Displaying 20 results from an estimated 32 matches for "rpidc1".
2024 Jun 12
2
use of ‘idmap_ldb:use rfc2307 = yes’ in DCs
On Wed, 12 Jun 2024 09:00:47 +0200
Christian Naumer via samba <samba at lists.samba.org> wrote:
> On 11.06.24 at 19:37, Luis Peromarta via samba wrote:
> > Correct, and I have done so and explained extensively at the
> > beginning to this thread.
> >
> > Question is:
> >
> > Should we stop telling people to provision with idmap_ldb:use
> >
2023 Aug 02
1
Joining a new Samba AD DC
...haracter" issue. I have it on good authority from the "father" of
> Slackware himself that I should be able to upgrade this package w/o too much
> difficulty.
>
> --Mark
>
If I find the GUID for a DC, then use it in searches, I get results like
these:
adminuser at rpidc1:~ $ host -t CNAME fb453823-737c-4a8b-93e1-dc197e236d50
fb453823-737c-4a8b-93e1-dc197e236d50 has no CNAME record
Doing an 'A' record search using the GUIDs FQDN, gets me this:
adminuser at rpidc1:~ $ host -t A
fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com.
fb453823-737c-4...
2023 Aug 01
1
Joining a new Samba AD DC
...A 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local
> > > host: idnkit idn_encodename to idn failed: prohibited character found
> >
> > That is strange, if I obtain the GUID's on my DCs and run a similar
> > command, I get this:
> >
> > adminuser at rpidc1:~ $ host -t A
> > fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com
> > fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com is an
> > alias for rpidc1.samdom.example.com.
> > rpidc1.samdom.example.com has address 192.168.1.2
> >
> > Rowl...
2023 Aug 02
1
Joining a new Samba AD DC
...y from the "father" of
> > Slackware himself that I should be able to upgrade this package w/o too much
> > difficulty.
> >
> > --Mark
> >
>
> If I find the GUID for a DC, then use it in searches, I get results like
> these:
>
> adminuser at rpidc1:~ $ host -t CNAME fb453823-737c-4a8b-93e1-dc197e236d50
> fb453823-737c-4a8b-93e1-dc197e236d50 has no CNAME record
>
> Doing an 'A' record search using the GUIDs FQDN, gets me this:
>
> adminuser at rpidc1:~ $ host -t A
> fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom....
2024 Dec 04
1
pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
...is no need and I would advise against even attempting it.
Samba knows who the user is, here is a quick test to show this:
On a DC create a share (yes, I know this isn't really recommended, but
this is just a quick test).
Then ensure the share is owned by a user, in this case, me.
adminuser at rpidc1:~ $ sudo ls -lad /srv/test
drwxrwx--- 2 SAMDOM\rowland root 4096 Dec 4 14:23 /srv/test
This DC does not have 'idmap_ldb:use rfc2307 = yes' set (not that it
matters, I do not have any rfc2307 attributes in AD).
adminuser at rpidc1:~ $ sudo ls -land /srv/test
drwxrwx--- 2 3000020 0 4096 D...
2024 Dec 04
1
pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 12/1/24 09:42, Rowland Penny via samba wrote:
> On Sun, 1 Dec 2024 09:15:27 -0500
> "John R. Graham via samba" <samba at lists.samba.org> wrote:
>
>> I also like the idea of the ad back end and nss_winbind because it's
>> a better "single source of truth"--and I don't like the templated
>> /etc/passwd fields. Was that your goal with
2025 Jan 16
1
odd UID behaviour in Linux hosts connected to Samba AD
On 16 January 2025 17:50:08 CET, Rowland Penny via samba <samba at lists.samba.org> wrote:
>There is no way to give users logging into a DC different shells or
>home directory paths, not even if you use the rfc2307 attributes. A DC
>only reads uidNumber & gidNumber attributes from AD.
>
That is not true for me. On our DCs home and shell are read from AD.
Regards
2024 Jan 25
1
Order of getpwnam call in Get_Pwnam_internals.
...t_Pwnam_internals cause this problem.
>
> HY Wu.
You only need local Unix users (the ones that are in /etc/passwd) on a
Samba AD DC for local administration and as I said earlier, any local
Unix users are unknown to AD.
If I run getent on one of my DCs, I get things like this:
adminuser at rpidc1:~ $ getent passwd rowland
SAMDOM\rowland:*:3000020:100:Rowland Penny:/home/SAMDOM/rowland:/bin/bash
To all intents and purposes, 'rowland' is a local Unix user and can log
into the DC, but 'rowland' isn't in /etc/passwd:
adminuser at rpidc1:~ $ cat /etc/passwd | grep 'rowl...
2024 Jan 25
1
Order of getpwnam call in Get_Pwnam_internals.
...;
> > HY Wu.
>
> You only need local Unix users (the ones that are in /etc/passwd) on a
> Samba AD DC for local administration and as I said earlier, any local
> Unix users are unknown to AD.
>
> If I run getent on one of my DCs, I get things like this:
>
> adminuser at rpidc1:~ $ getent passwd rowland
> SAMDOM\rowland:*:3000020:100:Rowland Penny:/home/SAMDOM/rowland:/bin/bash
>
> To all intents and purposes, 'rowland' is a local Unix user and can log
> into the DC, but 'rowland' isn't in /etc/passwd:
>
> adminuser at rpidc1:~ $ cat...
2024 Jan 25
1
Order of getpwnam call in Get_Pwnam_internals.
Rowland Penny via samba <samba at lists.samba.org> wrote on 2024-01-25 at 6:42:
> On Thu, 25 Jan 2024 18:27:48 +0800
> hhyy ww via samba <samba at lists.samba.org> wrote:
>
> > Hi list,
> >
> > My case :
> > Local UNIX user : ZTEST
> > domain : uuq.ork
> > domain user : UUQ\ztest
> > smb.conf for standalone samba : /home/hywu/smb.conf
2024 Jan 05
1
Cleanup after demoting an offline DC
Hi,
I demoted an outdated and offline DC following:
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
Everything appears to work well but there is still one, perhaps minor,
question regarding the DNS SOA record:
The zone _msdcs.samdom.example.com still lists the demoted server in the
SOA record.
Is it ok to manually change it to the FSMO holder DC or another DC?
Thanks in advance
2024 Dec 05
1
Search for deleted objects with ldapsearch
...0ADEL:* sAMAccountName
> does anyone know a solution to search for deleted Objects with
> ldapsearch? Not only to search for but also find all deleted objects
> ;-)
>
> Stefan
>
>
It's an OID ;-)
root at devstation:~# ldapsearch -v -Y GSSAPI -R SAMDOM.EXAMPLE.COM -H ldap://rpidc1.samdom.example.com -b 'CN=Deleted Objects,DC=samdom,DC=example,DC=com' -E '!1.2.840.113556.1.4.417' -s sub '(objectClass=*)' distinguishedName
Rowland
2024 Mar 28
1
Linux Mint 21.3 client AD joined OK but no usb working
...ant to be member of local-groups like: libvirt, kvm,
> docker, vboxusers
>
> You can do this with: usermod -a -G <group> <domain-user>, this
> mechanism works much better than pam_group (which does not work for
> this purpose).
It worked for myself:
SAMDOM\rowland at rpidc1:~ $ groups
domain users dialout cdrom floppy audio video plugdev scanner
BUILTIN\administrators BUILTIN\users domain admins denied rodc password
replication group rowland testgroup
It just didn't help with the problem
>
> I do this when a domain-user logs in and the reverse when (s)he l...
2024 Mar 30
2
Linux Mint 21.3 client AD joined OK but no usb working
...rt,
> > kvm, docker, vboxusers
> >
> > You can do this with: usermod -a -G <group> <domain-user>, this
> > mechanism works much better than pam_group (which does not work for
> > this purpose).
>
> It worked for myself:
>
> SAMDOM\rowland at rpidc1:~ $ groups
> domain users dialout cdrom floppy audio video plugdev scanner
> BUILTIN\administrators BUILTIN\users domain admins denied rodc
> password replication group rowland testgroup
>
> It just didn't help with the problem
> >
> > I do this when a domain-user l...
2023 May 22
2
PAM Offline Authentication in Ubuntu 22.04...
...on for [gaio] succeeded (requesting cctype: FILE)
> user_flgs: NETLOGON_CACHED_ACCOUNT
>
> BUT a simple:
>
> getent passwd gaio
I have Ubuntu 22.04 with Samba 4.15.13 running in a VM and it just works
for myself.
If I disconnect the network and try to ping a DC, I get:
ping: rpidc1: Temporary failure in name resolution
So the DC cannot be found
But, if I run 'getent passwd rowland' I instantly get this:
rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash
I can log out from 'rowland' and then log in again, though I do appear
to get a message from l...
2023 Jan 12
1
problems with sysvol after fsmo transfer
...use.
Here is the proof of concept:
Log into the DC that you wish to transfer an FSMO role to and show the
FSMO owners at present (this list is shortened to just one, the one I
will transfer):
adminuser at rpidc2:~ $ sudo samba-tool fsmo show
DomainDnsZonesMasterRole owner: CN=NTDS
Settings,CN=RPIDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Kinit as Administrator (note I am using sudo, but it would be the same
if done by root)
adminuser at rpidc2:~ $ sudo kinit Administrator
Password for Administrator at SAMDOM.EXAMPLE.COM:
The Administrato...
2023 Apr 14
1
Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)
...nd
like that FSMO role, there can only be one, the DC that holds the role,
you should delete the two incorrect ones.
I have two DC's and this is the output from my domain:
host -t SRV _ldap._tcp.pdc._msdcs.samdom.example.com
_ldap._tcp.pdc._msdcs.samdom.example.com has SRV record 0 100 389
rpidc1.samdom.example.com.
Rowland
2023 Aug 24
1
samba-tool user disable doesn't change any object attributes?
Ah I understand the 512 + 2 thing.
But the userAccountControl is still 512 after I run `samba-tool user disable`
Rowland Penny via samba <samba at lists.samba.org> wrote on 2023-08-24 at 21:38:
>
> On Thu, 24 Aug 2023 21:12:38 +0800
> Reese Wang via samba <samba at lists.samba.org> wrote:
>
> > I used `samba-tool user disable testuser` to disable a user and
> >
2023 Aug 24
1
samba-tool user disable doesn't change any object attributes?
...s this and on what OS ?
Where are you running the command ?
On Debian bullseye with Samba from backports (4.17.10), if I check a
user, I get this:
dn: CN=usertest3,CN=Users,DC=samdom,DC=example,DC=com
..............
userAccountControl: 512
If I then, on a DC, disable the user with:
adminuser at rpidc1:~ $ sudo samba-tool user disable usertest3
I get no output and when I check again, I find this:
dn: CN=usertest3,CN=Users,DC=samdom,DC=example,DC=com
..........
userAccountControl: 514
The user is now disabled.
Rowland
2024 Apr 05
1
-513 = 100 in tdb mode ?
Hi
Quick question about something I find surprising:
In tdb mode :
net cache list -s /etc/samba/smb.conf |grep '\-513'
Key: IDMAP/GID2SID/100    Timeout: Tue Apr  9 14:34:48 2024 Value:
S-1-5-21-1040823229-2152490729-3717368692-513
id of group "domain users" is 100
But id 100 is used by the "users" system group:
getent group|grep users
users:x:100:
Is this something