Displaying 20 results from an estimated 10000 matches similar to: "User management scripts in AD mode..."
2017 Jun 23
2
User management scripts in AD mode...
Hello! Rowland Penny via samba
On that day it was said...
Sorry, i come back to that:
> Not sure what you are getting at here, if you add a user to a group in
> AD, you not only get a record in the group object, you also get a
> record in the users object
>
> dn: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> .....
> member: CN=Rowland
2017 Dec 06
4
DM and ''offline'' PAM (and NSS?)...
I'm using samba 4.5 on a debian jessie (Louis packages).
Rarely it happens that a power outage tears down all the stuff, here.
I've noticed that if the DM starts before the DC, clearly all account
data are inaccessible.
To prevent or minimize that, the ''offline mode'' of winbind can be
safely used also on DM servers? Or is it tailored against roaming client
(portables,
2019 Jun 04
2
AD group permissions on unix group
Hello,
We have some computers from a lab that the operating system is ubuntu and
are in the domain.
I need the "alunos" group to have permissions in the tty and dialout group,
since they need to use some arduinos.
I have tried the following:
net groupmap add ntgroup=alunos sid=1121 type=domain unixgroup=tty
net groupmap add ntgroup=alunos sid=1121 type=domain unixgroup=dialout
But
2018 Jul 20
4
Samba 4.5 and glusterfs...
Reading the thread in list about gluster, i've found that in your samba
packages 4.5.12+dfsg-2+deb9u2~bpo8+1 there's no vfs_glusterfs module, only
the manpage.
root@vdmsv1:~# grep glusterfs /var/lib/dpkg/info/samba*.list
/var/lib/dpkg/info/samba-vfs-modules.list:/usr/share/man/man8/vfs_glusterfs.8.gz
root@vdmsv1:~# grep /vfs/ /var/lib/dpkg/info/samba*.list
2019 Jun 26
2
<printername>.tdb error management...
Sometimes (rarely, very rarely) i spot a <printername>.tdb error that
seems to prevent the communication between samba and CUPS.
In log i see:
[2019/06/26 15:15:49.633876, 0] ../source3/lib/util_tdb.c:316(tdb_log)
tdb(/var/cache/samba/printing/sml5010-2.tdb): tdb_rec_read bad magic 0x25 at offset=26096
the only solution i've found, pretty drastic, is:
systemctl stop
2019 Jan 09
3
[Oddity] SAMAccountName and 20+ chars logins...
Reading here i've understood that for LDAP query it is better to use
SAMAccountName as 'login', but today i've found:
https://docs.microsoft.com/it-it/windows/desktop/ADSchema/a-samaccountname
so, 'SAMAccountName' is a compatibility field with NT mode, limited to
20 chars.
Someone here use 21 chars logins? ;-)
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
2019 Oct 16
4
vfs_recycle permission bug?!
Samba 4.8 (Louis debian repo), DM.
Today i've had to recover a deleted file in that share, that use
'vfs_recycle' modules:
[Work]
comment = Spazio di Lavoro Utente
map acl inherit = Yes
path = /srv/work
read only = No
store dos attributes = Yes
vfs objects = acl_xattr recycle full_audit
volume = Work
full_audit:failure = none
full_audit:success = mkdir rmdir read pread
2019 Oct 01
5
Upgrade DC 4.5 -> 4.8, timings?
I've read all docs on upgrades, from wiki to Louis notes, and i think
i'm ready to upgrade.
First step, move from stretch to jessie, and from 4.5 to 4.8, upgrade
in place.
But having a domain with 6 DCs, i'm a bit scared to upgrade all DC in
one turn, and i'm thinking about something like:
a) upgrade DC with FSMO roles, then wait 1-2 day to spot troubles
b) then upgrade all DC in
2017 Dec 18
3
DM and ''offline'' PAM (and NSS?)...
On Mon, 18 Dec 2017 15:51:47 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> > I've seen:
> > https://wiki.samba.org/index.php/PAM_Offline_Authentication
>
> I've tried to enable offline logon, and seems to work as expected.
>
> I've only found a little strange thing, i think related to the fact
> that in my DM i've set
2018 May 14
2
Samba, AD and devices compatibility...
Hello! Andrew Bartlett via samba
On that day it was said...
> I hope this clarifies things,
Super-clear! Thanks!
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t
2018 Sep 04
4
Upgraded a member server to 4.8, rfc2307 data?
I'm starting to upgrade my domain members to debian stretch/samba 4.8,
using louis packages.
Domain controllers still on jessie/samba45.
Upgrade went smooth, but after upgrade seems that the DM was not able
anymore to retrieve rfc2307 data, eg:
root@vdmsv2:~# getent passwd gaio
gaio:*:10000:10513:Marco Gaiarin:/home/LNFFVG/gaio:/bin/false
root@vdmsv2:~# ldbsearch -H
2018 Nov 26
3
Different LDAP query in different DC...
I need to do a simple query, against some LDAP data in 'laster draft
schema' format i've added to the samba/AD schema.
All LDAP query return the same result on all (6) of the DC:
root@vdcsv1:~# ldapsearch -H ldap://vdcsv2.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember
Enter LDAP Password:
2017 Oct 04
2
Script to reset group memberships...
Hello! Rowland Penny via samba
On that day it was said...
> No need to do that, just use 'samba-tool user disable'
Ahem, Rowland, *I* *NEED* that.
For internal policies, users that leave my organization have to be
'sanitized', and on detail, memberships have to be reset.
So, apart some complex scripting, there's some way to do that? If
complex scripting have to be
2019 Dec 10
2
DC in trash...
Debian stretch, louis packages 4.9.16+dfsg-0.1~stretch~1 .
After some time (roughly: two weeks) my DC with FSMO roles (seems that
other DC are unaffected) goes suddenly on trash: memory jump from 50%
(3GB) to 100%, container start to swap and slow down (load 10-15) all
the physical server.
A simple restart solve all the troubles.
Some hint on how to debug that? Thanks.
--
dott. Marco Gaiarin
2019 Jan 25
3
Removing sites and DC...
I need to close a site. No, no people fired, i've defined sites and DC
because i hope that get (re)opened, but...
There's some care i need to have to remove a DC (clearly, without FSMO
roles)?
I've looked on wiki to 'remove a DC' but i was not able to find
something...
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra
2019 Nov 15
3
Account locked and delayed user data propagation...
I need to do some testing, but before to hit by head on a known wall, i
ask here.
My AD domain get used (via PAM/Winbind) to give access to some other
service, most notably here dovecot.
When password expire (or users change it) the MUA try the old password
some times, then ask for a new password; users clearly get scared,
press randomly 'OK' or 'Cancel', but if they press 2-3
2017 Dec 14
5
[Curiosity] 'netbios aliases' works in AD mode?
Ahem no one reply me.
A little fast-rewind: i need to have some 'aliases' to my servers (DM);
seems i need to add in smb.conf:
netbios aliases = FILESV
but also add a 'SPN'; trying to look around for an examples, lead me to
''nothing'', or to examples that seems to me unrelated.
Supposing the domain is 'ad.fvg.lnf.it' and the FQDN of the real host
is
2019 Feb 15
6
Demoted/removed a DC, and the NS records?
Following:
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
i've demoted and removed a DC. Seems all went as expected:
root@vdcud1:~# samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio
Using vdcsv1.ad.fvg.lnf.it as partner server for the demotion
Password for [LNFFVG\gaio]:
Deactivating inbound replication
Asking partner server vdcsv1.ad.fvg.lnf.it to synchronize
2019 Aug 28
4
[OT?] W10, SYSTEM, guest access.
[ I've just asked about that, here, but now seems a simpler things, so i
retry... ]
This seems NON a samba trouble, but a different behaviour in M$
client OS. But, really, i've not clue how to find an answer...
Suppose to have a Win7 and a Win10 machine, both NOT joined to a
domain. Suppose to have a share, with guest access enabled, where only
readonly access are needed.
Suppose also
2017 Nov 08
5
Best practice for creating an RO LDAP User in AD...
Hello! Rowland Penny via samba
On that day it was said...
> Not sure what you are proposing is going to work, AD expects every user
> to be a member of Domain Users, even though there is nothing in AD to
> show membership.
Ah.
> Do you require this user to be visible on all domain machines ?
[...]
> It might help if you could explain how you are going to use your new
> user