For users that leave my network, I used to disable the account but also ''sanitize'' the memberships, e.g. reset group membership to default values (normally, 'domain users').

Clearly, using smbldap-tools in an NT domain was easy.

How can I achieve the same result in a Samba AD domain? It seems that the available commands/tools (pdbedit, wbinfo, samba-tool) do not have this feature.

I've thought about enumerating the user's groups, e.g.:

    id gaio | cut -d '=' -f 4 | tr -s ',' '\n' | cut -d '(' -f 2 | tr -d ')' | grep ^LNFFVG | cut -d '\' -f 2

and then removing 'all but the default group', but I'm seeking feedback.

Thanks.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)

On Wed, 4 Oct 2017 15:45:07 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> For users that leave my network, I used to disable the account
> but also ''sanitize'' the memberships, e.g. reset group membership to
> default values (normally, 'domain users').
>
> Clearly, using smbldap-tools in an NT domain was easy.
>
> How can I achieve the same result in a Samba AD domain? It seems that
> the available commands/tools (pdbedit, wbinfo, samba-tool) do not have
> this feature.
>
> I've thought about enumerating the user's groups, e.g.:
>
>     id gaio | cut -d '=' -f 4 | tr -s ',' '\n' | cut -d '(' -f 2 | tr -d ')' | grep ^LNFFVG | cut -d '\' -f 2
>
> and then removing 'all but the default group', but I'm seeking feedback.
>
> Thanks.

No need to do that, just use 'samba-tool user disable'.

See 'samba-tool user disable --help' for more info.

Rowland

Hello! Rowland Penny via samba, on that day, said...

> No need to do that, just use 'samba-tool user disable'

Ahem, Rowland, *I* *NEED* that.

For internal policies, users that leave my organization have to be 'sanitized', and in detail, memberships have to be reset.

So, apart from some complex scripting, is there some way to do that? If complex scripting has to be used, what would be the best 'path' to achieve the result?

Thanks.

--
dott. Marco Gaiarin
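
One way to script the clean-up asked about in this thread, as an added example that is not from either poster or from the Samba project. It assumes the installed samba-tool provides the `user getgroups`, `group removemembers` and `user disable` subcommands; the `SAMBA_TOOL` and `KEEP_GROUP` variables and the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes samba-tool offers the
# 'user getgroups', 'group removemembers' and 'user disable' subcommands.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"    # overridable, e.g. with a stub
KEEP_GROUP="${KEEP_GROUP:-Domain Users}"  # default group to leave in place

# Print the groups to strip from a user, one per line: every group
# reported for the user except KEEP_GROUP (compared case-insensitively).
groups_to_strip() {
    all=$("$SAMBA_TOOL" user getgroups "$1") || return 1
    keep=$(printf '%s' "$KEEP_GROUP" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$all" | while IFS= read -r grp; do
        [ -n "$grp" ] || continue
        low=$(printf '%s' "$grp" | tr '[:upper:]' '[:lower:]')
        [ "$low" = "$keep" ] || printf '%s\n' "$grp"
    done
}

# Look the groups up first (so an unknown user aborts before any change),
# disable the account, then remove it from every group except KEEP_GROUP.
# Returns non-zero if any step failed, so a partial clean-up is visible.
sanitize_user() {
    user=$1; rc=0
    list=$(groups_to_strip "$user") || return 1
    "$SAMBA_TOOL" user disable "$user" </dev/null || return 1
    # A here-document keeps the loop in the current shell so rc survives.
    while IFS= read -r grp; do
        [ -n "$grp" ] || continue
        "$SAMBA_TOOL" group removemembers "$grp" "$user" </dev/null || rc=1
    done <<EOF
$list
EOF
    return $rc
}

# Run as: sh sanitize.sh gaio   (does nothing when called without a user)
if [ $# -gt 0 ]; then sanitize_user "$1"; fi
```

Group names are read line by line, so names containing spaces are handled; a failed removal is reported through the exit status while the remaining groups are still processed.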