similar to: LDAP permissions - ldbedit/ldapmodify?

Mandi! Rowland Penny via samba In chel di` si favelave... > Whilst there are attributes that do not get replicated between DC's, > the majority are, so each DC should allow the same access. > Do you have access to the DC ? > Can you run the search locally ? Sure! As just stated, local access (via ldbsearch against the local SAM) works as expected: root at vdcpp1:~# ldbsearch

HOn Tue, 26 Mar 2019 09:29:41 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote: > On Tue, 26 Mar 2019 05:18:20 +0100 > Franta Hanzlík <franta at hanzlici.cz> wrote: > > > Hi Tim and Rowland, thanks for Your support! > > I was thinking about e.g. Python 2.7.15 compatibility (as newer Samba > > versions require Python3), but You are right, here

Hi Tim and Rowland, thanks for Your support! I was thinking about e.g. Python 2.7.15 compatibility (as newer Samba versions require Python3), but You are right, here in DB can be problem - first Samba AD DC was created by migrating Samba3 NT4 domain to Samba4 AD cca week ago (using 'samba-tool domain classicupgrade ...', according to Samba Wiki): On Tue, 26 Mar 2019 10:14:02 +1300 Tim

Mandi! Rowland Penny via samba In chel di` si favelave... > S-1-5-21-160080369-3601385002-3131615632-1314 Bingo! Exactly the 'Restricted' group that own the users i use for generico LDAP access! I really think that we have found the trouble! Now... how can i fix it? ;-) And... why that vaule get not propagated?! Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66

I've been been trying to investigate this for sometime now, hence I came to the experts :) I have rejoined all my DC's with new names, see below. ;; ANSWER SECTION: <domain>.corp. 3600 IN NS psad101zatcrh.<domain>.corp. -> New rebuild, new hostname, RHEL6 to RHEL7 upgrade <domain>.corp. 3600 IN NS prdc001zafsrh.<domain>.corp. -> New

On 04/01/16 01:43, Jonathan Hunter wrote: > Hi, > > A while ago I successfully set permissions on a section of my LDAP / AD > tree, using either ADUC or ADSIEDIT (I forget which). These permissions > allowed my own user to access this section of the tree; I removed > permissions for 'Domain Admins' etc. to ensure that others would not be > able to view or change the

Mandi! Rowland Penny via samba In chel di` si favelave... > You need to explicitly ask for it, for instance: Oh, cool! Seems effectivaly different: root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)" nTSecurityDescriptor # record 1 dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it nTSecurityDescriptor:

On Tue, 26 Mar 2019 05:18:20 +0100 Franta Hanzlík <franta at hanzlici.cz> wrote: > Hi Tim and Rowland, thanks for Your support! > I was thinking about e.g. Python 2.7.15 compatibility (as newer Samba > versions require Python3), but You are right, here in DB can be > problem > - first Samba AD DC was created by migrating Samba3 NT4 domain to > Samba4 AD cca week ago

I tried your suggestion but still no luck, starting to think my domain is broken :( I did a debug when doing the migrate, not so if this will help On Thu, Nov 1, 2018 at 10:28 AM Rowland Penny via samba < samba at lists.samba.org> wrote: > On Thu, 1 Nov 2018 07:21:57 +0200 > Eben Victor <eben.victor at gmail.com> wrote: > > > I've been been trying to investigate

Hi, i was not able to find anything about my issue in the bug-tracker, the mailinglist or the release notes. We see the following issue using samba-tool dsacl: samba-tool dsacl set --objectdn "cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de" --sddl='(A;CI;GA;;;DD)' new descriptor for

Thank you, Rowland! On 4 January 2016 at 10:36, Rowland penny <rpenny at samba.org> wrote: > On 04/01/16 01:43, Jonathan Hunter wrote: > >> I can view the data using ldbsearch when logged in as root on the DC >> itself >> - but how do I view the permissions and edit them from the commandline? >> > > They are stored in a hidden attribute called

On 04/01/16 23:26, Jonathan Hunter wrote: > The story gets deeper, also.. (nothing is ever easy, right? :-)) > > Using the ldbsearch command above, I could at least view the SIDs that have > access to the OU. > > One of them should be a group called "mysecretou Managers"; I can see from > ADUC that my user is indeed still a member of this group (so far, so good).

The story gets deeper, also.. (nothing is ever easy, right? :-)) Using the ldbsearch command above, I could at least view the SIDs that have access to the OU. One of them should be a group called "mysecretou Managers"; I can see from ADUC that my user is indeed still a member of this group (so far, so good). However, "wbinfo -s S-1-5-21-000000000-1111111111-2222222222-1234"

On 5 Jan 2016 09:59, "Rowland penny" <rpenny at samba.org> wrote: > > On 04/01/16 23:26, Jonathan Hunter wrote: >> However, "wbinfo -s S-1-5-21-000000000-1111111111-2222222222-1234" does not >> return "DOMAIN\mysecretou Managers" as it should - but rather >> "DOMAIN\mysecretou Managers 2", which is not the name of the group and

Hello everyone, we are in the process of changing from a Windows Domain to a Samba Domain and tried to implement some restrictions for OU-Admins. In the Windows Domain those restrictions can be implemented with Security ID: S-1-3-4 (Owner Rights). In our old Windows Domain everything works fine and as expected. In our Samba Domain, it doesnt work. We tried to implement the same rights as in

Hi There seems to be a discrepancy in the s4 schema concerning security groups. Domain Users comes with gidNumber: 100. This is however contrary to what the schema allows. You can show this as follows: Create a new group. samba-tool group add mygroup. Use phpldapadmin to add the gidNumber attribute. There is an error because gidNumber is provided by the posixGroup class and that objectclass is

Hi,

Hi all, I use openldap and it''s newer slapd.d style of housing the configuration (as opposed to /etc/openldap/slapd.conf ). As such, to modify the config, the database itself, I''d prefer to use ldapmodify and ldapadd commands. I couldn''t find an existing ldap provider to nicely manage database entries (DNs), so I wrote one. It essentially does this: -

I have a samba 3 dc where users log on with their win xp workstations and I have a w2k3 domain where there is an exchange server the users connect to with outlook. I would like to do an ldapmodify command on active directory to initially align time password was set for both samba and exchane and then have the users notified when logon samba pwd is near to expirate and so they receive also

On 05/01/16 21:24, Jonathan Hunter wrote: > On 5 January 2016 at 15:02, Jonathan Hunter <jmhunter1 at gmail.com> wrote: > >> I'll try to use ldbedit to grant myself permissions on the OU again .. Is >> ldbedit safe to use: >> >> - on a running Samba server (or do I need to stop samba) >> - in a multi-DC environment (or do I need to run it and make the