2017 Nov 07
2
Best practice for creating an RO LDAP User in AD...
Hello! Denis Cardon via samba
On that day it was said...
> You can put your service accounts in an OU and add a GPO that deny
> logon/services/tasks locally.
I'll come back shortly.
I've created a 'Restricted' OU, a 'Restricted' group (I'm short on
imagination today ;) and I've created an 'mta' user, both user and group
in the 'Restricted' OU, of course.
2018 Sep 04
4
Upgraded a member server to 4.8, rfc2307 data?
I'm starting to upgrade my domain members to debian stretch/samba 4.8,
using Louis' packages.
Domain controllers are still on jessie/samba 4.5.
The upgrade went smoothly, but after the upgrade it seems that the DM is no
longer able to retrieve rfc2307 data, eg:
root at vdmsv2:~# getent passwd gaio
gaio:*:10000:10513:Marco Gaiarin:/home/LNFFVG/gaio:/bin/false
root at vdmsv2:~# ldbsearch -H
2017 Nov 09
2
Best practice for creating an RO LDAP User in AD...
On Thu, 9 Nov 2017 11:08:26 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Hello! L.P.H. van Belle via samba
> On that day it was said...
>
> > I don't believe it.
>
> Eh. «De gustibus non disputandum est». ;-)
>
>
> > The setup for the AD in the link below is the same, but if you want
> > access without auth, have you tried to
2017 Sep 26
3
Domain member server: user access
Hai Rowland,
I'm pretty sure this is a bug in the DC part.
I'll show.
On the DC.
dc1:~# getent passwd winadmin
NTDOM\winadmin:*:10000:100::/home/users/winadmin:/bin/bash
wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100:
id winadmin
uid=10000(NTDOM\winadmin) gid=100(users) groups=100(users),3000004(BAZRTD\group policy creator owners),3000008(NTDOM\domain admins)
2019 Feb 15
6
Demoted/removed a DC, and the NS records?
Following:
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
I've demoted and removed a DC. It seems all went as expected:
root at vdcud1:~# samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio
Using vdcsv1.ad.fvg.lnf.it as partner server for the demotion
Password for [LNFFVG\gaio]:
Deactivating inbound replication
Asking partner server vdcsv1.ad.fvg.lnf.it to synchronize
2018 Mar 21
2
log error about permissions in truncated share path...
Hello! Rowland Penny via samba
On that day it was said...
> I think you need to post your smb.conf, I (at least) am struggling to
> understand why you have moved 'sysvol' from /var/lib/samba/
> to /var/lib/samba/usershare/, it isn't a usershare!
I've not done that!
root at vdcsv1:/home# samba-tool testparm
Press enter to see a dump of your service definitions
#
2017 Sep 26
1
Domain member server: user access
On Tue, 26 Sep 2017 12:49:26 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Hello! L.P.H. van Belle via samba
> On that day it was said...
>
> > I'm pretty sure this is a bug in the DC part.
>
> Ahem, sorry, but I'm lost following this thread. I've just set up my
> test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package,
2018 Mar 21
2
log error about permissions in truncated share path...
In the syslog of my DC (2:4.5.12+dfsg-2+deb9u2~bpo8+1) I sometimes find rows like:
Mar 21 09:53:40 vdcsv1 smbd[22686]: [2018/03/21 09:53:40.826081, 0] ../source3/param/loadparm.c:3244(process_usershare_file)
Mar 21 09:53:40 vdcsv1 smbd[22686]: process_usershare_file: stat of /var/lib/samba/usershares/sysvo failed. Permesso negato
Mar 21 09:53:40 vdcsv1 smbd[22686]: [2018/03/21 09:53:40.831949,
2018 Nov 26
3
Different LDAP query in different DC...
I need to do a simple query against some LDAP data in 'laster draft
schema' format that I've added to the samba/AD schema.
All LDAP queries return the same result on all (6) of the DCs:
root at vdcsv1:~# ldapsearch -H ldap://vdcsv2.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember
Enter LDAP Password:
2017 Nov 08
4
Best practice for creating an RO LDAP User in AD...
I don't believe it.
That's 5 years old now; normally I'll dig into it, but exim... I dropped exim about 15 years ago..
First thing I do on debian...
apt-get install --purge postfix
That installs postfix and removes exim and purges exim's config.. ;-)
The setup for the AD in the link below is the same, but if you want access without auth,
have you tried to query the GC ports? ( 3268 or 3269
2017 Sep 19
1
[OT?] VM or Container for an AD DC?
2017-09-19 17:25 GMT+02:00 Marco Gaiarin via samba <samba at lists.samba.org>:
>
> > ...googling around, it seems to me that those are 'old limitations', now gone.
>
> No.
>
>
For me Samba AD DC is running without any problem in an Ubuntu privileged
LXC container.
Best regards,
Marcel
2017 Sep 19
7
[OT?] VM or Container for an AD DC?
Hello! Andrew Bartlett via samba
On that day it was said...
> There is a limitation for containers regarding xattrs as I understand
> it, so you may need to go to a full DC.
...googling around, it seems to me that those are 'old limitations', now gone.
I've also hit:
https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-November/012789.html
so it seems that
2017 Dec 06
4
DM and ''offline'' PAM (and NSS?)...
I'm using samba 4.5 on debian jessie (Louis' packages).
Rarely it happens that a power outage tears down all the stuff here.
I've noticed that if the DM starts before the DC, clearly all account
data are inaccessible.
To prevent or minimize that, can the 'offline mode' of winbind be
safely used also on DM servers? Or is it tailored for roaming clients
(portables,
2018 Sep 24
3
DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Hello! Rowland Penny via samba
On that day it was said...
> > clearly, I've got 'map to guest = Bad User' in [globals].
> That is how it is supposed to work, if a known user tries to use a
> wrong password, the user is rejected. If the user is unknown, it is
> mapped to the guest user (usually 'nobody') and allowed access to
> shares where 'guest ok =
2017 Nov 08
5
Best practice for creating an RO LDAP User in AD...
Hello! Rowland Penny via samba
On that day it was said...
> Not sure what you are proposing is going to work, AD expects every user
> to be a member of Domain Users, even though there is nothing in AD to
> show membership.
Ah.
> Do you require this user to be visible on all domain machines ?
[...]
> It might help if you could explain how you are going to use your new
> user
2017 Nov 10
1
[Curiosity] Default domain, DC and DM...
In my DC, without explicitly setting a 'winbind default domain', I can
check logins without a domain prefix:
root at vdcsv1:~# id gaio
uid=10000(LNFFVG\gaio) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11001(LNFFVG\sir),10999(LNFFVG\unixadm),3000008(LNFFVG\domain admins),3000005(LNFFVG\denied rodc password replication group),3000005(LNFFVG\denied rodc password replication
2017 Dec 18
3
DM and ''offline'' PAM (and NSS?)...
On Mon, 18 Dec 2017 15:51:47 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> > I've seen:
> > https://wiki.samba.org/index.php/PAM_Offline_Authentication
>
> I've tried to enable offline logon, and it seems to work as expected.
>
> I've only found one slightly strange thing, which I think is related to the fact
> that in my DM I've set
2017 Nov 10
2
Best practice for creating an RO LDAP User in AD...
On Fri, 10 Nov 2017 14:43:08 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Hello! Rowland Penny via samba
> On that day it was said...
>
> > > gaio at albus:~$ ldapsearch -x -H ldap://vdcsv1:3268/ -b
> > > DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)"
>
> > Try:
> > ldbsearch -H ldap://vdcsv1:3268 -P -b
2018 Sep 27
2
[OT?] passing group name with spaces to ntlm_auth...
I'm not clear if it is a squid or a samba/ntlm_auth trouble... indeed...
In Squid I've added:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=LNFFVG --require-membership-of='LNFFVG\Domain Users'
auth_param ntlm children 5
but in 'cache.log' I get:
Winbindd lookupname failed to resolve 'LNFFVG\Domain into a SID!
Winbindd
2017 Dec 18
2
DM and ''offline'' PAM (and NSS?)...
Hello! L.P.H. van Belle via samba
On that day it was said...
> What you show below is correct.
> In linux, DOM\user != user
I know. And I was using 'wbinfo', which, AFAIK, queries winbind directly
and no POSIX stuff...
> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> [realms]
> SAMDOM.EXAMPLE.COM = {
> auth_to_local = RULE:[1:SAMDOM\$1]
>