similar to: procedure to change DC password

2025 Apr 23
3
procedure to change DC password
On Wed, 23 Apr 2025 14:35:16 +0200 Kacper Wirski via samba <samba at lists.samba.org> wrote: > What is the best approach to change samba ad dc's own password? > Windows machines change periodically, linux domain members can simply > re-join domain, but when it comes to DC's I can't find any > recommended steps? Is re-joining domain as domain controller viable >
2025 May 02
1
procedure to change DC password
Hello, net ads changetrustpw this command works fine on domain members, but on domain controller there is hard fail with: ads_change_trust_account_password: Machine account password change only supported on a DOMAIN_MEMBER On 23.04.2025 at 15:32, Rowland Penny via samba wrote: > net ads changetrustpw
2025 Feb 13
1
Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
It's definitely not that, I'm running local pki and CA is distributed to all stations, new win 11 24h2 has the root CA in the proper store (one of the things I double checked), and samba ad dc servers use certificates issued by this CA. Do You have windows 11 24h2 in samba ad with no issues? Which samba version You're running? Regards, Kacper On 13.02.2025 at 22:19, Luca
2025 Feb 13
1
Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
I just want to add, that this week I introduced first windows 11 24h2 to AD - everything up to 23h2 is working fine - but windows 11 24h2 has some strange kerberos-related issues. I added pc to domain successfully and can log in, but I can't access sysvol and netlogon and gpupdate fails. Automatic DNS update from the workstation fails with insufficient rights (running bind on samba ad dc)
2025 Feb 17
1
samba with stronger enctypes (exportkeytab and kinit)
Hello, I have issue with samba-tool domain exportkeytab command, that is exporting keytab only with RC4 encryption, even though account (--principal) in the command has msDS-SupportedEncryptionTypes": 24 so, only AES128 AND AES256, I can later add other encryption types to the keytab, but I think I shouldn't have to, in the wiki section of samba in generating keytabs it's
2019 Jun 10
1
SAMBA AD VFS:Recycle bad permissions
I had similar issue on samba 4.8 domain member (new files with wrong permissions), when I realised that You need to list all modules that You wish to use in "vfs objects" every time, there is no inheritance from global -> shares that is if You have e.g. [global] ... vfs object = acl_xattr .. [some share] ... vfs object = recycle .. On samba DC "acl_xattr" is
2025 Feb 17
2
samba with stronger enctypes (exportkeytab and kinit)
On Mon, 17 Feb 2025 11:20:28 +0100 Kacper Wirski via samba <samba at lists.samba.org> wrote: > Hello, > > I have issue with samba-tool domain exportkeytab command, that is > exporting keytab only with RC4 encryption, even though account > (--principal) in the command has msDS-SupportedEncryptionTypes": 24 > > so, only AES128 AND AES256, > > I can later
2025 May 02
1
procedure to change DC password
Hi Kacper, maybe you've overlooked my answer from April 23rd. Kees has written a script especially for this: See "dc_password_change" on https://github.com/kvvloten/samba_integrations/tree/main/domain_controller/manage_scripts This script works in my AD without problems for some time... Regards Ingo https://github.com/WAdama Kacper Wirski via samba wrote on 02.05.2025 at
2019 Jun 03
0
samba file server - sediskoperatorprivilege not being honored
Hello, Since nobody picked this up I will try to answer myself (hopefully correctly). I think I just misread documentation on wiki, but I would really appreciate a clarification. In the wiki it states: "To enable other accounts than the domain administrator to set permissions on Windows, grant |Full control| (|rwx|) to the user or group you granted the |SeDiskOperatorPrivilege|
2019 May 29
2
samba file server - sediskoperatorprivilege not being honored
Hello, I've been setting up new file server using samba 4.8.3 (centos 7 RPM), as samba 4 AD member server using my earlier smb.conf when I realised that I was previously somewhat circumventing the SeDiskOperatorPrivilege by using "admin users map" to SAMDOM\Domain admins" parameter in smb.conf. I decided to change my smb.conf and setup shares following samba wiki. All
2025 Apr 23
1
procedure to change DC password
On Wed, 23 Apr 2025 15:55:56 +0200 Kacper Wirski via samba <samba at lists.samba.org> wrote: > Thank You, > > I already changed krbtgt, I meant computer account. Does changing > domain controller password with this command require restart of samba > service, won't it interrupt replication between controllers etc.? I > have 3 dc's in my environment, that's why
2019 May 04
3
Windows 2012 server as a member?
You can add windows server 2012 to samba 4 domain as a domain member (without AD DC role) without any issues. I myself have added multiple windows 2012, 2012r2 and 2016 member servers without any issues. And, what's important, You actually DON'T want to make them DC, because of what Rowland just wrote. Regards, Kacper. On 04.05.2019 at 20:19, Rowland Penny via samba wrote: >
2019 Jun 03
0
samba file server - sediskoperatorprivilege not being honored
Ok, thank You for confirmation, I was a bit worried I have something misconfigured. On my file server I'm using backend = rid, mainly (but only) because of this (to not set in AD uid/gid for Domain Admins group). Regards, Kacper Wirski On 03.06.2019 at 14:07, Rowland Penny via samba wrote: > On 03/06/2019 12:29, Kacper Wirski via samba wrote: >> Hello, >> >> Since
2019 May 04
0
Windows 2012 server as a member?
Roland, It has been suggested that the program can run on W10 dedicated workstation. Acting as an Access database server. That statement gave me the idea that why could it not just be W2012 server and IT be the workstation OS. (But, they also said it is more efficient on W2012.) I am still weighing my options. Kacper, Your statement backs up the information that I am "gleaning" from
2025 Feb 13
1
Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
On 13/2/25 at 19:43, Kacper Wirski via samba wrote: > I just want to add, that this week I introduced first windows 11 24h2 to > AD - everything up to 23h2 is working fine - but windows 11 24h2 has > some strange kerberos-related issues. > > I added pc to domain successfully and can log in, but I can't access > sysvol and netlogon and gpupdate fails. Automatic DNS
2019 May 14
0
editing GPO as user X, when user X is used in gpo security filter
Hello, I'm using samba 4.9.x compiled from source on centos 7.6 Today I ran into an unknown behaviour before, which I'm not sure if it's a bug, a feature or.. just "is". I realised, that I'm unable to edit particular GPOs, with "access denied" error, when these criteria are met: - I have user "john" that is a member of "domain admins"
2017 Oct 31
2
kerberos + winbind + AD authentication for samba 4 domain member
Hello, I'm setting up AD user logins for centos 7.4 box. I've almost managed to do everything the way I want and the way I think it should be, but I'm missing last piece: For ssh access I read parts of the https://wiki.samba.org/index.php/OpenSSH_Single_sign-on Most docs recommend using setting in smb.conf: winbind use default domain = no that means that all domain users have
2020 Nov 10
1
samba AD trusted certificate for RADIUS server (MS PKI, for example AD CS)
Hi, We are running a 3 DC samba AD domain, and use 802.1x authentication for the win10 workstations to access the wired network. We are facing the issue where, following windows updates, our windows clients keep changing back the 802.1x settings to the windows default, namely: to verify the server identity and do computer authentication only. The latter is no problem, but the first one
2017 Nov 01
5
kerberos + winbind + AD authentication for samba 4 domain member
Hello, Thank You for fast response. I'm glad that it's a mistake somewhere on my side, it means it will work when I fix it :) Ok, first of all: Everything is on centos 7.4 All config files will be below, but to start off: behaviour is stranger than I thought, but there is a pattern: when doing [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V Using default cache: /tmp/krb5cc_101003
2019 Jun 10
2
SAMBA AD VFS:Recycle bad permissions
On 10/06/2019 08:51, Tomáš Havlín wrote: > Hello > my smb.conf + working and no working ACL share folders > > [global] > netbios name = FENIX > realm = PFCZ.INTRA > server role = active directory domain controller > workgroup = PFCZ > idmap_ldb:use rfc2307 = yes > dns forwarder = 10.254.254.1 > > unix extensions = no > wide links = yes > follow symlinks =