similar to: Is there have simplest way to make domain users which in remote desktop group can remote/local logon the workstation ?

samba 4.1.13, server role is active directory domain controller. On Sat, Dec 20, 2014 at 6:23 AM, Tim <rintimtim at gmx.net> wrote: > What version and server mode are you talking about? > > Am 19. Dezember 2014 16:53:57 MEZ, schrieb Dongsheng Song > <dongsheng.song at gmail.com>: >> >> Is there have simplest way to make domain users which in remote >>

On Sat, Dec 20, 2014 at 4:15 PM, Tim <rintimtim at gmx.net> wrote: > Then I would do it with a group policy. Have a look right here: > http://technet.microsoft.com/en-us/library/ee791928(v=WS.10).aspx > > Remind that you leave the default policies untouched. Create a new GPo and > link it to your desired OU. > After put domain users in the remote destop group in the DC,

What do you want: User should logon remote to windows workstations or do you want a remote login to your server? For remote logon on windows workstations you need a group policy linked to the ou of your workstations. As far as I remember - I don't have a AD at home - you will have to create a new group e.g. GGX-Remotedesktop (abbreviation for Group Global Execute). This group will become

On Sun, Dec 21, 2014 at 7:08 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote: > Am 21.12.2014 um 04:14 schrieb Dongsheng Song: >> After put domain users in the remote destop group in the DC, these >> users still can't logon workstation via remote desktop, it's a very >> strange design. Maybe we can make samba-tool fix it by certain >> parameter ? >

At the moment numbers start at 3000000 and counting. In my eyes it would make sense, that these number be stored in the AD when provisioned with rfc2307. Or it should be replicated by drs. https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#Configuring_RFC2307_and_NIS_Extensions_in_a_Samba_AD says the following: No need for manual ID counting when using the default Microsoft tools. E. g.

I will try this tomorrow. Possibly this is my fix. When a domain is provisioned with rfc2307 it would make sense that Unix attributes especially uid/gid would automatically be set. A member also needs this to be set for unique fs acls right? Am 10. Dezember 2014 18:07:02 MEZ, schrieb Rowland Penny <rowlandpenny at googlemail.com>: >On 10/12/14 16:33, Tim wrote: >> I think I will

Thanks for your answer and time you offer for me. That makes it a bit clearer. I searched the web and found that rsat needs to have the nis tools installed. Does it create Unix uid/gid automatically then? Without rfc2307 information it makes no sense to me to have a *nix machine for file services and another one for backup purposes, when uid and gid are not same (due to preserve acls). And for

Am 10. Dezember 2014 22:26:52 MEZ, schrieb Rowland Penny <rowlandpenny at googlemail.com>: >On 10/12/14 21:05, Tim wrote: >> Thanks for your answer and time you offer for me. That makes it a bit > >> clearer. >> >> I searched the web and found that rsat needs to have the nis tools >> installed. > >Good luck with trying to install 'Service for

Why only Domain Users and Domain Admins? I can't follow. But a good idea you've had. So a script can possibly be run on every DC the same. I will check and verify. What about built-in objects like system? These are not available in ADUC if my memory doesn't fail now. Will there be a problem when other built-in objects get a rfc gid/uid. E.g. for now wbinfo resolves uid 0 for

I found this. But I didn't find it related to DC idmapping replication. I have two pieces of hardware. My goal is realize an active directory for the windows clients and a file server. The AD should have redundancy (this is why I provisioned two DCs). The file should integrate snapshots like a NetApp system (snapshots are done by rsnapshot). The snapshot functionality works so far by mounting

But will this idmap.ldb change work for upcoming new users or groups so that uid/gid will not be different? The wiki tells us about built-in groups. Those have the right ids. Am 9. Dezember 2014 23:03:44 MEZ, schrieb Rowland Penny <rowlandpenny at googlemail.com>: >On 09/12/14 21:07, Tim wrote: >> Hello all, >> >> I have a fresh install of two CentOS 7 machines. On

I think I will only need uid and gid due to fs stuff. There are only Windows clients in that domain. So when the IDs are the same on both DCs, all will be fine I think. In RSAT there are no Unix attributes set. As an example: user1 has uid 3000021 on DC1 (first provisioned one). DRS seems fine. On DC2 user1 gets uid 3000017. If I set ID in RSAT Unix attributes after choosing domain, the IDs

The reason why is that simple: the other admin only knows the windows world and that's why it's gonna be risky regarding file services when he creates new users or groups and forgets about the Unix tab. My personal hope is that samba will one day set rfc ids automatically so that these windows guys won't have to care. E.g. it could be an option when provisioning a new domain. It would

What's the content of your /etc/nsswitch.conf? Am 19. Dezember 2014 14:22:56 MEZ, schrieb Rich Webb <rwebb at zylatech.com>: >Matt, > >Thanks for the reply. I'm not trying to add the "users" group. I'm >trying to add the "Domain Users" group. That is the reason for the \ >in >front of the space. It's translated as a literal. I think

Thanks for your advice regarding modifying the ldb. Before I do that I have to tell that uids and gids are automatically assigned in ADUC Unix tab. All have to do is to choose the NIS domain. After changing this field all other Unix attributes are automatially filled in. So this works. I tried something different for testing: I added a user with samba-tool using a script and assigned a random

My idea is similar. Today I didn't had the time to go on. But this my concept and it works with a short script (example for groups): DC1 (schema master) for loop on wbinfo -g will check if rfc2307 info is null for these groups in AD (ldbsearch) when rfc2307 gid is equal to wbinfo --group-info | cut -d: -f3 then exit else update rfc2307 info by importing created ldif file (ldbmodify) To get

I understood what have explained. All is fine so far. For my environment I need these ids to be stored to the directory (except for built-in groups) due to file services and today I found a way to write the ids to the directory. I only have Windows client so that other rfc2307 information's like shell etc will not really matter. But ids are important for setting right acls in the filesystem.

Am 11. Dezember 2014 23:25:58 MEZ, schrieb steve <steve at steve-ss.com>: >On 11/12/14 23:15, Tim wrote: >> Thanks Steve, >> >> I will have a look at it. I think it's important to sync the >idmap.ldb >> limits > >It isn't important. The limits are the same on all DCs, even if you >have >not copied the idmap database anywhere else. All you

The main reason is that I don't want to provide backup user with unnecessary write permissions within maildirs and mail user within backup logs dir. I was talking about mail_user:mail_group 0750 on dirs and 0640 on files. (Or, possibly, mail_user:backup_group 2750 and 2640.) 26.12.2014, 11:19, "Tobi" <tobster at brain-force.ch>: > Whats the reason you do not want to use

Hi, When I run 'samba-tool domain exportkeytab', I found the exported keytab file include arcfour-hmac-md5, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des-cbc-md5, and des-cbc-crc. It seems that modify /etc/krb5.conf no help. My DC running with samba 4.1.13, and the server role is active directory domain controller. Thanks, Dongsheng