Web lists-archives.com

Re: [Samba] Samba Active Directory Domain Controller

On 5/4/2017 3:37 AM, Anantha Raghava wrote:

Hello James,

Thanks for your quick response.

Find attached smb.conf file from DC1 and DC2. Also attached the screen shot of the event viewer from the workstation.

At the moment, we have brought down the DC3 and DC4 in another location and observed that DC2 is unable to replicate get the information from DC1 or send the information to DC1. It appears replication is working in background but it is taking a long time. When try to use samba-tool drs command, it throws errors.

Also, randomly, users are not allowed to change their password. It throws error like "either your password does not meet complexity, length or history requirement". "Workstation relationship with Domain is not trusted" is another error message that occasionally throws up.

Another observation is even though PDC emulator and all FSMO roles are with DC1, users are logged into DC2. Any change made to user credential, above error is thrown. Output of FSMO role display from DC1 is attached for your information.

In our group policy, we have disabled complexity requirements, length is set to 7 characters.

There is no clear pattern to its behavior, making it difficult to analyse the issue and fix them.

Look forward for your assistance in figuring out what is happening and fixing it.

7000 People from nearly 700 location use these domain controllers. This is turning out be very critical issue.


Thanks & Regards,

Anantha Raghava

eXzaTech Consulting And Services Pvt. Ltd.


This e-mail communication and any attachments may be privileged and confidential to eXza Technology Consulting & Services, and are intended only for the use of the recipients named above If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.

Do not print this e-mail unless required. Save Paper & trees.

On Thursday 04 May 2017 01:27 AM, lingpanda101 via samba wrote:
On 5/3/2017 2:00 PM, Anantha Raghava via samba wrote:

I have implemented Samba as Active Directory Domain Controller with Version 4.6.3 on CentOS 7.3, el-514. We have 4 domain controllers named as DC1, DC2, DC3 and DC4. DC1 & 2 are in one location and DC3 & 4 are in a different location. DNS is SAMBA INTERNAL. All 4 servers are properly synchronizing and even GPO updates are working properly with rsync process.

However, off late we have been noticing that on some Windows XP with Service Pack 3 and Windows 7 with Service Pack 1, after joining domain, when user is logging in for the first time, as per policy, the DC will force the user to change their password. When user changes password, PC reports, cannot reach domain or your relationship with DC is not trusted and it happens randomly for some users.
We are unable to figure out what's happenning.

Can some one guide us in figuring out and fixing this issue?

Thanks in advance.

Can you provide your smb.conf on one of your DC's? Are you able to look through event viewer on the workstation exhibiting the issue and see anything relevant?

Real quick before I get around to looking at your attachments. I will advise you that password complexity requirements are handled by samba-tool and not GPO's. Issue the following command on your DC's to view them. They are also changed here as well.

'samba-tool domain passwordsettinsg show'


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba