search for: vdcsv1

In syslog of my DC (2:4.5.12+dfsg-2+deb9u2~bpo8+1) i found sometime rows like: Mar 21 09:53:40 vdcsv1 smbd[22686]: [2018/03/21 09:53:40.826081, 0] ../source3/param/loadparm.c:3244(process_usershare_file) Mar 21 09:53:40 vdcsv1 smbd[22686]: process_usershare_file: stat of /var/lib/samba/usershares/sysvo failed. Permesso negato Mar 21 09:53:40 vdcsv1 smbd[22686]: [2018/03/21 09:53:40.831949, 0]...

...: 0 Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF But in the new 'AD' domain i'm setting up, seems that things does not work like this. If i set the same policy: samba-tool domain passwordsettings set --max-pwd-age=90 and i chage the password, i get: root at vdcsv1:~# pdbedit -v gaio Unix username: gaio NT username: Account Flags: [U ] User SID: S-1-5-21-160080369-3601385002-3131615632-1105 Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513 Full Name: Marco Gaiarin Home Directory:...

On Wed, 21 Mar 2018 11:02:02 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > In syslog of my DC (2:4.5.12+dfsg-2+deb9u2~bpo8+1) i found sometime > rows like: > > Mar 21 09:53:40 vdcsv1 smbd[22686]: [2018/03/21 09:53:40.826081, > 0] ../source3/param/loadparm.c:3244(process_usershare_file) Mar 21 > 09:53:40 vdcsv1 smbd[22686]: process_usershare_file: stat > of /var/lib/samba/usershares/sysvo failed. Permesso negato Mar 21 > 09:53:40 vdcsv1 smbd[22686]: [2018/03/21 09:...

Sorry, i came back on this, but: > In another, more generic, way: how password policies are enforced? still i need an answer on this question. I've done some tests, using my account, that pdbedit say: root at vdcsv1:~# LANG=C pdbedit -v gaio Unix username: gaio NT username: Account Flags: [U ] User SID: S-1-5-21-160080369-3601385002-3131615632-1105 Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513 Full Name: Marco Gaiarin Home Dire...

...In chel di` si favelave... > This is a known problem, you cannot 'reload' Bind9 on a Samba DC, you > have to restart it. Ah. 'known' not to me... ;-) > Check the Bind conf files (including logrotate) for 'reload' and replace > with 'restart' root at vdcsv1:~# find /etc -name bind9 | grep reload root at vdcsv1:~# And there's no logrotate conf snippet for bind. In various files/scripts: root at vdcsv1:~# find /etc -name bind9 /etc/init.d/bind9 /etc/ppp/ip-up.d/bind9 /etc/ppp/ip-down.d/bind9 /etc/default/bind9 /etc/network/if-down.d/bind9...

...Im pretty sure this is a bug in the DC part. > > Ahem, sorry, but i'm lost in following this therad. I've hust setup my > test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package, > lous) on a debian jessie. > > Very minimal configuration: > > root at vdcsv1:~# samba-tool testparm > Press enter to see a dump of your service definitions > > # Global parameters > [global] > netbios name = VDCSV1 > realm = AD.FVG.LNF.IT > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > drepl, winbindd, ntp_signd, kcc, dnsupd...

I've coded some scripts that extract some info from a smb.conf section. In DC works: root at vdcsv1:~# samba-tool -V 4.5.16-Debian root at vdcsv1:~# samba-tool testparm --section sysvol [sysvol] path = /var/lib/samba/sysvol read only = No root at vdcsv1:~# samba-tool testparm --section-name=sysvol [sysvol] path = /var/lib/samba/sysvol read only = No in DM no: root at vdmsv1:~...

...t the domain get more complex, i want to limit server lookups to the DC in the same site. Googling around lead me to: https://patternbuffer.wordpress.com/2007/12/13/finding-your-active-directory-site-and-domain-controllers/ and seems to work. With the local network i can get the site: root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Subnets,CN=Sites,CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=10.5.0.0/16)" siteObject # record 1 dn: CN=10.5.0.0/16,CN=Subnets,CN=Sites,CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it siteObject: CN=SanVito,CN=Sites,CN=Con...

...to the one you placed in the gidNumber attribute in Domain Users. I can confirm that. Using ADUC i've noted that 'Domain Users' have no GID assigned, so seems that some samba ''internal'' logic assign GID 100 'by default'. After assigning GID 10513: root at vdcsv1:~# net cache flush root at vdcsv1:~# getent group "Domain Users" LNFFVG\domain users:x:10513: root at vdcsv1:~# wbinfo -G 10513 S-1-5-21-160080369-3601385002-3131615632-513 -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia''...

...ndum est». ;-) > > > > The setup for the Ad in the link below is the same but if you want > > access without auth, Have you tried to query the GC ports. ( 3268 > > or 3269 ) > > No, but now yes and does not work: > > gaio at albus:~$ ldapsearch -x -H ldap://vdcsv1:3268/ -b > DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" Try: ldbsearch -H ldap://vdcsv1:3268 -P -b DC=ad,DC=fvg,DC=lnf,DC=it '(uid=gaio)' You will have to do this as root. Rowland

Hai Rowland, Im pretty sure this is a bug in the DC part. I'll show. On the DC. dc1:~# getent passwd winadmin NTDOM\winadmin:*:10000:100::/home/users/winadmin:/bin/bash wbinfo --group-info="Domain Users" NTDOM\domain users:x:100: id winadmin uid=10000(NTDOM\winadmin) gid=100(users) groups=100(users),3000004(BAZRTD\group policy creator owners),3000008(NTDOM\domain admins)

...samba.org> wrote: > > Sorry, i came back on this, but: > > > In another, more generic, way: how password policies are enforced? > > still i need an answer on this question. > > > I've done some tests, using my account, that pdbedit say: > > root at vdcsv1:~# LANG=C pdbedit -v gaio > Unix username: gaio > NT username: > Account Flags: [U ] > User SID: S-1-5-21-160080369-3601385002-3131615632-1105 > Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513 > Full Name:...

Happy new year to all! Samba 4.9.17 on stretch, Louis package. On 22/12, at midnight, office closed, i suffered a network outgage that 'broke in two' my domain. On 23/12, at 14.00, network come back. After that, some scripts written around ldbsearch i run on DM (against vdcsv1 that is the DC with FSMO roles) start to complain: Failed to bind - LDAP client internal error: NT_STATUS_CONNECTION_DISCONNECTED Failed to connect to 'ldap://vdcsv1.ad.fvg.lnf.it' with backend 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_DISCONNECTED Failed to conne...

Hi Marco, > Following: > https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC > > i've demoted and removed a DC. Seems all went as expected: > > root at vdcud1:~# samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio > Using vdcsv1.ad.fvg.lnf.it as partner server for the demotion > Password for [LNFFVG\gaio]: > Deactivating inbound replication > Asking partner server vdcsv1.ad.fvg.lnf.it to synchronize from us > Changing userControl and container > Removing Sysvol...

Mandi! Andrew Bartlett via samba In chel di` si favelave... > It is an operational attribute. simply add  > msDS-UserPasswordExpiryTimeComputed > to the list of attributes requested when searching for the user. root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=ad,dc=fvg,dc=lnf,dc=it" -s base "" maxPwdAge # record 1 dn: DC=ad,DC=fvg,DC=lnf,DC=it maxPwdAge: -77760000000000 # returned 1 records # 1 entries # 0 referrals root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sa...

...amba In chel di` si favelave... > Im pretty sure this is a bug in the DC part. Ahem, sorry, but i'm lost in following this therad. I've hust setup my test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package, lous) on a debian jessie. Very minimal configuration: root at vdcsv1:~# samba-tool testparm Press enter to see a dump of your service definitions # Global parameters [global] netbios name = VDCSV1 realm = AD.FVG.LNF.IT server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = LNFFVG server role =...

Following: https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC i've demoted and removed a DC. Seems all went as expected: root at vdcud1:~# samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio Using vdcsv1.ad.fvg.lnf.it as partner server for the demotion Password for [LNFFVG\gaio]: Deactivating inbound replication Asking partner server vdcsv1.ad.fvg.lnf.it to synchronize from us Changing userControl and container Removing Sysvol reference: CN=VDCUD1,CN=Enterp...

I've hitted the error in subject trying a backup of my sysvol. Mar 21 11:13:31 vdcsv1 winbindd[3494]: [2018/03/21 11:13:31.234373, 0] ../source3/winbindd/winbindd_group.c:45(fill_grent) Mar 21 11:13:31 vdcsv1 winbindd[3494]: Failed to find domain 'NT AUTHORITY'. Check connection to trusted domains! Looking on internet/list archive leadme to recent post (november 2017)...

Mandi! Rowland penny via samba In chel di` si favelave... > You cannot create an ldap filter using the above, you would have to filter > the result of the ldap search. I can confirm: root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed # record 1 dn: CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it msDS-User-Account-Control-Computed: 16 [...] # ret...

...#39; OU, a 'Restricted' group (i'm short in fantasy, today ;) and i've created an 'mta' user, both user and group in 'Restricted' OU, of course. And i've added 'mta' to 'Restricted' group. Clearly, in an DC, a xID get assigned to group: root at vdcsv1:~# getent group Restricted LNFFVG\restricted:x:3000026: but by the same way 'mta' user get by default the 'Domain Users' group (and others, seems): root at vdcsv1:~# getent passwd mta LNFFVG\mta:*:3000025:10513:MTA Restricted:/home/mta:/bin/bash root at vdcsv1:~# id mta uid=3...