similar to: Some hint reading password expiration data...

On Mon, 23 Oct 2017 16:52:05 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > Sorry, i came back on this, but: > > > In another, more generic, way: how password policies are enforced? > > still i need an answer on this question. > > > I've done some tests, using my account, that pdbedit say: > > root at vdcsv1:~# LANG=C

Sorry, i came back on this, but: > In another, more generic, way: how password policies are enforced? still i need an answer on this question. I've done some tests, using my account, that pdbedit say: root at vdcsv1:~# LANG=C pdbedit -v gaio Unix username: gaio NT username: Account Flags: [U ] User SID:

Hai Rowland, Im pretty sure this is a bug in the DC part. I'll show. On the DC. dc1:~# getent passwd winadmin NTDOM\winadmin:*:10000:100::/home/users/winadmin:/bin/bash wbinfo --group-info="Domain Users" NTDOM\domain users:x:100: id winadmin uid=10000(NTDOM\winadmin) gid=100(users) groups=100(users),3000004(BAZRTD\group policy creator owners),3000008(NTDOM\domain admins)

On Tue, 26 Sep 2017 12:49:26 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! L.P.H. van Belle via samba > In chel di` si favelave... > > > Im pretty sure this is a bug in the DC part. > > Ahem, sorry, but i'm lost in following this therad. I've hust setup my > test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package,

On Tue, 27 Mar 2018 13:38:56 -0400 Mark Foley wrote: > > On Mon, 26 Mar 2018 08:08:53 +0200 Michael Wandel <m.wandel at t-online.de> wrote: > > > > Am 26.03.2018 um 06:31 schrieb Mark Foley via samba: > > > As a normal user, I want to change my Domain Password. I've tried: > > > > > > $ samba-tool user setpassword myuserId

Doing some test i've done, as root, in one DC: root at vdcpp1:~# smbpasswd gaio New SMB password: Retype new SMB password: root at vdcpp1:~# pdbedit -v gaio Unix username: gaio NT username: Account Flags: [U ] User SID: S-1-5-21-160080369-3601385002-3131615632-1105 Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513 Full

On Thu, 9 Nov 2017 11:08:26 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! L.P.H. van Belle via samba > In chel di` si favelave... > > > I dont beleave it. > > Eh. «De gustibus non disputandum est». ;-) > > > > The setup for the Ad in the link below is the same but if you want > > access without auth, Have you tried to

In our network we found some client with clock differences. Some machine have effectively some troubles, eg have NO 'Windows Time' service defined, probably some glitches happened when moving from our old NT-like domain. Anyway, catching for that, we have found some other strangeness. Windows time service run: C:\Users\gaio>sc query w32time NOME_SERVIZIO: w32time TIPO

Mandi! Rowland Penny via samba In chel di` si favelave... > You need to explicitly ask for it, for instance: Oh, cool! Seems effectivaly different: root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)" nTSecurityDescriptor # record 1 dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it nTSecurityDescriptor:

Currently for my user: root at vdmsv1:/etc/exim4# ldbsearch -H ldap://vdcsv1 -P -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=gaio)" | grep ": gaio$" cn: gaio name: gaio sAMAccountName: gaio uid: gaio msSFU30Name: gaio what field is betetr to use for querying for user 'gaio'? 'uid' no (because RFC2307 data can be missing), so? 'sAMAccountName'? or

Mandi! Rowland penny via samba In chel di` si favelave... > You cannot create an ldap filter using the above, you would have to filter > the result of the ldap search. I can confirm: root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed # record 1 dn:

Mandi! Rowland Penny via samba In chel di` si favelave... > If an ldap lookup works on every DC, except for one and the data is > definitely there on the one DC it doesn't work on, then it must be > something on that DC. is there a firewall or apparmor/selinux in the > way ? No. Anyway, note that query return correctly 'result: 0 Success', simply return no data. Another

Following: https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC i've demoted and removed a DC. Seems all went as expected: root at vdcud1:~# samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio Using vdcsv1.ad.fvg.lnf.it as partner server for the demotion Password for [LNFFVG\gaio]: Deactivating inbound replication Asking partner server vdcsv1.ad.fvg.lnf.it to synchronize

Mandi! Andrew Bartlett via samba In chel di` si favelave... > It is an operational attribute. simply add  > msDS-UserPasswordExpiryTimeComputed > to the list of attributes requested when searching for the user. root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=ad,dc=fvg,dc=lnf,dc=it" -s base "" maxPwdAge # record 1 dn:

I need to do a simple query, against some LDAP data in 'laster draft schema' format i've added to te samba/AD schema. All LDAP query return the same result on all (6) of the DC: root at vdcsv1:~# ldapsearch -H ldap://vdcsv2.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember Enter LDAP Password:

Mandi! Rowland Penny via samba In chel di` si favelave... > S-1-5-21-160080369-3601385002-3131615632-1314 Bingo! Exactly the 'Restricted' group that own the users i use for generico LDAP access! I really think that we have found the trouble! Now... how can i fix it? ;-) And... why that vaule get not propagated?! Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66

2017-09-19 17:25 GMT+02:00 Marco Gaiarin via samba <samba at lists.samba.org>: > > > ...googling around seems to me that are ''old limitation'', now gone. > > No. > > For me Samba AD DC is running without any problem in an Ubuntu privileged LXC container. Best regards, Marcel

Mandi! Rowland penny via samba In chel di` si favelave... > You are authenticating to AD, so you need to use information that AD > understands, its dns domain (not an email domain) and the users name, or the > Netbios domain\username. But UPN is written 'domainful', eg 'username at ad.domain.name': root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b

I dont beleave it. That 5 years old now, normaly i'll dig into it, but exim... I dropped exim about 15 years ago.. First thing i do on debian... apt-get install --purge postfix That installs postfix and removes exim and purges exims config.. ;-) The setup for the Ad in the link below is the same but if you want access without auth, Have you tried to query the GC ports. ( 3268 or 3269

On Fri, 2019-12-06 at 12:22 +0000, Rowland penny via samba wrote: > On 06/12/2019 11:47, Marco Gaiarin via samba wrote: > > Mandi! Rowland penny via samba > > In chel di` si favelave... > > > > > You cannot create an ldap filter using the above, you would have > > > to filter > > > the result of the ldap search. > > > > I can