> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
> Sent: Tuesday 19 February 2019 11:11
> To: samba at lists.samba.org
> Subject: Re: [Samba] winbind offline logon
>
> On 19/02/19 09:22, Rowland Penny via samba wrote:
> > I have suggested that we deprecate the NT4-style domains, but one of
> > the other Samba team members wants to keep them. I find this strange
> > for several reasons: smbldap-tools is dead and no longer maintained,
> > Microsoft keeps breaking them and the client code hasn't really worked
> > for some time now. The vast majority of the Samba effort is aimed
> > squarely at AD domains, so trying to get somebody to fix your problem is
> > going to take some time, especially as it works with AD.
>
> I can understand your point of view, but I can also understand the point
> of view of the people that administer our local network... The last time
> I tried to push the need to upgrade to AD I was stopped by some users
> that need, for obscure reasons, to set the time of their PCs in the past,
> and AFAIK this is not permitted in an AD domain...

Now, don't take this personally....
If you were stopped by users for some obscure reasons, because of things like "this is not permitted in an AD domain...", then you really should put more time into AD.

Everything you can do in NTDOM, you can do in AD DOM.

You will get more problems the longer these admins wait with upgrading to AD. Get some examples of what won't work in AD DOM setups and did in NTDOM setups, and post these to the list; we will have a look..

Things like this will keep hitting your network more and more... for example,
https://support.microsoft.com/en-us/help/4046019/guest-access-in-smb2-disabled-by-default-in-windows-10-and-windows-ser
The title says enough: guest access in SMB2 disabled by default in Windows 10..

Now if Samba denies access, is this a Samba problem? No, this is a (bad) network administrator problem. Again, not personal, this is a more general problem I see around me. And most problems I see are because people don't follow the masses, stay behind, are scared to upgrade, which results in the end in a hard time to upgrade and/or compatibility problems.

I'm saying this with 25 years of system administrator experience, and I've seen a lot. And it does matter what the OS is: wait too long with updating and you get problems, more stress etc. etc.

> Have a great day
>
> Piviul

Greetz,

Louis
On Tue, 19 Feb 2019 12:02:30 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
> > Sent: Tuesday 19 February 2019 11:11
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] winbind offline logon
> >
> > On 19/02/19 09:22, Rowland Penny via samba wrote:
> > > I have suggested that we deprecate the NT4-style domains, but one
> > > of the other Samba team members wants to keep them. I find this
> > > strange for several reasons: smbldap-tools is dead and no longer
> > > maintained, Microsoft keeps breaking them and the client code
> > > hasn't really worked for some time now. The vast majority of the
> > > Samba effort is aimed squarely at AD domains, so trying to get
> > > somebody to fix your problem is going to take some time,
> > > especially as it works with AD.
> >
> > I can understand your point of view, but I can also understand the
> > point of view of the people that administer our local network...
> > The last time I tried to push the need to upgrade to AD I was
> > stopped by some users that need, for obscure reasons, to set the
> > time of their PCs in the past, and AFAIK this is not permitted in
> > an AD domain...
>
> Now, don't take this personally....
> If you were stopped by users for some obscure reasons, because of
> things like "this is not permitted in an AD domain...", then you
> really should put more time into AD.
>
> Everything you can do in NTDOM, you can do in AD DOM.
>
> You will get more problems the longer these admins wait with
> upgrading to AD. Get some examples of what won't work in AD DOM
> setups and did in NTDOM setups, and post these to the list; we will
> have a look..
>
> Things like this will keep hitting your network more and more... for
> example,
> https://support.microsoft.com/en-us/help/4046019/guest-access-in-smb2-disabled-by-default-in-windows-10-and-windows-ser
> The title says enough: guest access in SMB2 disabled by default in
> Windows 10..
>
> Now if Samba denies access, is this a Samba problem? No, this is a
> (bad) network administrator problem. Again, not personal, this is a
> more general problem I see around me. And most problems I see are
> because people don't follow the masses, stay behind, are scared to
> upgrade, which results in the end in a hard time to upgrade and/or
> compatibility problems.
>
> I'm saying this with 25 years of system administrator experience, and
> I've seen a lot. And it does matter what the OS is: wait too long with
> updating and you get problems, more stress etc. etc.
>
> > Have a great day
> >
> > Piviul
>
> Greetz,
>
> Louis

Well said Louis ;-)

If you are the sysadmin, you are in charge, but you need to take your users' concerns into account and, if possible, work around them, though there will be times when you have to say no.

Rowland
On 19/02/19 12:02, L.P.H. van Belle via samba wrote:
> [...]
> Everything you can do in NTDOM, you can do in AD DOM.

Are you telling me that an AD domain can be configured to allow a domain user to move the time back by one year or more (what I have seen today, for example) on a member PC of an AD domain? I have read that an authentication ticket has a very strict validation time... but I don't know AD.

Anyway I agree with you, the more time you wait to upgrade the more problems you will find when you decide to upgrade... but, even if a part of these problems, alas, will fall on my shoulders, I have no weapon to quicken this upgrade.

Have a great day

Piviul
Hi Piviul,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
> Sent: Tuesday 19 February 2019 14:58
> To: samba at lists.samba.org
> Subject: Re: [Samba] winbind offline logon
>
> On 19/02/19 12:02, L.P.H. van Belle via samba wrote:
> > [...]
> > Everything you can do in NTDOM, you can do in AD DOM.
> Are you telling me that an AD domain can be configured to
> allow a domain user to move the time back by one year or more
> (what I have seen today, for example) on a member PC of an AD domain?

Ah, here it starts.. Why would you allow a user to set the time back a year? That is an Administrator task, not a user's, in my opinion. In a normal NT domain setup, this is also not allowed by default.

Rule 1. Never ever ever ever ever ever work as Administrator or with administrator rights.
Rule 2. If you are the Domain admin, rule 1 applies.
Rule 3. If you are the Boss, rule 1 applies.

It's too easy to break into a computer when you're working as admin, really, it's really easy.

Now, for example, if you would do this with AD (NOT recommended, but possible, yes):
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/change-the-system-time
You change the local service, so a group of users is allowed to change the time.

So, next ;-).

> I have read that an authentication ticket has a very strict validation time...
> but I don't know AD.

I know a good book, but I don't know if you can read German.. If you can read German: https://www.kania-online.de/fachbuecher/samba-4/
Or start here: https://blogs.technet.microsoft.com/ashwinexchange/2012/12/18/understanding-active-directory-for-beginners-part-1/
Old, but still valid. Sorry, I don't have any Italian sites. Maybe one of the two Marcos has some good Italian sites about AD for you.

> Anyway I agree with you, the more time you wait to upgrade the more problems
> you will find when you decide to upgrade... but, even if a
> part of these problems, alas, will fall on my shoulders,
> I have no weapon to quicken this upgrade.

You have "the Samba list" and it is ok to ask for help. That's hard sometimes and we all know that. Just don't start and rush in, think before you start. Make a todo list, and remember you always forget about 20%-25%..

> Have a great day
>
> Piviul

Greetz,

Louis
On Tue, 19 Feb 2019 17:20:10 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hi Piviul,
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
> > Sent: Tuesday 19 February 2019 14:58
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] winbind offline logon
> >
> > On 19/02/19 12:02, L.P.H. van Belle via samba wrote:
> > > [...]
> > > Everything you can do in NTDOM, you can do in AD DOM.
> > Are you telling me that an AD domain can be configured to
> > allow a domain user to move the time back by one year or more
> > (what I have seen today, for example) on a member PC of an AD domain?
>
> Ah, here it starts.. Why would you allow a user to set the time back
> a year? That is an Administrator task, not a user's, in my opinion.
> In a normal NT domain setup, this is also not allowed by default.

I used to work for a firm that every month end used to wind the time back a few days; they did this because they hadn't finished booking things in and out, so could not run the month end routines. This wasn't on a domain, it was on the Unix that thought it owned Linux. I suppose you could do something similar on AD, but you would have to wind back every machine in the domain.

Rowland
On 19/02/19 17:20, L.P.H. van Belle via samba wrote:
> [...]
> Ah, here it starts.. Why would you allow a user to set the time back a year?

Because they ask me! ;) ...I can't impose what they need and what they don't.

> That is an Administrator task, not a user's, in my opinion.
> In a normal NT domain setup, this is also not allowed by default.

From Win7 on it is not allowed; for XP and previous versions non-admins can change the local time.

> Just don't start and rush in, think before you start.
> Make a todo list, and remember you always forget about 20%-25%..

Thank you very much indeed Louis, it is very rare to find a list so well supported.

Have a great day

Piviul
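Piviul's question about ticket validation time and a PC clock wound back a year, as an added illustration that is not part of the thread and not Samba's or Windows' code: RFC 4120 has the server compare the timestamp in the client's authenticator with its own clock and reject the request with KRB_AP_ERR_SKEW when the difference exceeds the permitted clock skew (5 minutes by default in Active Directory and MIT Kerberos). The DC clock and the three client timestamps below are constructed sample values.

```python
"""Kerberos authenticator time check (RFC 4120, section 3.2.3), illustrated.

Added example, not Samba or Windows code: the acceptor compares the
client's authenticator timestamp with its own clock and rejects the
request with KRB_AP_ERR_SKEW when |server - client| > clockskew.
"""
from datetime import datetime, timedelta, timezone

KRB_AP_ERR_SKEW = 37                       # RFC 4120 error code: clock skew too great
DEFAULT_CLOCKSKEW = timedelta(minutes=5)   # default tolerance in AD and MIT krb5


def parse_kerberos_time(ts: str) -> datetime:
    """Parse a KerberosTime string (YYYYMMDDHHMMSSZ, always UTC)."""
    if len(ts) != 15 or not ts.endswith("Z"):
        raise ValueError(f"not a KerberosTime value: {ts!r}")
    return datetime.strptime(ts, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_authenticator_time(client_ts: str, server_now: datetime,
                             clockskew: timedelta = DEFAULT_CLOCKSKEW):
    """Return (accepted, error_code, skew_seconds) for one authenticator."""
    client_time = parse_kerberos_time(client_ts)
    skew = abs((server_now - client_time).total_seconds())
    if skew > clockskew.total_seconds():
        return False, KRB_AP_ERR_SKEW, skew
    return True, 0, skew


# Constructed sample: the domain controller's clock and three client
# authenticators, one in sync, one a few minutes off, one a year back.
SERVER_NOW = datetime(2019, 2, 19, 11, 11, 0, tzinfo=timezone.utc)
SAMPLES = {
    "in_sync":     "20190219111030Z",   # 30 s behind: within tolerance
    "minutes_off": "20190219110400Z",   # 7 min behind: rejected
    "year_back":   "20180219111100Z",   # clock wound back a year: rejected
}


def evaluate_samples():
    """Run the check over every constructed sample; returns {name: (ok, code)}."""
    return {name: check_authenticator_time(ts, SERVER_NOW)[:2]
            for name, ts in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, code) in evaluate_samples().items():
        print(f"{name:12s} accepted={ok} error={code}")
```

Only the first sample authenticates; the year-back clock fails exactly the way a domain member with a manually altered clock would, which is why a domain client normally lets w32time follow the DC instead of letting users set the time.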