similar to: Proof of samba 4 ad storing passwords in a secure manner

On Tue, 2015-08-25 at 20:08 +0100, Rowland Penny wrote: > On 25/08/15 19:42, Krutskikh Ivan wrote: > > Hi everyone, > > > > We are installing a big system which uses samba 4 ad dc. Our > > customer asked > > if we can prove that passwords are stored securely in dc. How can > > we do in > > in a most interactive way? > > > > Thanks in

Thanks, that helped me a lot =) But it doesn't seem that sam.ldb holds any password data. I found something similar in file (my domain is NOVO.MTT) /usr/local/samba/private/sam.ldb.d/DC=NOVO,DC=MTT.ldb 2015-08-26 5:30 GMT+03:00 Andrew Bartlett <abartlet at samba.org>: > On Tue, 2015-08-25 at 20:08 +0100, Rowland Penny wrote: > > On 25/08/15 19:42, Krutskikh Ivan wrote: >

On Wed, 2015-08-26 at 13:15 +0300, Krutskikh Ivan wrote: > Thanks, that helped me a lot =) But it doesn't seem that sam.ldb > holds any password data. I found something similar in file (my domain > is NOVO.MTT) > > /usr/local/samba/private/sam.ldb.d/DC=NOVO,DC=MTT.ldb Correct, the sam.ldb is a wrapper that loads modules which in turn loads the other files, which actually

I would like to bump my question 2015-05-27 10:21 GMT+03:00 Krutskikh Ivan <stein.hak at gmail.com>: > Hmm, looks like it's not. I've just set the password for something that > cracklib-check would argue using both ad management tools and at windows > login. Should it work that way or I'm missing something? > > My dc's smb.conf: > > [global] >

Hi everyone, A quick question: Is check password script option working for ad dc setup? I believe, ad on it's own cannot provide password protection against dictionaries.

Hi everyone, I think, I've done something stupid here. At first I've created 2 lxc containers and provisioned one as dc.office.mtt and joined second one to the first ad bdc.tsnr.mtt. Then I've cloned those containers several times and changed ip adresses and dns names of new containers to different subnets. The name of domain stayed the same. At first everything seemed fine, but when

>And if you really want to work with cloning, then provision the first, >join the second, do all your change, take a snapshot of both. Then you >have the same setup again for the next customer. As long as the >customers never will met and two of your systems come into the same >network, is is no problem, because the domain would have the same name, >SID, etc. I did more or less

Let me explain myself here. We ship video surveillance systems with build-in ad domain controllers on 2 servers. Right now we have 4 active projects and 3 more this year. Provisioning dc's by hand each time is a pain I would like to avoid. There's not much I want from a domain: groups 'video' and 'video admins' to exist, gpo's to auto redirect user profiles to network

ok, I've investigated the problem more closely. First of all, I didn't mention that I have 2 domain controllers: dc(initial) and bdc (backup). Rsync command /usr/bin/rsync -XAavz --delete-after dc:/usr/local/samba/var/locks/sysvol/* /usr/local/samba/var/locks/sysvol/ fires every 5 minutes on bdc. However, if I try to gpupdate from bdc I get the above error. Gpupdating from dc works

ok =( Guess I should repeat all the work from scratch. So just to check if I got it right: 1) Create a new container. Provision a ad dc on it. Can I join some machine to apply some gpo's and to create users at this point? I'll delete it afterwards 2) Power down the container from 1) and use it as a template for every other dc I need just by changing ip/dns 3) Create another template for

We actually sell whole systems with isolated lan and centralized authentication and password management. Typically about 7 servers and 5 workstations. 2015-10-19 18:58 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>: > On 19/10/15 16:23, Krutskikh Ivan wrote: > >> And if you really want to work with cloning, then provision the first, >>> join the second, do

Hm, can I fix it manually? Maybe sysvolcheck stumbles on the first error and misses something more severe later on. 2015-10-03 12:09 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>: > On 03/10/15 00:50, Krutskikh Ivan wrote: > >> Hi everyone. >> >> I ran into notorios gpo error on windows clients. When I go to my dc >> controller and run >>

Hi everyone, I need an active directory instance with some non-standart policies to users passwords: 1) Group users minimal length is 6, Group Administrators 12 2) Should have special symbols (!#$) and numbers are required 3) Password must not be dictionary words or based on them ( no admin, user, sysop etc) 4) Each new password must differ to the old one by 50%. Can I do all those in samba ad?

Hi everyone. I ran into notorios gpo error on windows clients. When I go to my dc controller and run samba-tool ntacl sysvolcheck I get an error: ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/tsnr.mtt/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}

Hi, I'm trying a basic setup : samba 4.2 on vm as ad dc, linux server as a dc member with samba shares and win 7 as a ad member and samba client. Unix attrs are assigned, windows auth and linux kinit work ok. But when I try to access samba share from windows a get an error above in my log.smb: check_ntlm_password: Checking password for unmapped user [KURSK]\[video]@[EVENT] with the new

Hi all, I'm looking for the same setup: two samba ad servers to back up each other on failover. Have you managed to find a viable solution? Thanks in advance! 2015-06-24 19:41 GMT+03:00 Daniel Carrasco Marín <danielmadrid19 at gmail.com>: > 2015-06-24 11:12 GMT+02:00 Daniel Carrasco Marín <danielmadrid19 at gmail.com > >: > > > > > > > 2015-06-23

In re-reading the "Joining_a_Samba_DC_to_an_Existing_Active_Directory" Sambawiki page. Is it no longer necessary to manually delete all *.tdb and *.ldb database files from the soon to be joined (second) DC prior to joining? Are these database file deletions NOW "handled" by any one of the "three authentication methods you can use" to join the second DC? (With

Hey After a lot of work by Marcus the next Newsletter release is nearing completion. Could some people please proof read it. Cheers Didi ---- My www page: www.ribalba.de Email / Jabber: ribalba at gmail.com Skype : ribalba

Hi, I am interested in the "Dovecot Email Archive" solution. Does anyone know if it is suitable revision-proof archiving? Is it available for smaller companies? I tried to contact people at dovecot.fi but I haven?t gotten any response yet. Thanks Regards,

Hi. I know that R computes sums of squares based on the diagonal of t(Q) %*% y %*% t(y) %*% Q, where Q comes from the QR-decomposition of the model matrix. Does anyone know where I can find a proof for this result? All Best and Happy New Year, Ethan [[alternative HTML version deleted]]