similar to: Home folder: a simple mapping or something more?

I'm starting to upgrade my domain members to debian stretch/samba 4.8, using louis packages. Domain controllers still on jessie/samba45. Upgrade went smooth, but after upgrade seems that the DM was not able anymore to retrieve rfc2307 data, eg: root at vdmsv2:~# getent passwd gaio gaio:*:10000:10513:Marco Gaiarin:/home/LNFFVG/gaio:/bin/false root at vdmsv2:~# ldbsearch -H

Samba 4.5 in AD mode, domain in ''beta'' stage. ;-) I've created homes for users following: https://wiki.samba.org/index.php/User_Home_Folders using 'POSIX' mode, eg using: [users] comment = Home Directories path = /home browseable = No veto files = /.mail/.inbox/.ssh/ root preexec = /etc/samba/createhome "%U" force create mode = 0600 force

Mandi! L.P.H. van Belle via samba In chel di` si favelave... > idmap config LNFFVG: unix_primary_group = yes It is needed? AFAI've understood it means that users will have UNIX primary group the windows group and not 'domain users', but reeally i don't need that... -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia''

Mandi! Rowland Penny via samba In chel di` si favelave... > The error you are getting is usually caused by adding GPOs to the first > DC and then NOT copying them to the second DC before running > 'sysvolreset'. The GPOs are also stored in AD, 'sysvolreset' reads AD > to find where the GPOs are supposed to be, but if it cannot find any, > it errors out.

Reding the thread in list about gluster, i've found that in your samba packages 4.5.12+dfsg-2+deb9u2~bpo8+1 there's no vfs_glusterfs module, only the manpage. root at vdmsv1:~# grep glusterfs /var/lib/dpkg/info/samba*.list /var/lib/dpkg/info/samba-vfs-modules.list:/usr/share/man/man8/vfs_glusterfs.8.gz root at vdmsv1:~# grep /vfs/ /var/lib/dpkg/info/samba*.list

Reading here i've understod that for LDAP query it is better to use SAMAccountName as 'login', but today i've found: https://docs.microsoft.com/it-it/windows/desktop/ADSchema/a-samaccountname so, 'SAMAccountName' is a compatibility field with NT mode, limited to 20 chars. Someone here use 21 chars logins? ;-) -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66

Mandi! Andrew Bartlett via samba In chel di` si favelave... > I hope this clarifies things, Super-clear! Thanks! -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t

I need to close a site. No, no people fired, i've defined sites and DC because i hope that get (re)opened, but... There's some care i need to have to remove a DC (clearly, without FSMO roles)? I've looked on wiki to 'remove a DC' but i was not able to find something... Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra

Mandi! Andrew Bartlett via samba In chel di` si favelave... > > I'm still on samba4.5, sorry me. > Fix that first. Eh... i hope on this year. > > I've done some (bash) scripting around ldbsearch, but i've found some > > performance and 'lock' trouble. > Correct, Samba before 4.7 has very poor unindexed search performance, > due to a bug.  OK.

I need to do a simple query, against some LDAP data in 'laster draft schema' format i've added to te samba/AD schema. All LDAP query return the same result on all (6) of the DC: root at vdcsv1:~# ldapsearch -H ldap://vdcsv2.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember Enter LDAP Password:

Mandi! Rowland Penny via samba In chel di` si favelave... > > But my question really is: why this policy apply, if i've not enabled > > in GPO? > Probably because GPOs have no effect on a Samba AD DC, they will only > effect Windows clients. Rowland, i'm speaking about windows clients, not samba servers! I've enabled 'complexity checks' in samba servers,

I'm still on samba4.5, sorry me. I've done some (bash) scripting around ldbsearch, but i've found some performance and 'lock' trouble. a) query seems 'slow'. If i user paged result (--paged) coud achive better performance? It is a 'network' optimization only, right? eg: ldbsearch --paged -H /var/lib/samba/private/sam.ldb ... is totally unuseful, right?

Ahem no one reply me. A little fast-rewind: i need to have some 'aliases' to my servers (DM); seems i need to add in smb.conf: netbios aliases = FILESV but also add a 'SPN'; trying to look around for an examples, lead me to ''nothing'', or to examples that seems to me unrelated. Supposing the domain is 'ad.fvg.lnf.it' and the FQDN of the real host is

As was used to (in Samba NT/LDAP), i've enabled quota on /homes, and homes are exported (as homedrive) for users. Editing quotas (with edquota) works as expected, and in windows explorer users get quota correctly reported, but a simple: repquota -a return nothing: root at vdmsv1:~# repquota -a *** Report for user quotas on device /dev/sdb1 Block grace time: 28days; Inode grace time:

Mandi! Rowland Penny via samba In chel di` si favelave... > Not sure what you are proposing is going to work, AD expects every user > to be a member of Domain Users, even though there is nothing in AD to > show membership. Ah. > Do you require this user to visible on all domain machines ? [...] > It might help if you could explain how you are going to use your new > user

In Samba/NT i was used to share mapping done in netlogon script, so users move around between sites, get home and profile from remote location but still have share mapped from local servers. In Samba/AD, using GPO, share mapping is in ''user policy'', and so user roam between sites and get different policies? I'm googling around but i'm a bit confused... i can still use

I'm using 'winexe': https://sourceforge.net/projects/winexe/ but this repository, compiled against samba 4.5, and works like a charm: https://sourceforge.net/u/mstowe/winexe/ci/master/tree/ I've tried to recompile them against samba 4.8 (louis repo), and compile flawlessy, but if i try to run them: winexe[10549]: segfault at 138 ip 00007fb165a2f3a4 sp 00007ffdf432a880 error

You guys mix to things. > AFAIK is the 'privileges' that are host-specific. Is correct. >the policies are on the domain (in the LDAP data, > the root DN, look at them!). Yes, but only the GPO policies and these are not applied to the samba server. And because of that, samba-tools password settings needs to be set on every DC. Greetz, Louis > -----Oorspronkelijk

I'm using samba 4.5 on a debian jessie (Louis packages). Rarely it happen that a power outgage tear down all the stuff, here. I've noticed that if the DM start before the DC, clearly all account data are inaccessible. To prevent or minimize that, the ''offline mode'' of winbind can be safely used also on DM servers? Or is tailoread against roaming client (portables,

OK, now i've to start to move the big part of my users from my old NT-like domains to my new AD domain. I've setup roaming profile in the new domain following the wiki (https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles, 'using windows ACL') and for new profiles works like a charm. But i've tried to move/copy old profile to the new domain, and seems work, with