[Samba] Invalid zone operation IsSigned ERROR

Rowland Penny rpenny at samba.org
Tue May 22 16:21:56 UTC 2018


On Tue, 22 May 2018 11:00:05 -0500
rschiefer at suturehealth.com wrote:

> The xxxx.com is just sanitization of our logs/data.

You posted a samba-tool command; the '<http://xxxx.com>' shouldn't be
part of the command.

> 
> Here you go:
> 
> --------------------------------------------------
> # Global parameters
> [global]
>         workgroup = xxxx
>         realm = xxxx.com
>         netbios name = DC-1
>         server role = active directory domain controller
>         server services = dns, dnsupdate, drepl, kcc, kdc, ldap, cldap, nbt, drepl, wrepl, rpc, s3fs, winbindd

Where did 'ntp_signd' go to?
Just remove the line and it will come back ;-)

>         allow dns updates = nonsecure
>         dns forwarder = 8.8.4.4
>         idmap_ldb:use rfc2307 = yes
> 
>         kerberos method = secrets and keytab
>         ldap server require strong auth = no
>         client ldap sasl wrapping = plain
> 
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
> 
>         logging = syslog at 1
>         log level = 1
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/xxxx.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> --------------------------------------------------
> # Global parameters
> [global]
>         workgroup = xxxx
>         realm = xxxx.com
>         netbios name = IDENTITY-C01
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
>         idman_ldb:use rfc2307 = yes

That should be 'idmap_ldb'

> 
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
> 
>         ldap server require strong auth = no
> 
>         log level = 1
>         syslog = 1
>         syslog only = yes
> 
>         idmap config *:backend = rid
>         idmap config *:range = 5000-100000
>         #idmap config xxxx:backend = rid
>         #idmap config xxxx:range = 2000-999999
>         #idmap backend = idmap_rid:xxxx=2000-999999
>         #idmap uid = 2000-999900
>         #idmap gid = 2000-999999

Remove all the 'idmap config' lines; they have no place on a DC.

>         winbind use default domain = yes

The above doesn't work on a DC

>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind nested groups = yes
>         winbind expand groups = 10
>         #winbind refresh tickets = yes
>         template homedir = /home/%U
>         template shell = /bin/bash
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/xxxx.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 

Rowland
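
The points raised in the reply above, collected into a small smb.conf check as an added example (not part of the original message and not Samba's own tooling). The names `parse_global`, `lint_dc` and `EXACT` are hypothetical, values are matched literally as written in the quoted files, and the last two `EXACT` entries go beyond the reply: they flag settings in the quoted files that relax a Samba default.

```python
from difflib import get_close_matches

# Constructed sample: a condensed mix of the two smb.conf files quoted above.
SAMPLE = """\
[global]
    server role = active directory domain controller
    server services = dns, dnsupdate, drepl, kcc, kdc, ldap, cldap, nbt, rpc, s3fs, winbindd
    idman_ldb:use rfc2307 = yes
    ldap server require strong auth = no
    idmap config *:backend = rid
    winbind use default domain = yes
"""

DC_ROLE = "active directory domain controller"
# Exact (key, value) findings; only the first is from the reply, the rest are added here.
EXACT = {
    ("winbind use default domain", "yes"): "does not work on a DC",
    ("allow dns updates", "nonsecure"): "accepts dynamic DNS updates without authentication",
    ("ldap server require strong auth", "no"): "accepts LDAP binds without signing or TLS",
}

def parse_global(text):
    """Return (lineno, key, value) for each [global] parameter, skipping comments."""
    section, out = None, []
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if line.startswith("["):
            section = line.strip("[] ").lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, val = (s.strip().lower() for s in line.split("=", 1))
            out.append((n, " ".join(key.split()), val))
    return out

def lint_dc(text):
    """Return (lineno, key, message) findings; empty unless the server role is AD DC."""
    params = parse_global(text)
    if ("server role", DC_ROLE) not in [p[1:] for p in params]:
        return []
    found = []
    for n, key, val in params:
        prefix = key.split(":", 1)[0]
        if key.startswith("idmap config"):
            found.append((n, key, "has no place on a DC"))
        elif key == "server services" and "ntp_signd" not in val:
            found.append((n, key, "explicit list omits ntp_signd"))
        elif ":" in key and prefix != "idmap_ldb" and get_close_matches(prefix, ["idmap_ldb"]):
            found.append((n, key, f"'{prefix}' looks like a typo for 'idmap_ldb'"))
        elif (key, val) in EXACT:
            found.append((n, key, EXACT[key, val]))
    return found
```

`lint_dc(SAMPLE)` reports lines 3 to 7 of the sample; a member-server file, where 'idmap config' lines are expected, returns no findings.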


