there are no text

On 16/07/2019 16:40, Jonathon Reinhart wrote: > On Tue, Jul 16, 2019 at 9:32 AM Rowland penny via samba > <samba at lists.samba.org> wrote: >> On 16/07/2019 14:16, Jonathon Reinhart wrote: >>> On Tue, Jul 16, 2019 at 9:11 AM Rowland penny via samba >>> <samba at lists.samba.org> wrote: >>>> On 16/07/2019 14:02, Jonathon Reinhart wrote:

On Sun, Apr 7, 2019 at 2:17 PM Rowland Penny via samba < samba at lists.samba.org> wrote: > > On Sun, 7 Apr 2019 13:45:11 -0400 > Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote: > > > Interesting, I'm getting the same error using the LDB tools: > > > > ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H > >

On Thu, Apr 7, 2016 at 11:00 AM, Sketch <smblist at rednsx.org> wrote: > My guess would be not much, because BIND9_DLZ exists and (mostly) gives you > the best of both worlds. If you want to use bind with MS DNS servers, then > you have to go that route, but it's not necessary with Samba 4 and > BIND9_DLZ. That's clear but I was thinking more of the analogous

Interesting, I'm getting the same error using the LDB tools: ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H ldap://localhost ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run return

On 16/07/2019 14:02, Jonathon Reinhart wrote: > Rowland, > > You could go another step further and run that with "notify" to > monitor for changes, instead of having to run it in a cron job. In my > experience, "notify" works using smbclient, but not so with > libsmbclient. Problem is, the script is written to be run on DC's that do not hold the PDC

On Tue, 26 Mar 2019 07:37:54 -0400 Jonathon Reinhart via samba <samba at lists.samba.org> wrote: > I recently went through these steps from the wiki and took the > following notes which I had not yet shared / suggested for the wiki. > (This is from mobile, sorry for the terse message.) > > - You need to clear the idmap cache after copying idmap.ldb ("net > cache

Hello, I'm trying to use the "notify" API of libsmbclient, testing against a Samba AD DC. The function is returning with errno=22 (mapped from NT_STATUS_REVISION_MISMATCH), and I'm getting the following error message: smb1cli_req_writev_submit: called for dialect[SMB3_11] server[dc1.example.com] It looks like libsmbclient is, for some reason, using SMB1 but needs to be

On 7/25/19 6:48 AM, rainer at ultra-secure.de wrote: > Am 2019-07-25 15:41, schrieb hw: >> On 7/25/19 2:53 PM, rainer at ultra-secure.de wrote: >>> Am 2019-07-25 14:51, schrieb hw: >>>> Hi, >>>> >>>> how can DNS reliability, as experienced by clients on the LAN who are >>>> sending queries, be increased? >>>>

On 7/25/19 2:53 PM, rainer at ultra-secure.de wrote: > Am 2019-07-25 14:51, schrieb hw: >> Hi, >> >> how can DNS reliability, as experienced by clients on the LAN who are >> sending queries, be increased? >> >> Would I have to set up some sort of cluster consisting of several >> servers all providing DNS services which is reachable under a single

On Sun, Mar 3, 2019 at 5:14 AM Rowland Penny via samba <samba at lists.samba.org> wrote: [snip] > > Correct me if I'm wrong, but winbind (on a Samba DC) can **only** use > > "template homedir" and "template shell", and will not respect the RFC > > 2307 attributes in LDAP. Is that correct? > > Yes and no ;-) > > If you use the

Hello, A client is asking about disabling, deleting or renaming the domain "Administrator" account on a Samba AD. I've seen this done on Windows AD domains for security purposes. Assuming the risk of being locked-out is mitigated (i.e. an equivalent user is created and is a member of the same groups), is there any reason this can't be done on a Samba AD as well? Is the

Thanks for the example, Rowland. Does ldb work against remote servers as well? I thought it was only for local, file-based access. In general, I just wanted to use my Samba AD as an environment to learn more about writing software against using LDAP. There are a few applications I'm planning to develop, and I'd like to use actual LDAP so they could be applicable to Samba or Microsoft AD

Hello, A user of my "adman" utility recently opened this issue [1]: "Add support for setting uidNumber for machine account" I was aware that computer accounts were also users in AD, but I hadn't considered assigning a uidNumber to them. It makes sense that winbind (in idmap="ad" mode) would not "see" the accounts with a uidNumber. Naturally, groups of

On Wed, Apr 13, 2016 at 10:29 AM, Sketch <smblist at rednsx.org> wrote: > My understanding of Unbound is that designed as a caching nameserver, not an > authoratative nameserver. It's supposed to serve DNS to clients from > another server, such as BIND or Samba's internal DNS server. Pointing it to > your domain's authoratative Samba/BIND9_DLZ DNS servers seems like