2017 Oct 04
2
Script to reset group memberships...
Greetings! Rowland Penny via samba
On that day it was said...
> No need to do that, just use 'samba-tool user disable'
Ahem, Rowland, *I* *NEED* that.
For internal policies, users that leave my organization have to be
'sanitized', and in detail, memberships have to be reset.
So, apart from some complex scripting, is there some way to do that? If
complex scripting has to be
2018 Sep 27
2
[OT?] passing group name with spaces to ntlm_auth...
I'm not clear if it is a squid or a samba/ntlm_auth trouble... indeed...
In Squid I've added:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=LNFFVG --require-membership-of='LNFFVG\Domain Users'
auth_param ntlm children 5
but in 'cache.log' I got:
Winbindd lookupname failed to resolve 'LNFFVG\Domain into a SID!
Winbindd
2018 Sep 04
4
Upgraded a member server to 4.8, rfc2307 data?
I'm starting to upgrade my domain members to debian stretch/samba 4.8,
using Louis' packages.
Domain controllers still on jessie/samba45.
Upgrade went smoothly, but after the upgrade it seems that the DM was no
longer able to retrieve rfc2307 data, e.g.:
root at vdmsv2:~# getent passwd gaio
gaio:*:10000:10513:Marco Gaiarin:/home/LNFFVG/gaio:/bin/false
root at vdmsv2:~# ldbsearch -H
2018 Sep 24
3
DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Greetings! Rowland Penny via samba
On that day it was said...
> > clearly, I've on [globals] 'map to guest = Bad User'.
> That is how it is supposed to work, if a known user tries to use a
> wrong password, the user is rejected. If the user is unknown, it is
> mapped to the guest user (usually 'nobody') and allowed access to
> shares where 'guest ok =
2017 Nov 07
2
Best practice for creating an RO LDAP User in AD...
Greetings! Denis Cardon via samba
On that day it was said...
> You can put your service accounts in an OU and add a GPO that denies
> logon/services/tasks locally.
Shortly come back.
I've created a 'Restricted' OU, a 'Restricted' group (I'm short on
fantasy, today ;) and I've created an 'mta' user, both user and group
in the 'Restricted' OU, of course.
2017 Dec 18
2
DM and ''offline'' PAM (and NSS?)...
Greetings! L.P.H. van Belle via samba
On that day it was said...
> What you show below is correct.
> In linux, DOM\user != user
I know. And I was using 'wbinfo', which, AFAIK, queries winbind directly
and not POSIX stuff...
> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> [realms]
> SAMDOM.EXAMPLE.COM = {
> auth_to_local = RULE:[1:SAMDOM\$1]
>
2018 Sep 24
2
DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
You know what Windows did with the "default" local Administrator on the PC..
They disabled them...
If you joined a domain, then still, the PC administrator is disabled.
And the user is called PCNAME\Administrator and not Administrator
You have "BUILTIN\Administrator" on the servers. ( or SERVERNAME\Administrator )
I hope this helps you understand your problem a
2017 Dec 06
4
DM and ''offline'' PAM (and NSS?)...
I'm using samba 4.5 on a debian jessie (Louis' packages).
Rarely it happens that a power outage tears down all the stuff, here.
I've noticed that if the DM starts before the DC, clearly all account
data are inaccessible.
To prevent or minimize that, can the ''offline mode'' of winbind be
safely used also on DM servers? Or is it tailored to roaming clients
(portables,
2017 Dec 18
3
DM and ''offline'' PAM (and NSS?)...
On Mon, 18 Dec 2017 15:51:47 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> > I've seen:
> > https://wiki.samba.org/index.php/PAM_Offline_Authentication
>
> I've tried to enable offline logon, and seems to work as expected.
>
> I've only found a little strange thing, I think related to the fact
> that in my DM I've set
2017 Oct 04
2
Script to reset group memberships...
Greetings! Rowland Penny via samba
On that day it was said...
> Ah, you said disable, when you meant 'delete'
No, I meant exactly 'disabled'.
Let me try to be clearer:
a) I cannot delete accounts, at least for years, because local law
mandates accountability, and so I need SID/UID.
OK, I can save SID/UID elsewhere, but...
b) I want to ''reset'' group membership
2018 Sep 27
1
[OT?] passing group name with spaces to ntlm_auth...
On Thu, 2018-09-27 at 12:27 +0200, L.P.H. van Belle via samba wrote:
> Hai marco,
>
> More info on squid config might help here and no smb.conf..
> Ahead of things...
>
> And you better use something like this, change to negotiate auth. (
> and use SSO ).
>
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
> --kerberos
2018 Sep 05
3
Upgraded a member server to 4.8, rfc2307 data?
Greetings! L.P.H. van Belle via samba
On that day it was said...
> idmap config LNFFVG: unix_primary_group = yes
Is it needed? As far as I've understood, it means that users will have the
Windows group as UNIX primary group and not 'domain users', but really I
don't need that...
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''
2018 Mar 22
2
[OT?] Strangeness on clients migrating NT -> AD...
Greetings! Rowland Penny via samba
On that day it was said...
> So, it sounds like you have a PDC for the domain 'DOMAIN' and an AD DC
> for the domain 'DOMAIN' both using the same SID, I don't think this is
> going to work. I suggest you turn the old PDC off.
No no no! I'm not mad! ;-)
There's the OLD PDC for the domain 'SVCORSI', and the new AD DC
2017 Nov 10
1
[Curiosity] Default domain, DC and DM...
In my DC, without explicitly setting a 'winbind default domain', I can
check logins domainless:
root at vdcsv1:~# id gaio
uid=10000(LNFFVG\gaio) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11001(LNFFVG\sir),10999(LNFFVG\unixadm),3000008(LNFFVG\domain admins),3000005(LNFFVG\denied rodc password replication group),3000005(LNFFVG\denied rodc password replication
2017 Oct 19
3
Best practice for creating an RO LDAP User in AD...
Coming from Samba in NT mode with an OpenLDAP backend, I've created a bunch
of ''things'' (apps, web tools, ...; but also printers and so on) that
rely on reading ''public'' data in LDAP.
With OpenLDAP, ''public'' was an easy concept: anonymous access was
the default, and ACLs protect more sensitive data (mostly, passwords).
Now I've to redo some
2018 Mar 21
2
log error about permissions in truncated share path...
Greetings! Rowland Penny via samba
On that day it was said...
> I think you need to post your smb.conf, I (at least) am struggling to
> understand why you have moved 'sysvol' from /var/lib/samba/
> to /var/lib/samba/usershare/, it isn't a usershare!
I've not done that!
root at vdcsv1:/home# samba-tool testparm
Press enter to see a dump of your service definitions
#
2018 Feb 01
1
Guest access to a foreign NT domain fail...
I'm migrating from a (set of) NT domains, say SANVITO, to an AD domain,
say LNFFVG.
Both domains live in the same network, so there's no
firewall/routing/... in the middle.
In the SANVITO domain, there's a share (say \\MEDIA\Software) with public
access enabled. In the SANVITO domain, public access works as expected.
The same share is accessible with login (and password; so, non
2018 Oct 09
2
Samba and Freeradius...
I'm trying to move my freeradius server from debian jessie (freeradius 2.2.5+dfsg-0.2+deb8u1
and samba 4.2.14+dfsg-0+deb8u9) in an NT-like domain to a new stretch
server (freeradius 3.0.12+dfsg-5+deb9u1 and samba 4.8.5+mnu-1~deb9,
Louis' packages). Many things changed.
I've followed (also):
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
and added in
2018 Feb 08
2
Again guest access and machine account...
I'm still fighting a bit with guest access to shares via machine
account.
Little fast rewind: I'm using samba 4.5.8+dfsg-2+deb9u1~bpo8+1 (Louis'
packages), and I use an SCM system called WPKG to deploy and manage
Windows machines; that system does its work as the SYSTEM account on the
local Windows workstation.
If the machine account (say, MALCOBB$) has a valid UID/GID, the machine
account is used
2020 Sep 11
4
Winbind offline cache and strangeness...
I've set up a portable system (ubuntu 16.04) joined to my AD domain,
which in its primary network works as expected.
But in this 'COVID time', the portable starts to roam around, and users
tell me that, suddenly after some days of use, it gets incredibly
sloooowww... after that users reboot, and cannot get back in, login
refused.
I've set up a VPN, but clearly if users cannot login