[Samba] Samba Active Directory Domain Controller

lingpanda101 lingpanda101 at gmail.com
Thu May 4 12:22:35 UTC 2017


On 5/4/2017 3:37 AM, Anantha Raghava wrote:
>
> Hello James,
>
> Thanks for your quick response.
>
> Find attached smb.conf file from DC1 and DC2. Also attached the screen 
> shot of the event viewer from the workstation.
>
> At the moment, we have brought down the DC3 and DC4 in another 
> location and observed that DC2 is unable to replicate get the 
> information from DC1 or send the information to DC1. It appears 
> replication is working in background but it is taking a long time. 
> When we try to use the samba-tool drs command, it throws errors.
>
> Also, randomly, users are not allowed to change their password. It 
> throws error like "either your password does not meet complexity, 
> length or history requirement". "Workstation relationship with Domain 
> is not trusted" is another error message that occasionally throws up.
>
> Another observation is even though PDC emulator and all FSMO roles are 
> with DC1, users are logged into DC2. Any change made to user 
> credential, above error is thrown. Output of FSMO role display from 
> DC1 is attached for your information.
>
> In our group policy, we have disabled complexity requirements, length 
> is set to 7 characters.
>
> There is no clear pattern to its behavior, making it difficult to 
> analyse the issue and fix them.
>
> Looking forward to your assistance in figuring out what is happening and 
> fixing it.
>
> 7000 people from nearly 700 locations use these domain controllers. 
> This is turning out to be a very critical issue.
>
> -- 
>
> Thanks & Regards,
>
>
> Anantha Raghava
>
> eXzaTech Consulting And Services Pvt. Ltd.
>
> On Thursday 04 May 2017 01:27 AM, lingpanda101 via samba wrote:
>> On 5/3/2017 2:00 PM, Anantha Raghava via samba wrote:
>>> Hello,
>>>
>>> I have implemented Samba as Active Directory Domain Controller with 
>>> Version 4.6.3 on CentOS 7.3, el-514. We have 4 domain controllers 
>>> named as DC1, DC2, DC3 and DC4. DC1 & 2 are in one location and DC3 
>>> & 4 are in a different location. DNS is SAMBA INTERNAL. All 4 
>>> servers are properly synchronizing and even GPO updates are working 
>>> properly with rsync process.
>>>
>>> However, of late we have been noticing that on some Windows XP with 
>>> Service Pack 3 and Windows 7 with Service Pack 1, after joining 
>>> domain, when user is logging in for the first time, as per policy, 
>>> the DC will force the user to change their password. When user 
>>> changes password, PC reports, cannot reach domain or your 
>>> relationship with DC is not trusted and it happens randomly for some 
>>> users.
>>> We are unable to figure out what's happening.
>>>
>>> Can someone guide us in figuring out and fixing this issue?
>>>
>>> Thanks in advance.
>>
>> Can you provide your smb.conf on one of your DC's? Are you able to 
>> look through event viewer on the workstation exhibiting the issue and 
>> see anything relevant?
>>
>
Real quick before I get around to looking at your attachments. I will 
advise you that password complexity requirements are handled by 
samba-tool and not GPOs. Issue the following command on your DCs to 
view them. They are also changed here as well.

'samba-tool domain passwordsettings show'

-- 
--
James
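
Added example, not part of the original message and not Samba's own code: a shell check that compares the settings a DC reports through samba-tool with the policy the administrators expect (complexity off and minimum length 7, as stated in the thread). The sample output is constructed, its "label: value" layout is an assumption about what the command prints, and the helper names `get_setting` and `check_policy` are hypothetical.

```shell
#!/bin/sh
# Added example: compare the password settings a DC reports with the policy
# the administrators believe is in force (complexity off, minimum length 7).

# Constructed sample of `samba-tool domain passwordsettings show` output.
# The "label: value" layout is an assumption; adjust the labels if your
# Samba version prints different ones.
sample_output() {
cat <<'EOF'
Password informations for domain 'DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
EOF
}

# get_setting LABEL: read settings text on stdin, print the value for LABEL.
get_setting() {
    awk -F': ' -v label="$1" '$1 == label { print $2; exit }'
}

# check_policy COMPLEXITY MIN_LENGTH: read settings on stdin, print one
# line per mismatch, return 1 if the DC disagrees with the expected policy.
check_policy() {
    settings=$(cat)
    rc=0
    actual=$(printf '%s\n' "$settings" | get_setting 'Password complexity')
    if [ "$actual" != "$1" ]; then
        echo "MISMATCH complexity: DC reports '$actual', expected '$1'"
        rc=1
    fi
    actual=$(printf '%s\n' "$settings" | get_setting 'Minimum password length')
    if [ "$actual" != "$2" ]; then
        echo "MISMATCH min length: DC reports '$actual', expected '$2'"
        rc=1
    fi
    return $rc
}

# On a DC: samba-tool domain passwordsettings show | check_policy off 7
sample_output | check_policy off 7 || true
```

Running the same check on every DC shows whether each one reports the values the administrators expect.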


