similar to: Little strangeness on dns-* account...

Displaying 20 results from an estimated 9000 matches similar to: "Little strangeness on dns-* account..."

2018 Dec 18
3
Little strangeness on dns-* account...
On Tue, 2018-12-18 at 18:50 +0000, Rowland Penny via samba wrote: > On Tue, 18 Dec 2018 19:13:16 +0100 > Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > > > > > > I've set up a script that scans non-disabled user base, base query: > > > > (&(objectClass=user)(!(objectClass=computer))(!(userAccountCont > >
2018 Dec 18
0
Little strangeness on dns-* account...
On Tue, 18 Dec 2018 19:13:16 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > I've set up a script that scans non-disabled user base, base query: > > (&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2))) > > and for every user I check the 'last password change' data value, > doing some thing
2018 Dec 19
1
Little strangeness on dns-* account...
The dns-COMPUTER-NAME "user" contains the dns/SPN so be very careful here and don't remove this user. Normally, you would have expected to have the DNS/spn on the serverObject in the AD. So imo yes, a small bug, but as Andrew told this is intended. Adding : isCriticalSystemObject: TRUE Should not be needed. What I would do here is, use the description field. ( DNS Service Account
2018 Dec 19
0
Little strangeness on dns-* account...
Hi! Andrew Bartlett via samba, on that day it was said... > > > isCriticalSystemObject: TRUE > > Not sure where that came from, both my dns-* users do not have that > > line > We probably should add it however.  ;-) Can I safely add this? > > No, it wouldn't be a good idea to disable them, not if you want > > BIND9_DLZ to work. [...] > For the
2019 Nov 18
1
Account locked and delayed user data propagation...
Hi! Rowland penny via samba, on that day it was said... > yes, Provided you use the right attribute to search on ;-) Ah! ;-) Just I'm here, I test three conditions in account flags, eg: UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" userAccountControl | grep "^userAccountControl: " | cut -d ' ' -f 2-)
2019 Nov 15
3
Account locked and delayed user data propagation...
I need to do some testing, but before hitting my head on a known wall, I ask here. My AD domain gets used (via PAM/Winbind) to give access to some other service, most notably here dovecot. When passwords expire (or users change them) the MUA tries the old password some times, then asks for a new password; users clearly get scared, press randomly 'OK' or 'Cancel', but if they press 2-3
2017 Oct 20
2
Some hint reading password expiration data...
In my current ''production'' NT-like domain (samba 4.2, OpenLDAP backend), password policies seem to ''get written'' to user data. EG, if I set: pdbedit -P "maximum password age" -C 7776000 and I change my password, 'Password must change' has a meaningful value, eg 90 days more than the last password change: root at armitage:~# pdbedit -v
2019 Jul 18
2
messy replication
On 17/07/19 16:22, Rowland penny via samba wrote: > I don't think there is a 'best way'. This used to come up fairly often > in the early days of Samba AD, I think all you can do is to search in > sam.ldb and remove any mention of the old DC, but DO NOT alter the > files under sam.ldb.d, reading this might help: > >
2019 Dec 06
2
Account locked and delayed user data propagation...
Hi! Rowland penny via samba, on that day it was said... > You cannot create an ldap filter using the above, you would have to filter > the result of the ldap search. I can confirm: root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed # record 1 dn:
2020 Nov 22
2
Dovecot+Samba AD - authentication failure
Hi, I have setup samba4 as AD and hoping to have dovecot authenticate users against it. I am facing challenges though and I am unable to figure it out. I could do with a third eye to help me spot what is wrong. root at adc0:/etc# doveadm auth test -x service=imap odhiambo at newideatest.local Password: passdb: odhiambo at newideatest.local auth failed extra fields: temp Warning: auth-client:
2014 Mar 10
1
LDAP Queries
Guys needing some help with LDAP queries against samba4 this command works against MS AD's LDAP (&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) but with samba4 I get C:\Users\Administrator>dsquery * --filter (&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) I get the
2023 Oct 28
1
query account expired state
On Sat, 28 Oct 2023 13:50:31 +0200 Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> I consider this a big security omission: if Samba is the source of > >> information but not the authenticator of the user, that > >> application cannot block expired users ! > > But, Samba when running as an AD DC is the source of information AND >
2016 May 10
2
NT_STATUS_INVALID_SID in a SDC
Hi All I have a running SAMBA PDC on Debian Jessie on a PowerPC. I have backported Samba 4.3.18 and is working well. I have installed a SDC (if I may use that name) on a different network, the same version of Samba but on a Debian Jessie on AMD64. I followed every instruction in https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory. So every test
2019 Jul 18
2
messy replication
On 18/07/19 11:42, Rowland penny via samba wrote: > Well, 'dns-dc2' is the user for Bind9 on dc2, so you shouldn't try to > create it yourself. > > Easiest way will be to remove all mention of the dead DC, then use > 'samba_upgradedns' to upgrade to the internal dns server, then run it > again to upgrade to Bind9 again, this will create the required user
2017 Feb 13
2
Users list and the date the password will expire
"userAccountControl:1.2.840.113556.1.4.803:=2" Sorry, I cannot read the Matrix. ;) Ole On 13.02.2017 17:19, Rowland Penny via samba wrote: > On Mon, 13 Feb 2017 16:46:12 +0100 > Ole Traupe via samba <samba at lists.samba.org> wrote: > > You could always replace: > >> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))"
2017 Oct 04
2
Script to reset group memberships...
Hi! Rowland Penny via samba, on that day it was said... > Ah, you said disable, when you meant 'delete' No, I meant exactly 'disabled'. Try to be clearer: a) I cannot delete accounts, at least for years, because local law mandates accountability, and so I need SID/UID. OK, I can save SID/UID elsewhere, but... b) I want to ''reset'' group membership
2023 Oct 28
1
query account expired state
On 28-10-2023 at 13:22, Rowland Penny via samba wrote: > On Sat, 28 Oct 2023 11:54:34 +0200 > Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> On 28-10-2023 at 09:37, Rowland Penny via samba wrote: >>> On Fri, 27 Oct 2023 23:48:22 +0200 >>> Kees van Vloten via samba <samba at lists.samba.org> wrote: >>> >>>> Hi
2023 Oct 28
1
query account expired state
On 28-10-2023 at 14:21, Rowland Penny via samba wrote: > On Sat, 28 Oct 2023 13:50:31 +0200 > Kees van Vloten via samba <samba at lists.samba.org> wrote: > >>>> I consider this a big security omission: if Samba is the source of >>>> information but not the authenticator of the user, that >>>> application cannot block expired users !
2023 Aug 24
1
samba-tool user disable doesn't change any object attributes?
On Thu, 24 Aug 2023 21:12:38 +0800 Reese Wang via samba <samba at lists.samba.org> wrote: > I used `samba-tool user disable testuser` to disable a user and > `samba-tool user show testuser` to display the user object and found > nothing was changed. And I can still get the user using filter >
2019 Nov 14
2
Dovecot Master User: Access user's mailbox without owner's password
Hi, I hope you're all right. I describe below the scenario where the problem occurs. I'm trying to activate a master user [1] to be able to access all the boxes of all users by imap. I have configured the dovecot-master-users [2] file with the appropriate permissions. When I try to access, for example with roundcube, through user at mydomain.com*my_master_user at not-exist.com I see in the