Because of other issues using ADUC, I tried to remove a domain member using:

> samba-tool group removemembers "Domain Computers" MARKA\$
Removed members from group Domain Computers

As shown, it says it "Removed members", but ...

> samba-tool group listmembers "Domain Computers"
:
LABRAT$
:
OHPRSSTORAGE$
MARKA$
:
COMMON$
:

listmembers still shows the computer as a member of "Domain Computers". What's up with this?

Samba Version 4.8.2

THX --Mark
Hi Mark,

> Because of other issues using ADUC, I tried to remove a domain member using:
>
>> samba-tool group removemembers "Domain Computers" MARKA\$
> Removed members from group Domain Computers
>
> As shown, it says it "Removed members", but ...
>
>> samba-tool group listmembers "Domain Computers"
> :
> LABRAT$
> :
> OHPRSSTORAGE$
> MARKA$
> :
> COMMON$
> :
>
> listmembers still shows the computer as a member of "Domain Computers". What's up with this?

"Domain Computers" is the primaryGroupID of AD joined computer (515). The computer object is a member not because it is listed in the group membership, but because of its primaryGroupID attribute. If you want to get it out of "domain computers", you have to change that attribute to something else.

You can test with a different group than "Domain computers" or "Domain computers", it will work as intended.

I admit that the message is misleading though. By the way, why do you want to remove that computer from "Domain Computers" group?

Cheers,

Denis

> Samba Version 4.8.2
>
> THX --Mark

--
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it

Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
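The distinction described in the reply above, as an added example that is not part of the original thread: membership taken from a group's member values versus membership implied by an account's primaryGroupID matching the group's RID. The LDIF records, the example.test domain, its SIDs and the Kiosks group are constructed assumptions; only MARKA$ and RID 515 come from the thread.

```python
# Added example: the LDIF below is constructed sample data, not output from the poster's DC.
SAMPLE_LDIF = """\
dn: CN=Domain Computers,CN=Users,DC=example,DC=test
sAMAccountName: Domain Computers
objectSid: S-1-5-21-1000-2000-3000-515

dn: CN=Kiosks,CN=Users,DC=example,DC=test
sAMAccountName: Kiosks
objectSid: S-1-5-21-1000-2000-3000-1601
member: CN=MARKA,CN=Computers,DC=example,DC=test

dn: CN=MARKA,CN=Computers,DC=example,DC=test
sAMAccountName: MARKA$
objectSid: S-1-5-21-1000-2000-3000-1105
primaryGroupID: 515
"""

def parse_ldif(text):
    """Parse unfolded LDIF records into a list of {attribute: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def membership(entries, group_name):
    """Return (explicit, primary): accounts in 'member' vs. accounts matched by primaryGroupID."""
    group = next(e for e in entries if e["sAMAccountName"] == [group_name])
    domain_sid, rid = group["objectSid"][0].rsplit("-", 1)
    by_dn = {e["dn"][0].lower(): e["sAMAccountName"][0] for e in entries}
    explicit = {by_dn.get(dn.lower(), dn) for dn in group.get("member", [])}
    # primaryGroupID holds a RID relative to the account's own domain SID.
    primary = {e["sAMAccountName"][0] for e in entries
               if e.get("primaryGroupID") == [rid]
               and e["objectSid"][0].rsplit("-", 1)[0] == domain_sid}
    return explicit, primary

def members_after_removal(entries, group_name, account):
    """Effective members once 'account' is dropped from the group's 'member' values."""
    explicit, primary = membership(entries, group_name)
    return (explicit - {account}) | primary

ENTRIES = parse_ldif(SAMPLE_LDIF)
```

On the sample data, dropping MARKA$ from the hypothetical Kiosks group empties it, while the same removal from Domain Computers leaves MARKA$ listed through primaryGroupID 515.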
L.P.H. van Belle
2019-May-28 09:38 UTC
[Samba] samba-tool group removemembers, not working
Hai,

Can you post the output of :
ldbsearch --show-binary -H ldap://YOURDCNAME_HERE "(&(objectClass=computer)(sAMAccountName=MARKA$))" -k yes | grep -v '#' | grep -v 'ref:'
(https://bugzilla.samba.org/show_bug.cgi?id=11482)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Denis Cardon via samba
> Sent: Tuesday 28 May 2019 11:04
> To: Mark Foley; samba at lists.samba.org
> Subject: Re: [Samba] samba-tool group removemembers, not working
>
> Hi Mark,
>
> > Because of other issues using ADUC, I tried to remove a domain member using:
> >
> >> samba-tool group removemembers "Domain Computers" MARKA\$
> > Removed members from group Domain Computers
> >
> > As shown, it says it "Removed members", but ...
> >
> >> samba-tool group listmembers "Domain Computers"
> > :
> > LABRAT$
> > :
> > OHPRSSTORAGE$
> > MARKA$
> > :
> > COMMON$
> > :
> >
> > listmembers still shows the computer as a member of "Domain Computers". What's up with this?
>
> "Domain Computers" is the primaryGroupID of AD joined computer (515).
> The computer object is a member not because it is listed in the group
> membership, but because of its primaryGroupID attribute. If you want to
> get it out of "domain computers", you have to change that attribute to
> something else.
>
> You can test with a different group than "Domain computers" or "Domain
> computers", it will work as intended.
>
> I admit that the message is misleading though. By the way, why do you
> want to remove that computer from "Domain Computers" group?
>
> Cheers,
>
> Denis
>
> > Samba Version 4.8.2
> >
> > THX --Mark
On Tue, 28 May 2019 11:04:01 +0200 Denis Cardon <dcardon at tranquil.it> wrote:

> Hi Mark,
>
> > Because of other issues using ADUC, I tried to remove a domain member using:
> >
> >> samba-tool group removemembers "Domain Computers" MARKA\$
> > Removed members from group Domain Computers
> >
> > As shown, it says it "Removed members", but ...
> >
> >> samba-tool group listmembers "Domain Computers"
> > :
> > LABRAT$
> > :
> > OHPRSSTORAGE$
> > MARKA$
> > :
> > COMMON$
> > :
> >
> > listmembers still shows the computer as a member of "Domain Computers". What's up with this?
>
> "Domain Computers" is the primaryGroupID of AD joined computer (515).
> The computer object is a member not because it is listed in the group
> membership, but because of its primaryGroupID attribute. If you want to
> get it out of "domain computers", you have to change that attribute to
> something else.
>
> You can test with a different group than "Domain computers" or "Domain
> computers", it will work as intended.
>
> I admit that the message is misleading though. By the way, why do you
> want to remove that computer from "Domain Computers" group?
>
> Cheers,
>
> Denis
>
> > Samba Version 4.8.2
> >
> > THX --Mark

Denis if all you say is true, "misleading" is wildly understated. You say I can test with different groups other than "Domain Computer". I'm not sure where I would even begin since, well, this *is* a Domain Computer. I've included my list of groups (samba-tool group list) below. Do you have a suggestion where a domain member computer might really be? I've done a listmembers of each of these groups and the only one in which I find MARKA is "Domain Computers".

Incoming Forest Trust Builders
Network Configuration Operators
Domain Guests
Domain Controllers
Domain Computers
Group Policy Creator Owners
Replicator
Cert Publishers
Account Operators
Event Log Readers
Enterprise Admins
Cryptographic Operators
Schema Admins
Performance Log Users
Backup Operators
Domain Admins
Allowed RODC Password Replication Group
Print Operators
Server Operators
DnsAdmins
Certificate Service DCOM Access
Users
IIS_IUSRS
Denied RODC Password Replication Group
Performance Monitor Users
Remote Desktop Users
DnsUpdateProxy
Pre-Windows 2000 Compatible Access
HPRS Remote Desktop Users
Windows Authorization Access Group
Enterprise Read-Only Domain Controllers
Guests
Read-Only Domain Controllers
Terminal Server License Servers
Distributed COM Users
HPRS Redirected Folders
Administrators
RAS and IAS Servers
Domain Users
I hate to be a complete moron on this, but I'm apparently not setting YOURDCNAME_HERE correctly. I get the errors:

Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://mail' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldap://mail - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

plus lots more. In addition to 'mail' I've tried 'mail.hprs.local' and 'hprs.local'. None of those guesses work. Suggestion?

--Mark

On Tue, 28 May 2019 11:38:45 +0200 "L.P.H. van Belle" <belle at bazuin.nl> wrote:

> Hai,
>
> Can you post the output of :
> ldbsearch --show-binary -H ldap://YOURDCNAME_HERE "(&(objectClass=computer)(sAMAccountName=MARKA$))" -k yes | grep -v '#' | grep -v 'ref:'
> (https://bugzilla.samba.org/show_bug.cgi?id=11482)
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Denis Cardon via samba
> > Sent: Tuesday 28 May 2019 11:04
> > To: Mark Foley; samba at lists.samba.org
> > Subject: Re: [Samba] samba-tool group removemembers, not working
> >
> > Hi Mark,
> >
> > > Because of other issues using ADUC, I tried to remove a domain member using:
> > >
> > >> samba-tool group removemembers "Domain Computers" MARKA\$
> > > Removed members from group Domain Computers
> > >
> > > As shown, it says it "Removed members", but ...
> > >
> > >> samba-tool group listmembers "Domain Computers"
> > > :
> > > LABRAT$
> > > :
> > > OHPRSSTORAGE$
> > > MARKA$
> > > :
> > > COMMON$
> > > :
> > >
> > > listmembers still shows the computer as a member of "Domain Computers". What's up with this?
> >
> > "Domain Computers" is the primaryGroupID of AD joined computer (515).
> > The computer object is a member not because it is listed in the group
> > membership, but because of its primaryGroupID attribute. If you want to
> > get it out of "domain computers", you have to change that attribute to
> > something else.
> >
> > You can test with a different group than "Domain computers" or "Domain
> > computers", it will work as intended.
> >
> > I admit that the message is misleading though. By the way, why do you
> > want to remove that computer from "Domain Computers" group?
> >
> > Cheers,
> >
> > Denis
> >
> > > Samba Version 4.8.2
> > >
> > > THX --Mark