Re: [Samba] DNS issue with second samba DC
Quick update: If I add domain ncs.k12.de.us to /etc/resolv.conf on the second DC, names resolve. However, I don't need this entry on the PDC.

Sincerely,
Dave Hopkins

----- Original Message -----
From: dahopk...@comcast.net
To: "samba"
Sent: Friday, August 2, 2013 3:57:28 PM
Subject: [Samba] DNS issue with second samba DC

I have samba4 installed on two systems: ncssamba1 and ncssamba2. ncssamba1 is the PDC, ncssamba2 was joined to the domain using the instructions here:

http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

I had to manually add the DNS information as mentioned on that page. I can add a user and the user is replicated. However, I have some issues with DNS resolving hostnames. Specifically, on the PDC,

$ nslookup ncsfs1
Server:         10.179.2.25
Address:        10.179.2.25#53

Name:   ncsfs1.ncs.k12.de.us
Address: 10.179.2.6

But the same system is not found on the second DC:

$ nslookup ncsfs1
Server:         10.179.2.24
Address:        10.179.2.24#53

Non-authoritative answer:
*** Can't find ncsfs1: No answer

resolv.conf is identical between the two systems. /usr/local/samba/etc/smb.conf is likewise the same (except for netbios name):

[global]
        workgroup = NEWARKCHARTER
        realm = ncs.k12.de.us
        netbios name = NCSSAMBA1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 10.1.1.10
        allow dns updates = nonsecure and secure

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/ncs.k12.de.us/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

A second DNS issue is that I have other systems that are multihomed (e.g. 10.179.2.13 and 192.168.0.254). Allowing the updates means that the 192.168.0.254 gets added to DNS, which I do not want to happen. I want the dns updates only for the 10.179 addresses. Can this be done?

Finally, I have to relocate the second DC to a new IP address (10.186.2.25/19) at a remote site. I found instructions here:

https://lists.samba.org/archive/samba-technical/2013-May/092260.html

But I assume I will need to manually create the reverse lookup zone?

Sincerely,
Dave Hopkins

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
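The search-list behaviour behind Dave's quick update, as an added example that is not part of the thread and not Samba code: a small Python model of how a glibc-style stub resolver expands a short name using the domain/search directives in /etc/resolv.conf, plus an audit that lists dynamic-update A records lying outside an allowed site prefix (his second question). The resolv.conf texts, the zone contents and the "multihome" host are constructed; the addresses reuse the ones quoted in the message, and the assumption is that the only difference between the two DCs is the domain line.

```python
"""Added example (not from the list thread): model the stub-resolver search
behaviour that explains why 'nslookup ncsfs1' works on one DC and not the
other, plus a small audit for dynamic-update records outside the site prefix.
All resolv.conf texts and zone records here are constructed samples."""

import ipaddress

# Constructed resolv.conf contents. Assumption: the PDC carries a 'domain'
# line while the second DC, before Dave's fix, only lists a nameserver.
RESOLV_CONF_PDC = "nameserver 10.179.2.25\ndomain ncs.k12.de.us\n"
RESOLV_CONF_DC2_BEFORE = "nameserver 10.179.2.24\n"

# Constructed view of A records in the AD-integrated zone, as (name, address).
# The constructed multihomed host registered both interfaces via dynamic update.
ZONE_A_RECORDS = [
    ("ncsfs1.ncs.k12.de.us", "10.179.2.6"),
    ("ncssamba1.ncs.k12.de.us", "10.179.2.25"),
    ("ncssamba2.ncs.k12.de.us", "10.179.2.24"),
    ("multihome.ncs.k12.de.us", "10.179.2.13"),   # constructed host
    ("multihome.ncs.k12.de.us", "192.168.0.254"),  # unwanted second interface
]


def parse_resolv_conf(text):
    """Return (nameservers, search_list, ndots) from resolv.conf text.
    'domain' and 'search' are mutually exclusive; whichever appears last
    wins, which matches the glibc resolver."""
    nameservers, search, ndots = [], [], 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("domain", "search"):
            search = list(args)  # 'domain X' behaves as a one-entry search list
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return nameservers, search, ndots


def candidate_names(name, search, ndots=1):
    """Fully-qualified names in the order a glibc-style resolver tries them.
    Names with at least 'ndots' dots are tried as given first; shorter names
    go through the search list first and are tried bare last. A trailing
    dot disables search-list expansion entirely."""
    if name.endswith("."):
        return [name.rstrip(".")]
    expanded = [f"{name}.{suffix}" for suffix in search]
    if name.count(".") >= ndots:
        return [name] + expanded
    return expanded + [name]


def resolve(name, resolv_conf_text, zone=ZONE_A_RECORDS):
    """Return (fqdn, [addresses]) for the first candidate that has A records,
    or None when every candidate fails, which is the 'No answer' Dave saw
    on the second DC."""
    _, search, ndots = parse_resolv_conf(resolv_conf_text)
    for fqdn in candidate_names(name, search, ndots):
        addrs = [addr for rec_name, addr in zone if rec_name == fqdn]
        if addrs:
            return fqdn, addrs
    return None


def records_outside_prefix(zone=ZONE_A_RECORDS, allowed="10.179.0.0/16"):
    """List (name, address) pairs whose address is outside the allowed site
    prefix, so an operator can spot interfaces like 192.168.0.254 that
    dynamic update registered but that should not be in the zone."""
    net = ipaddress.ip_network(allowed)
    return sorted((n, a) for n, a in zone if ipaddress.ip_address(a) not in net)


if __name__ == "__main__":
    print("PDC:", resolve("ncsfs1", RESOLV_CONF_PDC))
    print("DC2 before fix:", resolve("ncsfs1", RESOLV_CONF_DC2_BEFORE))
    print("outside 10.179/16:", records_outside_prefix())
```

Run directly, it prints the PDC answer, None for the second DC, and the one out-of-prefix record. The audit only reports; whether a record is removed or the registering host is reconfigured is an operator decision, and feeding it real data means replacing ZONE_A_RECORDS with an export of the zone.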
Re: [Samba] Error running samba-tool dbtool --reset-well-known-acls
On 02.08.2013 18:08, Achim Gottinger wrote:
> On 28.07.2013 16:14, Achim Gottinger wrote:
>> Hi,
>>
>> I updated my two samba DCs from 4.0.3 to sernet 4.0.7. Both servers run Debian wheezy and the AD was created at the beginning of the year with a classic upgrade to version 4.0.0. Recent release notes do not provide information about required upgrade tasks. So I ran samba-tool dbcheck --reset-well-known-acls. On the first DC it found a few errors about missing members in computer groups which were fixable with samba-tool dbcheck --reset-well-known-acls --fix. On my second DC however one issue remains.
>>
>> >samba-tool dbcheck --reset-well-known-acls
>> Checking 336 objects
>> Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local
>> Please use --fix to fix these errors
>> Checked 336 objects (1 errors)
>>
>> >samba-tool dbcheck --reset-well-known-acls --fix
>> Checking 336 objects
>> Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local? [y/N/all/none] y
>> Failed to fix attribute nTSecurityDescriptor : (65, "objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' wasn't specified!")
>> Checked 336 objects (1 errors)
>>
>> This is the global section of my smb.conf on DC1. Only netbios name and dns forwarder are different on DC2.
>>
>> # Global parameters
>> [global]
>>         workgroup = DOMAIN
>>         realm = domain.local
>>         netbios name = DC1
>>         server role = active directory domain controller
>>         dns forwarder = 192.168.200.200
>>         idmap_ldb:use rfc2307 = yes
>>         log level = 1
>>         strict allocate = yes
>>         acl:read=false
>>         template shell = /bin/bash
>>         wins support = Yes
>>         deadtime = 10
>>         socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
>>         ea support = yes
>>         store dos attributes = yes
>>         map readonly = no
>>         map archive = no
>>         map system = no
>>         map hidden = no
>>
>> I connected to both DCs with ADSI and checked rIDNextRID
>>
>> DC1:
>> CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => 6247
>> CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 0
>>
>> DC2:
>> CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => not defined (German: Nicht Festgelegt)
>> CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 6714
>>
>> Unfortunately I was not able to change that attribute from undefined to 0 on DC2. I want to avoid editing ldb files by guess, so I'd appreciate suggestions.
>>
>> Thanks in advance
>> achim
>
> Hi again,
>
> So far this error does not seem to cause any trouble in the domain. DC1 is my RID master. When I try to move the rid role to DC2 I get the following error:
>
> samba-tool fsmo seize --role=rid
> Attempting transfer...
> FSMO transfer of 'rid' role successful
> ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify message must have elements/attributes!
>
> Afterwards the role is assigned to DC2 in samba-tool fsmo show. I get the same error when I try to move the role back to DC1.
>
> Does anyone have a clue what is going wrong here?
>
> Thanks in advance,
> Achim

Ok, seize was not a good choice. I tried samba-tool fsmo transfer --role=rid instead, which works without errors, but it does not fix the rIDNextRID issue.
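A way to do Achim's ADSI comparison from LDIF dumps instead, as an added example that is neither from the thread nor part of samba-tool: it parses a minimal LDIF export of the RID Set objects from each DC, lists rIDSet objects that lack the mandatory rIDNextRID attribute (the condition dbcheck's objectclass_attrs message complains about), and reports where the two DCs disagree. The LDIF is constructed from the rIDNextRID values he quotes and carries only the attributes the check needs; on real data you would feed it the output of an ldbsearch or ldapsearch of the RID Set objects from each DC.

```python
"""Added example (not from the list thread): audit 'RID Set' objects from an
LDIF dump for the mandatory rIDNextRID attribute and compare what two DCs
hold for the same object, the check Achim did by hand in ADSI Edit. The LDIF
below is constructed from the values quoted in the thread and contains only
the attributes needed for the audit."""

# Constructed LDIF as seen from DC1 (DC1 => 6247, DC2 => 0).
LDIF_FROM_DC1 = """\
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local
objectClass: rIDSet
rIDNextRID: 6247

dn: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local
objectClass: rIDSet
rIDNextRID: 0
"""

# Constructed LDIF as seen from DC2: DC1's object lacks rIDNextRID entirely,
# which is what dbcheck's objectclass_attrs complaint points at.
LDIF_FROM_DC2 = """\
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local
objectClass: rIDSet

dn: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local
objectClass: rIDSet
rIDNextRID: 6714
"""


def parse_ldif(text):
    """Minimal LDIF parser: records separated by blank lines, folded lines
    start with a space, attribute names compared case-insensitively.
    Returns {dn: {attr_lower: [values]}}. Base64 ('::') values are not
    handled because the attributes audited here are plain integers."""
    records, current = {}, []
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and current:
            current[-1] += line[1:]  # unfold a continuation line
        elif line.strip() == "":
            if current:
                entry, dn = {}, None
                for item in current:
                    key, _, value = item.partition(":")
                    key, value = key.strip().lower(), value.strip()
                    if key == "dn":
                        dn = value
                    else:
                        entry.setdefault(key, []).append(value)
                records[dn] = entry
                current = []
        elif not line.startswith("#"):
            current.append(line)
    return records


def missing_attribute(records, attr="rIDNextRID", objectclass="rIDSet"):
    """DNs of objects of the given class that lack the attribute, i.e. the
    entries dbcheck --fix refuses to rewrite because the schema marks the
    attribute as mandatory."""
    attr, objectclass = attr.lower(), objectclass.lower()
    return sorted(
        dn for dn, entry in records.items()
        if objectclass in [v.lower() for v in entry.get("objectclass", [])]
        and attr not in entry
    )


def divergent_values(records_a, records_b, attr="rIDNextRID"):
    """{dn: (value_on_a, value_on_b)} for objects present on both sides whose
    attribute differs; None marks 'not set' (ADSI's 'Nicht Festgelegt')."""
    attr = attr.lower()
    out = {}
    for dn in records_a.keys() & records_b.keys():
        va = records_a[dn].get(attr, [None])[0]
        vb = records_b[dn].get(attr, [None])[0]
        if va != vb:
            out[dn] = (va, vb)
    return out


if __name__ == "__main__":
    a, b = parse_ldif(LDIF_FROM_DC1), parse_ldif(LDIF_FROM_DC2)
    print("missing rIDNextRID on DC2:", missing_attribute(b))
    for dn, pair in sorted(divergent_values(a, b).items()):
        print(dn, "DC1=%s DC2=%s" % pair)
```

Both RID Set objects differ between the two views in the constructed data, which is the replication disagreement worth resolving before a RID role transfer; the script only reports and never writes to a database.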
[Samba] Debian Package Updates
The debian package of samba4 is still sitting at 4.0.3 in experimental. Please could someone (Andrew?) upload an updated package now that we are up to 4.0.7?

http://packages.qa.debian.org/s/samba4.html
Re: [Samba] NDR decoding
Hi Volker

"Volker Lendecke" wrote in message news:e1v582p-008rya...@intern.sernet.de...
> On Thu, Aug 01, 2013 at 08:00:06PM +0100, Markus Moeller wrote:
>> Apologies if this is off topic. I'd like to decode the Kerberos PAC which is NDR decoded and I know Samba has all the code to decode a PAC. I looked at http://msdn.microsoft.com/en-us/library/cc237933.aspx as an example and read the opengroup document, but I am still lost. Is there a good book, link, course about NDR encoding/decoding?
>
> http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19
>
> and possibly
>
> http://msdn.microsoft.com/en-us/library/cc243560.aspx
>
> No tutorial, basic specs.

I read them, but still I get lost in the pointer sections referring to referent identifiers, and from the MS example I can't understand how they get to the position of the UNICODE string.

> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-37-0, fax: +49-551-37-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kont...@sernet.de

Thank you
Markus
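The two things Markus is stuck on, the referent identifier and where the string body ends up, as an added example that is not from the thread and not Samba's PIDL-generated PAC code: a hand-written NDR encoder and decoder for a constructed, cut-down record of the form struct { uint32 user_id; RPC_UNICODE_STRING names[N]; }. The real KERB_VALIDATION_INFO has far more fields, but its RPC_UNICODE_STRING members follow exactly these rules: the struct carries Length, MaximumLength and a 4-byte referent ID in place of the pointer, and the conformant varying array (max_count, offset, actual_count, UTF-16LE data) is deferred until after the whole top-level structure, in pointer order. The referent ID values and the simplification MaximumLength == Length are assumptions of this example; the decoder bounds-checks and cross-checks every count it reads, since trusting wire counts is how PAC parsers over-read.

```python
"""Added example (not from the list thread, and not Samba's PIDL-generated
code): a hand-written NDR encoder/decoder for a constructed record

    struct { uint32 user_id; RPC_UNICODE_STRING names[N]; }

showing where a string pointer's referent ID sits and where the deferred
string body lands in the byte stream. All byte strings are constructed."""

import struct

NULL_REFERENT = 0


class NdrReader:
    """Cursor over an NDR byte stream with the rule that each primitive is
    aligned to its own size, counted from the start of the stream."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def align(self, n):
        self.pos += (-self.pos) % n

    def take(self, n):
        # Bounds-check before trusting any count that came from the wire.
        if self.pos + n > len(self.data):
            raise ValueError("truncated stream at offset %d" % self.pos)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self):
        self.align(2)
        return struct.unpack("<H", self.take(2))[0]

    def u32(self):
        self.align(4)
        return struct.unpack("<I", self.take(4))[0]


def encode_record(user_id, names):
    """Marshal user_id followed by the RPC_UNICODE_STRING headers. Pointer
    bodies are deferred: they are written only after the whole top-level
    structure, in the order their referent IDs appeared."""
    out = bytearray(struct.pack("<I", user_id))
    deferred = []
    for i, name in enumerate(names):
        out += b"\0" * (-len(out) % 2)
        if name is None:
            out += struct.pack("<HH", 0, 0)
            out += b"\0" * (-len(out) % 4)
            out += struct.pack("<I", NULL_REFERENT)  # null pointer: nothing deferred
            continue
        body = name.encode("utf-16-le")
        # Length and MaximumLength are byte counts (assumption: equal here).
        out += struct.pack("<HH", len(body), len(body))
        out += b"\0" * (-len(out) % 4)
        # Non-null referent ID; the value is arbitrary, only non-zero matters.
        out += struct.pack("<I", 0x00020000 + 4 * i)
        deferred.append(body)
    for body in deferred:
        out += b"\0" * (-len(out) % 4)
        count = len(body) // 2
        # Conformant varying array header: max_count, offset, actual_count.
        out += struct.pack("<III", count, 0, count)
        out += body
    return bytes(out)


def decode_record(data, n_names):
    """Unmarshal what encode_record produced. NDR is not self-describing, so
    the caller must know how many RPC_UNICODE_STRING fields the struct has."""
    r = NdrReader(data)
    user_id = r.u32()
    headers = [(r.u16(), r.u16(), r.u32()) for _ in range(n_names)]
    names = []
    for length, max_length, referent in headers:
        if referent == NULL_REFERENT:
            names.append(None)
            continue
        max_count, offset, actual = r.u32(), r.u32(), r.u32()
        # Cross-check the array header against the struct header before use.
        if (offset != 0 or actual > max_count or actual * 2 != length
                or max_count * 2 != max_length):
            raise ValueError("inconsistent string counts at offset %d" % r.pos)
        names.append(r.take(actual * 2).decode("utf-16-le"))
    return user_id, names


def is_well_formed(data, n_names):
    """True when the stream decodes cleanly, False on any structural error."""
    try:
        decode_record(data, n_names)
        return True
    except (ValueError, struct.error, UnicodeDecodeError):
        return False


# Constructed sample: user_id 1000, one string and one null pointer.
# Layout: user_id@0, hdr0@4 (referent@8), hdr1@12 (null referent@16),
# deferred body of string 0 @20: counts@20..32, "dave" in UTF-16LE @32..40.
SAMPLE = encode_record(1000, ["dave", None])
# Same bytes with actual_count (at offset 28) inflated beyond the buffer.
SAMPLE_TAMPERED = SAMPLE[:28] + struct.pack("<I", 0x7FFFFFFF) + SAMPLE[32:]

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(decode_record(SAMPLE, 2))
    print("tampered well-formed?", is_well_formed(SAMPLE_TAMPERED, 2))
```

Reading the hex dump alongside the layout comment answers the position question: the string header at offset 4 holds no text at all, only a non-zero referent at offset 8, and the characters appear at offset 32, after every header of the enclosing struct and the three-word array header. The same walk, with the field list from MS-PAC, is what a PAC decoder performs for each string in KERB_VALIDATION_INFO.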
[Samba] Samba4 domain trust
Hi there,

I know domain trusts are currently not finished (as far as I know you can trust a Samba4 domain but not the other way). Is that still correct?

And my main question: Does it matter if it is a Samba4-only domain or a Samba4/Windows DC domain? In my case it's Samba4 only with two different domains I would like to trust each other...

Best Regards
Peter
Re: [Samba] Problem to demote samba4 dc
But what roles Andrew? All 5 roles are already on the Windows DC. What are those 2 remaining roles and how can we transfer them?

On 01/08/2013 23:11, Andrew Bartlett wrote:
> On Wed, 2013-07-31 at 15:10 +0200, Davy HUBERT wrote:
>> Hi all,
>>
>> I recently migrated our samba 3 domain to an AD domain using the Samba 4 classic upgrade tool. Well, everything seems to work fine since I'm still alive ;) . I promoted a Windows 2k8 box as a new DC of this domain and I transferred the 5 FSMO roles to it. Now I would like to demote the Samba4 DC but when I tried I got this message:
>>
>> # samba-tool domain demote
>> ERROR: Current DC is still the owner of 2 role(s), use the role command to transfer roles to another DC
>>
>> When I check the fsmo roles status via "samba-tool fsmo show" it confirms that the Samba 4 DC doesn't own anything.
>>
>> How can I manage to demote the Samba 4 box?
>
> The best option would be to turn off the Samba DC, and then use ADUC on Windows and tell it that the Samba DC is permanently off-line. The roles can be seized from there.
>
> Andrew Bartlett

--
=
*Jonis Maurin Ceará*
Systems Analyst
FEA-RP/USP - Extension: 42-4485 / 42-3927
DDR: (16) 3602-4485 / 3602-3927
Web support: http://sistemas.fearp.usp.br/suporte
=
Re: [Samba] [PATCH] Re: "./configure" LDAP checks failing on AIX
2013/8/2 Andrew Bartlett :
> If you can confirm, then if I can have a team member review and/or push
> this for me, that would be great. We can then backport it to 4.0 and
> 4.1 for the next releases of those branches.

I confirm: to be sure I've restarted from scratch, applied the patch then ran configure again. Here's the ldap tests part of the output:

Checking for library ldap                        : yes
Checking for ldap_init                           : ok
Checking for ldap_init_fd                        : ok
Checking for ldap_initialize                     : ok
Checking for ldap_set_rebind_proc                : ok
Checking for ldap_add_result_entry               : ok
Checking whether ldap_set_rebind_proc takes 3 arguments : ok
Building with Active Directory support.

PS: could I be the only one in the whole known universe trying to compile samba on AIX with builtin AD support using waf based configure?

--
Gilles