similar to: Settings ACL question

Ok so If I well understand the concept, ACL should be apply-able _on_ the object himself only from the parent object? For instance : if I want read attribute on a directory I have to set it on the parent directory. And if I want read attribute inside a directory, I can set it on the directory. Hope this instance is clear to understand... Thanks for confirm me that. ;) Samuel Le 30/08/2016

Read wasn't the question. Question was about removing children but not the parent. parent-folder -> not removable |_ Children1 -> |_ Children2 -> both removable I don't know how Samba deal with that, but that's not the point for now. For now you have to understand NTFS permissions a little bit (I have not the knowledge to write something like a lesson about NTFS

Hard day, sorry. I'll try to read that this evening, but can't promise anything.. 2016-08-31 14:12 GMT+02:00 Sam <sr42354 at gmail.com>: > Ok so If I well understand the concept, ACL should be apply-able *on* the > object himself only from the parent object? > > For instance : > if I want read attribute on a directory I have to set it on the parent > directory.

On 19/10/15 16:46, mathias dufresne wrote: > AD from Samba or Microsoft is mainly a database for storing users (and > associated stuffs). It comes also with stuffs (protocols) to connect and > retrieve information. > > How the client uses these information is, as always, a choice from that > specific client. > > Your AD client is your Squid/Squidguard(ian) server. Its job

Hi all, Playing with delegation today we delegated rights to some user on some OU and its contents for it can modify users inside that OU and children. We used "advanced view" in ADUC then "properties" on our delegated OU, then "security" tab, and finally we gave rights to our user. Perhaps this process is not correct but we believe it is a valid process to delegate

On Thu, 31 Aug 2017 16:27:12 +0200 mathias dufresne <infractory at gmail.com> wrote: > PS: the short way to explain %u is adding domain/workgroup to > username is the fact we are using trust relationship? > Probably, what you have to get your head around is this: The users 'fred', 'DOMAINA\fred' and 'DOMAINB\fred' are all different users. Winbind will

On Mon, 2015-11-16 at 16:50 +0100, mathias dufresne wrote: > transaction: operations error at > ../source4/dsdb/samdb/ldb_modules/descriptor.c:1147 Looking at that line in your version of Samba may give you some idea why it failed. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer,

Hey, Thank you Louis for this script, I didn't yet took time to dig in but I'll do. I didn't took time neither to perform another test. That should be done today. Anyway I waited for DC synchronisation before posting. I joined my DC and removed the old ones almost at same time then I gave more than 12 hours to my DC to synchronize. Then I tried to understand what happened, I wrote

Hi all, I just add into my AD a user with different values for attributes "CN" and "name". Here is an extract of the LDIF used to add this user: ------------------------------------------------------------------------------------ dc202:~# egrep 'cn:|name:' mathias.ldif cn: Mathias Dufresne (CN) *name: mathias.dufresne*

Ok, I see. Nevertheless, thank you very much for your effort! I must say that I can't actually believe that no one knows an answer to this problem. It must affect MANY people using Samba DCs. According to all the tests on the wiki, everything is working fine. Then I pull the plug on my first DC and no one can log on. And this time I waited far longer than the suggested "refresh

Hi Mathias and all. Am Donnerstag, 24. März 2016, 13:26:12 CEST schrieb mathias dufresne: > Hi, > > I'm glad that helped you : ) > > About SPN, I found that link few days ago: > https://adsecurity.org/?page_id=183 > It tries to list the string values available usable for SPN. > > And it gives also that link: >

The issue is (almost) solved. As shown the previously explained process to repair, nothing's clear about that resolution. Perhaps just the big clean-up was necessary, perhaps synchronisation of a first DC was necessary, no idea. Anyway replication is working, almost. On 4 DCs among 5: ldbsearch -H $sam objectclass=* dn | tail -3 # returned 50968 records # 50965 entries # 3 referrals On one

Hi again, Am Montag, 14. März 2016, 00:44:47 CET schrieb Markus Dellermann: > Am Donnerstag, 10. März 2016, 10:41:34 CET schrieb mathias dufresne: > Hi, Mathias and all > thank you for your answer. > > > Hi all, > > > > SPN = servicePrincipalName > > > > A simple search returning all servicePrincipalName declared in your AD: > > ldbsearch -H $sam

Hi all, When created through RSAT OUs receive, by default, ACLs to refuse removal. When created through LDIF and ldbadd OUs do not receive these ACLs. Is there a way to create these ACLs using command line tools? Cheers, mathias

Thank you Rowland for that reply, even if answer to Q2 is not a list of deplicated attributes but the schema which contains all attributes. To answer you: I'm trying to understand. I'm currently working for one company to help them design an AD hosted by Samba. I won't be there to manage it and they already have peoples working with LDAP trees, these coming with their own habits. I

On 11/20/2015 10:17 AM, mathias dufresne wrote: > > > 2015-11-20 15:11 GMT+01:00 James <lingpanda101 at gmail.com > <mailto:lingpanda101 at gmail.com>>: > > On 11/20/2015 7:40 AM, Ole Traupe wrote: > > > > Am 20.11.2015 um 11:54 schrieb mathias dufresne: > > Hi Ole, > > I'm still not answering your issue

Hi all, SPN = servicePrincipalName A simple search returning all servicePrincipalName declared in your AD: ldbsearch -H $sam serviceprincipalname=* serviceprincipalname An extract from result concerning a lambda client: # record 41 dn: CN=win-client345,OU=Machines,DC=ad,DC=domain,DC=tld servicePrincipalName: HOST/MB38W746-0009 servicePrincipalName: HOST/MB38W746-0009.ad.domain.tld

Hi Ole, I'm still not answering your issue but I come back to speak about TTL. Perhaps someone would be able to bring us some light on that. This morning I'm trying to reproduce the way I do broke my test AD domain. This leads me to deal with SOA record (I broke my test AD seizing FSMO roles before removing old FSMO owner, SOA was not changed during that process and I suspect this was

Hi, You're quiet right, I'm using a 64 bits system and I was surprised by this file size limitation on such a system. My bad regarding the title : ) Cheers, mathias 2015-06-01 15:03 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>: > On 01/06/15 13:47, mathias dufresne wrote: > >> Sorry I don't understand you answer. For me 32 bits platforms are dead on

ACL should be apply-able on the object, the object and its children or on children only. Apply full control ACL for children only and for the folder itself MS should have something to allow content modification only... 2016-08-30 16:16 GMT+02:00 Sam via samba <samba at lists.samba.org>: > Hello all, > > I try to set full control permission to a "Boss" directory for one