Displaying 20 results from an estimated 10000 matches similar to: "Samba DC and DNS best practices"
2019 Jun 28
3
AD DLZ backend - 'proper' way of doing it
Hi Rowland,
On Fri, Jun 28, 2019, 04:55 Rowland penny via samba <samba at lists.samba.org>
wrote:
> You should be doing it the other way around. Your AD clients should be
> using the AD DC's as their nameservers and anything outside the AD dns
> domain should be forwarded to an external DNS server.
>
On this wiki page [1] it says:
> For high traffic environments, it is
2019 Jun 28
4
AD DLZ backend - 'proper' way of doing it
Hey all.
I've got working samba AD server with dlz backend. To avoid performance
issues I'm using external DNS which forwards queries for the AD zone to the
Samba server, like that:
zone "myadzone.int" {
    type forward;
    forwarders { 192.xx.x.xx; };
};
192.xx.x.xx = my AD Samba.
This way it works alright, but on the external DNS I'm getting
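As an added illustration, not part of the original post or of Samba's own documentation, here are the two layouts the thread contrasts written out as configuration fragments. The addresses are assumptions: 192.0.2.10 and 192.0.2.11 stand for the Samba DCs, 192.0.2.53 for the external recursive resolver; myadzone.int is the zone name from the post.

```conf
# --- Layout recommended in the thread: AD clients query the DCs, the DCs forward everything else ---

# /etc/samba/smb.conf on each DC. "dns forwarder" is honoured by Samba's
# internal DNS server; with the BIND9_DLZ backend forwarding is configured
# in named.conf instead. Addresses below are assumed for the example.
[global]
    dns forwarder = 192.0.2.53

# /etc/resolv.conf on an AD client: list every DC so a single DC outage
# does not take DNS (and with it Kerberos/LDAP SRV lookups) down.
search myadzone.int
nameserver 192.0.2.10
nameserver 192.0.2.11

# --- Layout used in the post: the external resolver forwards only the AD zone to the DCs ---

# named.conf on the external BIND resolver
zone "myadzone.int" {
    type forward;
    # "forward only" is the important line. BIND's default is "forward first":
    # if the DCs fail to answer, BIND falls back to normal recursion and sends
    # queries for the private zone to the public root servers.
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};
```

The forward zone also covers `_msdcs.myadzone.int` and every other name under the AD domain, so one forward statement is enough. If the external resolver validates DNSSEC, the unsigned AD zone will come back SERVFAIL unless it is excluded from validation (on BIND 9.16 and later `validate-except { "myadzone.int"; };`, on Unbound `domain-insecure: "myadzone.int"`); that exclusion is an assumption about the resolver in use, not something the post describes.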
2019 Apr 10
2
Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
Sorry to hop on an existing conversation but this seemed like a good
point to jump in with this question.
Say I have a service account, with a random password that is set to
never expire. What component is expected to periodically renew (or
request anew) the Kerberos TGT using that password? I see lots of
information about SSSD handling this, but less so with Samba.
Also, I understand that in
2013 Mar 01
1
NSD compressing RP content
Hello,
while investigating a report from Jan-Piet Mens (resulting in http://wiki.powerdns.com/trac/changeset/3109), we discovered that NSD (both 3.2.15 and 4.0.0b4) compresses labels in RP content. As far as I can see, this is not allowed by RFC3597 section 4 paragraph 1/2.
PowerDNS Recursor, like Unbound and BIND, now deals with this as 3597 section 4 paragraph 4 says we SHOULD. Nevertheless,
2019 Jul 16
2
Syncing Sysvol
On 16/07/2019 14:16, Jonathon Reinhart wrote:
> On Tue, Jul 16, 2019 at 9:11 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> On 16/07/2019 14:02, Jonathon Reinhart wrote:
>>> Rowland,
>>>
>>> You could go another step further and run that with "notify" to
>>> monitor for changes, instead of having to run it in a cron
2016 Apr 07
2
samba dns
On Thu, Apr 7, 2016 at 11:00 AM, Sketch <smblist at rednsx.org> wrote:
> My guess would be not much, because BIND9_DLZ exists and (mostly) gives you
> the best of both worlds.
Which does bring up a question. It seems that outside of a feature or
two and some added flexibility that there is, at the core, no
difference between Samba's internal DNS and BIND9_DLZ as there are no
text
2019 Jul 16
5
Syncing Sysvol
On 16/07/2019 16:40, Jonathon Reinhart wrote:
> On Tue, Jul 16, 2019 at 9:32 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> On 16/07/2019 14:16, Jonathon Reinhart wrote:
>>> On Tue, Jul 16, 2019 at 9:11 AM Rowland penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On 16/07/2019 14:02, Jonathon Reinhart wrote:
2019 Apr 07
2
"00002020: Operation unavailable without authentication" using python-ldap
On Sun, Apr 7, 2019 at 2:17 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
>
> On Sun, 7 Apr 2019 13:45:11 -0400
> Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
> > Interesting, I'm getting the same error using the LDB tools:
> >
> > ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H
> >
2016 Apr 13
2
samba dns
On Thu, Apr 7, 2016 at 11:00 AM, Sketch <smblist at rednsx.org> wrote:
> My guess would be not much, because BIND9_DLZ exists and (mostly) gives you
> the best of both worlds. If you want to use bind with MS DNS servers, then
> you have to go that route, but it's not necessary with Samba 4 and
> BIND9_DLZ.
That's clear but I was thinking more of the analogous
2019 Apr 07
3
"00002020: Operation unavailable without authentication" using python-ldap
Interesting, I'm getting the same error using the LDB tools:
ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H
ldap://localhost
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR -
<00002020: Operation unavailable without authentication> <>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
177, in _run
return
2019 Jul 16
2
Syncing Sysvol
On 16/07/2019 14:02, Jonathon Reinhart wrote:
> Rowland,
>
> You could go another step further and run that with "notify" to
> monitor for changes, instead of having to run it in a cron job. In my
> experience, "notify" works using smbclient, but not so with
> libsmbclient.
Problem is, the script is written to be run on DC's that do not hold the
PDC
2019 Mar 26
6
Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
On Tue, 26 Mar 2019 07:37:54 -0400
Jonathon Reinhart via samba <samba at lists.samba.org> wrote:
> I recently went through these steps from the wiki and took the
> following notes which I had not yet shared / suggested for the wiki.
> (This is from mobile, sorry for the terse message.)
>
> - You need to clear the idmap cache after copying idmap.ldb ("net
> cache
2019 Jul 03
2
Problem with libsmbclient notify
Hello,
I'm trying to use the "notify" API of libsmbclient, testing against a
Samba AD DC. The function is returning with errno=22 (mapped from
NT_STATUS_REVISION_MISMATCH), and I'm getting the following error
message:
smb1cli_req_writev_submit: called for dialect[SMB3_11]
server[dc1.example.com]
It looks like libsmbclient is, for some reason, using SMB1 but needs
to be
2019 Mar 03
2
(no subject)
On Sun, Mar 3, 2019 at 5:14 AM Rowland Penny via samba
<samba at lists.samba.org> wrote:
[snip]
> > Correct me if I'm wrong, but winbind (on a Samba DC) can **only** use
> > "template homedir" and "template shell", and will not respect the RFC
> > 2307 attributes in LDAP. Is that correct?
>
> Yes and no ;-)
>
> If you use the
2019 Jun 17
2
Disabling or deleting domain "Administrator" account
Hello,
A client is asking about disabling, deleting or renaming the domain
"Administrator" account on a Samba AD. I've seen this done on Windows
AD domains for security purposes.
Assuming the risk of being locked-out is mitigated (i.e. an equivalent
user is created and is a member of the same groups), is there any
reason this can't be done on a Samba AD as well?
Is the
2019 Jul 25
3
how to increase DNS reliability?
On 7/25/19 2:53 PM, rainer at ultra-secure.de wrote:
> On 2019-07-25 14:51, hw wrote:
>> Hi,
>>
>> how can DNS reliability, as experienced by clients on the LAN who are
>> sending queries, be increased?
>>
>> Would I have to set up some sort of cluster consisting of several
>> servers all providing DNS services which is reachable under a single
2019 Jul 25
4
how to increase DNS reliability?
On 7/25/19 6:48 AM, rainer at ultra-secure.de wrote:
> On 2019-07-25 15:41, hw wrote:
>> On 7/25/19 2:53 PM, rainer at ultra-secure.de wrote:
>>> On 2019-07-25 14:51, hw wrote:
>>>> Hi,
>>>>
>>>> how can DNS reliability, as experienced by clients on the LAN who are
>>>> sending queries, be increased?
>>>>
2019 Apr 07
2
"00002020: Operation unavailable without authentication" using python-ldap
Thanks for the example, Rowland.
Does ldb work against remote servers as well? I thought it was only for
local, file-based access.
In general, I just wanted to use my Samba AD as an environment to learn
more about writing software against using LDAP. There are a few
applications I'm planning to develop, and I'd like to use actual LDAP so
they could be applicable to Samba or Microsoft AD
2020 Feb 14
4
Setting uidNumber for machine accounts
Hello,
A user of my "adman" utility recently opened this issue [1]: "Add
support for setting uidNumber for machine account"
I was aware that computer accounts were also users in AD, but I hadn't
considered assigning a uidNumber to them. It makes sense that winbind
(in idmap="ad" mode) would not "see" the accounts with a uidNumber.
Naturally, groups of
2016 Apr 13
1
samba dns
On Wed, Apr 13, 2016 at 10:29 AM, Sketch <smblist at rednsx.org> wrote:
> My understanding of Unbound is that it is designed as a caching nameserver, not an
> authoritative nameserver. It's supposed to serve DNS to clients from
> another server, such as BIND or Samba's internal DNS server. Pointing it to
> your domain's authoritative Samba/BIND9_DLZ DNS servers seems like