Displaying 20 results from an estimated 27 matches for "sidhistori".

2009 Nov 14
1
'allow trusted domains = no' and sidhistory = bad
We are in an environment where several AD domains are being consolidated into one larger domain using sidhistory. The samba winbind configuration is using 'allow trusted domains = no' as we do not care about what is in the other domains (as well as the problem that many of them are unreachable from other locations meaning winbind will choke completely if we don't disallow them). The
2006 Mar 02
0
winbind, sIDHistory and getpwuid problems
In our native Win2K3 AD domain, several AD accounts have a sIDHistory that carry SIDs from before the AD domain migration in addition to the "primary" objectSID. Samba 3.0.21c winbindd (with idmap OpenLDAP backend) on domain member servers (running SuSE 9.3 Pro) allocates multiple uids for these SIDs with the same (AD) user name: Primary SID: # getent passwd myuser
2010 Sep 03
0
Using samba4 to escalate privs.
Ye ol' sidHistory edit attack in new disguise using samba4. I don't think you can consider it to be a hack but I had a lot of fun playing about with ldbedit. Samba4 is wikked, it really opens up AD, I had a lot of fun setting it up. Check my blog for my little sidHistory priv escalation tutorial (domain admin to enterprise admin).
2014 Jul 28
1
Winbind rid + SID History creating duplicate per-user groups
Since upgrading from Ubuntu 12.04 (Samba 3.6.3) to Ubuntu 14.04 (Samba 4.1.6), I've noticed some strange problems with our group mappings: First, each of our Active Directory users now has a corresponding group in Linux. I don't remember ever noticing this in Ubuntu 12.04 / Samba 3.6.3. Is this feature new? Is it documented anywhere? (I tried searching online and couldn't find
2014 Sep 11
2
Conflicts between RIDs from historical domain SIDs
Samba version: 4.1.9 Using the idmap_rid backend Case: A Windows AD security group has a historical SID (sidHistory) whose RID matches the RID of a user in the "current domain" For example: (Note the different domain portions of the SID) Current SID of group G: S-1-5-21-1405700021-3363460546-1698178416-30661 Historical SID of group G:
2008 Mar 09
1
Migration to Samba.
Hi there. [I just asked this over the irc channel, but since I got no reply, I decided to cross-post here. Please forgive me if that is incorrect] I'm trying to migrate an Active Directory domain (that is being used only for authentication) to a samba3 domain. The network is small enough to rejoin the clients one by one and recreate the user accounts if necessary. However, the new user
2015 Feb 21
3
Samba4, idmap.ldb & ID_TYPE_BOTH
On 21/02/15 19:26, Andrew Bartlett wrote: > On Thu, 2015-02-19 at 17:15 +0000, Rowland Penny wrote: >> This all leads me to my questions, why, when it comes to idmap.ldb, >> can >> a user also be a group and a group can also be a user and why was it >> setup like this in the first place ? , there must be a reason for it. > It goes like this: > > - Groups can
2017 Jun 06
1
[Announce] Samba 4.6.5 Available for Download
====================================================== "Stay positive and happy. Work hard and don't give up hope. Be open to criticism and keep learning. Surround yourself with happy, warm and genuine people." Tena Desae ====================================================== Release Announcements --------------------- This is the latest stable release
2017 Mar 23
4
[Samba 4.5] Very slow LDAP Queries (almost unusable), performance tunning ?
Are you using zarafaAccount=1 within the search filters? I use things like this: (&(objectClass=person)(zarafaAccount=1)(|(mail=%s)(otherMailbox=%s))) Or for groups: (&(objectclass=group)(zarafaAccount=1)(|(mail=%s)(otherMailbox=%s))) That helps a lot! If you switch to kopano, beware to change the SCHEMA and filters; zarafaAccount changed to kopanoAccount. Greetz. Louis
2001 Apr 11
6
Changing Domains from NT4 / AD 2000
Hello all. AIX 4.3.3 / Samba 2.0.6 / Production NT4.0 domain Security = DOMAIN encrypt passwords = yes update encrypted = yes Action: Moving from NT4.0 domain called nt40 to AD 2000 Domain called ad-domain Problem: Users that have been migrated to ad-domain cannot authenticate to AIX SAMBA shares . . . the AIX SAMBA server is still part of the nt40 domain. Explanation: I can however, map /
2015 Feb 23
1
Samba4, idmap.ldb & ID_TYPE_BOTH
On 22/02/15 01:02, Andrew Bartlett wrote: > On Sat, 2015-02-21 at 21:37 +0000, Rowland Penny wrote: >> On 21/02/15 19:26, Andrew Bartlett wrote: >> >>> On Thu, 2015-02-19 at 17:15 +0000, Rowland Penny wrote: >>>> This all leads me to my questions, why, when it comes to idmap.ldb, >>>> can >>>> a user also be a group and a group can also
2015 Feb 21
0
Samba4, idmap.ldb & ID_TYPE_BOTH
On Thu, 2015-02-19 at 17:15 +0000, Rowland Penny wrote: > > This all leads me to my questions, why, when it comes to idmap.ldb, > can > a user also be a group and a group can also be a user and why was it > setup like this in the first place ? , there must be a reason for it. It goes like this: - Groups can own files (there are groups like domain administrators that own files
2005 Oct 20
0
Re: Please help me with migration to MS Windows 2003
Replying on list so others may help or benefit... Arne, It's been a while since I've done one of these migrations, but here's a couple of things to try: - Make sure the clients' primary DNS server is an Active Directory Integrated DNS (in a single-DC environment, the DNS is usually the same machine as the W2K3 domain controller) - In the clients' Advanced TCP/IP
2009 Oct 10
0
Samba interdomain trust with Win2008 AD
Greetings, I've been having some issues establishing a two way interdomain trust between a samba server and a win2k8 active directory server. I've established a trust password and object and was able to create a trust relationship from the AD server to the samba server but I'm unable to from the Samba server to the AD server. The purpose of this is to enable ADMT to migrate the user
2003 Jan 02
1
samba 2.0.6 on HP-UX 11.0
I've had samba running cleanly on an HP-UX 11.0 system for many months, with "DOMAIN" security and one-to-one account name mapping. A few days ago I started getting password prompts on connection, and messages like this in the log files... [2003/01/02 15:46:36, 0] rpc_parse/parse_prs.c:(316) prs_mem_get: reading data of size 60 would overrun buffer. [2003/01/02 15:46:36, 0]
2015 Feb 22
0
Samba4, idmap.ldb & ID_TYPE_BOTH
On Sat, 2015-02-21 at 21:37 +0000, Rowland Penny wrote: > On 21/02/15 19:26, Andrew Bartlett wrote: > > > On Thu, 2015-02-19 at 17:15 +0000, Rowland Penny wrote: > > > This all leads me to my questions, why, when it comes to idmap.ldb, > > > can > > > a user also be a group and a group can also be a user and why was it > > > setup like this in the
2017 Mar 23
1
[Samba 4.5] Very slow LDAP Queries (almost unusable), performance tunning ?
Dear users, We are facing a big latency issue regarding the LDAP Server (both encrypted & plain). We have a Zarafa mail server which makes a lot of queries and puts a samba process to 100% usage. This latency makes the mail server unusable. The mail server was previously on OpenLDAP and there were no performance issues. A simple LDAP query can take up to 25 sec to perform!! We
2017 Mar 27
4
[Samba 4.5] Very slow LDAP Queries (almost unusable), performance tunning ?
Can you tell more about your setup? Is zarafa and samba on the same server, for example? Which MTA are you using, postfix/exim? My top was about 150 users, and all my printers are connected also, so about 200 devices do ldap searches, but my setup is split over 10+ servers (2 are AD DC). So best is to tell what you can about your setup, anonymize if needed. Greetz, Louis
2017 Mar 27
0
[Samba 4.5] Very slow LDAP Queries (almost unusable), performance tunning ?
No, you have to do that manually, or look at the samba4 ADS script for kopano (or zarafa). But I mostly follow the documentation. And when I run: time ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST .... real    0m0.230s user    0m0.184s sys     0m0.044s so if yours takes more than 20 sec there is something very wrong. I suggest check your samba AD database and