2008


2
May 08

Samba 2.2, Domain 2003 and big problems

This week for some reason almost all of our Samba 2.2.7 AIX servers stopped working. We have a domain with 2003R2 domain controllers, and all our attempts to join these Samba servers to the domain gave us:

server:/> smbpasswd -j SCC_NT -U Administrator
Password:
Error connecting to DC - NT_STATUS_ACCESS_DENIED
Unable to join domain DOMAIN

After a couple of fights with our System Engineering department and intensive googling I’ve found a solution. The original post can be found here:

http://lists.samba.org/archive/samba/2003-May/066356.html

I just changed the registry value on one of our domain controllers and specified that controller in the smbpasswd command:

server:/> smbpasswd -j SCC_NT -U Administrator -r DC2
Password:
Joined domain DOMAIN.

Hooray! Our engineers promised me to upgrade Samba to 3.0 there soon (this is another solution for this problem), but on AIX 5.1 for some reason Samba 3.0 doesn’t work properly.

Here is the mirror of this great knowledge from the link above :)

> So, W2K doesn’t need SMB-packets signatures and we have no problems, but we
> want it to work with Windows 2003. What’s the difference between Windows 2000
> and Windows 2003 when it comes to security signatures of SMB-packets?

By default, a Windows Server 2003 requires signature of SMB packets (at least, a Windows Server 2003 DC).

> Can we disable signatures in Windows 2003 Server or do we have to make
> some changes in Red Hat/Samba? Is there another way to get around this
> problem?

Yes, you can look for the following security option

Microsoft network server: Digitally sign communications (always) :

and set it to Disabled, instead of Enabled.

This security option modifies the following registry value:

Key: HKLM\SYSTEM\CCS\Service\lanmanserver\parameters\
Value: RequireSecuritySignature
Content: 0 to disable, 1 to enable

If you don’t want to reboot after that change, you can stop the srv.sys driver and services that depend on it using the following command:

C:\>net stop srv

Then, you can restart it, as well as the services that depend on it (in particular, netlogon)

C:\>net start srv

Jean-Baptiste Marchand

UPDATE: It is important to remove the old record for the host from AD.


18
Apr 08

How to remove 1000 inactive computer records from Active Directory?

Today I got a request from our MIS staff to remove about 1000 computer records from AD. Of course, a script was needed. Here is a 5-minute solution (use with caution!):

  • Load the Quest ActiveRoles snap-in:
Add-PSSnapin Quest.ActiveRoles.ADManagement
  • Run this:
gc C:\scripts\targets.txt | % { Get-QADComputer -name $_ } | % { Remove-QADObject -force $_.DN }

And one more time – use with extreme caution. Be sure you are removing exactly what you need.
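
A more cautious variant of the one-liner above, as an added example that is not from the original post: it resolves every name first, writes the planned action per name to a CSV for review, and deletes only names that resolved to exactly one computer object. The review file path, the New-PlanRow helper and the $reallyDelete switch are hypothetical, and the wildcard guard assumes Get-QADComputer -Name expands wildcard patterns.

```powershell
# Added example, not the original post's code. Assumes the Quest ActiveRoles
# snap-in is installed and targets.txt holds one computer name per line.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$targetsFile  = 'C:\scripts\targets.txt'         # path used in the post
$reviewFile   = 'C:\scripts\targets-review.csv'  # hypothetical review output
$reallyDelete = $false                           # hypothetical switch; set to $true after review

# Hypothetical helper: one row of the deletion plan.
function New-PlanRow($name, $action, $dn) {
    New-Object PSObject -Property @{ Name = $name; Action = $action; DN = $dn }
}

# Normalise the list: trim whitespace, drop blank lines, de-duplicate.
$names = Get-Content $targetsFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' } |
    Sort-Object -Unique

$plan = @(foreach ($name in $names) {
    # Assumption: -Name expands wildcards, so one bad line could match many hosts.
    if ($name -match '[*?]') { New-PlanRow $name 'SKIP-wildcard' ''; continue }

    # Keep only exact (case-insensitive) name matches.
    $found = @(Get-QADComputer -Name $name | Where-Object { $_.Name -eq $name })

    if     ($found.Count -eq 0) { New-PlanRow $name 'SKIP-not-found' '' }
    elseif ($found.Count -gt 1) { New-PlanRow $name 'SKIP-ambiguous' (($found | ForEach-Object { $_.DN }) -join '; ') }
    else                        { New-PlanRow $name 'DELETE' $found[0].DN }
})

# Write the plan for a human to review, and print a per-action summary.
$plan | Select-Object Name, Action, DN | Export-Csv $reviewFile -NoTypeInformation
$plan | Group-Object Action | Select-Object Name, Count | Format-Table -AutoSize

# Delete only the rows that resolved to exactly one object, and only when enabled.
if ($reallyDelete) {
    $plan | Where-Object { $_.Action -eq 'DELETE' } |
        ForEach-Object { Remove-QADObject -Identity $_.DN -Force }
}
```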


28
Feb 08

Discovery channel from my window

This is one of my old videos (filmed circa 2004-2005) filmed on my old camcorder. It was made through the window with a screen and heavily encoded, so it kinda sucks. But it is rare – I never saw anything like this before.