similar to: Password change question/1: smbpasswd does not propagate passwords?!

In my current ''production'' NT-like domain (samba 4.2, OpenLDAP backend), password policies seems to ''get written'' to user data. EG, if i set: pdbedit -P "maximum password age" -C 7776000 and i change my password, 'Password must change' have a meningful value, eg 90 days more then the last password change: root at armitage:~# pdbedit -v

Sorry, i came back on this, but: > In another, more generic, way: how password policies are enforced? still i need an answer on this question. I've done some tests, using my account, that pdbedit say: root at vdcsv1:~# LANG=C pdbedit -v gaio Unix username: gaio NT username: Account Flags: [U ] User SID:

On Tue, 26 Sep 2017 12:49:26 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! L.P.H. van Belle via samba > In chel di` si favelave... > > > Im pretty sure this is a bug in the DC part. > > Ahem, sorry, but i'm lost in following this therad. I've hust setup my > test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package,

Mandi! L.P.H. van Belle via samba In chel di` si favelave... > Im pretty sure this is a bug in the DC part. Ahem, sorry, but i'm lost in following this therad. I've hust setup my test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package, lous) on a debian jessie. Very minimal configuration: root at vdcsv1:~# samba-tool testparm Press enter to see a dump of your

On Mon, 23 Oct 2017 16:52:05 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > Sorry, i came back on this, but: > > > In another, more generic, way: how password policies are enforced? > > still i need an answer on this question. > > > I've done some tests, using my account, that pdbedit say: > > root at vdcsv1:~# LANG=C

> past ONE dc, that does not return nothing: Ok, supposing a xID/ACL trouble, this morning i've copied the 'idmap.ldb' from the DC with FSMO roles to the mulfunctioning DC, but still i get empty answer from the mulfunctioning DC. I've done a 'ldap compare' and all seems in sync: root at vdcsv1:~# samba-tool ldapcmp ldap://vdcsv1.ad.fvg.lnf.it

Mandi! Rowland Penny via samba In chel di` si favelave... > Now this is what I do not understand, my understanding is that 'PAM' is > used to find the correct authentication system and 'NSS' just connects > to that authentication system. No. NSS, roughly, 'extend the user database': https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html

Mandi! Rowland Penny via samba In chel di` si favelave... > This means that the Windows group is mapped to the Unix group 'users' > on a DC, up until you give Domain Users a gidNumber, then the ID will > change to the one you placed in the gidNumber attribute in Domain Users. I can confirm that. Using ADUC i've noted that 'Domain Users' have no GID assigned, so

In my DC, without setting explicitly a 'winbind default domain', i can check logins domainless: root at vdcsv1:~# id gaio uid=10000(LNFFVG\gaio) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11001(LNFFVG\sir),10999(LNFFVG\unixadm),3000008(LNFFVG\domain admins),3000005(LNFFVG\denied rodc password replication group),3000005(LNFFVG\denied rodc password replication

Hai Marco, The idmap config part. The this for the member. ## map id's outside to domain to tdb files. idmap config *: backend = tdb idmap config *: range = 5000-9999 ## map ids from the domain and (*) the range may not overlap ! idmap config LNFFVG: backend = ad idmap config LNFFVG: schema_mode = rfc2307 idmap config LNFFVG: range = 10000-49999 idmap

What you show below is correct. In linux, DOM\user != user If you want that. See: https://wiki.samba.org/index.php/OpenSSH_Single_sign-on [realms] SAMDOM.EXAMPLE.COM = { auth_to_local = RULE:[1:SAMDOM\$1] } Now, since im not sure this works ok, i dont use it on my debian servers, i use option2. option2 is ignore the "not recommended setting : "winbind use

On Tue, 29 Jan 2019 18:47:45 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! Rowland Penny via samba > In chel di` si favelave... > > > Now this is what I do not understand, my understanding is that > > 'PAM' is used to find the correct authentication system and 'NSS' > > just connects to that authentication system. >

On Mon, 18 Dec 2017 15:51:47 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > > I've seen: > > https://wiki.samba.org/index.php/PAM_Offline_Authentication > > I've tried to enable offline logon, and seems to work as expected. > > I've only found a little strange thing, i think related to the fact > that in my DM i've set

> I've seen: > https://wiki.samba.org/index.php/PAM_Offline_Authentication I've tried to enable offline logon, and seems to work as expected. I've only found a little strange thing, i think related to the fact that in my DM i've set 'winbind use default domain = yes'. Folowing the wiki, i've enabled offline logon and then done: ['smbcontrol winbind

On Wed, 28 Nov 2018 18:11:59 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! Rowland Penny via samba > In chel di` si favelave... > > > If an ldap lookup works on every DC, except for one and the data is > > definitely there on the one DC it doesn't work on, then it must be > > something on that DC. is there a firewall or

Hai Marco, Few pointers. First, time is in sync? I guess it is, but check it. Second. Guest access enabled on a domain joint PC ? If you really really want that, then enable user guest in the AD also. But better is avoiding Guest access completely. Join the domain, dont allow guest access and configure it correctly, best tip i can give, for the software deploying share. [wpkg] path

Mandi! L.P.H. van Belle via samba In chel di` si favelave... > What you show below is correct. > In linux, DOM\user != user I know. And i was using 'wbinfo', that, AFAIK query directly winbind and no POSIX stuff... > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on > [realms] > SAMDOM.EXAMPLE.COM = { > auth_to_local = RULE:[1:SAMDOM\$1] >

Mandi! Rowland Penny via samba In chel di` si favelave... > If an ldap lookup works on every DC, except for one and the data is > definitely there on the one DC it doesn't work on, then it must be > something on that DC. is there a firewall or apparmor/selinux in the > way ? No. Anyway, note that query return correctly 'result: 0 Success', simply return no data. Another

I'm starting to upgrade my domain members to debian stretch/samba 4.8, using louis packages. Domain controllers still on jessie/samba45. Upgrade went smooth, but after upgrade seems that the DM was not able anymore to retrieve rfc2307 data, eg: root at vdmsv2:~# getent passwd gaio gaio:*:10000:10513:Marco Gaiarin:/home/LNFFVG/gaio:/bin/false root at vdmsv2:~# ldbsearch -H

On Mon, 18 Dec 2017 16:44:32 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! L.P.H. van Belle via samba > In chel di` si favelave... > > > What you show below is correct. > > In linux, DOM\user != user > > I know. And i was using 'wbinfo', that, AFAIK query directly winbind > and no POSIX stuff... > > > >