Re: [Samba] Remote Shutdown PC

2013-09-29 Thread Giedrius
Hi,
Try winexe ( http://sourceforge.net/projects/winexe/ ) (or PSexec for
that matter).
One downside - this will install an additional service, winexesvc, and
issue commands (between ) in plain text.
If you specify -U DOMAIN/User%password (instead of the default
LOCAL_SERVICE) this will also be plain-text visible from the network.

kinit (for Kerberos ticket)
winexe -k1 //NETBIOSNAME shutdown -s -f
   
Works for me.

2013.09.29 14:11, Szymon Życiński rašė:
 W dniu 2013-09-29 13:04, Szymon Życiński pisze:
 Hello

 How can I remotely shut down machines joined to a Samba4 PDC? I tried:
 $ net rpc shutdown -C comment -I IPADDRESS -U USERNAME%PASSWORD
 using a domain admin username and account but it does not work. I was only
 able to shut down 1 XP machine. Vista and 7 didn't work. Do I have to add
 some GPO/Firewall settings?

 Szymon

 I have also tried a local admin account but it does not work either.

 Szymon


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Replication Samba PDC to Samba BDC

2013-06-04 Thread Giedrius
2013.06.04 09:10, David González Herrera - [DGHVoIP] rašė:
 On 6/3/2013 11:57 PM, Giedrius wrote:
 Hi,

 2013.06.04 04:16, David González Herrera - [DGHVoIP] rašė:
 Hi,

 Let's see if any of the questions gets answered or at least I get
 pointed to something that can help me.

 I followed this wiki:
 http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain

 I have my S4 domain running, I compiled and installed another S4 to
 replicate the first server and joined successfully to the domain but
 replication seems to be broken.

 Command used:


 root@bdc:~# samba-tool domain join mundo.local DC -Uadministrator
 --realm=mundo.local --password=Mugr3P0pO --dns-backend=BIND9_DLZ
 Finding a writeable DC for domain 'mundo.local'
 Found DC samba.mundo.local
 workgroup is mundo
 realm is mundo.local
 checking sAMAccountName
 Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
 Adding
 CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
 Adding CN=NTDS
 Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
 Adding SPNs to CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
 Setting account password for BDC$
 Enabling account
 Calling bare provision
 No IPv6 address will be assigned
 Provision OK for domain DN DC=mundo,DC=local
 Starting replication
 Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
 objects[402/1550] linked_values[0/0]
 Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
 objects[804/1550] linked_values[0/0]
 Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
 objects[1206/1550] linked_values[0/0]
 Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
 objects[1550/1550] linked_values[0/0]
 Analyze and apply schema objects
 Partition[CN=Configuration,DC=mundo,DC=local] objects[402/1614]
 linked_values[0/0]
 Partition[CN=Configuration,DC=mundo,DC=local] objects[804/1614]
 linked_values[0/0]
 Partition[CN=Configuration,DC=mundo,DC=local] objects[1206/1614]
 linked_values[0/0]
 Partition[CN=Configuration,DC=mundo,DC=local] objects[1608/1614]
 linked_values[0/0]
 Partition[CN=Configuration,DC=mundo,DC=local] objects[1614/1614]
 linked_values[28/0]
 Replicating critical objects from the base DN of the domain
 Partition[DC=mundo,DC=local] objects[98/98] linked_values[31/0]
 Partition[DC=mundo,DC=local] objects[336/238] linked_values[74/0]
 Done with always replicated NC (base, config, schema)
 Replicating DC=DomainDnsZones,DC=mundo,DC=local
 Partition[DC=DomainDnsZones,DC=mundo,DC=local] objects[42/42]
 linked_values[0/0]
 Replicating DC=ForestDnsZones,DC=mundo,DC=local
 Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[18/18]
 linked_values[0/0]
 Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[36/18]
 linked_values[0/0]
 Committing SAM database
 Sending DsReplicateUpdateRefs for all the replicated partitions
 Setting isSynchronized and dsServiceName
 Setting up secrets database
 Joined domain mundo (SID S-1-5-21-1918558401-2200574552-2151153235) as
 a DC

 Seemed to have succeeded, then I ran the recommended tests

 # ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)'
 --cross-ncs objectguid
 # record 1
 dn: CN=NTDS
 Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
 objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7

 # record 2
 dn: CN=NTDS
 Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
 objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f

 # returned 2 records
 # 2 entries
 # 0 referrals


 These tests run from the BDC seem to work.

 host -t CNAME ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local
 ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local is an alias
 for samba.mundo.local.

 host -t CNAME 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local
 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local is an alias
 for bdc.mundo.local.

 root@bdc:~# host -t A bdc.mundo.local.
 bdc.mundo.local has address 10.10.10.20

 root@bdc:~# host -t A samba.mundo.local.
 samba.mundo.local has address 10.10.10.5


 Error showing up on the BDC

 dns child failed to find name
 'ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local' of type A
 dreplsrv_notify: Failed to send DsReplicaSync to
 ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local for
 CN=Configuration,DC=mundo,DC=local - *NT_STATUS_OBJECT_NAME_NOT_FOUND
 : WERR_BADFILE *
 Did you AT LEAST search the mailing list???
 Check if ping (or any program using GLIBC's *NSS* DNS resolver) can
 resolve your 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local name
 Yes I searched the ML with no luck.

 Yes, I did and it works, I had to add
 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local to /etc/hosts
 and it works.

 So I think it's a DNS issue.
Not exactly, as I wrote in my other posts to the mailing list, this is
glibc's nss dns resolver's (libnss_dns.so) issue that is ignoring
hostnames with _ (_msdcs)

Re: [Samba] Replication Samba PDC to Samba BDC

2013-06-04 Thread Giedrius
Hi,
2013.06.04 16:35, Ricky Nance rašė:
 @Giedrius
 Not exactly, as I wrote in my other posts to the mailing list, this
 is glibc's nss dns resolver's (libnss_dns.so) issue that is
 ignoring hostnames with _ (*_*msdcs)

 Which OS's does that affect?
I personally tested this on openSUSE 12.2 and 12.3 (bug report:
https://bugzilla.novell.com/show_bug.cgi?id=822414)
From the mailing list it seems this bug is much more widespread.

 @David, Is your nameserver (in /etc/resolv.conf) on dcA ip.to.dc.a and
 on dcB ip.to.dc.b if so, what happens when you set them both to A? how
 about when you set them both to B? I'd play around with that a bit
 until you get a good replication, then restart samba on both DC's and
 set them properly (dcA needs ip.to.dc.a and dcB needs ip.to.dc.b) .
I doubt this would change anything, given there is a working DNS,
allow-query / firewall setup, but this is easily checked with host /
dig / nslookup commands.
And for that matter, his DNS setup is working: host / dig tests are not
failing.
The problem is with the RESOLVER LIBRARY failing (at least in my case) to
return replies from DNS, so changing the DNS server address will not in
any way fix the problem.
It simply will not be returned to the program through the system calls
(at least for me, tcpdump showed DNS *is* replying).
A better solution is to fix that damn bug in glibc (or use /etc/hosts |
mdns | whatever) and specify BOTH dcA AND dcB in resolv.conf,
so that if one of them fails the other replies.

 Ricky



Re: [Samba] Replication Samba PDC to Samba BDC

2013-06-03 Thread Giedrius
Hi,

2013.06.04 04:16, David González Herrera - [DGHVoIP] rašė:
 Hi,

 Let's see if any of the questions gets answered or at least I get
 pointed to something that can help me.

 I followed this wiki:
 http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain

 I have my S4 domain running, I compiled and installed another S4 to
 replicate the first server and joined successfully to the domain but
 replication seems to be broken.

 Command used:


 root@bdc:~# samba-tool domain join mundo.local DC -Uadministrator
 --realm=mundo.local --password=Mugr3P0pO --dns-backend=BIND9_DLZ
 Finding a writeable DC for domain 'mundo.local'
 Found DC samba.mundo.local
 workgroup is mundo
 realm is mundo.local
 checking sAMAccountName
 Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
 Adding
 CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
 Adding CN=NTDS
 Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
 Adding SPNs to CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
 Setting account password for BDC$
 Enabling account
 Calling bare provision
 No IPv6 address will be assigned
 Provision OK for domain DN DC=mundo,DC=local
 Starting replication
 Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
 objects[402/1550] linked_values[0/0]
 Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
 objects[804/1550] linked_values[0/0]
 Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
 objects[1206/1550] linked_values[0/0]
 Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
 objects[1550/1550] linked_values[0/0]
 Analyze and apply schema objects
 Partition[CN=Configuration,DC=mundo,DC=local] objects[402/1614]
 linked_values[0/0]
 Partition[CN=Configuration,DC=mundo,DC=local] objects[804/1614]
 linked_values[0/0]
 Partition[CN=Configuration,DC=mundo,DC=local] objects[1206/1614]
 linked_values[0/0]
 Partition[CN=Configuration,DC=mundo,DC=local] objects[1608/1614]
 linked_values[0/0]
 Partition[CN=Configuration,DC=mundo,DC=local] objects[1614/1614]
 linked_values[28/0]
 Replicating critical objects from the base DN of the domain
 Partition[DC=mundo,DC=local] objects[98/98] linked_values[31/0]
 Partition[DC=mundo,DC=local] objects[336/238] linked_values[74/0]
 Done with always replicated NC (base, config, schema)
 Replicating DC=DomainDnsZones,DC=mundo,DC=local
 Partition[DC=DomainDnsZones,DC=mundo,DC=local] objects[42/42]
 linked_values[0/0]
 Replicating DC=ForestDnsZones,DC=mundo,DC=local
 Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[18/18]
 linked_values[0/0]
 Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[36/18]
 linked_values[0/0]
 Committing SAM database
 Sending DsReplicateUpdateRefs for all the replicated partitions
 Setting isSynchronized and dsServiceName
 Setting up secrets database
 Joined domain mundo (SID S-1-5-21-1918558401-2200574552-2151153235) as
 a DC

 Seemed to have succeeded, then I ran the recommended tests

 # ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)'
 --cross-ncs objectguid
 # record 1
 dn: CN=NTDS
 Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
 objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7

 # record 2
 dn: CN=NTDS
 Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
 objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f

 # returned 2 records
 # 2 entries
 # 0 referrals


 These tests run from the BDC seem to work.

 host -t CNAME ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local
 ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local is an alias
 for samba.mundo.local.

 host -t CNAME 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local
 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local is an alias
 for bdc.mundo.local.

 root@bdc:~# host -t A bdc.mundo.local.
 bdc.mundo.local has address 10.10.10.20

 root@bdc:~# host -t A samba.mundo.local.
 samba.mundo.local has address 10.10.10.5


 Error showing up on the BDC

 dns child failed to find name
 'ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local' of type A
 dreplsrv_notify: Failed to send DsReplicaSync to
 ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local for
 CN=Configuration,DC=mundo,DC=local - *NT_STATUS_OBJECT_NAME_NOT_FOUND
 : WERR_BADFILE *
Did you AT LEAST search the mailing list???
Check if ping (or any program using GLIBC's *NSS* DNS resolver) can
resolve your 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local name

 I tried to check replication status but this error shows

 root@bdc:~# samba-tool drs showrepl
 Default-First-Site-Name\BDC
 DSA Options: 0x0001
 DSA object GUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7
 DSA invocationId: 609fd8be-7e0c-49ca-a5f5-1a68237ef03f

  INBOUND NEIGHBORS 

 DC=mundo,DC=local
 Default-First-Site-Name\SAMBA via RPC
 DSA object GUID: 

Re: [Samba] DNS capabilities

2013-06-02 Thread Giedrius
2013.06.02 16:10, Andrew Bartlett rašė:
 On Sun, 2013-06-02 at 01:50 -0700, Gary Maurizi wrote:
 I am sorry to waste space on the mailing list for such a simple question,
 but can anyone tell me:

 1. Does samba_internal backend work with MX records yet?
 Not in a 4.0 release.  (Patch is in the queue for the next 4.0.x
 release, and is in git master)

 2. Will BIND9_FLATFILE allow dynamic DNS updates when a computer joins the
 domain?
 Yes, but if that much works, the dlz backend will also work, and will
 handle other aspects of being an AD DC much more cleanly.  Don't use
 BIND9_FLATFILE (we may actually remove it to avoid further confusion). 
Please don't ... In my experience a DLZ setup has more problems than a good
multi-master bind9 setup -
namely records added to one samba DC are not always propagated to
the others (replication working without errors).
Also, how would it even be possible (without a separate server) to
even try to set up anything other than BIND?


 Andrew Bartlett



Re: [Samba] dynamic DNS Updates still failing, re-installed 9 more times, tried everything I could think of, now bald.

2013-06-02 Thread Giedrius
2013.06.02 16:16, Andrew Bartlett rašė:
 On Sun, 2013-06-02 at 11:52 +0200, steve wrote:
 On Sun, 2013-06-02 at 01:46 -0700, Gary Maurizi wrote:
 This is a follow up to my previous...

 Thomas, I have tried everything else I can think of, I WAS  able to get
 further debugging information out of samba, winbind, bind9_dlz, and whats
 going wrong in this process for us, but I am not a developer I have no way
 of knowing if this will be useful to you or anyone but I figure I should
 put it out so someday this can get fixed, Thanks:

 Hi Gary
 I'm no expert but I have dyndns working on openSUSE with 9.9 both from
 win7 and Linux clients. Maybe strip your config down to just this, then
 add the other stuff afterwards if you get it going?

 1. Make sure that named is not running chrooted. That was a real gotcha
 for me: it's default on openSUSE.
 This certainly could be the major issue here.  I can imagine this
 causing no end of drama if folks don't check for it. 

 2. for now, chown -R named.named /var/lib/named
 I certainly agree, for now (try and restore a more secure set of
 permissions later, but it is very worthwhile to test and rule out). 

 3. Use minimum options /etc/named.conf

 options {
  directory /var/lib/named;
  managed-keys-directory /var/lib/named/dyn;
  notify no;
  tkey-gssapi-keytab /usr/local/samba/private/dns.keytab;
 };
 include  /usr/local/samba/private/named.conf;
Also add:
 tkey-domain KRB5 REALM;
 tkey-gssapi-credential DNS principal;

BIND9 in openSUSE seems to require this to enable GSSAPI.

Also try hard-linking /usr/local/samba/private/dns.keytab to
/etc/krb5.keytab.
Somewhere in the mailing lists there was a report that bind9 is
always using the system default keytab.
If you get errors loading the krb5 principal after specifying
tkey-gssapi-credential, you might need to regenerate the dns.keytab
(changed password?)


 Good luck.
 Steve
 Indeed.  We know BIND9 can be a real pain to get right, and that's why
 the internal DNS server effort started.  That also has challenges (due
 to available developer attention), but is an indication of how seriously
 we take this challenge. 

 Andrew Bartlett



Re: [Samba] dynamic DNS Updates still failing, re-installed 9 more times, tried everything I could think of, now bald.

2013-06-02 Thread Giedrius
2013.06.03 01:14, Andrew Bartlett rašė:
 On Sun, 2013-06-02 at 23:50 +0300, Giedrius wrote:
 2013.06.02 16:16, Andrew Bartlett rašė:
 On Sun, 2013-06-02 at 11:52 +0200, steve wrote:
 On Sun, 2013-06-02 at 01:46 -0700, Gary Maurizi wrote:
 This is a follow up to my previous...

 Thomas, I have tried everything else I can think of, I WAS  able to get
 further debugging information out of samba, winbind, bind9_dlz, and whats
 going wrong in this process for us, but I am not a developer I have no way
 of knowing if this will be useful to you or anyone but I figure I should
 put it out so someday this can get fixed, Thanks:
 Hi Gary
 I'm no expert but I have dyndns working on openSUSE with 9.9 both from
 win7 and Linux clients. Maybe strip your config down to just this, then
 add the other stuff afterwards if you get it going?

 1. Make sure that named is not running chrooted. That was a real gotcha
 for me: it's default on openSUSE.
 This certainly could be the major issue here.  I can imagine this
 causing no end of drama if folks don't check for it. 

 2. for now, chown -R named.named /var/lib/named
 I certainly agree, for now (try and restore a more secure set of
 permissions later, but it is very worthwhile to test and rule out). 

 3. Use minimum options /etc/named.conf

 options {
directory /var/lib/named;
managed-keys-directory /var/lib/named/dyn;
notify no;
tkey-gssapi-keytab /usr/local/samba/private/dns.keytab;
 };
 include  /usr/local/samba/private/named.conf;
 Also add:
  tkey-domain KRB5 REALM;
  tkey-gssapi-credential DNS principal;

  BIND9 in openSUSE seems to require this to enable GSSAPI
 If that's required, then I think you have an older version of bind that
 is known to be incredibly painful to configure for GSS-TSIG. 

  Also try hard-linking /usr/local/samba/private/dns.keytab to
 /etc/krb5.keytab
 I really wouldn't do that. 

  Somewhere in the mailing lists there was a report bind9 is
 always using system default keytab
  If you get errors loading krb5 principal after specifying
 tkey-gssapi-credential, you might need to regenerate the dns.keytab
 (changed password ?)
 Which version is this?
BIND 9.9.2-P2
Without /etc/krb5.keytab the following error is seen in the syslog:
named[27908]: configuring TKEY: failure
named[27908]: reloading configuration failed: failure
I did not check if this is due to some limitation or if there are any
implicit environment variables.

Without a principal specifying DNS/domain realm, DNS updates are
rejected; this might be the leftovers from earlier:
DNS conversion INTERNAL-DLZ-FLATFILE or transfer to other DC:
dns-old_dc_name user in DB and principal with old FQDN.
Had to regenerate dns.keytab for it to even work.

[OT] is it even possible to change the SOA in samba???
FSMO was transferred to the other DC with the seize success-error bug,
but SOA as of /samba-tool dns query/ still points to old.realm

 Andrew Bartlett



Re: [Samba] Samba4 Secondary DC Replication Concerns

2013-05-31 Thread Giedrius
Hi,
2013.05.31 13:26, Paul Littlefield rašė:
 On 31/05/13 10:21, Paul Littlefield wrote:
 I have restarted Samba on both DC1 and DC2.


 I am still getting errors...


 [2013/05/31 11:11:56,  0]
 ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
   ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID
 allocation - WERR_BADFILE - extended_ret[0x0]
 [2013/05/31 11:16:56,  0]
 ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
   ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID
 allocation - WERR_BADFILE - extended_ret[0x0]
 [2013/05/31 11:21:56,  0]
 ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
   ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID
 allocation - WERR_BADFILE - extended_ret[0x0]
Can you actually *ping* the GUID names? guid._msdcs.realm
You might get a host unknown error... there is a bug in the glibc (at
least 2.17) nss dns resolver, not resolving names with _
Workaround: put the guid names in /etc/hosts if you experience this bug.



 Paully



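The two threads above (replication failing while host/dig succeed, and the advice to ping the GUID names and pin them in /etc/hosts) come down to one check: does the GUID._msdcs name resolve through libc, and if not, is DNS or the resolver library at fault? The script below is an added example, not Samba code: it parses the ldbsearch objectGUID output the wiki check produces (sample constructed after the thread, with the dn wrapped the way the mail shows it), derives the GUID._msdcs CNAME names, separates a DNS-server failure from the libc resolver bug by comparing the two answers, and emits the /etc/hosts workaround lines. The DC addresses are constructed from the thread's host -t A output.

```python
"""Diagnose the GUID._msdcs names Samba DCs replicate through, and emit the
/etc/hosts workaround for the glibc NSS resolver dropping names with '_'.

Input is the output of the wiki's check:
  ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
Added example, not Samba code.
"""
import re
import socket

# Constructed sample, laid out as the thread shows it: the mail client wrapped
# the long dn at the space in "NTDS Settings" (real ldbsearch output folds at
# 78 columns with a single leading space on the continuation, LDIF-style).
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=NTDS
 Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7

# record 2
dn: CN=NTDS
 Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f

# returned 2 records
"""

# Constructed from the thread's "host -t A" answers.
SAMPLE_ADDRESSES = {"bdc.mundo.local": "10.10.10.20", "samba.mundo.local": "10.10.10.5"}

# \s* tolerates both LDIF folding (space stripped) and mail wrapping (space kept)
NTDS_DN = re.compile(r"^CN=NTDS\s*Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def unfold_ldif(text):
    """Join continuation lines (one leading space, LDIF rule) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_dc_records(text):
    """Return one dict per NTDS Settings record: dn, server CN, objectGUID, realm."""
    records, current = [], None
    for line in unfold_ldif(text):
        if line.startswith("dn: "):
            current = {"dn": line[4:].strip()}
        elif line.lower().startswith("objectguid:") and current is not None:
            current["guid"] = line.split(":", 1)[1].strip().lower()
            records.append(current)
            current = None
    for rec in records:
        m = NTDS_DN.match(rec["dn"])
        if not m:
            raise ValueError("not an NTDS Settings DN: " + rec["dn"])
        rec["server"] = m.group(1)
        # the DN's domain components give the realm used in the _msdcs names
        rec["realm"] = ".".join(re.findall(r"DC=([^,]+)", rec["dn"])).lower()
    return records


def msdcs_names(records):
    """Map each GUID._msdcs.REALM CNAME (what dreplsrv looks up) to its DC FQDN."""
    return {f"{r['guid']}._msdcs.{r['realm']}": f"{r['server'].lower()}.{r['realm']}"
            for r in records}


def nss_lookup(name):
    """Resolve through libc NSS, the path samba and ping use; None if it fails."""
    try:
        return socket.getaddrinfo(name, None, socket.AF_INET)[0][4][0]
    except socket.gaierror:
        return None


def classify(nss_result, dns_result):
    """Tell a DNS-server problem from the resolver-library bug the thread describes.

    nss_result: what libc returned for the name (nss_lookup); dns_result: what a
    direct query (host/dig against the DC) returned. Either may be None."""
    if dns_result is None:
        return "dns-server"        # zone/record missing: fix DNS, not the resolver
    if nss_result is None:
        return "resolver-library"  # DNS answers but libc drops it: use /etc/hosts
    return "ok"


def hosts_workaround(records, addresses):
    """/etc/hosts lines pinning every GUID name; addresses maps DC FQDN -> IPv4."""
    lines = []
    for guid_name, target in sorted(msdcs_names(records).items()):
        if target not in addresses:
            raise KeyError("no A record supplied for " + target)
        lines.append(f"{addresses[target]}\t{guid_name}")
    return lines


if __name__ == "__main__":
    recs = parse_dc_records(SAMPLE_LDBSEARCH)
    for name, target in msdcs_names(recs).items():
        print(name, "->", target, "| libc says:", nss_lookup(name))
    print("\n".join(hosts_workaround(recs, SAMPLE_ADDRESSES)))
```

On a DC, feed classify() the nss_lookup() result and the address host/dig returns for the same name; "resolver-library" is the situation the thread describes, where only the /etc/hosts lines (or a fixed glibc) help.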

Re: [Samba] ktpass.sh error / How to generate a keytab for a new service (apache) with SAMBA4?

2013-05-30 Thread Giedrius
Hi,
I had the same error trying to re-set up the DNS keytab.
In my setup the kvno was indeed existing, just not seen by ktpass.sh.
The problem:
1) ldbsearch -k 1 does not work with ldap://localhost or
ldap://IP, you *must* use the hostname of the machine
2) ldbsearch (at least in my setup) does not exist
where ktpass.sh is trying to find it, and ktpass.sh *does not
complain about it*

Try passing: --path-to-ldbsearch directory_of_ldbsearch
Or alternatively, apply the attached patch to your samba source tree (no
recompile needed)


You can verify if you have this principal by: samba-tool spn list
your user that should have this principal
   

2013.04.29 19:52, Tim Vangehugten rašė:
 Hi,

 I was trying to get a new keytab in samba4 for my apache service. So I
 tried the following command:

 sh ktpass.sh --out /etc/apache.keytab --princ
 HTTP/myhost.samba.my.dom...@samba.my.DOMAIN --pass VerySecure123 --enc
 des-cbc-md5

 I get the following error: Unable to find kvno for principal
 HTTP/myhost.samba.my.dom...@samba.my.DOMAIN

 Am I doing something wrong or shouldn't I be using ktpass.sh?


 Best Regards
 Tim Vangehugten

diff --git a/source4/scripting/bin/ktpass.sh b/source4/scripting/bin/ktpass.sh
index e758eb3..b4583b1 100755
--- a/source4/scripting/bin/ktpass.sh
+++ b/source4/scripting/bin/ktpass.sh
@@ -54,10 +54,21 @@ if [ -z $enc ]; then
 enc=rc4-hmac
 fi
 if [ -z $path ]; then
-  path=`dirname $0`/../bin/
-  if [ ! -f ${path}ldbsearch ]; then
-path=`dirname $0`/../../bin/
-  fi
+path=`which ldbsearch 2/dev/null`
+if [ -f $path ]; then
+	path=`dirname $path`
+else
+	for d in $(dirname $0)/../bin $(dirname $0)/../../bin /opt/samba4 /usr/local/samba4 /usr/local /usr; do
+	[ ! -f $d/ldbsearch ]  continue
+	path=$d
+	break;
+	done
+	if [ -z $path ]; then
+	echo Cannot figure out where do you have your ldbsearch
+	usage
+	fi
+fi
+path=$path/
 fi
 if [ -z $outfile -o -z $princ -o -z $pass ]; then
   echo At least one mandatory parameter (--out, --princ, --pass) was not specified
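Review bot: the new `+if [ -f $path ]; then` leaves `$path` unquoted, so when `which ldbsearch` finds nothing and `$path` is empty the test becomes `[ -f ]`, which is true (a one-argument test only checks for a non-empty string); `dirname` of an empty string then yields `.`, `path` ends up as `./`, and the directory loop and the "Cannot figure out" error below it are never reached. Quote the expansions, e.g. `if [ -n "$path" ] && [ -f "$path" ]; then`, and likewise `[ -z "$path" ]` and `[ -f "$d/ldbsearch" ]`. Also, as rendered here `2/dev/null` and the bare `continue` after `[ ! -f $d/ldbsearch ]` look as if `>` and `&&` were lost in transit (the first would be passed to `which` as a second name to look up); worth confirming the committed file reads `2>/dev/null` and `&& continue`.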

Re: [Samba] Sysvol replication

2013-05-29 Thread Giedrius
Hi,
5 DCs working with GlusterFS 3.4.0~qa9.
You *must* mount the glusterfs volume with -o acl,selinux.
The real filesystem can be mounted without implicitly specifying -o
acl,user_xattr but others are having problems with this.

My setup:
5x openSUSE 12.3 x86_64 / 12.2 x86_64
  btrfs for backend
  gluster 3.4.0~qa9-28.3

2013.04.14 23:34, Jim Potter rašė:
 Hi all,

 Has anyone actually got sysvol replication working between 2 (or more)
 Samba4 DCs? I've tried gluster, inosync, csync and rsync and keep getting
 stuck on issues with the extended attributes.

 Is there a roadmap or any clues of a date when MSFRS or DFS replication
 will be part of Samb4?

 thanks again,

 Jim


Re: [Samba] Samba fsmo/demote/unjoin trouble after crash

2013-05-28 Thread Giedrius
Fixed this mess.
If anybody else needs this:
1) samba_backup on a working good DC :)
2) rm -rfv private/* var/{lock,locks}/*.{t,l}db on the bad server
3) rejoin with the same name *and* the same site it was on
4a) TRY to demote: this will luckily work, but not for me
4b) samba-tool dbcheck --cross-ncs --fix --yes
    Search for registered DCs: ldbsearch
    (invocationid=*) objectguid
    Search for entries of your bad DC: ldbsearch
    (objectguid=GUID_FROM_BAD_SERVER)
    Here I've got only 1 entry: that is NTDS settings (maybe
    there should be more?)
    Only after I've deleted NTDS settings, I *was* *able* to
    delete the server from the database (with windows DSA tools)
    ldbdel CN=NTDS
    Settings,CN=SERVER_NAME,CN=Servers,CN=SITE_NAME,
    CN=Sites,CN=Configuration,YOUR_DOMAIN in form DC=DOMAIN,DC=EXAMPLE,DC=COM
    You now *can* delete the server from Sites & Services AND
    Computers & Users
    samba-tool dbcheck --cross-ncs --fix --yes (haven't got any,
    but who knows.)
5) Rejoin your bad server again (if it *is* needed)
6) Everything is working flawlessly now.

Side note:
ldbsearch / ldbedit / ldbdel DID NOT WORK for me with
kerberos (-k yes), though kinit is fine, so use it like this:
ldbsearch -UAdministrator --password your password
--cross-ncs ldap://localhost ..
All ldb* and dbcheck commands were run from a *running good DC*.

If dbcheck complains about a bad owner GUID on NTDS Settings,
you might have duplicated msDS-hasMasterNCs, and dbcheck is *NOT*
fixing this.
Just delete the duplicated lines (for me this was ForestDnsZones
and DomainDnsZones) with ldbedit... otherwise samba will keep crashing
with SIGSEGV.

One of the DCs was not able to replicate after the first rejoin
- delete was needed.
Double / triple or even more *check the netbios name= in
your smb.conf* - this is how I've got 2 DC names in the database (but
only 1 join).

Demote *will not work* if your bad server has DNS zones
configured (on SAMBA LDAP).
Demote complains about *2 roles still on server,* but no
list of which ones (presumably the ForestDnsZones and DomainDnsZones).

Thanks all for help

2013.05.21 00:46, Andrew Bartlett rašė:
 On Wed, 2013-05-15 at 10:09 +0300, Giedrius wrote:
 2013.05.14 18:48, Denis Cardon rašė:
 Hi Giedrius,

  I've got an initial setup on DC1 (4.0.1)... all working good and
 flawless
  Added additional geographically distributed controllers (DC2, DC3,
 DC4, DC5) with 4.0.5 - no problem.
  All PCs can connect to their own site/DC

  Transferred all FSMOs to DC2 - transferred successfully (with
 seize error bug)
  DC1 crashed badly during maintenance, SAMBA was updated to
 4.0.5, data restored from backup.

  Now, the problem is:
  1) DC1 sees itself as owner of all FSMOs, although DC[2,3,4,5]
 see DC2 as owner of the FSMOs
  3) DC1 is missing some users (created between backup and crash),
 wbinfo for these users returns E_DOMAIN_NOT_FOUND
  4) Got decrypt integrity check failed errors, fixed with
 chtdcpass, which now results in Failed to find HOST$#DOMAIN(kvno)
 (client reboot seems to fix this)
  4) any attempt to replicate missing information from DC2/DC3 to
 DC1 (samba-tool drs replicate) results in errors after it (cannot find
 own NTDS)
  5) impossible to demote / unjoin the server and provision from
 scratch - some DRS errors

  Question is:
  how can I change the FSMO owner (ldbedit?) on DC1 to be DC2 and
 then:
   a) replicate missing users (and computer trust accounts)
 to DC1
   b) force removing DC1 from the domain for good (reinstall from
 scratch)

  Recreation of the domain as a whole from scratch is sadly *not* an
 option :(
 On https://wiki.samba.org/index.php/Backup_and_Recovery#General it is
 clearly stated that you shouldn't restore a DC from backup in a multi DC
 environment.
 Ok, my bad.

 Others DC have evolved since you backed up your data, and you cannot
 have synchronisation with the other DCs. It is not a Samba problem, but
 it is by design because the multi master replication between DCs.

 You should just re-install samba4 4.0.5 on your DC1 server, and then
 join it to the domain as a DC, it will synchronise and all will be back
 to normal.

 But how do i force remove the old server from domain ? (Windows tools
 and samba's net unjoin failed)
 Just re-join it with the same name, that does as much as we can do.  It
 isn't perfectly ideal, but it should be good enough. 

 Andrew Bartlett



Re: [Samba] Samba fsmo/demote/unjoin trouble after crash

2013-05-21 Thread Giedrius
Hi Andrew,
2013.05.21 00:46, Andrew Bartlett rašė:
 On Wed, 2013-05-15 at 10:09 +0300, Giedrius wrote:
 2013.05.14 18:48, Denis Cardon rašė:
 Hi Giedrius,

  i've got initial setup on DC1 (4.0.1)... all working good and
 flawless
  Added additional geographically distributed controllers (DC2, DC3,
 DC4,DC5) with 4.0.5 - no problem.
  All PC's can connect to their own site/DC

  Transferred all FSMO's to DC2  - transferred successfully (with
 seize error bug)
  DC1 crashed badly  during maintenance, SAMBA was updated to
 4.0.5, data restored from backup.

  Now, the problem is:
  1) DC1 sees itself as owner of all FSMO's, although DC[2,3,4,5]
 sees DC2 as owner of FSMO's
  2) DC1 is missing some users (created between backup and crash),
 wbinfo for these users return E_DOMAIN_NOT_FOUND
  3) Got decrypt integrity check failed errors, fixed with
 chtdcpass, which not results to Failed to find HOST$#DOMAIN(kvno)
 (client reboot seems to fix this)
  4) any attempt to replicate missing information from DC2/DC3 to
 DC1 (samba-tool drs replicate) results in errors after it (cannot find
 own NTDS)
  5) impossible to demote / unjoin server and provision from
 scratch - some DRS errors

  Question is:
  how can I change FSMO owner (ldbedit ?) on DC1 to be DC2 and
 then:
   a) replicate missing users (and computer trust accounts)
 to DC1
   b) force removing DC1 from domain for good ( reinstall from
 scratch )

  Domain as a whole recreation from scratch is sadly *not* an
 option :(

 On https://wiki.samba.org/index.php/Backup_and_Recovery#General it is
 clearly stated that you shouldn't restore a DC from backup in a multi DC
 environment.
 Ok, my bad.


 Other DCs have evolved since you backed up your data, and you cannot
 have synchronisation with the other DCs. It is not a Samba problem, but
 it is by design because of the multi master replication between DCs.

 You should just re-install samba4 4.0.5 on your DC1 server, and then
 join it to the domain as a DC, it will synchronise and all will be back
 to normal.

 But how do I force remove the old server from domain? (Windows tools
 and samba's net unjoin failed)
 
 Just re-join it with the same name, that does as much as we can do.  It
 isn't perfectly ideal, but it should be good enough. 
Ok, but something is still wrong: drs kcc gives this:
Wrong username or password: kinit for DC_NAME$@REALM failed
(Preauthentication failed)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Consistency check on hostname successful.

Some computers lost trust relationship - rejoin was necessary.
To be exact, somehow I have 2 DCs on the same site, but there never
were 2 of them. Some workstations try to use the other DC as a logon
server, although it is clearly offline and not announced on the LAN.
It helps if I set netbios aliases in smb.conf.

What should be done next? Launch another samba instance and join with
the other name ?

 
 Andrew Bartlett
 


Re: [Samba] Samba fsmo/demote/unjoin trouble after crash

2013-05-15 Thread Giedrius
2013.05.14 18:48, Denis Cardon wrote:
 Hi Giedrius,
 
  I've got initial setup on DC1 (4.0.1)... all working good and
 flawless
  Added additional geographically distributed controllers (DC2, DC3,
 DC4, DC5) with 4.0.5 - no problem.
  All PCs can connect to their own site/DC

  Transferred all FSMO's to DC2 - transferred successfully (with
 seize error bug)
  DC1 crashed badly during maintenance, SAMBA was updated to
 4.0.5, data restored from backup.

  Now, the problem is:
  1) DC1 sees itself as owner of all FSMO's, although DC[2,3,4,5]
 sees DC2 as owner of FSMO's
  2) DC1 is missing some users (created between backup and crash),
 wbinfo for these users return E_DOMAIN_NOT_FOUND
  3) Got decrypt integrity check failed errors, fixed with
 chtdcpass, which not results to Failed to find HOST$#DOMAIN(kvno)
 (client reboot seems to fix this)
  4) any attempt to replicate missing information from DC2/DC3 to
 DC1 (samba-tool drs replicate) results in errors after it (cannot find
 own NTDS)
  5) impossible to demote / unjoin server and provision from
 scratch - some DRS errors

  Question is:
  how can I change FSMO owner (ldbedit ?) on DC1 to be DC2 and
 then:
   a) replicate missing users (and computer trust accounts)
 to DC1
   b) force removing DC1 from domain for good ( reinstall from
 scratch )

  Domain as a whole recreation from scratch is sadly *not* an
 option :(
 
 On https://wiki.samba.org/index.php/Backup_and_Recovery#General it is
 clearly stated that you shouldn't restore a DC from backup in a multi DC
 environment.
Ok, my bad.

 
 Other DCs have evolved since you backed up your data, and you cannot
 have synchronisation with the other DCs. It is not a Samba problem, but
 it is by design because of the multi master replication between DCs.
 
 You should just re-install samba4 4.0.5 on your DC1 server, and then
 join it to the domain as a DC, it will synchronise and all will be back
 to normal.
 
But how do I force remove the old server from domain? (Windows tools
and samba's net unjoin failed)

 Cheers,
 
 Denis
 
 
 

 
 


[Samba] Samba fsmo/demote/unjoin trouble after crash

2013-05-13 Thread Giedrius
Hi all,
I've got initial setup on DC1 (4.0.1)... all working good and flawless
Added additional geographically distributed controllers (DC2, DC3,
DC4, DC5) with 4.0.5 - no problem.
All PCs can connect to their own site/DC

Transferred all FSMO's to DC2 - transferred successfully (with
seize error bug)
DC1 crashed badly during maintenance, SAMBA was updated to
4.0.5, data restored from backup.

Now, the problem is:
1) DC1 sees itself as owner of all FSMO's, although DC[2,3,4,5]
sees DC2 as owner of FSMO's
2) DC1 is missing some users (created between backup and crash),
wbinfo for these users return E_DOMAIN_NOT_FOUND
3) Got decrypt integrity check failed errors, fixed with
chtdcpass, which not results to Failed to find HOST$#DOMAIN(kvno)
(client reboot seems to fix this)
4) any attempt to replicate missing information from DC2/DC3 to
DC1 (samba-tool drs replicate) results in errors after it (cannot find
own NTDS)
5) impossible to demote / unjoin server and provision from
scratch - some DRS errors

Question is:
how can I change FSMO owner (ldbedit ?) on DC1 to be DC2 and then:
 a) replicate missing users (and computer trust accounts) to DC1
 b) force removing DC1 from domain for good ( reinstall from
scratch )

Domain as a whole recreation from scratch is sadly *not* an option :(
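The first symptom in the post above (DC1 naming itself as owner of every FSMO role while DC2 through DC5 all name DC2) is the classic signature of a DC restored from a stale backup. As an added example that is not code from the thread or from the Samba project, the Python script below takes the text of `samba-tool fsmo show` collected on each DC, parses the owner DNs, and reports every role on which the DCs disagree, singling out any DC that claims a role for itself against the majority. The DC names, the domain DN and the sample outputs are constructed for the example; in practice you would feed it the real output gathered from each DC.

```python
"""Cross-check FSMO role ownership as reported by several Samba AD DCs.

Feed it the text of `samba-tool fsmo show` collected on each DC. A DC that
was restored from an old backup will typically still name itself as owner,
while every other DC names the DC the roles were transferred to.
"""
import re
from collections import Counter

# One line of `samba-tool fsmo show` looks like:
#   PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,...
ROLE_LINE = re.compile(r"^(?P<role>\w+Role) owner: (?P<dn>.+)$")
NTDS_DN = re.compile(r"^CN=NTDS Settings,CN=(?P<dc>[^,]+),CN=Servers,", re.IGNORECASE)


def parse_fsmo_show(text):
    """Return {role_name: DC_NAME} parsed from one DC's `samba-tool fsmo show` output."""
    owners = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line.strip())
        if not m:
            continue  # blank lines or anything that is not a role line
        dn = NTDS_DN.match(m.group("dn"))
        if dn is None:
            raise ValueError("unexpected owner DN: %s" % m.group("dn"))
        owners[m.group("role")] = dn.group("dc").upper()
    return owners


def find_fsmo_disagreements(views):
    """views: {reporting_dc: fsmo_show_text}.

    Returns {role: {"majority": dc, "claims": {reporting_dc: owner},
                    "dissenting": [reporting_dc, ...]}} for every role on
    which the DCs do not agree. An empty dict means the views are consistent.
    """
    parsed = {dc.upper(): parse_fsmo_show(text) for dc, text in views.items()}
    roles = sorted(set().union(*parsed.values()))
    report = {}
    for role in roles:
        claims = {dc: owners.get(role) for dc, owners in parsed.items()}
        if len(set(claims.values())) <= 1:
            continue  # everybody agrees on this role
        majority = Counter(v for v in claims.values() if v).most_common(1)[0][0]
        report[role] = {
            "majority": majority,
            "claims": claims,
            "dissenting": sorted(dc for dc, v in claims.items() if v != majority),
        }
    return report


def self_claiming_dcs(report):
    """DCs that, against the majority, name themselves as role owner."""
    found = set()
    for entry in report.values():
        for dc in entry["dissenting"]:
            if entry["claims"][dc] == dc:
                found.add(dc)
    return found


# --- constructed sample data (not real output from the thread) ---------------
ROLES = ["SchemaMasterRole", "DomainNamingMasterRole", "PdcEmulationMasterRole",
         "RidAllocationMasterRole", "InfrastructureMasterRole"]


def _sample_fsmo_text(owner, domain_dn="DC=example,DC=com"):
    """Build sample output in the shape of `samba-tool fsmo show` (constructed)."""
    site = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration"
    return "\n".join(
        "%s owner: CN=NTDS Settings,CN=%s,%s,%s" % (role, owner, site, domain_dn)
        for role in ROLES)


# DC1 (restored from backup) still believes it owns everything; DC2..DC5
# report DC2, to which the roles were transferred before the crash.
SAMPLE_VIEWS = {"DC1": _sample_fsmo_text("DC1")}
SAMPLE_VIEWS.update((dc, _sample_fsmo_text("DC2")) for dc in ("DC2", "DC3", "DC4", "DC5"))

if __name__ == "__main__":
    report = find_fsmo_disagreements(SAMPLE_VIEWS)
    for role, entry in report.items():
        print("%s: majority says %s, dissenting: %s"
              % (role, entry["majority"], ", ".join(entry["dissenting"])))
    print("DCs claiming roles for themselves:", sorted(self_claiming_dcs(report)))
```

Run it against output collected from every DC before deciding which server to rebuild: a single DC that disagrees with all its replication partners and names itself as owner is the one whose directory copy is stale, and re-joining it under the same name, as suggested in the thread, is the way to bring it back in line.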