similar to: Upgraded a member server to 4.8, rfc2307 data?

Mandi! L.P.H. van Belle via samba In chel di` si favelave... > idmap config LNFFVG: unix_primary_group = yes It is needed? AFAI've understood it means that users will have UNIX primary group the windows group and not 'domain users', but reeally i don't need that... -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia''

Hai Marco, The idmap config part. The this for the member. ## map id's outside to domain to tdb files. idmap config *: backend = tdb idmap config *: range = 5000-9999 ## map ids from the domain and (*) the range may not overlap ! idmap config LNFFVG: backend = ad idmap config LNFFVG: schema_mode = rfc2307 idmap config LNFFVG: range = 10000-49999 idmap

On Mon, 28 Jan 2019 12:52:45 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! Rowland Penny via samba > In chel di` si favelave... > > > > Strictly speaking, why winbind cache ''PAM'' data and not ''NSS'' > > > one (seems to me)? > > The problem is (for myself anyway), I do not understand the >

On Tue, 29 Jan 2019 18:47:45 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! Rowland Penny via samba > In chel di` si favelave... > > > Now this is what I do not understand, my understanding is that > > 'PAM' is used to find the correct authentication system and 'NSS' > > just connects to that authentication system. >

On Mon, 18 Dec 2017 15:51:47 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > > I've seen: > > https://wiki.samba.org/index.php/PAM_Offline_Authentication > > I've tried to enable offline logon, and seems to work as expected. > > I've only found a little strange thing, i think related to the fact > that in my DM i've set

Mandi! Rowland Penny via samba In chel di` si favelave... > Now this is what I do not understand, my understanding is that 'PAM' is > used to find the correct authentication system and 'NSS' just connects > to that authentication system. No. NSS, roughly, 'extend the user database': https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html

Mandi! L.P.H. van Belle via samba In chel di` si favelave... > What you show below is correct. > In linux, DOM\user != user I know. And i was using 'wbinfo', that, AFAIK query directly winbind and no POSIX stuff... > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on > [realms] > SAMDOM.EXAMPLE.COM = { > auth_to_local = RULE:[1:SAMDOM\$1] >

In my DC, without setting explicitly a 'winbind default domain', i can check logins domainless: root at vdcsv1:~# id gaio uid=10000(LNFFVG\gaio) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),11001(LNFFVG\sir),10999(LNFFVG\unixadm),3000008(LNFFVG\domain admins),3000005(LNFFVG\denied rodc password replication group),3000005(LNFFVG\denied rodc password replication

Hai Marco, If you dont need it, then you can remove it. And in addition to Rowland comment, i'll show how i use it. In reply to. >It is needed? AFAI've understood it means that users will have UNIX primary group the windows group >and not 'domain users', but reeally i don't need that... I'll explain how i use it and why, maybe its useable for you or others.

On Tue, 26 Sep 2017 12:49:26 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! L.P.H. van Belle via samba > In chel di` si favelave... > > > Im pretty sure this is a bug in the DC part. > > Ahem, sorry, but i'm lost in following this therad. I've hust setup my > test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package,

It looks from str(SA) that Response IPS1 is a data.frame of class "anova", which probably cannot be coerced to vector. Maybe you can use unlist() instead of as.vector() Or something like SA[["Response IPS1"]]["as.factor(WSD)",] ## to select the first row only, even maybe with unlist() Without a better REPRODUCIBLE example, I cannot tell more (maybe some others

Mandi! Rowland Penny via samba In chel di` si favelave... Sorry for the late answer. > I have Ubuntu 22.04 with Samba 4.15.13 running in a VM and it just works > for myself. Exactly the same, but on a real hardware. > Had the user 'gaio' logged in previously, it will not work if the user > hasn't logged in at least once before the network has disconnected. Sure!

Mandi! Rowland Penny via samba In chel di` si favelave... >> In samba the share is: > I wish people wouldn't do this, if you are going to post a share, > please post the global section as well. Sorry. # Global parameters [global] log file = /var/log/samba/log.%M map to guest = Bad User netbios aliases = CUPSSV FILESV HOMESV ntlm auth = mschapv2-and-ntlmv2-only panic

I was used, for users that leave my network, to disable the account but also ''sanitize'' the memberships, eg reset group membership to a default values (normally, 'domain users'). Clearly, using smbldap-tools in a NT domain was easy. How can achieve the same result in a samba AD domain? Seems that avaliable commands/tools (pdbedit, wbinfo, samba-tool) does not have this

I'm using samba 4.5 on a debian jessie (Louis packages). Rarely it happen that a power outgage tear down all the stuff, here. I've noticed that if the DM start before the DC, clearly all account data are inaccessible. To prevent or minimize that, the ''offline mode'' of winbind can be safely used also on DM servers? Or is tailoread against roaming client (portables,

On 22/05/2023 10:14, Marco Gaiarin via samba wrote: > Mandi! Rowland Penny via samba > In chel di` si favelave... > >> I would undo that, it appears to be wrong. > > OK, i've undo also i. > > >> I have tested this on a Ubuntu 22.04 computer and it works, so I have >> updated the wiki page: >>

I've not clear if is a squid or a samba/ntlm_auth trouble... indeed... In Squid i've added: auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=LNFFVG --require-membership-of='LNFFVG\Domain Users' auth_param ntlm children 5 but in 'cache.log' i got: Winbindd lookupname failed to resolve 'LNFFVG\Domain into a SID! Winbindd

Mandi! Rowland Penny via samba In chel di` si favelave... > > clearly, i've on [globals] 'map to guest = Bad User'. > That is how it is supposed to work, if a known user tries to use a > wrong password, the user is rejected. If the user is unknown, it is > mapped to the guest user (usually 'nobody') and allowed access to > shares where 'guest ok =

Mandi! Denis Cardon via samba In chel di` si favelave... > You can put your service accounts in an OU and add a GPO that deny > logon/services/tasks locally. Shortly come back. I've created a 'Restricted' OU, a 'Restricted' group (i'm short in fantasy, today ;) and i've created an 'mta' user, both user and group in 'Restricted' OU, of course.

On Mon, 24 Sep 2018 17:33:47 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! L.P.H. van Belle via samba > In chel di` si favelave... > > > I hope this helps you understanding your problem a bit more. > > See also: > > https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts > > No,