Displaying 20 results from an estimated 27 matches for "sidhistory".
2009 Nov 14
1
'allow trusted domains = no' and sidhistory = bad
We are in an environment where several AD domains are being
consolidated into one larger domain using sidhistory. The samba
winbind configuration is using 'allow trusted domains = no' as we do
not care about what is in the other domains (as well as the problem
that many of them are unreachable from other locations meaning winbind
will choke completely if we don't disallow them).
The symptom I am...
2006 Mar 02
0
winbind, sIDHistory and getpwuid problems
In our native Win2K3 AD domain, several AD accounts have a sIDHistory
that carry SIDs from before the AD domain migration in addition to the
"primary" objectSID.
Samba 3.0.21c winbindd (with idmap OpenLDAP backend) on domain member
servers (running SuSE 9.3 Pro) allocates multiple uids for these SIDs
with the same (AD) user name:
Primary SID:
# geten...
2010 Sep 03
0
Using samba4 to escalate privs.
Ye ol' sidHistory edit attack in new disguise using samba4. I don't think
you can consider it to be a hack but I had a lot of fun playing about with
ldbedit. Samba4 is wikked, it really opens up AD, I had a lot of fun setting
it up. Check my blog for my little sidHistory priv escalation tutorial
(domain admin t...
2014 Jul 28
1
Winbind rid + SID History creating duplicate per-user groups
...RID in AD), and so a jkelley
group with gid 14504 is also created, but the jkelley user is actually
a member of a second jkelley group with a different gid.
By poking around with wbinfo, I determined that the duplicate groups
are being created by SID history; one gid corresponds to the SID in
the sIDHistory attribute, while the other corresponds to the current
SID in the Active Directory domain. Is there a way to fix this
without simply deleting the sIDHistory attributes from Active
Directory?
Winbind config from smb.conf:
idmap backend = rid
idmap uid = 10000-30000
idmap gid = 10000-30000
winbind...
2014 Sep 11
2
Conflicts between RIDs from historical domain SIDs
Samba version: 4.1.9
Using the idmap_rid backend
Case:
A Windows AD security group has a historical SID (sidHistory) whose RID matches the RID of a user in the "current domain"
For example: (Note the different domain portions of the SID)
Current SID of group G: S-1-5-21-1405700021-3363460546-1698178416-30661
Historical SID of group G: S-1-5-21-2389300033-4596500334-340320342...
2008 Mar 09
1
Migration to Samba.
...unts don't have access to
their old folders. I've tried giving the new domain the same SID as
the old domain, but in that case, the windows clients refuse to join
the domain (they report a 'rpc error').
Is there anything I can do?
I think the ideal solution would be to emulate the sidHistory field
from the AD, but a message from 2005 (I think) on this list said it
was not possible with Samba3. Has that situation changed?
I've also tried to use the moveuser.exe command, to no avail. It
either claims that cannot find the account, or that the account
already exists, and fails in both...
2015 Feb 21
3
Samba4, idmap.ldb & ID_TYPE_BOTH
...he group and the third is the start of the ACEs. So the owner (O) is LA
which is 'Local Administrator' and the group (G) is DA which is 'Domain
Administrators' , as I read it, Domain Administrators doesn't own the
files, or am I missing something?
> - We don't (eg in sidHistory, or when files are migrated, preserving
> permissions, from a workstation or from a domain that is not trusted)
> always know if an incoming SID is a user or group.
does windows know from the SID what the object is? and if not, what does
windows do?
> - Working out if an arbitrary SID...
2017 Jun 06
1
[Announce] Samba 4.6.5 Available for Download
...n Ambach <ambi at samba.org>
* BUG 12765: s3:smbcacls add prompt for password.
o Ralph Boehme <slow at samba.org>
* BUG 12562: vfs_acl_xattr|tdb: Ensure create mask is at least 0666 if
ignore_system_acls is set.
* BUG 12702: Wrong sid->uid mapping for SIDs residing in sIDHistory.
* BUG 12749: vfs_fruit: lp_case_sensitive() does not return a bool.
* BUG 12766: s3/smbd: Update exclusive oplock optimisation to the lease area.
* BUG 12798: s3/smbd: Fix exclusive lease optimisation.
o Alexander Bokovoy <ab at samba.org>
* BUG 12751: Allow passing trusted dom...
2017 Mar 23
4
[Samba 4.5] Very slow LDAP Queries (almost unusable), performance tunning ?
...roxyAddresses
> @IDXATTR: msPKI-Cert-Template-OID
> @IDXATTR: uNCName
> @IDXATTR: mS-SQL-Name
> @IDXATTR: fSMORoleOwner
> @IDXATTR: msSFU30NisDomain
> @IDXATTR: otherMailbox
> @IDXATTR: location
> @IDXATTR: msSFU30NetgroupHostAtDomain
> @IDXATTR: uSNChanged
> @IDXATTR: sIDHistory
> @IDXATTR: birthLocation
> @IDXATTR: msDS-SecondaryKrbTgtNumber
> @IDXATTR: msTSProperty01
> @IDXATTR: msTSManagingLS4
> @IDXATTR: msSFU30OrderNumber
> @IDXATTR: msDS-HABSeniorityIndex
> @IDXATTR: primaryGroupID
> @IDXATTR: mSMQQueueType
> @IDXATTR: msDFSR-ReplicationGro...
2001 Apr 11
6
Changing Domains from NT4 / AD 2000
Hello all.
AIX 4.3.3 / Samba 2.0.6 / Production NT4.0 domain
Security = DOMAIN
encrypt passwords = yes
update encrypted = yes
Action: Moving from NT4.0 domain called nt40 to AD 2000 Domain called ad-domain
Problem: Users that have been migrated to ad-domain cannot authenticate to AIX SAMBA shares . . . the AIX SAMBA server is still part of the nt40 domain.
Explanation: I can however, map /
2015 Feb 23
1
Samba4, idmap.ldb & ID_TYPE_BOTH
...Es. So the owner (O) is
>> LA which is 'Local Administrator' and the group (G) is DA which is
>> 'Domain Administrators' , as I read it, Domain Administrators doesn't
>> own the files, or am I missing something?
>>
>>> - We don't (eg in sidHistory, or when files are migrated, preserving
>>> permissions, from a workstation or from a domain that is not trusted)
>>> always know if an incoming SID is a user or group.
>> does windows know from the SID what the object is? and if not, what
>> does windows do?
> In W...
2015 Feb 21
0
Samba4, idmap.ldb & ID_TYPE_BOTH
...> can
> a user also be a group and a group can also be a user and why was it
> setup like this in the first place ? , there must be a reason for it.
It goes like this:
- Groups can own files (there are groups like domain administrators
that own files in sysvol)
- We don't (eg in sidHistory, or when files are migrated, preserving
permissions, from a workstation or from a domain that is not trusted)
always know if an incoming SID is a user or group.
- Working out if an arbitrary SID is a user or group takes time and
network operations, which may fail. ID_TYPE_BOTH is both fast and...
2005 Oct 20
0
Re: Please help me with migration to MS Windows 2003
...rights to
all domain and local resources with that login.
- Turn on auditing in the destination domain. This can be done with the
domain group policy editor.
- Read the Microsoft Knowledge Base Article 322970 --
http://support.microsoft.com/kb/322970 -- "How to Troubleshoot
Inter-Forest sIDHistory Migration with ADMTv2"
Hope this helps.
--Jon Johnson
jon@sutinen.com
www.sutinen.com
Arne Roolfs wrote:
> Hello Jon,
>
> you posted a description how to migrate from a Samba 3 domain to a MS
> Windows 2003 Server domain at the samba mailing list.
>
> I try to do, but wh...
2009 Oct 10
0
Samba interdomain trust with Win2008 AD
...erver to the AD server. The purpose of this is to enable ADMT to
migrate the user accounts over to AD. While I have been able to query the
ldap backend via ldifde and import the users it is only a last resort
measure to do that. My aim is to bring the users over with the SID value
stored in the AD SIDHistory attribute.
(irrelevant details changed)
net rpc trustdom list -S sambasvr -Usuper
Password:
Trusted domains list:
none
Trusting domains list:
WIN2k8 S-1-5-21-954781686-2318084328-821430687
The issue is, to establish a trust from the samba server to the win2k8
server I end up with:
net rpc t...
2003 Jan 02
1
samba 2.0.6 on HP-UX 11.0
I've had samba running cleanly on an HP-UX 11.0 system for many months, with
"DOMAIN" security and one-to-one account name mapping. A few days ago I
started getting password prompts on connection, and messages like this in
the log files...
[2003/01/02 15:46:36, 0] rpc_parse/parse_prs.c:(316)
prs_mem_get: reading data of size 60 would overrun buffer.
[2003/01/02 15:46:36, 0]
2015 Feb 22
0
Samba4, idmap.ldb & ID_TYPE_BOTH
...s the start of the ACEs. So the owner (O) is
> LA which is 'Local Administrator' and the group (G) is DA which is
> 'Domain Administrators' , as I read it, Domain Administrators doesn't
> own the files, or am I missing something?
>
> > - We don't (eg in sidHistory, or when files are migrated, preserving
> > permissions, from a workstation or from a domain that is not trusted)
> > always know if an incoming SID is a user or group.
>
> does windows know from the SID what the object is? and if not, what
> does windows do?
In Windows, a SI...
2017 Mar 23
1
[Samba 4.5] Very slow LDAP Queries (almost unusable), performance tunning ?
...@IDXATTR: mS-DS-CreatorSID
@IDXATTR: proxyAddresses
@IDXATTR: msPKI-Cert-Template-OID
@IDXATTR: uNCName
@IDXATTR: mS-SQL-Name
@IDXATTR: fSMORoleOwner
@IDXATTR: msSFU30NisDomain
@IDXATTR: otherMailbox
@IDXATTR: location
@IDXATTR: msSFU30NetgroupHostAtDomain
@IDXATTR: uSNChanged
@IDXATTR: sIDHistory
@IDXATTR: birthLocation
@IDXATTR: msDS-SecondaryKrbTgtNumber
@IDXATTR: msTSProperty01
@IDXATTR: msTSManagingLS4
@IDXATTR: msSFU30OrderNumber
@IDXATTR: msDS-HABSeniorityIndex
@IDXATTR: primaryGroupID
@IDXATTR: mSMQQueueType
@IDXATTR: msDFSR-ReplicationGroupGuid
@IDXATTR: msDS-PhoneticDepar...
2017 Mar 27
4
[Samba 4.5] Very slow LDAP Queries (almost unusable), performance tunning ?
...roxyAddresses
> @IDXATTR: msPKI-Cert-Template-OID
> @IDXATTR: uNCName
> @IDXATTR: mS-SQL-Name
> @IDXATTR: fSMORoleOwner
> @IDXATTR: msSFU30NisDomain
> @IDXATTR: otherMailbox
> @IDXATTR: location
> @IDXATTR: msSFU30NetgroupHostAtDomain
> @IDXATTR: uSNChanged
> @IDXATTR: sIDHistory
> @IDXATTR: birthLocation
> @IDXATTR: msDS-SecondaryKrbTgtNumber
> @IDXATTR: msTSProperty01
> @IDXATTR: msTSManagingLS4
> @IDXATTR: msSFU30OrderNumber
> @IDXATTR: msDS-HABSeniorityIndex
> @IDXATTR: primaryGroupID
> @IDXATTR: mSMQQueueType
> @IDXATTR: msDFSR-ReplicationGro...
2017 Mar 27
0
[Samba 4.5] Very slow LDAP Queries (almost unusable), performance tunning ?
...roxyAddresses
> @IDXATTR: msPKI-Cert-Template-OID
> @IDXATTR: uNCName
> @IDXATTR: mS-SQL-Name
> @IDXATTR: fSMORoleOwner
> @IDXATTR: msSFU30NisDomain
> @IDXATTR: otherMailbox
> @IDXATTR: location
> @IDXATTR: msSFU30NetgroupHostAtDomain
> @IDXATTR: uSNChanged
> @IDXATTR: sIDHistory
> @IDXATTR: birthLocation
> @IDXATTR: msDS-SecondaryKrbTgtNumber
> @IDXATTR: msTSProperty01
> @IDXATTR: msTSManagingLS4
> @IDXATTR: msSFU30OrderNumber
> @IDXATTR: msDS-HABSeniorityIndex
> @IDXATTR: primaryGroupID
> @IDXATTR: mSMQQueueType
> @IDXATTR: msDFSR-ReplicationGro...