search for: gaio

I'm using samba 4.5 on a debian jessie (Louis packages). Rarely it happen that a power outgage tear down all the stuff, here. I've noticed that if the DM start before the DC, clearly all account data are inaccessible. To prevent or minimize that, the ''offline mode'' of winbind can be safely used also on DM servers? Or is tailoread against roaming client (portables,

...I would undo that, it appears to be wrong. OK, i've undo also i. > I have tested this on a Ubuntu 22.04 computer and it works, so I have > updated the wiki page: > https://wiki.samba.org/index.php/PAM_Offline_Authentication Apparently works as expected: root at dane:~# wbinfo -K gaio Enter gaio's password: plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0 root at dane:~# smbcontrol winbind offline root at dane:~# wbinfo -K gaio Enter gaio's password: plaintext kerberos password...

In my DC, without setting explicitly a 'winbind default domain', i can check logins domainless: root at vdcsv1:~# id gaio uid=10000(LNFFVG\gaio) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11001(LNFFVG\sir),10999(LNFFVG\unixadm),3000008(LNFFVG\domain admins),3000005(LNFFVG\denied rodc password replication group),3000005(LNFFVG\denied rodc password replication group),3000009(BUILTIN\users),3000000...

...a little strange thing, i think related to the fact > that in my DM i've set 'winbind use default domain = yes'. > > > Folowing the wiki, i've enabled offline logon and then done: > > ['smbcontrol winbind online' > root at vdmsv1:~# wbinfo -K LNFFVG\\gaio > Enter LNFFVG\gaio's password: > plaintext kerberos password authentication for [LNFFVG\gaio] > succeeded (requesting cctype: FILE) credentials were put in: > FILE:/tmp/krb5cc_0 > > ['smbcontrol winbind offline'] > root at vdmsv1:~# wbinfo -K LNFFVG\\gaio >...

Currently for my user: root at vdmsv1:/etc/exim4# ldbsearch -H ldap://vdcsv1 -P -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=gaio)" | grep ": gaio$" cn: gaio name: gaio sAMAccountName: gaio uid: gaio msSFU30Name: gaio what field is betetr to use for querying for user 'gaio'? 'uid' no (because RFC2307 data can be missing), so? 'sAMAccountName'? or 'cn'? Thanks. PS: cle...

...; OK, i've undo also i. > > >> I have tested this on a Ubuntu 22.04 computer and it works, so I have >> updated the wiki page: >> https://wiki.samba.org/index.php/PAM_Offline_Authentication > > Apparently works as expected: > > root at dane:~# wbinfo -K gaio > Enter gaio's password: > plaintext kerberos password authentication for [gaio] succeeded (requesting cctype: FILE) > credentials were put in: FILE:/tmp/krb5cc_0 > root at dane:~# smbcontrol winbind offline > root at dane:~# wbinfo -K gaio > Enter gaio's passw...

...d policies seems to ''get written'' to user data. EG, if i set: pdbedit -P "maximum password age" -C 7776000 and i change my password, 'Password must change' have a meningful value, eg 90 days more then the last password change: root at armitage:~# pdbedit -v gaio Unix username: gaio NT username: gaio Account Flags: [U ] User SID: S-1-5-21-1458177777-355997386-270368766-1087 Primary Group SID: S-1-5-21-1458177777-355997386-270368766-1009 Full Name: Marco Gaiarin Home Directory: \\ARMITAGE...

...ailing to create profiles for users; after fiddling a bit, i was forced to have '/srv/samba/profiles' as 775 :unixadm (a group member of 'Domain Aministrators') and profile folders get created '777': root at vdmacpn1:~# ls -la /srv/samba/profiles/ totale 16 drwxrwxr-x 7 gaio unixadm 92 28 nov 15.49 . drwxrwxr-x 5 root root 54 2 nov 19.24 .. drwxrwxrwx 2 daniela segreteria 6 4 nov 10.57 daniela.V2 drwxrwxrwx 16 daniela segreteria 281 25 nov 11.59 daniela.V6 drwxrwxrwx 15 gaio domain users 272 28 nov 15.49 gaio.V2 drwxrwxrwx 15...

On Mon, 28 Jan 2019 12:52:45 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! Rowland Penny via samba > In chel di` si favelave... > > > > Strictly speaking, why winbind cache ''PAM'' data and not ''NSS'' > > > one (seems to me)? > > The problem is (for myself anyway), I do not understand the >

...if I > haven't been anywhere. This is what i supposed to work mee too. Seems not. You have also your user in /etc/passwd? O;-) > You seem to be doing something wrong ;-) Probably. But i don't understand what. Authentication works as expected: root at vdmsv2:~# wbinfo -K LNFFVG\\gaio Enter LNFFVG\gaio's password: plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0 root at vdmsv2:~# smbcontrol winbind offline root at vdmsv2:~# wbinfo -K LNFFVG\\gaio Enter LNFFVG\gaio's passwor...

...with clock differences. Some machine have effectively some troubles, eg have NO 'Windows Time' service defined, probably some glitches happened when moving from our old NT-like domain. Anyway, catching for that, we have found some other strangeness. Windows time service run: C:\Users\gaio>sc query w32time NOME_SERVIZIO: w32time TIPO : 20 WIN32_SHARE_PROCESS STATO : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) CODICE_USCITA_WIN32 : 0 (0x0) CODICE_USCITA_SERVIZIO : 0...

On 19/05/2023 12:02, Marco Gaiarin via samba wrote: > > I'm trying to enable offline auth in a Ubuntu 22.04 box, following: > > https://wiki.samba.org/index.php/PAM_Offline_Authentication > > using standard ubuntu samba package (4.15.13+dfsg-0ubuntu1.1). > I've enabled workaround 'lock directory = /var/cache/samba'. I would undo that, it appears to be

...} Interesting! I've looked at that in the past, but i was not interested in SSO so i've probably skipped. Anyway, i've tried to comment out 'winbind use default domain = yes' and add this stanza to /etc/krb5.conf but seems does not work, eg: root at vdmsv1:~# getent passwd gaio root at vdmsv1:~# getent passwd LNFFVG\\gaio LNFFVG\gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash only the 'domainful' version of the account work. > Now, since im not sure this works ok, i dont use it on my debian servers, i use option2. > option2 is ignore the "no...

...as expected. I've only found a little strange thing, i think related to the fact that in my DM i've set 'winbind use default domain = yes'. Folowing the wiki, i've enabled offline logon and then done: ['smbcontrol winbind online' root at vdmsv1:~# wbinfo -K LNFFVG\\gaio Enter LNFFVG\gaio's password: plaintext kerberos password authentication for [LNFFVG\gaio] succeeded (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0 ['smbcontrol winbind offline'] root at vdmsv1:~# wbinfo -K LNFFVG\\gaio Enter LNFFVG\gaio's password: p...

...a little strange thing, i think related to the fact > that in my DM i've set 'winbind use default domain = yes'. > > > Folowing the wiki, i've enabled offline logon and then done: > > ['smbcontrol winbind online' > root at vdmsv1:~# wbinfo -K LNFFVG\\gaio > Enter LNFFVG\gaio's password: > plaintext kerberos password authentication for [LNFFVG\gaio] > succeeded (requesting cctype: FILE) > credentials were put in: FILE:/tmp/krb5cc_0 > > ['smbcontrol winbind offline'] > root at vdmsv1:~# wbinfo -K LNFFVG\\gaio &g...

...> > Eh. «De gustibus non disputandum est». ;-) > > > > The setup for the Ad in the link below is the same but if you want > > access without auth, Have you tried to query the GC ports. ( 3268 > > or 3269 ) > > No, but now yes and does not work: > > gaio at albus:~$ ldapsearch -x -H ldap://vdcsv1:3268/ -b > DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" Try: ldbsearch -H ldap://vdcsv1:3268 -P -b DC=ad,DC=fvg,DC=lnf,DC=it '(uid=gaio)' You will have to do this as root. Rowland

Doing some test i've done, as root, in one DC: root at vdcpp1:~# smbpasswd gaio New SMB password: Retype new SMB password: root at vdcpp1:~# pdbedit -v gaio Unix username: gaio NT username: Account Flags: [U ] User SID: S-1-5-21-160080369-3601385002-3131615632-1105 Primary Group SID: S-1-5-21-160080369-3601385002-31316156...

...ou have also your user in /etc/passwd? O;-) No, you cannot have a user in /etc/passwd and AD. > > > > You seem to be doing something wrong ;-) > > Probably. But i don't understand what. Authentication works as > expected: > > root at vdmsv2:~# wbinfo -K LNFFVG\\gaio > Enter LNFFVG\gaio's password: > plaintext kerberos password authentication for [LNFFVG\gaio] > succeeded (requesting cctype: FILE) credentials were put in: > FILE:/tmp/krb5cc_0 root at vdmsv2:~# smbcontrol winbind offline > root at vdmsv2:~# wbinfo -K LNFFVG\\gaio > Ent...

Hi Marco, As far i can see here. Are all your ADDC servers set to the same source NTP ( preffered a stratum 1 or 2 ) server. ( and not pool ntp sources ) Because below i see stratum 4 and stratum 3 servers and a timeout on one server. When i look at this. > C:\Users\gaio>w32tm /query /peers > N. peer: 1 > Peer: vdcpp2.ad.fvg.lnf.it > Stato: Attivo > Tempo rimanente: 914.2880000s...

Sorry, i came back on this, but: > In another, more generic, way: how password policies are enforced? still i need an answer on this question. I've done some tests, using my account, that pdbedit say: root at vdcsv1:~# LANG=C pdbedit -v gaio Unix username: gaio NT username: Account Flags: [U ] User SID: S-1-5-21-160080369-3601385002-3131615632-1105 Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513 Full Name: Marco Gaiarin Home Directory: HomeDir Dri...