Samba Active Directory Domain Controller

Samba Active Directory Domain Controller

Samba - General mailing list
Hello,

I have implemented Samba as an Active Directory Domain Controller with
Version 4.6.3 on CentOS 7.3, el-514. We have 4 domain controllers named
DC1, DC2, DC3 and DC4. DC1 & 2 are in one location and DC3 & 4 are in
a different location. DNS is SAMBA INTERNAL. All 4 servers are properly
synchronizing and even GPO updates are working properly with an rsync process.

However, of late we have been noticing that on some Windows XP with
Service Pack 3 and Windows 7 with Service Pack 1, after joining the domain,
when a user is logging in for the first time, as per policy, the DC will
force the user to change their password. When the user changes the password,
the PC reports "cannot reach domain" or "your relationship with DC is not
trusted", and it happens randomly for some users.
We are unable to figure out what's happening.

Can someone guide us in figuring out and fixing this issue?

Thanks in advance.
--

Thanks & Regards,


Anantha Raghava


DISCLAIMER:

This e-mail communication and any attachments may be privileged and
confidential to eXza Technology Consulting & Services, and are intended
only for the use of the recipients named above If you are not the
addressee you may not copy, forward, disclose or use any part of it. If
you have received this message in error, please delete it and all copies
from your system and notify the sender immediately by return e-mail.
Internet communications cannot be guaranteed to be timely, secure, error
or virus-free. The sender does not accept liability for any errors or
omissions.


Do not print this e-mail unless required. Save Paper & trees.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba Active Directory Domain Controller

Samba - General mailing list
On 5/3/2017 2:00 PM, Anantha Raghava via samba wrote:


Can you provide your smb.conf from one of your DCs? Are you able to look
through the Event Viewer on the workstation exhibiting the issue and see
anything relevant?

--
--
James



Re: Samba Active Directory Domain Controller

Samba - General mailing list
Hello James,

Thanks for your quick response.

Find attached the smb.conf files from DC1 and DC2. Also attached is a
screenshot of the Event Viewer from the workstation.

At the moment, we have brought down DC3 and DC4 in the other location
and observed that DC2 is unable to replicate, i.e. get information from
DC1 or send information to DC1. It appears replication is working in the
background but it is taking a long time. When we try to use the samba-tool
drs command, it throws errors.

Also, randomly, users are not allowed to change their password. It
throws an error like "either your password does not meet complexity, length
or history requirements". "Workstation relationship with Domain is not
trusted" is another error message that occasionally comes up.

Another observation is that even though the PDC emulator and all FSMO roles
are with DC1, users are logged into DC2. On any change made to user
credentials, the above error is thrown. The output of the FSMO role display
from DC1 is attached for your information.

In our group policy, we have disabled complexity requirements; the length is
set to 7 characters.

There is no clear pattern to this behaviour, making it difficult to
analyse the issue and fix it.

We look forward to your assistance in figuring out what is happening and
fixing it.

7000 people from nearly 700 locations use these domain controllers. This
is turning out to be a very critical issue.

--

Thanks & Regards,


Anantha Raghava

eXzaTech Consulting And Services Pvt. Ltd.


On Thursday 04 May 2017 01:27 AM, lingpanda101 via samba wrote:



Attachments: fsmo_show_from_dc2.txt (1K), fsmo_show_from_dc1.txt (1K),
dc2.smb.conf (422 bytes), dc1.smb.conf (678 bytes)

Re: Samba Active Directory Domain Controller

Samba - General mailing list
On 5/4/2017 3:37 AM, Anantha Raghava wrote:

Real quick, before I get around to looking at your attachments: I will
advise you that password complexity requirements are handled by
samba-tool and not GPOs. Issue the following command on your DCs to
view them. They are also changed here as well.

'samba-tool domain passwordsettings show'

--
--
James


Re: Samba Active Directory Domain Controller

Samba - General mailing list
Hi,

Let me just check this and revert back.

--

Thanks & Regards,


Anantha Raghava



On Thursday 04 May 2017 05:52 PM, lingpanda101 wrote:



Re: Samba Active Directory Domain Controller

Samba - General mailing list
On 5/4/2017 8:33 AM, Anantha Raghava wrote:

All DCs' smb.conf should include

'idmap_ldb:use rfc 2307 = yes'

if you provisioned the first with it. See
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

It also looks as if you are not using separate sites. Are all
these users and computers in the same location? If not, you should look
at setting up sites and services. See

https://wiki.samba.org/index.php/Active_Directory_Sites

It also appears the issue is with Windows XP clients only? Address the
first two issues above and report back.

--
--
James
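One way to check the two points James raises, as an added example that is not from the thread or from the Samba project: a Python script that parses constructed output of `samba-tool domain passwordsettings show` and constructed smb.conf [global] sections (the realm SAMDOM.EXAMPLE.COM is an assumed placeholder), reports where the policy the DC actually enforces differs from what was set in GPO, and flags DCs whose smb.conf lacks idmap_ldb:use rfc2307.

```python
import re

# Constructed sample of what `samba-tool domain passwordsettings show` prints;
# the values are typical provisioning defaults, not output from the thread's DCs.
SAMPLE_PASSWORDSETTINGS = """\
Password informations for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

# Constructed [global] sections for two DCs (assumed realm SAMDOM.EXAMPLE.COM):
# DC1 carries the RFC2307 idmap option from the thread, DC2 does not.
SAMPLE_SMBCONF = {
    "DC1": """\
[global]
        netbios name = DC1
        realm = SAMDOM.EXAMPLE.COM
        workgroup = SAMDOM
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
""",
    "DC2": """\
[global]
        netbios name = DC2
        realm = SAMDOM.EXAMPLE.COM
        workgroup = SAMDOM
        server role = active directory domain controller
""",
}


def parse_passwordsettings(text):
    """Map each 'Key: value' line of the passwordsettings output to a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def _norm(name):
    # Samba matches parameter names ignoring case and whitespace, so the
    # thread's "use rfc 2307" and the wiki's "use rfc2307" are the same option.
    return re.sub(r"\s+", "", name).lower()


def parse_smbconf_global(text):
    """Return the [global] parameters of an smb.conf with normalised names."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[_norm(key)] = value.strip()
    return params


def password_rejection_reasons(password, settings):
    """Reasons the live AD policy would reject a new password.

    Complexity is approximated by the Windows rule of at least three of the
    four classes upper/lower/digit/other; password history cannot be checked
    offline, so it is not covered here.
    """
    reasons = []
    if len(password) < int(settings.get("Minimum password length", "0")):
        reasons.append("length")
    if settings.get("Password complexity", "off") == "on":
        classes = (
            any(c.isupper() for c in password),
            any(c.islower() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        )
        if sum(classes) < 3:
            reasons.append("complexity")
    return reasons


def diagnose(pw_text, smbconfs, gpo_complexity, gpo_min_len):
    """Compare the enforced AD policy with the GPO the admin believes applies,
    and check that every DC agrees on idmap_ldb:use rfc2307."""
    findings = []
    live = parse_passwordsettings(pw_text)
    if live.get("Password complexity") != gpo_complexity:
        findings.append("complexity is %s in the AD policy but the GPO says %s; "
                        "the DC enforces the samba-tool setting"
                        % (live.get("Password complexity"), gpo_complexity))
    if int(live.get("Minimum password length", "0")) != gpo_min_len:
        findings.append("minimum length is %s in the AD policy but the GPO says %d"
                        % (live.get("Minimum password length"), gpo_min_len))
    rfc_key = _norm("idmap_ldb:use rfc2307")
    have = sorted(dc for dc, conf in smbconfs.items()
                  if parse_smbconf_global(conf).get(rfc_key, "").lower()
                  in ("yes", "true", "1"))
    lack = sorted(dc for dc in smbconfs if dc not in have)
    if have and lack:  # inconsistent across DCs, as James warns about
        findings.append("idmap_ldb:use rfc2307 = yes on %s but missing on %s"
                        % (", ".join(have), ", ".join(lack)))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_PASSWORDSETTINGS, SAMPLE_SMBCONF, "off", 7):
        print("FINDING:", finding)
```

On a real DC, feed it the output of `samba-tool domain passwordsettings show` and each DC's /etc/samba/smb.conf instead of the constructed samples.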


Re: Samba Active Directory Domain Controller

Samba - General mailing list
Thanks James. I will revert back.

--

Thanks & Regards,

Anantha Raghava



On Thursday 04 May 2017 06:15 PM, lingpanda101 wrote:



Re: Samba Active Directory Domain Controller

Samba - General mailing list
Hello James,

To your question "It also appears the issue is with Windows XP clients
only?" the answer is no. It happens even on Windows 7 workstations. We
have never tried to check this on Windows 8, 8.1 or Windows 10 workstations.

However, we will check and revert back on the suggestions you have given.

--

Thanks & Regards,


Anantha Raghava



On Thursday 04 May 2017 06:15 PM, lingpanda101 wrote:

> On 5/4/2017 8:33 AM, Anantha Raghava wrote:
>>
>> Hi,
>>
>> Let me just check this and revert back.
>>
>> --
>>
>> Thanks & Regards,
>>
>>
>> Anantha Raghava
>>
>>
>> DISCLAIMER:
>>
>> This e-mail communication and any attachments may be privileged and
>> confidential to eXza Technology Consulting & Services, and are
>> intended only for the use of the recipients named above If you are
>> not the addressee you may not copy, forward, disclose or use any part
>> of it. If you have received this message in error, please delete it
>> and all copies from your system and notify the sender immediately by
>> return e-mail. Internet communications cannot be guaranteed to be
>> timely, secure, error or virus-free. The sender does not accept
>> liability for any errors or omissions.
>>
>>
>> Do not print this e-mail unless required. Save Paper & trees.
>>
>> On Thursday 04 May 2017 05:52 PM, lingpanda101 wrote:
>>> On 5/4/2017 3:37 AM, Anantha Raghava wrote:
>>>>
>>>> Hello James,
>>>>
>>>> Thanks for your quick response.
>>>>
>>>> Find attached smb.conf file from DC1 and DC2. Also attached the
>>>> screen shot of the event viewer from the workstation.
>>>>
>>>> At the moment, we have brought down the DC3 and DC4 in another
>>>> location and observed that DC2 is unable to replicate get the
>>>> information from DC1 or send the information to DC1. It appears
>>>> replication is working in background but it is taking a long time.
>>>> When try to use samba-tool drs command, it throws errors.
>>>>
>>>> Also, randomly, users are not allowed to change their password. It
>>>> throws error like "either your password does not meet complexity,
>>>> length or history requirement". "Workstation relationship with
>>>> Domain is not trusted" is another error message that occasionally
>>>> throws up.
>>>>
>>>> Another observation is even though PDC emulator and all FSMO roles
>>>> are with DC1, users are logged into DC2. Any change made to user
>>>> credential, above error is thrown. Output of FSMO role display from
>>>> DC1 is attached for your information.
>>>>
>>>> In our group policy, we have disabled complexity requirements,
>>>> length is set to 7 characters.
>>>>
>>>> There is no clear pattern to its behavior, making it difficult to
>>>> analyse the issue and fix them.
>>>>
>>>> Look forward for your assistance in figuring out what is happening
>>>> and fixing it.
>>>>
>>>> 7000 People from nearly 700 location use these domain controllers.
>>>> This is turning out be very critical issue.
>>>>
>>>> --
>>>>
>>>> Thanks & Regards,
>>>>
>>>>
>>>> Anantha Raghava
>>>>
>>>> eXzaTech Consulting And Services Pvt. Ltd.
>>>>
>>>> On Thursday 04 May 2017 01:27 AM, lingpanda101 via samba wrote:
>>>>> On 5/3/2017 2:00 PM, Anantha Raghava via samba wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have implemented Samba as Active Directory Domain Controller
>>>>>> with Version 4.6.3 on CentOS 7.3, el-514. We have 4 domain
>>>>>> controllers named as DC1, DC2, DC3 and DC4. DC1 & 2 are in one
>>>>>> location and DC3 & 4 are in a different location. DNS is SAMBA
>>>>>> INTERNAL. All 4 servers are properly synchronizing and even GPO
>>>>>> updates are working properly with rsync process.
>>>>>>
>>>>>> However, off late we have been noticing that on some Windows XP
>>>>>> with Service Pack 3 and Windows 7 with Service Pack 1, after
>>>>>> joining domain, when user is logging in for the first time, as
>>>>>> per policy, the DC will force the user to change their password.
>>>>>> When user changes password, PC reports, cannot reach domain or
>>>>>> your relationship with DC is not trusted and it happens randomly
>>>>>> for some users.
>>>>>> We are unable to figure out what's happenning.
>>>>>>
>>>>>> Can some one guide us in figuring out and fixing this issue?
>>>>>>
>>>>>> Thanks in advance.
>>>>>
>>>>> Can you provide your smb.conf on one of your DC's? Are you able to
>>>>> look through event viewer on the workstation exhibiting the issue
>>>>> and see anything relevant?
>>>>>
>>>>
>>> Real quick before I get around to looking at your attachments. I
>>> will advise you that password complexity requirements are handled by
>>> samba-tool and not GPO's. Issue the following command on your DC's
>>> to view them. They are also changed here as well.
>>>
>>> 'samba-tool domain passwordsettings show'
>>>
>>> --
>>> --
>>> James
>>
> All DC's smb.conf should include
>
> 'idmap_ldb:use rfc 2307 = yes'
>
> if you provisioned the first with it. See
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>
> It also looks as if you are not using separate sites. Are all
> these users and computers in the same location? If not you should look
> at setting up sites and services. See
>
> https://wiki.samba.org/index.php/Active_Directory_Sites
>
> It also appears the issue is with Windows XP clients only? Address the
> first two issues above and report back.
>
> --
> --
> James


Re: Samba Active Directory Domain Controller

Samba - General mailing list
Hello James,

Even after setting rfc2307 in smb.conf, the replication error continues
and the password change error continues. The error thrown while forcing
replication is shown below.

-------------------------------------------------------------------
Even after setting RFC2307, DC2 is not getting synced from DC1. A
connection time-out error comes up.

#samba-tool drs replicate DC2.KTKBANKLTD.COM DC1.KTKBANKLTD.COM
DC=ForestDnsZones,DC=KTKBANKLTD,DC=COM

Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:172.20.107.31[1024,seal,target_hostname=DC2.KTKBANKLTD.COM,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.20.107.31]
NT_STATUS_IO_TIMEOUT
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
DC2.KTKBANKLTD.COM failed - drsException:
DRS connection to DC2.KTKBANKLTD.COM failed:
(-1073741643, '{Device Timeout} The specified I/O operation on %hs was
not completed before the time-out period expired.')
   File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py",
line 41, in drsuapi_connect
     (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
   File
"/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py",
line 54, in drsuapi_connect
     raise drsException("DRS connection to %s failed: %s" % (server, e))
----------------------------------------------------------------------

Also, as you had suggested, we have run the command 'samba-tool domain
passwordsettings show'
----------------------------------------------------------------------
Before modification:

Password informations for domain 'DC=ktkbankltd,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
----------------------------------------------------------------------------------
Password information for domain after modification using samba-tool:

Password informations for domain 'DC=ktkbankltd,DC=com'

Password complexity: off
Store plaintext passwords: off
Password history length: 3
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 60
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
---------------------------------------------------------------------------------

When we reset the password policy using samba-tool, after about 10
minutes, the policy comes to DC2 from DC1 and users are allowed to
change their password. Now we have disabled the GPO for Password settings.

I feel that, probably due to this replication issue, the DB is becoming
inconsistent and errors are being thrown. Also, DNS errors appear to
exist in the Domain Controllers. We are using INTERNAL DNS which is
adding to the problem.

Request you to help us in solving this issue.

--

Thanks & Regards,


Anantha Raghava




Re: Samba Active Directory Domain Controller

Samba - General mailing list
On 5/5/2017 11:08 AM, Anantha Raghava wrote:

The error on replication is

failed: (-1073741643, '{Device Timeout} The specified I/O operation on
%hs was not completed before the time-out period expired

Are DC1 and DC2 in the same geographical location? Can you post the
results of

'samba-tool drs showrepl' from DC1 and DC2?

It also appears you are missing

'dns forwarder ='

in DC2 smb.conf

I see you commented this out of DC1

#interfaces = 127.0.0.1 172.20.107.30

I would verify you have correctly assigned the proper hostname and
static IP's on each DC. Can you run this command again and append -d 4?
This will provide additional debug info.


'samba-tool drs replicate DC2.KTKBANKLTD.COM DC1.KTKBANKLTD.COM
DC=ForestDnsZones,DC=KTKBANKLTD,DC=COM -d 4'

I'm also unclear from your message if you are still having password
issues or not.




--
--
James


Re: Samba Active Directory Domain Controller

Samba - General mailing list
Hello James,

To your questions:

*"Are DC1 and DC2 in the same geographical location?"*

     Yes, they are in same location, & they are in the same subnet as well.

*"I'm also unclear from your message if you are still having password
issues or not."*

It appears to have been resolved. When we randomly checked, users were
able to change their passwords. However, logging in with new passwords
was taking some time.

*"It also appears you are missing 'dns forwarder =' in DC2 smb.conf"*

As we understand, the dns forwarder is only used for resolving the
names that are not in Internal DNS A Records right? Now the forwarder
DNS will not have DC1 or DC2 records. Should it not resolve internally?
We even changed the nameserver in resolv.conf, put the IP of DC1 and DC2
both there, same error appears.

     Even on DC1, when we use nslookup to check the dns forwarding, it
returns an error confirming that it is not forwarding.

I will share the output of the command you mentioned and also the output
of nslookup from both DC1 and DC2.

--

Thanks & Regards,


Anantha Raghava


On Friday 05 May 2017 09:03 PM, lingpanda101 wrote:


Re: Samba Active Directory Domain Controller

Samba - General mailing list
On 5/5/2017 10:56 PM, Anantha Raghava wrote:


> "It also appears you are missing 'dns forwarder =' in DC2 smb.conf"
>
> As we understand, the dns forwarder is only used for resolving the
> names that are not in Internal DNS A Records right? Now the forwarder
> DNS will not have DC1 or DC2 records. Should it not resolve internally?
> We even changed the nameserver in resolv.conf, put the IP of DC1 and DC2
> both there, same error appears.
>
> Even on DC1, when we use nslookup to check the dns forwarding, it
> returns an error confirming that it is not forwarding.
To your answer above;

Correct, among other internal records such as AAAA, CNAME etc. However if
DC1 goes down, clients connecting to DC2 will not be able to resolve
queries needing to be forwarded.

Resolv.conf should contain the IP's of DC1 and DC2. Some debate on which
should go first. Just make sure they both exist.

Using the internal DNS should be fine. It's recommended to use bind for
complex dns requirements.

> On DC2, it appears to look for lmhosts file, which does not exist.
> Should one create a lmhost file?

To your question above;

You do not need to create an lmhosts file. However you can create one to
simply make the error go away.


> DNS forwarder is not working at all.

To your statement above;

Add the dns forwarder line in DC2 as I suggested. Configure it to point
to google dns(8.8.8.8) or another IP that does public DNS resolution.

I would verify your hosts file is set up correctly. From the Wiki:

"Verify that the /etc/hosts file on the DC correctly resolves the
fully-qualified domain name (FQDN) and short host name to the LAN IP
address of the DC. For example:

    127.0.0.1     localhost localhost.localdomain
    10.99.0.1     DC1.samdom.example.com     DC1

The host name and FQDN must not resolve to the 127.0.0.1 IP address or
any other IP address than the one used on the LAN interface of the DC."

Verify resolv.conf is configured correctly. From the Wiki again:

"Disable tools, such as resolvconf, that automatically update your
/etc/resolv.conf DNS resolver configuration file. Active Directory (AD)
DCs and domain members must use a DNS server that is able to resolve
the AD DNS zones."

I can't recall where to configure the resolv.conf on CentOS. Maybe
someone else can chime in. I'm using Ubuntu Server.



--
--
James
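The hosts file, resolv.conf and 'dns forwarder' checks James lists above, as an added example in Python that is not code from the thread or from the Samba project; the DC name DC1.samdom.example.com, the 10.99.0.x addresses and all file contents are constructed samples modelled on the wiki excerpt.

```python
"""Name-resolution sanity checks for a Samba AD DC (added example, not code
from the thread or the Samba project).  Covers the three items James asks
to have verified: /etc/hosts maps the FQDN and short name to the LAN IP
(never loopback), /etc/resolv.conf lists only AD DCs, and smb.conf has a
'dns forwarder'.  File contents below are constructed samples modelled on
the wiki excerpt."""
import ipaddress
import re


def _fields(line):
    """Split a config line into fields, ignoring '#' comments."""
    return line.split("#", 1)[0].split()


def check_hosts(hosts_text, fqdn, lan_ip):
    """Wiki rule: FQDN and short host name must resolve to the LAN IP, not to
    127.0.0.1 or anything else.  Like glibc, the first matching line wins."""
    first_ip_for = {}
    for raw in hosts_text.splitlines():
        fields = _fields(raw)
        for name in fields[1:]:
            first_ip_for.setdefault(name.lower(), fields[0])
    problems = []
    for name in (fqdn.lower(), fqdn.split(".", 1)[0].lower()):
        ip = first_ip_for.get(name)
        if ip is None:
            problems.append(f"hosts: {name} is not listed")
        elif ipaddress.ip_address(ip).is_loopback:
            problems.append(f"hosts: {name} resolves to loopback {ip}, must be {lan_ip}")
        elif ip != lan_ip:
            problems.append(f"hosts: {name} resolves to {ip}, expected LAN IP {lan_ip}")
    return problems


def check_resolv_conf(resolv_text, dc_ips):
    """Only the DCs serve the AD zones, and both DCs should be listed so one
    can stand in for the other (James's point)."""
    nameservers = [f[1] for f in map(_fields, resolv_text.splitlines())
                   if len(f) == 2 and f[0] == "nameserver"]
    problems = [f"resolv.conf: nameserver {ns} is not an AD DC"
                for ns in nameservers if ns not in dc_ips]
    problems += [f"resolv.conf: DC {ip} is not listed, no fallback if the other DC is down"
                 for ip in dc_ips if ip not in nameservers]
    if not nameservers:
        problems.append("resolv.conf: no nameserver entries")
    return problems


# smb.conf parameter names are case-insensitive and ignore internal spaces.
_FORWARDER_RE = re.compile(r"^\s*dns\s*forwarder\s*=\s*(\S.*)?$", re.I)
_COMMENTED_INTERFACES_RE = re.compile(r"^\s*[#;]\s*interfaces\s*=", re.I)


def check_smb_conf(smb_conf_text):
    """Missing/empty 'dns forwarder' (James's finding on DC2) and a
    commented-out 'interfaces' line (his finding on DC1)."""
    forwarder, commented_interfaces = None, False
    for raw in smb_conf_text.splitlines():
        m = _FORWARDER_RE.match(raw)
        if m:
            forwarder = (m.group(1) or "").strip()
        if _COMMENTED_INTERFACES_RE.match(raw):
            commented_interfaces = True
    problems = []
    if forwarder is None:
        problems.append("smb.conf: no 'dns forwarder', names outside the AD zones "
                        "will not resolve through this DC")
    elif not forwarder:
        problems.append("smb.conf: 'dns forwarder' is present but empty")
    if commented_interfaces:
        problems.append("smb.conf: 'interfaces' is commented out, Samba binds to all interfaces")
    return problems


# Constructed samples: hypothetical DC1 of samdom.example.com at 10.99.0.1.
HOSTS_OK = ("127.0.0.1     localhost localhost.localdomain\n"
            "10.99.0.1     DC1.samdom.example.com     DC1\n")
HOSTS_LOOPBACK = "127.0.0.1   localhost DC1.samdom.example.com DC1\n" + HOSTS_OK
RESOLV_OK = "search samdom.example.com\nnameserver 10.99.0.1\nnameserver 10.99.0.2\n"
SMB_CONF_DC1 = ("[global]\n    realm = SAMDOM.EXAMPLE.COM\n"
                "    server role = active directory domain controller\n"
                "    #interfaces = 127.0.0.1 10.99.0.1\n")


def run_all(hosts_text, resolv_text, smb_conf_text, fqdn, lan_ip, dc_ips):
    """Every finding for one DC, in file order."""
    return (check_hosts(hosts_text, fqdn, lan_ip)
            + check_resolv_conf(resolv_text, dc_ips)
            + check_smb_conf(smb_conf_text))


if __name__ == "__main__":
    for finding in run_all(HOSTS_LOOPBACK, RESOLV_OK, SMB_CONF_DC1,
                           "DC1.samdom.example.com", "10.99.0.1",
                           ["10.99.0.1", "10.99.0.2"]):
        print("PROBLEM:", finding)
```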


Re: Samba Active Directory Domain Controller

Samba - General mailing list
On Mon, 8 May 2017 09:42:34 -0400
lingpanda101 via samba <[hidden email]> wrote:

>
> Verify resolv.conf is configured correctly. From the Wiki again.
>
> /Disable tools, such as resolvconf, that automatically update your
> /etc/resolv.conf DNS resolver configuration file. Active Directory
> (AD) DCs and domain members must use an DNS server that is able to
> resolve the AD DNS zones./
>
> I can't recall where to configure the resolv.conf on CentOS. Maybe
> someone else can chime in. I'm using Ubuntu Server.
>

I recently set up a Samba server with a fixed IP and had problems with
resolv.conf being overwritten. I removed resolvconf and that is where
my problems really started.

It seems that you cannot create a new /etc/resolv.conf (well, I
couldn't). I ended up recursively copying everything in /etc to /etc1.
I then created /etc1/resolv.conf and then copied /etc1 over /etc. This
worked and survived a reboot. I am sure that there must be a better
way to do this, but I couldn't easily find one and I was just testing
something. YMMV

Rowland


 



Re: Samba Active Directory Domain Controller

Samba - General mailing list
>It seems that you cannot create a new /etc/resolv.conf ..

Did you remove resolvconf with apt-get remove --purge resolvconf?
That should have restored the static resolv.conf back.

Or just make use of resolvconf,
Debian/ubuntu : just correctly configure interfaces.

/etc/network/interfaces

        auto eth0
        allow-hotplug eth0
        iface eth0 inet static
        address 10.0.0.11
        netmask 255.255.255.0
        gateway 10.0.0.254
        dns-search your.domain.tld
        dns-nameservers 10.0.0.1 10.0.0.2


And you're done.

PS. Do not add gateway or dns to an alias interface.


Greetz,

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Rowland Penny via samba
> Sent: Monday 8 May 2017 16:35
> To: [hidden email]
> Subject: Re: [Samba] Samba Active Directory Domain Controller
>
> On Mon, 8 May 2017 09:42:34 -0400
> lingpanda101 via samba <[hidden email]> wrote:
>
> >
> > Verify resolv.conf is configured correctly. From the Wiki again.
> >
> > /Disable tools, such as resolvconf, that automatically update your
> > /etc/resolv.conf DNS resolver configuration file. Active Directory
> > (AD) DCs and domain members must use an DNS server that is able to
> > resolve the AD DNS zones./
> >
> > I can't recall where to configure the resolv.conf on CentOS. Maybe
> > someone else can chime in. I'm using Ubuntu Server.
> >
>
> I recently setup a Samba server with a fixed IP and had
> problems with resolv.conf being overwritten. I removed
> resolvconf and that is where my problems really started.
>
> It seems that you cannot create a new /etc/resolv.conf (well,
> I couldn't). I ended up recursively copying everything in /etc
> to /etc1. I then created /etc1/resolv.conf and then copied
> /etc1 over /etc. This worked and survived a reboot. I am sure
> that there must be a better way to do this, but I couldn't
> easily find one and I was just testing something. YMMV
>
> Rowland
>
>
>  
>
>



Re: Samba Active Directory Domain Controller

Samba - General mailing list
On Mon, 8 May 2017 16:50:55 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> >It seems that you cannot create a new /etc/resolv.conf ..
>
> Did you remove resolvconf with apt-get remove --purge resolvconf?
> That should have restored the static resolv.conf back.

Well no, I didn't, but then again this was on CentOS 7.3; it wasn't
anything to do with resolvconf, I couldn't create any new file in /etc.

I just wanted to test something so, more out of desperation than
anything, I tried the 'mkdir /etc1' trick and it worked.

Rowland


Re: Samba Active Directory Domain Controller

Samba - General mailing list
On 2017-05-08 10:39, Rowland Penny via samba wrote:

> On Mon, 8 May 2017 16:50:55 +0200
> "L.P.H. van Belle via samba" <[hidden email]> wrote:
>
> It seems that you cannot create a new /etc/resolv.conf ..
> Did you remove resolvconf with apt-get remove --purge resolvconf?
> That should have restored the static resolv.conf back.

Well no, I didn't, but then again this was on CentOS 7.3; it wasn't
anything to do with resolvconf, I couldn't create any new file in /etc.

I just wanted to test something so, more out of desperation than
anything, I tried the 'mkdir /etc1' trick and it worked.

Rowland

You may or may not remember that I use Ubuntu server for my Samba DCs.


Not much time but, I remember that users need to add "dns-nameservers"
and "dns-search" (for local domain) parameters to the
/etc/network/interfaces file and that populates the /etc/resolv.conf
file properly. Tricky but documented somewhere on Ubuntu.

(Yes, I know, not the Debian way but rather the Ubuntu way of doing
this.)

--
_______________________________

Bob Wooden of Donelson Trophy

Re: Samba Active Directory Domain Controller

Samba - General mailing list
On Mon, 08 May 2017 11:36:17 -0500
Bob of Donelson Trophy via samba <[hidden email]> wrote:

> On 2017-05-08 10:39, Rowland Penny via samba wrote:
>
> > On Mon, 8 May 2017 16:50:55 +0200
> > "L.P.H. van Belle via samba" <[hidden email]> wrote:
> >
> > It seems that you cannot create a new /etc/resolv.conf ..
> > Did you remove resolvconf with apt-get remove --purge resolvconf?
> > That should have restored the static resolv.conf back.
>
> Well no, I didn't, but then again this was on CentOS 7.3; it wasn't
> anything to do with resolvconf, I couldn't create any new file
> in /etc.
>
> I just wanted to test something so, more out of desperation than
> anything, I tried the 'mkdir /etc1' trick and it worked.
>
> Rowland
>
> You may or may not remember that I use Ubuntu server for my Samba
> DCs.
>
>
> Not much time but, I remember that users need to add "dns-nameservers"
> and "dns-search" (for local domain) parameters to the
> /etc/network/interfaces file and that populates the /etc/resolv.conf
> file properly. Tricky but documented somewhere on Ubuntu.
>
> (Yes, I know, not the Debian way but rather the Ubuntu way of doing
> this.)
>

Yes, but you should be able to at least add something
to /etc/resolv.conf, even if it will be overwritten at a later point. I
couldn't even do this on CentOS 7.3. I spent more time getting
resolv.conf to work the way I wanted it to, than doing what I wanted
to test ;-)

Rowland
 


Re: Samba Active Directory Domain Controller

Samba - General mailing list
On 2017-05-08 11:47, Rowland Penny via samba wrote:

> On Mon, 08 May 2017 11:36:17 -0500
> Bob of Donelson Trophy via samba <[hidden email]> wrote:
>
> On 2017-05-08 10:39, Rowland Penny via samba wrote:
>
> On Mon, 8 May 2017 16:50:55 +0200
> "L.P.H. van Belle via samba" <[hidden email]> wrote:
>
> It seems that you cannot create a new /etc/resolv.conf ..
> Did you remove resolvconf with apt-get remove --purge resolvconf?
> That should have restored the static resolv.conf back.
> Well no, I didn't, but then again this was on CentOS 7.3; it wasn't
> anything to do with resolvconf, I couldn't create any new file
> in /etc.
>
> I just wanted to test something so, more out of desperation than
> anything, I tried the 'mkdir /etc1' trick and it worked.
>
> Rowland
>
> You may or may not remember that I use Ubuntu server for my Samba
> DCs.
>
> Not much time but, I remember that users need to add "dns-nameservers"
> and "dns-search" (for local domain) parameters to the
> /etc/network/interfaces file and that populates the /etc/resolv.conf
> file properly. Tricky but documented somewhere on Ubuntu.
>
> (Yes, I know, not the Debian way but rather the Ubuntu way of doing
> this.)

Yes, but you should be able to at least add something
to /etc/resolv.conf, even if it will be overwritten at a later point. I
couldn't even do this on CentOS 7.3. I spent more time getting
resolv.conf to work the way I wanted it to, than doing what I wanted
to test ;-)

Rowland

Yes, add it to the /etc/network/interfaces and Ubuntu does the rest.

Once I discovered this worked, it went much easier and worked like a
charm, as they say . . however, they are.

--
_______________________________

Bob Wooden of Donelson Trophy

Re: Samba Active Directory Domain Controller

Samba - General mailing list
On 5/8/2017 12:57 PM, Bob of Donelson Trophy via samba wrote:

> On 2017-05-08 11:47, Rowland Penny via samba wrote:
>
>> On Mon, 08 May 2017 11:36:17 -0500
>> Bob of Donelson Trophy via samba <[hidden email]> wrote:
>>
>> On 2017-05-08 10:39, Rowland Penny via samba wrote:
>>
>> On Mon, 8 May 2017 16:50:55 +0200
>> "L.P.H. van Belle via samba" <[hidden email]> wrote:
>>
>> It seems that you cannot create a new /etc/resolv.conf ..
>> Did you remove resolvconf with apt-get remove --purge resolvconf?
>> That should have restored the static resolv.conf back.
>> Well no, I didn't, but then again this was on CentOS 7.3; it wasn't
>> anything to do with resolvconf, I couldn't create any new file
>> in /etc.
>>
>> I just wanted to test something so, more out of desperation than
>> anything, I tried the 'mkdir /etc1' trick and it worked.
>>
>> Rowland
>>
>> You may or may not remember that I use Ubuntu server for my Samba
>> DCs.
>>
>> Not much time but, I remember that users need to add "dns-nameservers"
>> and "dns-search" (for local domain) parameters to the
>> /etc/network/interfaces file and that populates the /etc/resolv.conf
>> file properly. Tricky but documented somewhere on Ubuntu.
>>
>> (Yes, I know, not the Debian way but rather the Ubuntu way of doing
>> this.)
> Yes, but you should be able to at least add something
> to /etc/resolv.conf, even if it will be overwritten at a later point. I
> couldn't even do this on CentOS 7.3. I spent more time getting
> resolv.conf to work the way I wanted it to, than doing what I wanted
> to test ;-)
>
> Rowland
>
> Yes, add it to the /etc/network/interfaces and Ubuntu does the rest.
>
> Once I discovered this worked, it went much easier and worked like a
> charm, as they say . . however, they are.
>
I believe Rowland is speaking specifically to CentOS 7.3 and not Ubuntu.
CentOS requires network config changes in

/etc/sysconfig/network-scripts/ifcfg-"Your Interface"

I can't recall where in CentOS to make changes to resolv.conf.

--
James



Re: Samba Active Directory Domain Controller

Samba - General mailing list
On Mon, 8 May 2017 13:29:02 -0400
lingpanda101 via samba <[hidden email]> wrote:

> >
> I believe Rowland is speaking specifically to CentOS 7.3 and not
> Ubuntu. CentOS requires network config changes in
>
> /etc/sysconfig/network-scripts/ifcfg-"Your Interface"
>
> I can't recall where in CentOS to make changes to resolv.conf.
>

What I was trying to point out was that I couldn't change anything
in /etc on CentOS 7.3; I wasn't allowed to. I couldn't change something
on my own computer because somebody, somewhere has decided I shouldn't.
I can guess what it is, but without in-depth investigation, I cannot
point the finger at anything.

All I wanted to do was change the nameserver, but, as I said, I wasn't
allowed to.

I would also like to point out I know where to put the settings, if I
am changing them permanently, even on a raspberry pi ;-)

Rowland
 
