similar to: [OT?] Strangeness on clients migrating NT -> AD...

Mandi! Rowland Penny via samba In chel di` si favelave... > How is the 'old' server now set up ? > Is it now an AD DC domain member ? No, it remain in the old state, simply we have a tool that keep in sync passwords, so access works to the old server because users and password matches. > It sounds like the machines are still looking for the old PDC. How do > the win7

Mandi! Rowland Penny via samba In chel di` si favelave... > So, it sounds like you have a PDC for the domain 'DOMAIN' and an AD DC > for the domain 'DOMAIN' both using the same SID, I don't think this is > going to work. I suggest you turn the old PDC off. No no no! I'm not mad! ;-) There's the OLD PDC for the domain 'SVCORSI', and the new AD DC

On Thu, 22 Mar 2018 10:16:19 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > Yesterday we have done our first trunk of migration from our > Samba4-NT4 domains to our new Samba 4 (2:4.5.12+dfsg-2+deb9u2~bpo8+1) > AD domain. > > Main shares are kept on old server, so we have migrated computers and > users (homes and roaming profiles). How is the

Reding the thread in list about gluster, i've found that in your samba packages 4.5.12+dfsg-2+deb9u2~bpo8+1 there's no vfs_glusterfs module, only the manpage. root at vdmsv1:~# grep glusterfs /var/lib/dpkg/info/samba*.list /var/lib/dpkg/info/samba-vfs-modules.list:/usr/share/man/man8/vfs_glusterfs.8.gz root at vdmsv1:~# grep /vfs/ /var/lib/dpkg/info/samba*.list

In syslog of my DC (2:4.5.12+dfsg-2+deb9u2~bpo8+1) i found sometime rows like: Mar 21 09:53:40 vdcsv1 smbd[22686]: [2018/03/21 09:53:40.826081, 0] ../source3/param/loadparm.c:3244(process_usershare_file) Mar 21 09:53:40 vdcsv1 smbd[22686]: process_usershare_file: stat of /var/lib/samba/usershares/sysvo failed. Permesso negato Mar 21 09:53:40 vdcsv1 smbd[22686]: [2018/03/21 09:53:40.831949,

Mandi! Rowland Penny via samba In chel di` si favelave... > > There's the OLD PDC for the domain 'SVCORSI', and the new AD DC for > > the domain 'LNFFVG', with different SID! They are different domains! > OK, but if the win7 machines were domain members of 'SVCORSI', then > they still might be trying to find it, best thing is to turn it off.

Mandi! Data Control Systems - Mike Elkevizth via samba In chel di` si favelave... > 4.7.6) which also doesn't work. If you are only using it to authenticate > to an AD controller, you should switch to using sssd. I have multiple Some hints on docs to follow? Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia''

I've setup a portable system (ubuntu 16.04) joined to my AD domain, that in their primary network works as expected. But in this 'COVID time', the portable start to roam around, and users say me that, suddenly after some days of use, get incredibly sloooowww... after that users reboot, and cannot get back in, login refused. I've setup a VPN, but clearly if users cannot login

Mandi! Rowland penny via samba In chel di` si favelave... > Do you have ANY Windows clients ? Sure! Most of my clients are windows. > If the answer is yes, then you need to follow the 'Setting up a share using > windows ACLs' page and make your Linux clients work with this. > If the answer is no, then you can follow the POSIX ACLs page. > Do not try to mix the two.

Mandi! Rowland Penny via samba In chel di` si favelave... > Just like Windows you can create a user with a password and then make > them change the password when they login, see: Sure, but initial password still have to complain to complexity rules. In my 'NT like' samba domains i was (ab)used to set initial password the same of the login, forcing the change on next login.

Someone out there have compiled successfully winexe with recent (4.5+) samba version? I've tried that repository: https://sourceforge.net/u/markr123/winexe/ci/master/tree/ that seems the latest fork available. Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della

Mandi! Rowland penny via samba In chel di` si favelave... I came back on this, because still some glitches happen. Yesterday I'm locked out. 'pdbedit -vL gaio' say me that account IS locked. But: > yes, Provided you use the right attribute to search on ;-) > Something like this will give you if/when the account was locked out: > ldbsearch -H

In our network we found some client with clock differences. Some machine have effectively some troubles, eg have NO 'Windows Time' service defined, probably some glitches happened when moving from our old NT-like domain. Anyway, catching for that, we have found some other strangeness. Windows time service run: C:\Users\gaio>sc query w32time NOME_SERVIZIO: w32time TIPO

Mandi! Marc Muehlfeld via samba In chel di` si favelave... [in the meantime, moved to 4.5...] > > Ahem, i've typed '--comploxity'... sorry... OK, option is available in > > samba-tool in 4.2, but does not seems to work: > This just turns off the need of complex passwords, but there are more > settings, such as minimum length, number of previous passwords not >

Mandi! Rowland penny via samba In chel di` si favelave... > > And my Windows client works happily! > If you only had Unix clients, then you could stick with this way of doing > things, but you have Windows clients, so you need to work the Windows way > and make your Unix clients work the same way. No. In these years i've worked with 'POSIX ACLs', setting up scripts

I'm doing some test moving from a NT domain to ad AD domain, using debian jessie samba (4.2) and obviously the 'classicupgrade' procedure. In my setup i use(d) extensively some script to reset password to users. I was (ab)used to have 'smbpasswd' behave differently if executed by root, eg change the password without taking in consideration password policy and check password

I need to do some testing, but before to hit by head on a known wall, i ask here. My AD domain get used (via PAM/Winbind) to give access to some other dervice, most notably here dovecot. When password expire (or users change it) the MUA try the old password some times, then ask for a new password; users cleraly get scared, press randomly 'OK' or 'Cancel', but if they press 2-3

My previous email on this topic get no answer, i try to explain me better. The problem. Simply i was (ab)used, in my previous samba NT-mode domains, to have file created with the group-owner as the UNIX primary group; now, in AD, files get created group-owned by Windows primary group, eg 'Domain Users'. This simply 'breaks' most of my ACLs setup. I've read:

Mandi! Andrew Bartlett via samba In chel di` si favelave... > I hope this clarifies things, Super-clear! Thanks! -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t

Reading here i've understod that for LDAP query it is better to use SAMAccountName as 'login', but today i've found: https://docs.microsoft.com/it-it/windows/desktop/ADSchema/a-samaccountname so, 'SAMAccountName' is a compatibility field with NT mode, limited to 20 chars. Someone here use 21 chars logins? ;-) -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66