Messages - peptoniET

1
Directory and Authentication / Re: AD Stop Working on Windows 11 22H2
« on: December 19, 2022, 06:38:28 pm »
Hello guys,

We have written a new entry in the official documentation where we propose a workaround until Zentyal 8.0 is released or Samba fixes the bug in Ubuntu 20.04. Below you have the links:

* English: https://doc.zentyal.org/en/workaround-windows11.html
* Spanish: https://doc.zentyal.org/es/workaround-windows11.html

For more information about the status of this issue and the comments from peptoniET, please, read the following answers.

* https://github.com/zentyal/zentyal/issues/2106#issuecomment-1302325083
* https://github.com/zentyal/zentyal/issues/2106#issuecomment-1302340821

Best regards, Daniel Joven.

So the workaround involves setting up an entire extra domain controller?
That seems more than a little ham-fisted to me.  :)

Samba cannot be just updated for this on a component level?

There's talk on backporting the fix on ubuntu:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1993934
We need to wait for this?

What is the timeline on Zentyal 8 currently?

I'm running into this right now but am currently just electing not to update to W11 22h2. I really feel there has to be a better way.

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1993934

Works like a charm, ty :D



Hi,

Did you just join the domain, or have you made a comprehensive test with GPO, Shares, Permissions, domain replication, etc.?

thank you.

2
Directory and Authentication / Re: AD Stop Working on Windows 11 22H2
« on: November 23, 2022, 07:07:35 am »
Hi,

For me, after a long research, feature and process testing, and more than 20 lab test migrations of my current systems (and after completing the first production transparent migration), my alternative is Univention (https://www.univention.com/).

Univention even has a plugin called adtakeover, that can migrate a whole domain (users, groups, passwords, etc.)
On their forums I noticed that you had some issues with the migration to Univention. You got no response there. Did you solve those issues? And if you did then how?

Hi, sorry for the delay.  I don't monitor this forum anymore...

Sure, I just made a simple script to correct the homedirectory attribute after migrating to Univention.  Just delete the attribute, save, insert attribute, save.


3
Directory and Authentication / Re: AD Stop Working on Windows 11 22H2
« on: November 03, 2022, 04:58:23 pm »
I know very little but I was able to join my newly upgraded to Win11pro computer to my Zentyal domain and fix the user bad password domain login problem by changing the local security policy encryption.  However, I found this on youtube related to Windows 11 and Zentyal CA certificates. Has anyone tried it?

https://www.youtube.com/watch?v=pme0LcVVQMA

Yes, changing some local policies allows joining the domain, but domain policies are not synchronized, and workstation DNS records are not updated, and maybe more things don't work.
This video is addressing a different problem.  It was posted 7 months ago, before Windows 11 version 22H2, so it is not addressing this problem.

The problem is that Zentyal has been left behind samba updates (samba already addressed and solved this problem at the beginning of 2022).

In Github, the developers argued that they are stuck with ubuntu 20.04 for the samba version.  But they could have done the same as other solutions, like Univention (which I am migrating to.  15 systems), which make WEEKLY updates to their system.

Not to mention the bugs that have been lying for months on github, or the pull requests people made with love, abandoned for years...  This is not proper open source.

For your information, Zentyal developers have already declared that they will not launch a new version of Zentyal until MAY 2023...  Although they claimed to prepare a patch... I really don't know how they will address this, if solution depends on a new version of Samba, which they say cannot be done on current Zentyal 7, based on Ubuntu 20.04

My advice: run away from Zentyal.  As quick as possible.  Don't waste your time on this.  I am a systems administrator.  I know what I am talking about.

Good luck to everyone.

But what is the alternative? I really don't want to use windows server so does that mean installing samba etc from scratch.

I have been contemplating rolling out Zentyal - but communication seems spotty and I've noticed a lot of unusual little problems in my testing.

As a concept Zentyal should be a winner, even just as an AD server / File Server which is my own use case, but there's no way I can justify paying for something that is lacking support.

Looks like I'm going to have to look further.

Cheers

Hi,

For me, after a long research, feature and process testing, and more than 20 lab test migrations of my current systems (and after completing the first production transparent migration), my alternative is Univention (https://www.univention.com/).

Univention even has a plugin called adtakeover, that can migrate a whole domain (users, groups, passwords, etc.)

4
Directory and Authentication / Re: AD Stop Working on Windows 11 22H2
« on: November 03, 2022, 01:34:28 pm »
I know very little but I was able to join my newly upgraded to Win11pro computer to my Zentyal domain and fix the user bad password domain login problem by changing the local security policy encryption.  However, I found this on youtube related to Windows 11 and Zentyal CA certificates. Has anyone tried it?

https://www.youtube.com/watch?v=pme0LcVVQMA

Yes, changing some local policies allows joining the domain, but domain policies are not synchronized, and workstation DNS records are not updated, and maybe more things don't work.
This video is addressing a different problem.  It was posted 7 months ago, before Windows 11 version 22H2, so it is not addressing this problem.

The problem is that Zentyal has been left behind samba updates (samba already addressed and solved this problem at the beginning of 2022).

In Github, the developers argued that they are stuck with ubuntu 20.04 for the samba version.  But they could have done the same as other solutions, like Univention (which I am migrating to.  15 systems), which make WEEKLY updates to their system.

Not to mention the bugs that have been lying for months on github, or the pull requests people made with love, abandoned for years...  This is not proper open source.

For your information, Zentyal developers have already declared that they will not launch a new version of Zentyal until MAY 2023...  Although they claimed to prepare a patch... I really don't know how they will address this, if solution depends on a new version of Samba, which they say cannot be done on current Zentyal 7, based on Ubuntu 20.04

My advice: run away from Zentyal.  As quick as possible.  Don't waste your time on this.  I am a systems administrator.  I know what I am talking about.

Good luck to everyone.

5
Directory and Authentication / Re: AD Stop Working on Windows 11 22H2
« on: October 08, 2022, 06:55:34 pm »
The problem seems to be in the Heimdal Kerberos module from samba prior to version 8.0
The problem was corrected in Heimdal version 8.0
Samba 4.16.0 apparently uses Heimdal version 8.0
Zentyal 7.0.2 still uses samba version 4.13.17...
A path to upgrade samba to, at least, 4.16 would be a possible solution.

https://old.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/iq0c2vo/

I opened a bug report on Github.

6
Directory and Authentication / Re: AD Stop Working on Windows 11 22H2
« on: October 07, 2022, 05:52:02 pm »
After joining the domain, network is not identified as "domain" but as "public".  No options to change to "domain", only to change to "private"

7
Directory and Authentication / Re: AD Stop Working on Windows 11 22H2
« on: October 07, 2022, 05:40:08 pm »
Apparently, dynamic DNS is also not working.  Client cannot update DNS register on Zentyal server (permission denied)

8
Directory and Authentication / Re: AD Stop Working on Windows 11 22H2
« on: October 07, 2022, 04:33:53 pm »
I can also confirm that GPO are not being applied.
Using gpupdate /force returns an error.

9
Directory and Authentication / Re: AD Stop Working on Windows 11 22H2
« on: October 07, 2022, 04:18:28 pm »
Hi,

The following link explains the path to the Local Security Path. I tested it and it is just a workaround, with that you can join the domain and use the share folders, however, the GPO does not work.

* https://lists.samba.org/archive/samba/2022-April/240502.html

--

“This world is ours, and by the Holy Light we will keep it safe, now and forever”.

I can confirm this workaround allows joining a Windows 11 22H2 to a Zentyal 7.0 domain.

10
Directory and Authentication / Re: AD Stop Working on Windows 11 22H2
« on: October 07, 2022, 04:07:27 pm »
Thank you very much.  With the correct path, I found the key.

This is bothering me a lot.  I have more than 10 Zentyal servers, some of them 6.2.

My main concern is the lack of information from the Zentyal developers, and the fact that they answer to every bug in GitHub with "We will add it to the roadmap".  A roadmap for correcting bugs...?  And last commit on GitHub was three months ago...?  They argued they were relocating to the U.S.A... Many months ago.  Very little activity since then.

Zentyal is a more or less reasonable solution.  Far from perfect, quite far...

I have never seen a samba version update inside a Zentyal version.  I am afraid we will have this bug lying around for a long time...  I managed to stop my Windows 11 from updating, but only allowed for 5 weeks from now...

11
Directory and Authentication / Re: AD Stop Working on Windows 11 22H2
« on: October 07, 2022, 11:54:59 am »
Workaround 2: In local security policies, network security > allow only DES encryption:

Please, could you elaborate on this configuration...? I cannot find the key you mention.
Thanks a lot in advance.

12
Directory and Authentication / Re: AD Stop Working on Windows 11 22H2
« on: October 07, 2022, 11:32:34 am »
Same problem here.  This seems huge...

13
Directory and Authentication / Re: samba audit?
« on: April 28, 2020, 08:44:12 am »
local7.*    /var/log/audit.log
& stop

14
Other modules / Re: DNS - user problem - restart
« on: February 08, 2019, 12:41:55 pm »
OK.

So, dns-SRV01 (in other cases dns-SERVERNAME) user had disappeared.  Why?  I will never know.  Certainly, nothing that I've done so far.

Hope this helps others.

To recreate:

Create user again
Code:
sudo samba-tool user create dns-SERVERNAME
Add user to dns admin group
Code:
sudo samba-tool group addmembers DnsAdmins dns-SERVERNAME
Rename dns.keytab file
Code:
sudo cp /var/lib/samba/private/dns.keytab /var/lib/samba/private/dns.keytab.old
Delete dns.keytab file
Code:
sudo rm /var/lib/samba/private/dns.keytab
Re-create dns.keytab file
Code:
sudo samba-tool domain exportkeytab --principal=DNS/SERVERNAME.DOMAINNAME.LAN /var/lib/samba/private/dns.keytab
sudo samba-tool domain exportkeytab --principal=dns-SERVERNAME@DOMAINNAME.LAN /var/lib/samba/private/dns.keytab

Add dns user credentials
Code:
sudo kinit -k -t /var/lib/samba/private/dns.keytab dns-SERVERNAME
View result file
Code:
sudo ktutil -v -k /var/lib/samba/private/dns.keytab list
Change group and permissions of the result file
Code:
sudo chmod 640 /var/lib/samba/private/dns.keytab
sudo chgrp bind /var/lib/samba/private/dns.keytab

After all these, DNS restart does not give any errors.
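
A check of the end state the procedure above should leave behind, added here as an example and not part of the original post or of Zentyal: the keytab holds both exported principals and is readable only by root and the bind group. The function names and the sample listing are hypothetical; GNU stat (as shipped with Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: verify the dns.keytab produced by the steps above.

# Return 0 when FILE has no "other" access, no group write/execute,
# and belongs to the expected group (given as a name or a numeric gid).
keytab_perms_ok() {
    file=$1
    want_group=$2
    mode=$(stat -c '%a' "$file") || return 2
    gid=$(stat -c '%g' "$file")
    gname=$(stat -c '%G' "$file")
    # 0037 (octal) = group write/execute plus every "other" bit
    if [ $(( 0$mode & 0037 )) -ne 0 ]; then
        echo "FAIL: $file mode $mode is broader than 640" >&2
        return 1
    fi
    if [ "$want_group" != "$gname" ] && [ "$want_group" != "$gid" ]; then
        echo "FAIL: $file group is $gname, expected $want_group" >&2
        return 1
    fi
    return 0
}

# Read a `ktutil list` listing on stdin; return 0 only if every
# principal passed as an argument appears in it.
keytab_has_principals() {
    listing=$(cat)
    missing=0
    for p in "$@"; do
        if ! printf '%s\n' "$listing" | grep -qF -- "$p"; then
            echo "MISSING: $p" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample listing (host and realm are placeholders).
SAMPLE_LISTING='/var/lib/samba/private/dns.keytab:

Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  DNS/srv01.example.lan@EXAMPLE.LAN
  1  aes256-cts-hmac-sha1-96  dns-SRV01@EXAMPLE.LAN'

# On the server, with the path and ktutil call used in the post:
#   sudo sh -c '. ./check.sh; keytab_perms_ok /var/lib/samba/private/dns.keytab bind'
#   sudo ktutil -v -k /var/lib/samba/private/dns.keytab list | \
#       keytab_has_principals "DNS/SERVERNAME.DOMAINNAME.LAN" "dns-SERVERNAME@DOMAINNAME.LAN"
```

A missing `dns-SERVERNAME` principal, or a keytab exported before the account was recreated, is the state in which `kinit -k` fails as in the error output quoted in the original question.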

15
Other modules / [SOLVED] DNS - user problem - restart
« on: February 08, 2019, 10:05:33 am »
This is the situation:

Installed Zentyal 6 as main domain controller SRV01
Installed Zentyal 6 on another machine as domain member SRV03
After installing domain member SRV03, restarting the DNS module on SRV01 from the web gui, yields error.

Error is:
Code:
2019/02/08 07:40:13 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/fP_eCW54tO failed.
2019/02/08 07:40:13 ERROR> Service.pm:969 EBox::Module::Service::restartService - Error restarting service: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/fP_eCW54tO failed.
Error output: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0).

Changes to DNS are saved and visible on web gui, but not really saved to DNS server.

On SRV01 "samba-tool user list" shows "dns-srv01" disappeared, but "dns-SRV03" exists!
On SRV03 "samba-tool user list" shows "dns-SRV03" exists.

Tried to create user "dns-srv01" on SRV01 and add it to "DnsAdmins" group with no luck, but error is different:
Code:
2019/02/08 09:24:08 ERROR> Service.pm:971 EBox::Module::Service::restartService - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-srv01 failed.
2019/02/08 09:24:08 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-srv01 failed.
Error output: kinit: Password incorrect
