search for: idamp

Rowland, I found something related that you were doing. "[PATCH] samba-tool: Easily edit a users object in AD" Did you finish the script? On Fri, Dec 1, 2017 at 3:24 PM, Rowland Penny via samba < samba at lists.samba.org> wrote: > On Fri, 1 Dec 2017 15:00:39 -0200 > Elias Pereira <empbilly at gmail.com> wrote: > > > Thanks Rowland for the quick answer!! :)

Can you share with me? :) On Fri, Dec 1, 2017 at 4:43 PM, Rowland Penny via samba < samba at lists.samba.org> wrote: > On Fri, 1 Dec 2017 16:27:11 -0200 > Elias Pereira <empbilly at gmail.com> wrote: > > > Rowland, > > > > I found something related that you were doing. > > > > "[PATCH] samba-tool: Easily edit a users object in AD" >

Correcting! :) #!/bin/bash # GROUP=ADM GUID=10000 # Domain Users UID=10000 # get the next ID ? for USER in $(samba-tool group listmembers $GROUP) do samba-tool user edit $USER --nis-domain=samdom \ --unix-home=/home/$USER \ --uid-number=${NEXTID} \ --login-shell=/sbin/nologin \ --gid-number=$GUID done Of course that script is very simple, but is a beginning. :)

> > Sorry, but that isn't going to work with 'samba-tool user edit' > You would need to write an 'editor' script to do what you would need to > do. Ok. Bit busy, just now, give me some time, I have a script somewhere that > should do what you want. Of course Rowland. Work on what you're working on. I do not want to disturb you. :) I'll give a

Hello friends, My doubts are as follows. In an environment where we have, for example, 1000 users, I believe that rid would be the best choice in a fileserver environment, because we don't need to manually configure via RSAT a unix attribute for each user. Is that more or less the thought, or am I wrong? -- Elias Pereira

Found it! :) I thought in make a script more or less that way. #!/bin/bash # GROUP=ADM GUID=10000 # Domain Users UID=10000 # get the next ID ? for USER in $(samba-tool group listmembers $GROUP) do samba-tool user edit $USER -H ldap://samdom.example.com \ -U administrato --nis-domain=samdom \ --unix-home=/home/$USER \ --uid-number=${NEXTID} \

Thanks Rowland for the quick answer!! :) If you are going to use more > than one Unix domain member as a fileserver, then you will probably be > better off using the winbind ad backend, this way you can ensure your > users and groups have the same ID everywhere. Maybe in the near future I'll set up a new fileserver. That way, I believe that ad as a backend is the best choice. I

On Sat, 2 Dec 2017 12:13:08 -0200 Elias Pereira via samba <samba at lists.samba.org> wrote: > > > > Sorry, but that isn't going to work with 'samba-tool user edit' > > You would need to write an 'editor' script to do what you would > > need to do. > > > Ok. > > Bit busy, just now, give me some time, I have a script somewhere that

On Sat, 2 Dec 2017 10:21:07 -0200 Elias Pereira <empbilly at gmail.com> wrote: > Correcting! :) > > #!/bin/bash > # > GROUP=ADM > GUID=10000 # Domain Users > UID=10000 # get the next ID ? > > for USER in $(samba-tool group listmembers $GROUP) > do > samba-tool user edit $USER --nis-domain=samdom \ > --unix-home=/home/$USER \ >

...conf matter at all? > > _Rob > > Hi Rob, You can try to use tdbtool to delete the offending key with uid 2020. https://www.samba.org/samba/docs/man/manpages-3/tdbtool.8.html I'd stop samba make an backup of winbind_idmap.tdb and give it a try. In my case deleting the mappings from idamp.tdb fixed the issue of changing uid's. achim~

...= srvfile reset on zero vc = yes server string = encrypt passwords = yes load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes idmap config *:backend = tdb idmap config *:range = 10000-20000 idmap config DOMAIN:backend = ad idamp config DOMAIN:schema_mode = rfc2307 idmap config DOMAIN:range = 0-40000 winbind nss info = rfc2307 winbind trusted domains only = no winbind use default domain = yes winbind enum users = yes winbind enum groups = yes winbind offline logon = false vfs objects = acl...

...Hi Rob, >> >> You can try to use tdbtool to delete the offending key with uid 2020. >> https://www.samba.org/samba/docs/man/manpages-3/tdbtool.8.html >> I'd stop samba make an backup of winbind_idmap.tdb and give it a try. >> In my case deleting the mappings from idamp.tdb fixed the issue of changing >> uid's. >> >> achim~ >> >> > Did the uid change from 2018 to 2020 or is this an different user or member > server? If it changed editing winbindd_idmap.tdb might not fix your problem. It didn't change, it was my cop...

...to 'root'. > > If I run mmc.dsc on the win7 PC and connect to the share, everything > works for me. I actually have the same problem. The Security tab works as expected. Only "Sessions" and "Open Files" do not work. On an DM but work on a DC. This is with the idamp AD backend not rid and Administrator does not have an uid assigned. In the logs I see this: Successful AuthZ: [srvsvc,ncacn_np] user [BRAIN-02]\[Administrator] [S-1-22-1-0] at [Mi, 06 Dez 2017 10:00:22.032080 CET] Remote host [ipv4:x.x.x.x:35170] local host [NULL] Dec 6 10:00:22 lx-sv-03 smbd_a...

...erver string = > encrypt passwords = yes > > load printers = no > printing = bsd > printcap name = /dev/null > disable spoolss = yes > > idmap config *:backend = tdb > idmap config *:range = 10000-20000 > idmap config DOMAIN:backend = ad > idamp config DOMAIN:schema_mode = rfc2307 > idmap config DOMAIN:range = 0-40000 > > winbind nss info = rfc2307 > winbind trusted domains only = no > winbind use default domain = yes > winbind enum users = yes > winbind enum groups = yes > winbind offline logo...

...t;> >> > Hi Rob, > > You can try to use tdbtool to delete the offending key with uid 2020. > https://www.samba.org/samba/docs/man/manpages-3/tdbtool.8.html > I'd stop samba make an backup of winbind_idmap.tdb and give it a try. > In my case deleting the mappings from idamp.tdb fixed the issue of > changing uid's. > > achim~ > > Did the uid change from 2018 to 2020 or is this an different user or member server? If it changed editing winbindd_idmap.tdb might not fix your problem.

...n the ldap database. But when I do "su <some ads user>" on the secondary the uid of <some ads user> is stored in the ldap database of the secondary when the uid hasn't been seen before on the primary. When I do "su - <another ads user>" on the primary the idamp is stored in the ldap database of the primary and replicated to the secondary correctly. There are no log messages the indicate a problem or a hint for a solution. I have seen a message on this list concerning the same problem but no answer, so I thought I give you a little more information on th...

IDAMP cache somehow ends up with an unmapped SID2UID entry (i.e value = -1) and the SID2GID entry expires. At this stage winbindd returns unmapped for a SID-to-UNIX-IDs request. This results in smbd giving incorrect group memberships and incorrect resource access, until the SID2UID entry expires. This...

...= yes >> >> load printers = no >> printing = bsd >> printcap name = /dev/null >> disable spoolss = yes >> >> idmap config *:backend = tdb >> idmap config *:range = 10000-20000 >> idmap config DOMAIN:backend = ad >> idamp config DOMAIN:schema_mode = rfc2307 >> idmap config DOMAIN:range = 0-40000 >> >> winbind nss info = rfc2307 >> winbind trusted domains only = no >> winbind use default domain = yes >> winbind enum users = yes >> winbind enum groups = yes...

Hello,     Looking up a users group membership I'm showing different results on each DC. UID and GID mapping appears consistent but not all group membership is displayed. I've verified idmap.ldb is backup up and copied over to the other DC's. I do notice when taking a hot backup of idmap.ldb, the file size is dramatically smaller than the original. Using Microsoft RSAT to view

...line logon = Yes winbind refresh tickets = Yes winbind use default domain = Yes workgroup = ADDOM fruit:nfs_aces = no idmap config * : range = 1-999 idmap config addom : unix_primary_group = yes idmap config addom : unix_nss_info = yes idamp config addom : schema_mode = rfc2307 idmap config addom : backend = ad idmap config addom : range = 1000-999999999 idmap config * : backend = tdb acl group control = Yes create mask = 0664 directory mask = 0775 dos filemode = Yes force...