Displaying 20 results from an estimated 40000 matches similar to: "Using AD machine account for ldap queries"
2017 Dec 05
1
Define a rootDN for ldap queries in Samba 4 AD
Hi Samba Team and users,
My question could seem very simple, and possibly the answer is also simple
(if that's the case, I'm sorry in advance), but I've found almost no doc
about this topic in the wiki.
I'm currently running Samba 4 AD in a test environment, preparing for
production. Everything is working quite fine, but I'm struggling with
some configuration;
How (and where)
2012 Mar 02
1
ldapsam and Windows LDAP account information?
I can browse our Windows account information with ldapsearch as below.
Can I configure ldapsam passdb backend to use account information from
this LDAP directory?
$ ldapsearch -b dc=example,dc=com -h 192.168.1.23 -U jack -Y DIGEST-MD5
'(sAMAccountName=jack)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: jack
SASL SSF: 128
SASL data security layer
2020 Feb 01
2
Ldapsearch against Samba AD returns records outside the search base
Hello,
Ldbsearch returns the correct result. However this particular query is
performed by an external system (that does not have access to the LDB
files), to check whether a certain user belongs to a specific OU or not.
The query is performed over LDAP against Samba, so it is not a
ldapsearch-only problem. I only used ldapsearch to verify the behavior.
Regardless of if the query is wrong or
2023 Nov 06
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Thank you Kees.
On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba
<samba at lists.samba.org> wrote:
> I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did
> not experience any issues with nested group lookups, which many of the
> filters rely on.
Interestingly, I've now found that (on my current DCs, running
4.18.5), ldbsearch *does* seem to return the
2011 Dec 28
1
login via Samba 4 LDAP
Hi
I've rfc2703'd the Samba 4 LDAP for a user e.g. steve4. I can search the
database and view it with phpldapadmin. I can't login from a linux console:
ldapsearch -LLL "(cn=steve4)"
SASL/GSSAPI authentication started
SASL username: steve4 at HH3.SITE
SASL SSF: 56
SASL data security layer installed.
dn: CN=steve4,CN=Users,DC=hh3,DC=site
cn: steve4
instanceType: 4
2020 Feb 01
2
Ldapsearch against Samba AD returns records outside the search base
Hello,
Is it not Samba that is listening to the LDAP ports and is serving me
the answer to my query? This problem does not only happen when the LDAP
database is searched using ldapsearch, it happens also using other tools
that connect to the LDAP ports. I still don't fully grasp what this has
to do with the uniqueness of the sAMAccountNames - they are unique
throughout my directory and I
2015 Nov 05
1
Using samba-python to query AD? Status of API?
On Thu, Nov 5, 2015 at 11:41 AM, Rowland Penny
<rowlandpenny241155 at gmail.com> wrote:
> On 05/11/15 16:38, pisymbol . wrote:
>>
>> On Thu, Nov 5, 2015 at 10:06 AM, Rowland Penny
>> <rowlandpenny241155 at gmail.com> wrote:
>>>
>>> On 05/11/15 14:59, pisymbol . wrote:
>>>>
>>>> On Wed, Nov 4, 2015 at 4:44 PM, Rowland Penny
2016 Jun 07
2
ldapsearch & GSSAPI => Server not found in Kerberos database
Hi all,
I've got one AD DC using Samba 4.4.3 on Centos7 which accepts Kerberos
connections (kinit is working), which accepts ldapsearch with credentials
but which refuses ldapsearch with GSSAPI.
The issue does not seem to be coming from the client as I discovered this
issue writing a script to test all 22 DCs, and all 21 other DCs are working
well from that client.
The error:
SASL/GSSAPI
2014 Mar 10
1
LDAP Queries
Guys
needing some help with LDAP queries against samba4
this command works against MS AD's LDAP
(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
but
with samba4 I get
C:\Users\Administrator>dsquery * --filter
(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
I get the
2014 Jun 24
3
winbind: homeDirectory being ignored
Something strange here. User created using:
root at dc1:~# samba-tool user add user7 Abcd1234 --uid-number=1007
--home-directory=/home/user7 --login-shell=/bin/bash
User 'user7' created successfully
I can see the homeDirectory attribute in the entry. But the home
directory that winbind returns is just the template one:
root at adclient:~# getent passwd user7
2011 Apr 23
1
ldapsearch with samba4
Hi,
I've got ldapsearch mostly working:
root at morannon:/usr/local/samba/private/tls# ldapsearch
'(sAMAccountName=dumaresq)'
SASL/GSSAPI authentication started
SASL username: administrator at XXX
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (sAMAccountName=dumaresq)
# requesting: ALL
#
results in
2019 Apr 06
2
"00002020: Operation unavailable without authentication" using python-ldap
Hello,
I'm writing in regards to this issue I opened on GitHub:
https://github.com/python-ldap/python-ldap/issues/275
I am able to successfully use ldapsearch to query my Samba 4.9.4-Debian DC:
ldapsearch -LLL -Y GSSAPI -H ldap://samba-dc.ad.example.com -b
"dc=ad,dc=example,dc=com" "(objectClass=user)" "sAMAccountName"
However, when I try to use python-ldap I
2007 Sep 11
0
Using machine account credentials for issuing standalone ldap queries against a Windows 2000 Active Directory server
Hello All,
This might come across as a rather strange and interesting question related to using machine account credentials to issue standalone ldap queries against an Active Directory server.
We are using Samba and use 'ads' mode to join the machine onto the Active Directory (net ads join). Once the machine is joined to the domain, we do not have access to the username and password
2013 Nov 01
1
negative ldap filter on AD
Hi all,
Samba 4.1 as AD/DC
local postfix & dovecot hooked to AD via ldap queries (special user
created in AD for that purpose).
Everything works as expected, but :
I'd like inactive users in AD not to be able to read/send emails
(understandable I think).
User status seems (sorry I'm AD newbie) to be controlled by the
'userAccountControl' field in AD.
Created 2 test users
2013 Feb 11
2
S4 Cannot Unlock Account
I have come across a few accounts (out of 300+) that seem to be locked that
will not unlock. These accounts were migrated from S3. Can someone advise -
what am I missing here?
I've reset the password several times via RSAT, checking the "Unlock
Account" checkbox, which has not helped. Resetting the user's password via
smbpasswd gives me:
pdb_try_account_unlock: Account dmscott
2023 Nov 06
2
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Op 06-11-2023 om 14:58 schreef Jonathan Hunter:
> Thank you Kees.
>
> On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba
> <samba at lists.samba.org> wrote:
>> I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did
>> not experience any issues with nested group lookups, which many of the
>> filters rely on.
> Interestingly, I've now
2019 Jan 10
2
[Oddity] SAMAccountName and 20+ chars logins...
Hai Marco,
What I did mean.
You can have 255 chars in total with these limitations
Windows NT 4.0, Windows 95, Windows 98, and LAN Manager : 20 = sAMAccountName
Windows 2000 and up : 256 chars = sAMAccountName at alias.domain.tld ( full distinguished name )
The SAM-Account-Name attribute (also known as the pre-Windows 2000 user logon name) is limited to 256 characters in the Active
2019 Apr 07
2
"00002020: Operation unavailable without authentication" using python-ldap
Thanks for the example, Rowland.
Does ldb work against remote servers as well? I thought it was only for
local, file-based access.
In general, I just wanted to use my Samba AD as an environment to learn
more about writing software against using LDAP. There are a few
applications I'm planning to develop, and I'd like to use actual LDAP so
they could be applicable to Samba or Microsoft AD
2016 Jul 04
2
[samba as AD] Hidden attributes
Hi all,
Is there a way to extract the whole attributes of objects, even hidden
attributes, using ldbsearch or any samba tool?
Hidden attributes have to be hidden from ldapsearch which can be used
through network and so, remotely. ldbsearch can be used only locally by
root, which [should] limit who is using it, so perhaps I thought it was
possible : )
2023 Nov 06
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Op 05-11-2023 om 23:25 schreef Jonathan Hunter via samba:
> I'm quite confused by this one, as I can't see how this would happen..
> but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches don't
> seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka
> LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump..
> Yes, I should have