search for: ellwood

Displaying 20 results from an estimated 37 matches for "ellwood".

2019 Apr 10
2
Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
...nt here: https://www.redmine.org/projects/redmine/wiki/RedmineLDAP The section "Dynamic Bind" in the aforementioned document described how you can force Redmine to assume that supplied login credentials are a valid AD account, and to verify these credentials via LDAPS. Thanks Stephen Ellwood
2019 Apr 10
2
Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
...people provide guidance about security best practices with such service "AD" accounts not intended for actual human use? Ideally I want to prevent users actually logging in as LDAPReader, and I obviously want it to have the absolute bare minimum of permissions required. Thanks Stephen Ellwood
2019 May 03
2
Incorrect Example in Samba User Management Documentation
...that perform background tasks. Whilst --random-password sets a random password, the chosen password is deliberately and on purpose not revealed to the end user. So it cannot be used to create user accounts for human beings as the example in the documentation currently suggests. Thanks Stephen Ellwood
2019 Apr 10
2
Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
...might bamboozle ordinary website users. Dynamic bind does remove the need to create an extra special omnipotent account with a never-expiring password though. So on that basis I am saying it is more secure (but not absolutely secure since there are no absolutes in life heh ;) ) Cheers Stephen Ellwood
2019 Apr 29
2
Difficulties retrieving randomly assigned password for newly created Samba user accounts
..." --unix-home="$UNIXHOMEFOLDERPATH" --home-drive="H" --home-directory="$WINDOWSHOMEFOLDERPATH" --login-shell="/usr/bin/git-shell" --uid-number="$UIDNUMBER" --gid-number=10000 -U "administrator%$SAMBA_ADMIN_PASSWORD" User 'stephenellwood' created successfully After entering this, you see I get a confirmation prompt indicating my user was created. When I hop onto my domain fileserver, I can see the new user, and this gives me additional confidence this has actually been created: pi at fs1:~ $ wbinfo -u stephenellwood admini...
2019 Apr 16
3
The wisdom - or otherwise - of replacing outright rather than merely appending to the example smb.conf file shipped with SAMBA during new server commissioning?
...th Samba in this way? Obviously doing what I have just described will erase all the default configuration settings shipped in the installation. Are any of the shipped default configuration parameters essential to have from a security perspective? Am I doing something stupid here? Thanks Stephen Ellwood
2019 Apr 05
2
wbinfo isn't working on domain member
...winbind, smbd, and nmbd on the domain member using systemctl but to no avail. Manual testing on Windows suggests that the drives on this machine are still serving files, but I just find the lack of output from wbinfo surprising. Does anyone have any troubleshooting suggestions? Thanks Stephen Ellwood
2019 Apr 03
2
Suggested change to Samba documentation - possible missing RFC2307 attribute prior to chown command?
...the ad backend unless they have already  added a RFC2307 gidNumber value to group "Domain Admins". Perhaps we/you should update the docs to describe how to set the gidNumber in an earlier step to avoid this issue? Would appreciate hearing your thoughts on this. Kind Regards Stephen Ellwood
2019 Apr 09
2
Possible incorrect file permissions in documentation for setting up Samba with LDAP(S)?
...tificate *.pem files - the private key file. Is this definitely correct? Should we not set root owner on the additional cert.pem and ca.pem too? I ask because I wanted to flag this. It seems like a contradiction and I am concerned this might lead to insecure by default setups... Thanks Stephen Ellwood
2020 Feb 20
1
Recommended backup procedure for standalone samba file server configuration?
...n later restoring these archives to their original locations. Obviously my way is crude and unofficial! Is there an officially supported and/or recommended method and tools to achieve my aims here? Or should I just carry on using my tar files manually as I have described? Kind Regards Stephen Ellwood-- Stephen Ellwood, Embedded System Engineer, Ogden Safety Systems Ltd, Unit 6, Cliffe Park Way, Bruntcliffe Road, Morley, Leeds, LS27 0RY, UK. Tel: +44 (0)1937 835395 Email: stephen at ogdenradar.com URL: www.ogdenradar.com
2019 Apr 08
3
Questions about time synchronisation in a multi-DC Samba environment
...his drift reaches  approximately 5 minutes. How can I make sure my ad2 clock remains in step with ad1 and re-synchronises repeatedly? Is a regular cron job and ntpdate the answer here, or do people usually use a different approach in their own networks? Please enlighten me! Kind Regards Stephen Ellwood The ntp.conf file used on my ad1 server is posted below: pi at ad1:~ $ cat /etc/ntp.conf # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help driftfile /var/lib/ntp/ntp.drift ntpsigndsocket /var/lib/samba/ntp_signd/ # Enable this if you want statistics to be logged. #statsdir /var/...
2019 Apr 16
2
samba-backup.sh problems - is the /var/lib/samba/etc folder essential in a Samba installation?
...ar/lib/samba/etc in order to have a viable AD DC backup set (as per the current Samba docs)? If not I am just tempted to solve the problem by editing the aforementioned DIRS statement in order to skip the backup on the etc folder since it doesn't exist on my machine. Kind Regards Stephen Ellwood
2019 Apr 05
6
Enabling LDAPS in Samba in a dual-DC setup
...sible with AD. 3) What will happen in 700 days time when the self-certified certificate initially created by Samba on its first execution expires? Will everything just suddenly stop working suddenly and authentication in Redmine come grinding to a halt? How should I remedy this? Thanks Stephen Ellwood
2019 Mar 22
1
Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
...pi at ad1:~ $ host -t SRV _ldap._tcp.samdom.example.com _ldap._tcp.samdom.example.com has SRV record 0 100 389 ad1.samdom.example.com. _ldap._tcp.samdom.example.com has SRV record 0 100 389 ad2.samdom.example.com. Thanks once again for your help, it's very much appreciated! Kind Regards Stephen Ellwood
2019 Apr 01
2
Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
..., thanks for your suggestions. I have read and re-read the Samba docs to try and understand where I went wrong here. I added the uidNumber and gidNumber exactly as per your comments and that seems to improve the situation markedly. I can now at least see that the share exists from SAMDOM\stephenellwood which wasn't possible before. File access is now possible from SAMDOM/stephenellwood when I configure NTFS security permissions to allow read and write access for group Everyone. I am still seeing issues with fileshare access from custom AD groups though. For example, I removed the NTFS se...
2019 Mar 26
0
Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
...ed relate to pretty basic stuff that wouldn't arise were the official docs clearer IMHO. I know you are all volunteers, time is precious, but I think a little bit more up front work on the docs would payoff in the long run and help reduce mailing list traffic significantly. Thanks Stephen Ellwood
2019 Apr 10
0
Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
...curity best practices with > such service "AD" accounts not intended for actual human use? Ideally > I want to prevent users actually logging in as LDAPReader, and I > obviously want it to have the absolute bare minimum of permissions > required. > > Thanks > Stephen Ellwood > > Create the user with a random password and then set it to never expire, for info on how to do this, try reading this page: https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9#Create_a_user_to_carry_out_the_updates That should give you an idea Rowland
2019 Apr 10
0
Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
...rs. > > Dynamic bind does remove the need to create an extra special > omnipotent account with a never-expiring password though. So on that > basis I am saying it is more secure (but not absolutely secure since > there are no absolutes in life heh ;) ) > > Cheers > Stephen Ellwood > > I think I have already said this, but kerberos is much more secure than ldaps, the password never leaves the computer. As for SSH, you can use kerberos for this, no ssh keys or passwords. There is nothing wrong with a service user with a never expiring password, just as long as you...
2019 Apr 16
1
samba-backup.sh problems - is the /var/lib/samba/etc folder essential in a Samba installation?
On Tue, 16 Apr 2019 14:39:49 +0100 Stephen via samba <samba at lists.samba.org> wrote: > Further to my previous post, I have listed the contents of the tar > file created during the backup. > The bash script you are using is only meant to be used with a self compiled version of Samba, where everything is meant to be in /usr/local/samba You will find a better script here:
2019 May 03
0
Incorrect Example in Samba User Management Documentation
...hilst > --random-password sets a random password, the chosen password is > deliberately and on purpose not revealed to the end user. So it > cannot be used to create user accounts for human beings as the > example in the documentation currently suggests. > > Thanks > Stephen Ellwood > I have updated the wiki page as requested. Rowland