On 30/07/2019 15:39, Jeff Sadowski via samba wrote:
> winbindd -V
> Failed to create /var/log/samba/cores for user 11490 with mode 0700
> Unable to setup corepath for winbindd: Permission denied
> Version 4.10.5
>
> cat /etc/samba/smb.conf
> [global]
> log level = 3 winbind:5
> winbind cache time = 10
> security = ads
> realm = SUB.DOMAIN
> workgroup = SUB
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config SUB:backend = ad
> idmap config SUB:schema_mode = rfc2307
> idmap config SUB:range = 8000-9999999
> idmap config SUB:unix_nss_info = yes
> idmap config SUB:unix_primary_group = yes
> winbind use default domain = yes
> restrict anonymous = 2
>
> On Tue, Jul 30, 2019 at 8:11 AM Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>> One of my colleagues at work brought to my attention that they could
>> continuously attempt different passwords on a linux machine connected
>> via AD via winbind. I did a test or two and it appears not to lock the
>> account after numerous attempts. Is there a way to get the behavior
>> like windows where too many invalid passwords puts a temporary lock on
>> the account?

It should work, this was implemented back at Samba 4.2.0, what does this show:

samba-tool domain passwordsettings show

Note: there is a 60 minute grace period with the old password.

Rowland

Hello! Rowland penny via samba
  On that day it was said...

> samba-tool domain passwordsettings show
> Note: there is a 60 minute grace period with the old password.

?! What does '60 minutes grace period' mean?

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)

This is a MS AD environment with a 2008R2 server.
The client is linux but does not have samba-tool installed. Is there
another command I can use as a client?
It wants to install samba-dc for samba-tool.

On Tue, Jul 30, 2019 at 9:16 AM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 30/07/2019 15:39, Jeff Sadowski via samba wrote:
> > winbindd -V
> > Failed to create /var/log/samba/cores for user 11490 with mode 0700
> > Unable to setup corepath for winbindd: Permission denied
> > Version 4.10.5
> >
> > cat /etc/samba/smb.conf
> > [global]
> > log level = 3 winbind:5
> > winbind cache time = 10
> > security = ads
> > realm = SUB.DOMAIN
> > workgroup = SUB
> > idmap config * : backend = tdb
> > idmap config * : range = 2000-7999
> > idmap config SUB:backend = ad
> > idmap config SUB:schema_mode = rfc2307
> > idmap config SUB:range = 8000-9999999
> > idmap config SUB:unix_nss_info = yes
> > idmap config SUB:unix_primary_group = yes
> > winbind use default domain = yes
> > restrict anonymous = 2
> >
> > On Tue, Jul 30, 2019 at 8:11 AM Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> >> One of my colleagues at work brought to my attention that they could
> >> continuously attempt different passwords on a linux machine connected
> >> via AD via winbind. I did a test or two and it appears not to lock the
> >> account after numerous attempts. Is there a way to get the behavior
> >> like windows where too many invalid passwords puts a temporary lock on
> >> the account?
>
> It should work, this was implemented back at Samba 4.2.0, what does this
> show:
>
> samba-tool domain passwordsettings show
>
> Note: there is a 60 minute grace period with the old password.
>
> Rowland

Looks like samba-tool would only run on a samba ad server anyways? I
get a bunch of errors when I try running it.

sudo samba-tool domain passwordsettings show
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: No such file or directory
Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
ERROR(ldb): uncaught exception - Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/domain.py", line 1299, in run
    credentials=creds, lp=lp)
  File "/usr/lib64/python3.7/site-packages/samba/samdb.py", line 67, in __init__
    options=options)
  File "/usr/lib64/python3.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/lib64/python3.7/site-packages/samba/samdb.py", line 82, in connect
    options=options)

On Tue, Jul 30, 2019 at 10:36 AM Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
> This is a MS AD environment with a 2008R2 server
> The client is linux but does not have samba-tool installed is there
> another command I can use as a client
> it wants to install samba-dc for samba-tool
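
Added example, not part of the thread: on a member server with no local sam.ldb, the domain's lockout settings can be read from the domain head object over LDAP and interpreted as below. The ldapsearch invocation in the comment, the DN and both LDIF samples are constructed assumptions; the attribute names are the standard AD ones.

```python
# Added example: interpret the lockout attributes of the AD domain head object.
# Real input could come from something like (server and DN are placeholders):
#   ldapsearch -Y GSSAPI -H ldap://<dc> -b "<domain DN>" -s base \
#       lockoutThreshold lockoutDuration lockOutObservationWindow

# Constructed sample: threshold 0 means accounts never lock out.
SAMPLE_LOCKOUT_OFF = """\
dn: DC=sub,DC=domain
lockoutThreshold: 0
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
"""

# Constructed sample: 5 attempts in 10 minutes locks the account for 30.
SAMPLE_LOCKOUT_ON = """\
dn: DC=sub,DC=domain
lockoutThreshold: 5
lockoutDuration: -18000000000
lockOutObservationWindow: -6000000000
"""

TICKS_PER_MINUTE = 60 * 10_000_000  # AD stores intervals as negative 100 ns ticks


def parse_ldif_attrs(ldif):
    """Return {lowercased attribute: value} for plain 'name: value' lines."""
    attrs = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        # Skip comments, continuation lines and base64 ('name:: ...') values.
        if not sep or line.startswith(("#", " ")) or value.startswith(":"):
            continue
        attrs[name.strip().lower()] = value.strip()
    return attrs


def lockout_policy(ldif):
    """Convert the raw attributes into a readable domain lockout policy."""
    a = parse_ldif_attrs(ldif)
    threshold = int(a["lockoutthreshold"])
    minutes = lambda raw: abs(int(raw)) // TICKS_PER_MINUTE
    return {"enabled": threshold > 0, "threshold": threshold,
            "duration_min": minutes(a["lockoutduration"]),
            "window_min": minutes(a["lockoutobservationwindow"])}


if __name__ == "__main__":
    for sample in (SAMPLE_LOCKOUT_OFF, SAMPLE_LOCKOUT_ON):
        print(lockout_policy(sample))
```

This reads only the domain-wide policy; fine-grained password policies applied to specific users or groups are stored separately and are not covered here.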