1
Directory and Authentication / Zentyal 6.2 Windows 11 24H2 GPO's not working
« on: October 22, 2024, 11:26:20 pm »
Windows 11 23H2 - Workstations Work Fine
24H2 - Authentication no issues but none of the GPOs are applied once logged in, drive mapping, UI customization etc...
From Admin Command Prompt
gpresult /r - Info: The user does not have RSoP Data.
gpupdate - ... lack of network connectivity to a domain controller.
I can ping domain controller but can not access the sysvol folder from a 24H2 machine, 23H2 no issues.
I think this is because NTLM authentication is disabled in 24H2.
Thoughts?
Edit: More Background. 80 computers, Windows 10 and 11 Workstations, only stations that are not working are the new ones I'm setting up for deployment. Trying to download a Windows 11 23H2 iso so I can revert these machines and start fresh but MS seems to be pushing 24H2 via windows updates. I've hit the delay Windows Updates switch on the machines to buy me some time.
Question: What version of Zentyal would I need to go to for this to work? The path from 6.2 to 7.0 didn't work so well. I'm at the point that I'd install 8.0 fresh on a server and move all workstations over so there is no need for a migration process.
2
Directory and Authentication / Re: Login into domain suddenly not possible anymore, but only from a single client
« on: July 19, 2023, 11:37:20 pm »
I was having a SAMBA issue with that exact MS Patch for Win 10 and I'm running Zentyal 6.1.6 - See post https://forum.zentyal.org/index.php/topic,35602.0.html
Thank you for providing a solution to my issue that presented in a very different way.
3
Directory and Authentication / [SOLVED] 0xc000018d STATUS_TRUSTED_RELATIONSHIP_FAILURE
« on: July 19, 2023, 01:47:18 am »
Description:
Zentyal 6.1.6 - Ubuntu 18.04.6 LTS
Modules - Network, Firewall, DNS, Logs, NTP, Domain Controller and File Sharing
System is apt-get updated and apt-get upgraded
Production Level Domain Controller only. 75 user license. 73 user accounts.
Running in a VM on an Unraid server that is not part of the domain.
Windows 10 computers joined to domain.
Other Unraid servers joined to domain as file servers.
No ebox packages.
Domain Controller is rebooted weekly and has been running flawlessly for over 2 years.
Hypothesis
Domain based issues with computer to computer authentication.
Specifics:
- Mounting a Windows Share <REMOTE COMPUTER> from a Slackware Linux based (Unraid) <SERVER> no longer works.
- Has been working for close to 2 years until now.
SYSLOG from Unraid Server
<SERVER> kernel: CIFS: Attempting to mount \\<REMOTE COMPUTER>\ServerData
<SERVER> kernel: CIFS: Status code returned 0xc000018d STATUS_TRUSTED_RELATIONSHIP_FAILURE
<SERVER> kernel: CIFS: VFS: \\<REMOTE COMPUTER> Send error in SessSetup = -5
<SERVER> kernel: CIFS: VFS: cifs_mount failed w/return code = -5
<SERVER> unassigned.devices: SMB 3.1.1 mount failed: 'mount error(5): Input/output error
The mounting script goes through SMB 3.0, 2.0 and 1.0 with the same error.
Looking up this error:
0xc000018d STATUS_TRUSTED_RELATIONSHIP_FAILURE
Comes up with this description.
The logon request failed because the trust relationship between this workstation and the primary domain failed.
Troubleshooting
Removing a couple of computers/servers from the domain and rejoining it doesn't fix this.
The same <REMOTE COMPUTER> (Windows 10) can connect to the Slackware Linux (Unraid) SMB share with no issues.
Two other Unraid servers with different versions of Unraid have the same issue.
Trying to manually make the connection from the command line generates the same error.
Non specific error code issues that might be related.
- Windows Remote Assistance stopped working unless initiated by end user.
- Been all through the Firewall issues.
- Remote Desktop does work.
- USB shared printers are acting like they are only capable of one way communication.
- Adding a shared USB printer works fine.
- Label printers that don't require bi-directional communication work.
- Been through all the Firewall is not the issues.
Things I've Done:
- do-release-upgrade caused a major issue. Failed to enable the MySQL service during upgrade. Failed. Reverted VM to previous state.
- Posted this in the Unraid forums as well.
- Looking for info on how to upgrade Zentyal to 6.2 or beyond and/or which order to upgrade the Ubuntu LTS Release.
- Creating a test environment for this VM tomorrow.
Please request any info you may need to help solve this. Thank you.
Win 10 update (KB5028166) - uninstall and re-apply - Fixed all my issues
Note: uninstalling the update then rebooting the system triggered installing the update before the login screen.
FALSE This did not happen. The update was removed and stayed removed, but it looks like it will re-install on the next run of Windows Update.
This has to do with a SAMBA bug. https://forum.zentyal.org/index.php/topic,35598.0.html
Fixed the following issues I was having.
- Unraid mounting an SMB share on a Windows 10 Workstation
- Remote Assistance now works when initiated remotely
- Shared bi-directional USB laser printer now works from remote workstations
The Actual Samba Bug - https://bugzilla.samba.org/show_bug.cgi?id=15418
SOLVED-ISH - There is no fix for Samba for Ubuntu 18.04.6 yet. Don't reapply KB5028166 until there is.
SOLVED Patch for 18.04 LTS Bionic - https://launchpad.net/~ahasenack/+archive/ubuntu/samba-kb5028166/
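A way to triage the syslog excerpt above when several servers and shares are involved, added here as an example and not part of the original post: it pairs each CIFS "Attempting to mount" line with the NT status that follows and lists the shares failing with 0xc000018d, separately from other failures such as bad credentials. The host names, share names and timestamps in the sample are constructed.

```shell
#!/bin/sh
# Constructed sample (hypothetical hosts tower, WS-042, WS-077) in the same
# kernel CIFS message format as the syslog excerpt in the post.
sample_log() {
cat <<'EOF'
Jul 18 20:01:02 tower kernel: CIFS: Attempting to mount \\WS-042\ServerData
Jul 18 20:01:02 tower kernel: CIFS: Status code returned 0xc000018d STATUS_TRUSTED_RELATIONSHIP_FAILURE
Jul 18 20:01:02 tower kernel: CIFS: VFS: \\WS-042 Send error in SessSetup = -5
Jul 18 20:01:02 tower kernel: CIFS: VFS: cifs_mount failed w/return code = -5
Jul 18 20:03:10 tower kernel: CIFS: Attempting to mount \\WS-077\Scans
Jul 18 20:03:10 tower kernel: CIFS: Status code returned 0xc000006d STATUS_LOGON_FAILURE
Jul 18 20:03:10 tower kernel: CIFS: VFS: \\WS-077 Send error in SessSetup = -13
Jul 18 20:05:44 tower kernel: CIFS: Attempting to mount \\WS-042\ServerData
Jul 18 20:05:44 tower kernel: CIFS: Status code returned 0xc000018d STATUS_TRUSTED_RELATIONSHIP_FAILURE
EOF
}

# cifs_failures: read syslog lines on stdin and print one tab-separated row
# per returned status: logging host, mount target, hex status, status name.
cifs_failures() {
    awk '
        BEGIN { OFS = "\t" }
        {
            # The logging host is the token right before "kernel:".
            host = "unknown-host"
            for (i = 2; i <= NF; i++)
                if ($i == "kernel:") host = $(i - 1)
        }
        /CIFS: Attempting to mount / {
            # Keep the whole UNC path, including share names with spaces.
            p = index($0, "Attempting to mount ")
            target[host] = substr($0, p + 20)
            next
        }
        /CIFS: Status code returned 0x/ {
            for (i = 1; i < NF; i++)
                if ($i == "returned") { code = $(i + 1); name = $(i + 2) }
            t = (host in target) ? target[host] : "unknown-target"
            print host, t, tolower(code), name
        }
    '
}

# trust_failure_targets: unique mount targets that answered with
# 0xc000018d (STATUS_TRUSTED_RELATIONSHIP_FAILURE).
trust_failure_targets() {
    cifs_failures | awk -F '\t' '$3 == "0xc000018d" { print $2 }' | sort -u
}

# Demo on the constructed sample; on a real server feed it the syslog file.
sample_log | trust_failure_targets
```

Running it before and after a change such as removing KB5028166 shows whether the same targets still return the trust failure.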
4
Directory and Authentication / [SOLVED] Initial User Login to Domain takes a long time.
« on: January 19, 2021, 11:06:39 pm »
I've come up with a solution but I'm not sure what the cause is.
Problem: User logging into a domain connection computer for the first time. (no profile on the machine, roaming or non-roaming profile doesn't matter)
User is presented with the "Hi, we are setting things up for you..." animation. This animation runs for 15 minutes or until the power management turns the screen off.
Then the user can log in. All subsequent logins are fast. Connecting for the first time via Remote Desktop Connection doesn't present the "Hi... " animation and logs in almost right away.
Solution: Use a GPO to disable the "Hi..." animation on login. First time logins directly on the machine go quickly.
Computer Configuration > Administrative Templates > System > Logon
Set the “Show First Sign-In Animation” option to “Disabled”
Zentyal Core 6.1.6 - Windows 10 Pro 2004, 1909, 1804 (tested broken and fixed)
Not sure if this is part of a bigger problem but I think it can be marked as solved.
5
Directory and Authentication / Re: Dead Primary DC, Working Secondary DC - How Create Primary again?
« on: January 19, 2021, 05:34:04 pm »
My system is too far gone. I was able to export the Users and Groups and the sysvol directory.
Rebuilding a new Primary Domain Controller, imported users and groups.
Note: Exporting doesn't sets user passwords to "password". If you have end user passwords, you can change them before import.
I was able to migrate user profiles to the remade domain by logging into the local workstation and using this tool:
User Profile Transfer Wizard
http://www.forensit.com/downloads.html
It also joins the new domain at the same time. Huge time saver.
I have my server running in a VM with snapshots replicating offsite. I've been able to roll back my DC as a test.
6
Installation and Upgrades / Re: Zentyal locks during boot
« on: January 04, 2021, 10:37:26 pm »
Same issue for me, but it starts complaining at BIND and this fix didn't work. I know this is an old dead topic but I'm dead in the water right now.
Rolling back the server to this morning didn't work.
<UPDATE> I had to roll the server WAY back to get it working again. I'm going to have to redo my system.
7
Directory and Authentication / Re: Dead Primary DC, Working Secondary DC - How Create Primary again?
« on: December 24, 2020, 12:40:42 am »
I was able to transfer the roles and demote the server as described.
Creating a new Secondary Domain Controller.
This will leave me in a position that I will never have a working Domain panel for a Primary Domain Controller. Hmmm....
Thank you for your help.
8
Directory and Authentication / Re: Dead Primary DC, Working Secondary DC - How Create Primary again?
« on: November 20, 2020, 10:19:58 pm »
Thank you for the response. Yes Backup but I need to take my own advice in that an untested backup is not a backup.
I had the PDC virtualized on a ZFS volume and my snapshots are corrupt, and so are my offsite replications.
This is very alarming with ZFS and something I'm looking into. The system my SDC is on is a different machine and doesn't have this issue.
Sorry if I was unclear about what caused the main issue but it wasn't the set expiry command, it was the "samba_upgradedns --dns-backend=local" then setting it back to BIND9_DLZ. I might have been able to save it if I ran "samba-tool domain exportkeytab dns.keytab --principal=dns-$(hostname)" first, but there were many other issues.
Regarding the dns.keytab fix - Worked like a charm. Thank you. "samba-tool domain exportkeytab dns.keytab --principal=dns-$(hostname)"
Domain Controller fix:
1. Show the list of who owns the roles by using:
samba-tool fsmo show
2. Seize all the FSMO roles to the SDC by running this command on the SDC:
samba-tool fsmo seize --role=all
3. Demote the broken domain controller - https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
4. Don't change anything in the Zentyal WebAdminconsole Domain Panel
5. Create a new SDC and join it to the domain.
Questions:
1. Is there a way to get the WebAdminconsole Domain Panel updated on the now PDC?
I will be backing up the SDC as is (via the Zentyal WebAdminconsole and a tested snapshot of the system) and will try this out over the weekend.
Will post the outcome.
Thank you, I've gone from panic to hope.
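A check to run before and after step 2 of the procedure above, added here as an example and not part of the original post: it reads "samba-tool fsmo show" output and reports any role whose owner is still the dead controller. The DC names pdc-old and sdc1, the domain example.lan and the sample listing are constructed, and the "<Role> owner: CN=NTDS Settings,CN=<DC>,CN=Servers,..." line format is an assumption about the tool's output.

```shell
#!/bin/sh
# Constructed sample of `samba-tool fsmo show` output for a hypothetical
# domain example.lan: five roles already on sdc1, two still on pdc-old.
sample_fsmo_show() {
cat <<'EOF'
SchemaMasterRole owner: CN=NTDS Settings,CN=SDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=SDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=SDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=SDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=PDC-OLD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=PDC-OLD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
EOF
}

# roles_owned_by DC_NAME: read the listing on stdin and print every role
# whose owner DN contains CN=<DC_NAME>,CN=Servers (case-insensitive).
roles_owned_by() {
    awk -v dc="$1" '
        / owner: / {
            owner = tolower($0)
            if (index(owner, ",cn=" tolower(dc) ",cn=servers,") > 0)
                print $1
        }
    '
}

# fsmo_seize_complete DEAD_DC: return 0 only if the listing on stdin has
# role lines and none names DEAD_DC; 1 if roles remain; 2 if unparseable.
fsmo_seize_complete() {
    listing=$(cat)
    total=$(printf '%s\n' "$listing" | grep -c ' owner: ' || true)
    if [ "$total" -eq 0 ]; then
        echo "no role lines found in input" >&2
        return 2
    fi
    left=$(printf '%s\n' "$listing" | roles_owned_by "$1")
    if [ -n "$left" ]; then
        printf 'still owned by %s:\n%s\n' "$1" "$left" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample. On the surviving DC the equivalent is:
#   samba-tool fsmo show | fsmo_seize_complete <dead DC name>
sample_fsmo_show | roles_owned_by pdc-old
```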
9
Directory and Authentication / Dead Primary DC, Working Secondary DC - How Create Primary again?
« on: November 20, 2020, 05:17:27 am »
Zentyal Version 6.1.6 running only as a domain controller / DNS server.
Primary and Secondary DNS Servers. NOT using roaming profiles. Have all my scripts and the workstation group policy backed up.
Problem 1: My Primary domain controller (PDC) is dead.
Secondary Domain Controller is functional (SDC), domain authentication is working. The license key is the only thing left of the PDC.
What do I need to do to create a new Primary Domain Controller for my domain so I don't lose all the user accounts, connected computers etc.?
I'm assuming turn the SDC into a PDC and create a new SDC, but documentation on that is mainly on migrating from a Windows PDC.
Problem 2: (which led to the dead PDC)
DNS not updating automatically. Got the following error after adding the noexpiry flag to the dns-<PDC> account.
Exit value: 1 at root command kinit -k -t /var/lib/samba/private/dns.keytab dns-zentyal failed.
Error output: kinit: Password incorrect
How do I properly set the password in the dns.keytab file to get DNS updating properly again?
Explanation of Problem 2:
The password for the dns-<PDC> was manually changed via the Users and Computer Management screen. The fix I found to reset the password on the dns-<PDC> account was the start of the cause of Problem 1.
THIS IS BAD DO NOT DO - (samba_upgradedns --dns-backend=local then back to BIND9_DLZ)
This is me putting down the shovel to get out of the hole. Thank you in advance.