Displaying 20 results from an estimated 7000 matches similar to: "Password change question/1: smbpasswd does not propagate passwords?!"
2017 Oct 20
2
Some hint reading password expiration data...
In my current ''production'' NT-like domain (samba 4.2, OpenLDAP
backend), password policies seem to ''get written'' to user data.
E.g., if I set:
pdbedit -P "maximum password age" -C 7776000
and I change my password, 'Password must change' has a meaningful value,
e.g. 90 days more than the last password change:
root@armitage:~# pdbedit -v
2017 Oct 23
0
Some hint reading password expiration data...
Sorry, i came back on this, but:
> In another, more generic, way: how password policies are enforced?
still i need an answer on this question.
I've done some tests, using my account, that pdbedit say:
root@vdcsv1:~# LANG=C pdbedit -v gaio
Unix username: gaio
NT username:
Account Flags: [U ]
User SID:
2017 Sep 26
1
Domain member server: user access
On Tue, 26 Sep 2017 12:49:26 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! L.P.H. van Belle via samba
> In chel di` si favelave...
>
> > Im pretty sure this is a bug in the DC part.
>
> Ahem, sorry, but I'm lost in following this thread. I've just set up my
> test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package,
2017 Sep 26
0
Domain member server: user access
Mandi! L.P.H. van Belle via samba
In chel di` si favelave...
> Im pretty sure this is a bug in the DC part.
Ahem, sorry, but I'm lost in following this thread. I've just set up my
test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package,
lous) on a debian jessie.
Very minimal configuration:
root@vdcsv1:~# samba-tool testparm
Press enter to see a dump of your
2017 Oct 23
3
Some hint reading password expiration data...
On Mon, 23 Oct 2017 16:52:05 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> Sorry, i came back on this, but:
>
> > In another, more generic, way: how password policies are enforced?
>
> still i need an answer on this question.
>
>
> I've done some tests, using my account, that pdbedit say:
>
> root@vdcsv1:~# LANG=C
2018 Nov 27
0
Different LDAP query in different DC...
> past ONE dc, that does not return nothing:
Ok, supposing a xID/ACL trouble, this morning I've copied the
'idmap.ldb' from the DC with FSMO roles to the malfunctioning DC, but
still I get an empty answer from the malfunctioning DC.
I've done a 'ldap compare' and all seems in sync:
root@vdcsv1:~# samba-tool ldapcmp ldap://vdcsv1.ad.fvg.lnf.it
2019 Jan 29
0
Winbind, cached logons and 'user persistency'...
Mandi! Rowland Penny via samba
In chel di` si favelave...
> Now this is what I do not understand, my understanding is that 'PAM' is
> used to find the correct authentication system and 'NSS' just connects
> to that authentication system.
No. NSS, roughly, 'extends the user database':
https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html
2017 Sep 26
1
Domain member server: user access
Mandi! Rowland Penny via samba
In chel di` si favelave...
> This means that the Windows group is mapped to the Unix group 'users'
> on a DC, up until you give Domain Users a gidNumber, then the ID will
> change to the one you placed in the gidNumber attribute in Domain Users.
I can confirm that.
Using ADUC i've noted that 'Domain Users' have no GID assigned, so
2017 Nov 10
1
[Curiosity] Default domain, DC and DM...
In my DC, without explicitly setting a 'winbind default domain', I can
check logins domainless:
root@vdcsv1:~# id gaio
uid=10000(LNFFVG\gaio) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11001(LNFFVG\sir),10999(LNFFVG\unixadm),3000008(LNFFVG\domain admins),3000005(LNFFVG\denied rodc password replication group),3000005(LNFFVG\denied rodc password replication
2018 Sep 05
0
Upgraded a member server to 4.8, rfc2307 data?
Hai Marco,
The idmap config part. The this for the member.
## map id's outside to domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 5000-9999
## map ids from the domain and (*) the range may not overlap !
idmap config LNFFVG: backend = ad
idmap config LNFFVG: schema_mode = rfc2307
idmap config LNFFVG: range = 10000-49999
idmap
2017 Dec 18
0
DM and ''offline'' PAM (and NSS?)...
What you show below is correct.
In linux, DOM\user != user
If you want that. See:
https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
[realms]
SAMDOM.EXAMPLE.COM = {
auth_to_local = RULE:[1:SAMDOM\$1]
}
Now, since im not sure this works ok, i dont use it on my debian servers, i use option2.
option2 is ignore the "not recommended setting : "winbind use
2019 Jan 29
2
Winbind, cached logons and 'user persistency'...
On Tue, 29 Jan 2019 18:47:45 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! Rowland Penny via samba
> In chel di` si favelave...
>
> > Now this is what I do not understand, my understanding is that
> > 'PAM' is used to find the correct authentication system and 'NSS'
> > just connects to that authentication system.
>
2017 Dec 18
3
DM and ''offline'' PAM (and NSS?)...
On Mon, 18 Dec 2017 15:51:47 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> > I've seen:
> > https://wiki.samba.org/index.php/PAM_Offline_Authentication
>
> I've tried to enable offline logon, and seems to work as expected.
>
> I've only found a little strange thing, i think related to the fact
> that in my DM i've set
2017 Dec 18
0
DM and ''offline'' PAM (and NSS?)...
> I've seen:
> https://wiki.samba.org/index.php/PAM_Offline_Authentication
I've tried to enable offline logon, and seems to work as expected.
I've only found a little strange thing, i think related to the fact
that in my DM i've set 'winbind use default domain = yes'.
Following the wiki, I've enabled offline logon and then done:
['smbcontrol winbind
2018 Nov 28
0
Different LDAP query in different DC...
On Wed, 28 Nov 2018 18:11:59 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! Rowland Penny via samba
> In chel di` si favelave...
>
> > If an ldap lookup works on every DC, except for one and the data is
> > definitely there on the one DC it doesn't work on, then it must be
> > something on that DC. is there a firewall or
2018 Sep 24
0
DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Hai Marco,
Few pointers.
First, time is in sync? I guess it is, but check it.
Second.
Guest access enabled on a domain joint PC ?
If you really really want that, then enable user guest in the AD also.
But better is avoiding Guest access completely.
Join the domain, dont allow guest access and configure it correctly,
best tip i can give, for the software deploying share.
[wpkg]
path
2017 Dec 18
2
DM and ''offline'' PAM (and NSS?)...
Mandi! L.P.H. van Belle via samba
In chel di` si favelave...
> What you show below is correct.
> In linux, DOM\user != user
I know. And i was using 'wbinfo', that, AFAIK query directly winbind
and no POSIX stuff...
> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> [realms]
> SAMDOM.EXAMPLE.COM = {
> auth_to_local = RULE:[1:SAMDOM\$1]
>
2018 Nov 28
2
Different LDAP query in different DC...
Mandi! Rowland Penny via samba
In chel di` si favelave...
> If an ldap lookup works on every DC, except for one and the data is
> definitely there on the one DC it doesn't work on, then it must be
> something on that DC. is there a firewall or apparmor/selinux in the
> way ?
No. Anyway, note that query return correctly 'result: 0 Success',
simply return no data.
Another
2018 Sep 04
4
Upgraded a member server to 4.8, rfc2307 data?
I'm starting to upgrade my domain members to debian stretch/samba 4.8,
using louis packages.
Domain controllers still on jessie/samba45.
Upgrade went smooth, but after upgrade seems that the DM was not able
anymore to retrieve rfc2307 data, eg:
root@vdmsv2:~# getent passwd gaio
gaio:*:10000:10513:Marco Gaiarin:/home/LNFFVG/gaio:/bin/false
root@vdmsv2:~# ldbsearch -H
2017 Dec 18
0
DM and ''offline'' PAM (and NSS?)...
On Mon, 18 Dec 2017 16:44:32 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! L.P.H. van Belle via samba
> In chel di` si favelave...
>
> > What you show below is correct.
> > In linux, DOM\user != user
>
> I know. And i was using 'wbinfo', that, AFAIK query directly winbind
> and no POSIX stuff...
>
>
> >