search for: vdmsv1

With Samba in NT mode, i was able to enable wireless access using machine account, and worked decently. Now i want to try again in AD mode, but i've not found info, and i've just hit a trouble: Oct 1 14:31:55 vdmsv1 radiusd[13555]: rlm_ldap (ldap): Opening additional connection (25), 1 of 31 pending slots used Oct 1 14:31:55 vdmsv1 radiusd[13555]: (187) Login incorrect: [host/RUFUS.ad.fvg.lnf.it] (from client unifi-sv port 0 cli B8-EE-65-B1-73-D3 via TLS tunnel) Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188...

...seems i need to add in smb.conf: netbios aliases = FILESV but also add a 'SPN'; trying to look around for an examples, lead me to ''nothing'', or to examples that seems to me unrelated. Supposing the domain is 'ad.fvg.lnf.it' and the FQDN of the real host is 'vdmsv1.ad.fvg.lnf.it', i need to do: > samba-tool spn add host/vdmsv1.ad.fvg.lnf.it filesv.ad.fvg.lnf.it Right?! Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bo...

...t vdcsv1:~# samba-tool -V 4.5.16-Debian root at vdcsv1:~# samba-tool testparm --section sysvol [sysvol] path = /var/lib/samba/sysvol read only = No root at vdcsv1:~# samba-tool testparm --section-name=sysvol [sysvol] path = /var/lib/samba/sysvol read only = No in DM no: root at vdmsv1:~# samba-tool -V 4.8.12-Debian root at vdmsv1:~# samba-tool testparm --section users ERROR(<type 'exceptions.TypeError'>): uncaught exception - File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run return self.run(*args, **kwargs)...

....2020 14:46, skrev Marco Gaiarin via samba: > With Samba in NT mode, i was able to enable wireless access using > machine account, and worked decently. > > Now i want to try again in AD mode, but i've not found info, and i've > just hit a trouble: > > Oct 1 14:31:55 vdmsv1 radiusd[13555]: rlm_ldap (ldap): Opening additional connection (25), 1 of 31 pending slots used > Oct 1 14:31:55 vdmsv1 radiusd[13555]: (187) Login incorrect: [host/RUFUS.ad.fvg.lnf.it] (from client unifi-sv port 0 cli B8-EE-65-B1-73-D3 via TLS tunnel) > Oct 1 14:31:55 vdmsv1 radiusd[13...

Mandi! Klaus Ade Johnstad via samba In chel di` si favelave... > I can't offer any hints, but, this has been on my list of things to do > for some time, could you share with us exactly what you have done so > far, so other can follow and setup the same, maybe we either encounter > the same problems as you, or not. Oh, 'pretty nothing'. All work pretty automagically

I'm using samba 4.5 on a debian jessie (Louis packages). Rarely it happen that a power outgage tear down all the stuff, here. I've noticed that if the DM start before the DC, clearly all account data are inaccessible. To prevent or minimize that, the ''offline mode'' of winbind can be safely used also on DM servers? Or is tailoread against roaming client (portables,

On 23/09/2019 13:42, Trenta sis via samba wrote: > Thanks, ntlm auth is temporary until we have solved some issues > getent is needed by filesystem acl > If you think you need the 'winbind enum' lines so that 'getent' works, then think again ;-) If you do not have the 'winbind enum 'lines 'getent passwd username' will still work. 'getent passwd'

> Ahem no one reply me. Still no feedback. I've done some test by myself. a) i've added in smb.conf: netbios aliases = CUPSSV FILESV b) i've registered the alias as SPNs, now i've: root at vdcsv1:~# samba-tool spn list vdmsv1$ vdmsv1$ User CN=VDMSV1,OU=Computers,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it has the following servicePrincipalName: HOST/VDMSV1 HOST/vdmsv1.ad.fvg.lnf.it HOST/filesv.ad.fvg.lnf.it HOST/FILESV HOST/CUPSSV HOST/cupssv.ad.fvg.lnf.it (for google, the correct commandline seems...

...,11001(LNFFVG\sir),10999(LNFFVG\unixadm),3000008(LNFFVG\domain admins),3000005(LNFFVG\denied rodc password replication group),3000005(LNFFVG\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators) in my DM, no, i've to explicitly set the domain: root at vdmsv1:~# id gaio id: gaio: no such user root at vdmsv1:~# id LNFFVG\\gaio uid=10000(gaio) gid=10513(domain users) gruppi=10513(domain users),11001(sir),10999(unixadm),5001(BUILTIN\users),5000(BUILTIN\administrators) but if i set 'winbind use default domain = yes': root at vdmsv1:~# id gaio...

...n your AD, > > > you cannot use "memberserver" as an alias on another machine) > > > > And you should register any such alias as a servicePrincpalName. > > Ahem, looking at the wiki ad google does not help me. > > > Supposing to have a DM like 'vdmsv1.ad.fvg.lnf.it', and i need to > create an alias 'file', i need to add 'file' to 'netbios aliases' and > also do something like: > > samba-tool spn add host/vdmsv1.ad.fvg.lnf.it file.ad.fvg.lnf.it > > > This lead me to another question: in this wa...

...> > Ahem no one reply me. > > Still no feedback. I've done some test by myself. > > a) i've added in smb.conf: > > netbios aliases = CUPSSV FILESV > > b) i've registered the alias as SPNs, now i've: > > root at vdcsv1:~# samba-tool spn list vdmsv1$ > vdmsv1$ > User > CN=VDMSV1,OU=Computers,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,D > C=it has the following servicePrincipalName: > HOST/VDMSV1 > HOST/vdmsv1.ad.fvg.lnf.it > HOST/filesv.ad.fvg.lnf.it > HOST/FILESV > HOST/CUPSSV > HOST/cupssv.ad.fv...

...search paths on the clients and then fully > > qualfied aliases as the client will ask for a ticket for exactly the > > name stated, not the FQDN as this avoids in-secure DNS being an attack > > point. > > Mmmhhh... i try to do an example. > > Supposing we have 'vdmsv1.ad.fvg.lnf.it' aliased with 'file.sv.lnf.it' > in LAN 1, and 'vdmpp1.ad.fvg.lnf.it' aliased with 'file.pp.lnf.it' in > LAN 2. > > If client in LAN 1 have 'sv.lnf.it' in search path, and in LAN 2 > 'pp.lnf.it', i cannot alias 'file'...

...> You can't even use DNS search paths on the clients and then fully > qualfied aliases as the client will ask for a ticket for exactly the > name stated, not the FQDN as this avoids in-secure DNS being an attack > point. Mmmhhh... i try to do an example. Supposing we have 'vdmsv1.ad.fvg.lnf.it' aliased with 'file.sv.lnf.it' in LAN 1, and 'vdmpp1.ad.fvg.lnf.it' aliased with 'file.pp.lnf.it' in LAN 2. If client in LAN 1 have 'sv.lnf.it' in search path, and in LAN 2 'pp.lnf.it', i cannot alias 'file' on both because the tick...

...it:prefix = %S|%d|%I|%M|%u recycle:exclude = *.TMP,*.tmp,*.temp,*.o,*.obj,~$* recycle:versions = yes recycle:keeptree = yes recycle:repository = .cestino/%U but i've misclick on user name, and found that i can read ALL deleted files of ALL users. ;-( Looking at file permissions: root at vdmsv1:~# ls -la /srv/work/.cestino/ totale 12 drwxrwxrwt 107 root domain users 4096 ott 16 14:53 . drwxr-xr-x 95 root root 4096 apr 5 2019 .. drwxr-xr-x 4 abarro domain users 61 set 30 11:51 abarro drwxr-xr-x 3 agnese domain us...

Currently for my user: root at vdmsv1:/etc/exim4# ldbsearch -H ldap://vdcsv1 -P -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=gaio)" | grep ": gaio$" cn: gaio name: gaio sAMAccountName: gaio uid: gaio msSFU30Name: gaio what field is betetr to use for querying for user 'gaio'? 'uid' no (because RFC2307 dat...

On Tue, 2017-12-05 at 16:14 +0100, mj via samba wrote: > We haved used it on a domain member server, yes. > > Only one thing: when you have a compteraccount memberserver$ in your AD, > you cannot use "memberserver" as an alias on another machine) And you should register any such alias as a servicePrincpalName. Andrew Bartlett -- Andrew Bartlett

...LE:[1:SAMDOM\$1] > } Interesting! I've looked at that in the past, but i was not interested in SSO so i've probably skipped. Anyway, i've tried to comment out 'winbind use default domain = yes' and add this stanza to /etc/krb5.conf but seems does not work, eg: root at vdmsv1:~# getent passwd gaio root at vdmsv1:~# getent passwd LNFFVG\\gaio LNFFVG\gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash only the 'domainful' version of the account work. > Now, since im not sure this works ok, i dont use it on my debian servers, i use option2. > option2...

As was used to (in Samba NT/LDAP), i've enabled quota on /homes, and homes are exported (as homedrive) for users. Editing quotas (with edquota) works as expected, and in windows explorer users get quota correctly reported, but a simple: repquota -a return nothing: root at vdmsv1:~# repquota -a *** Report for user quotas on device /dev/sdb1 Block grace time: 28days; Inode grace time: 28days Block limits File limits User used soft hard grace used soft hard grace ----------------------------------------------...

...sed 'Eeveryone' to 'no access'). I've manually created 'gaio.V2' folder, setting it gaio:"Domain Users" 700, but profiles still get not saved. (supposing was a 'folder creation' trouble...) If i set 'profile path' in user data, eg: root at vdmsv1:/srv/samba/profiles# ldbsearch -H ldap://vdcsv1 -P -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" profilePath | grep ^profilePath: profilePath: \\vdmsv1\profiles\gaio roaming profile works as expected. Boh... -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La No...

...n the new domain following the wiki (https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles, 'using windows ACL') and for new profiles works like a charm. But i've tried to move/copy old profile to the new domain, and seems work, with no glitch. I've done simply: root at vdmsv1:/srv/samba/profiles# rsync -av --progress --xattrs --rsh=ssh <oldntserver>:/srv/samba/profiles/gaio.V2 . chown -R :"domain users" gaio.V2 <run a script that fix group permission, prevent settings ACL mask incorrectly> Clearly domains have different SID, and looking (some s...