similar to: Script to reset group memberships...

Mandi! Rowland Penny via samba In chel di` si favelave... > No need to do that, just use 'samba-tool user disable' Ahem, Rowland, *I* *NEED* that. For internal policies, users that leave my organization have to be 'sanitized', and on detail, memberships have to be reset. So, apart some complex scripting, there's some way to do that? If comlex scripting have to be

I've not clear if is a squid or a samba/ntlm_auth trouble... indeed... In Squid i've added: auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=LNFFVG --require-membership-of='LNFFVG\Domain Users' auth_param ntlm children 5 but in 'cache.log' i got: Winbindd lookupname failed to resolve 'LNFFVG\Domain into a SID! Winbindd

I'm starting to upgrade my domain members to debian stretch/samba 4.8, using louis packages. Domain controllers still on jessie/samba45. Upgrade went smooth, but after upgrade seems that the DM was not able anymore to retrieve rfc2307 data, eg: root at vdmsv2:~# getent passwd gaio gaio:*:10000:10513:Marco Gaiarin:/home/LNFFVG/gaio:/bin/false root at vdmsv2:~# ldbsearch -H

Mandi! Rowland Penny via samba In chel di` si favelave... > > clearly, i've on [globals] 'map to guest = Bad User'. > That is how it is supposed to work, if a known user tries to use a > wrong password, the user is rejected. If the user is unknown, it is > mapped to the guest user (usually 'nobody') and allowed access to > shares where 'guest ok =

Mandi! Denis Cardon via samba In chel di` si favelave... > You can put your service accounts in an OU and add a GPO that deny > logon/services/tasks locally. Shortly come back. I've created a 'Restricted' OU, a 'Restricted' group (i'm short in fantasy, today ;) and i've created an 'mta' user, both user and group in 'Restricted' OU, of course.

Mandi! L.P.H. van Belle via samba In chel di` si favelave... > What you show below is correct. > In linux, DOM\user != user I know. And i was using 'wbinfo', that, AFAIK query directly winbind and no POSIX stuff... > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on > [realms] > SAMDOM.EXAMPLE.COM = { > auth_to_local = RULE:[1:SAMDOM\$1] >

You know what windows did with the "default" local, Administrator on the PC.. They disabled them... If you joined a domain, then still, the PC administrator is disabled. And the users is called PCNAME\Administrator and not Administrator You have "BUILTIN\Administrator" on the servers. ( or SERVERNAME\Administrator ) I hope this helps you understanding your problem a

I'm using samba 4.5 on a debian jessie (Louis packages). Rarely it happen that a power outgage tear down all the stuff, here. I've noticed that if the DM start before the DC, clearly all account data are inaccessible. To prevent or minimize that, the ''offline mode'' of winbind can be safely used also on DM servers? Or is tailoread against roaming client (portables,

On Mon, 18 Dec 2017 15:51:47 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > > I've seen: > > https://wiki.samba.org/index.php/PAM_Offline_Authentication > > I've tried to enable offline logon, and seems to work as expected. > > I've only found a little strange thing, i think related to the fact > that in my DM i've set

Mandi! Rowland Penny via samba In chel di` si favelave... > Ah, you said disable, when you meant 'delete' No, i meant exactly 'disabled'. Try to be more clearer: a) i cannot delete accounts, at least for years, because local law mandates accountability, and so i need SID/UID. OK, i can save SID/UID elsewhere, but... b) i want to ''reset'' group membership

On Thu, 2018-09-27 at 12:27 +0200, L.P.H. van Belle via samba wrote: > Hai marco,  > > More info on squid config might help here and no smb.conf..  > Ahead of things...   > > And you better use something like this, change to negotiate auth. ( > and use SSO ).  > > auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \ >     --kerberos

Mandi! L.P.H. van Belle via samba In chel di` si favelave... > idmap config LNFFVG: unix_primary_group = yes It is needed? AFAI've understood it means that users will have UNIX primary group the windows group and not 'domain users', but reeally i don't need that... -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia''

Mandi! Rowland Penny via samba In chel di` si favelave... > So, it sounds like you have a PDC for the domain 'DOMAIN' and an AD DC > for the domain 'DOMAIN' both using the same SID, I don't think this is > going to work. I suggest you turn the old PDC off. No no no! I'm not mad! ;-) There's the OLD PDC for the domain 'SVCORSI', and the new AD DC

In my DC, without setting explicitly a 'winbind default domain', i can check logins domainless: root at vdcsv1:~# id gaio uid=10000(LNFFVG\gaio) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11001(LNFFVG\sir),10999(LNFFVG\unixadm),3000008(LNFFVG\domain admins),3000005(LNFFVG\denied rodc password replication group),3000005(LNFFVG\denied rodc password replication

Caming from Samba in NT mode with OpenLDAP backend i've created a bunch of ''things'' (apps, web tools, ...; but also printers and so on) that rely on reading ''public'' data in LDAP. With OpenLDAP ''public'' was a easy concept: anonymous access was the default, and ACL protect more sensitive data (mostly, passwords). Now i've to redo some

Mandi! Rowland Penny via samba In chel di` si favelave... > I think you need to post your smb.conf, I (at least) am struggling to > understand why you have moved 'sysvol' from /var/lib/samba/ > to /var/lib/samba/usershare/, it isn't a usershare! I've not done that! root at vdcsv1:/home# samba-tool testparm Press enter to see a dump of your service definitions #

I'm migrating from a (set of) NT domain, say SANVITO, to an AD domain, say LNFFVG. Both domain live in the same network, so there's no firewall/routing/... in the middle. In SANVITO domain, there's a share (say \\MEDIA\Software) with public access enabled. In SANVITO domain, public access works as expected. The same share are accessible with login (and password; so, non

I'm trying to move my freeradius server from debian jessie (freeradius 2.2.5+dfsg-0.2+deb8u1 and samba 4.2.14+dfsg-0+deb8u9) in a NT like domain to a new stretch server (freeradius 3.0.12+dfsg-5+deb9u1 and samba 4.8.5+mnu-1~deb9, louis packages). Many things changed. I've followed (also): https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory and added in

I'm still fighting a bit with guest access to shares via machine account. Little fast rewind: i'm using samba 4.5.8+dfsg-2+deb9u1~bpo8+1 (louis packages), and i use an SCM system called WPKG to deploy ad manage windows machine; that system do their works as SYSTEM account on local windows workstation. If the machine account (say, MALCOBB$) have a valid UID/GID, machine account are used

I've setup a portable system (ubuntu 16.04) joined to my AD domain, that in their primary network works as expected. But in this 'COVID time', the portable start to roam around, and users say me that, suddenly after some days of use, get incredibly sloooowww... after that users reboot, and cannot get back in, login refused. I've setup a VPN, but clearly if users cannot login