Displaying 20 results from an estimated 8000 matches similar to: "Little strangeness on dns-* account..."
2018 Dec 18
3
Little strangeness on dns-* account...
On Tue, 2018-12-18 at 18:50 +0000, Rowland Penny via samba wrote:
> On Tue, 18 Dec 2018 19:13:16 +0100
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> >
> >
> > I've setup a script that scan non-disabled user base, base query:
> >
> > (&(objectClass=user)(!(objectClass=computer))(!(userAccountCont
> >
2018 Dec 18
0
Little strangeness on dns-* account...
On Tue, 18 Dec 2018 19:13:16 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> I've setup a script that scan non-disabled user base, base query:
>
> (&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
>
> and for every user i check the 'last password change' data value,
> doing some thing
2018 Dec 19
1
Little strangeness on dns-* account...
The dns-COMPUTER-NAME "user" contains the dns/SPN so be very carefull here and dont remove this user.
Normaly, you would have exected to have the DNS/spn on the serverObject in the AD.
So imo yes, a small bug, but as Andrew told this is intended.
Adding : isCriticalSystemObject: TRUE
Should not be needed.
What i would do here is, use the description field. ( DNS Service Account
2018 Dec 19
0
Little strangeness on dns-* account...
Mandi! Andrew Bartlett via samba
In chel di` si favelave...
> > > isCriticalSystemObject: TRUE
> > Not sure where that came from, both my dns-* users do not have that
> > line
> We probably should add it however. ;-)
Can i safely add this?
> > No, it wouldn't be good idea to disable them, not if you want
> > BIND9_DLZ to work.
[...]
> For the
2019 Nov 18
1
Account locked and delayed user data propagation...
Mandi! Rowland penny via samba
In chel di` si favelave...
> yes, Provided you use the right attribute to search on ;-)
Ah! ;-)
Just i'm here, i test three condition in account flags, eg:
UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" userAccountControl | grep "^userAccountControl: " | cut -d ' ' -f 2-)
2019 Jul 18
2
messy replication
On 17/07/19 16:22, Rowland penny via samba wrote:
> I don't think there is a 'best way'. This used to come up fairly often
> in the early days of Samba AD, I think all you can do is to search in
> sam.ldb and remove any mention of the old DC, but DO NOT alter the
> files under sam.ldb.d, reading this might help:
>
>
2023 Oct 28
1
query account expired state
On Sat, 28 Oct 2023 13:50:31 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >> I consider this a big security omission: if? Samba is the source of
> >> information but not the the authenticator of the user, that
> >> application cannot block expired users !
> > But, Samba when running as an AD DC is the source of information AND
>
2019 Jul 18
2
messy replication
On 18/07/19 11:42, Rowland penny via samba wrote:
> Well, 'dns-dc2' is the user for Bind9 on dc2, so you shouldn't try to
> create it yourself.
>
> Easiest way will be to remove all mention of the dead DC, then use
> 'samba_upgradedns' to upgrade to the internal dns server, then run it
> again to upgrade to Bind9 again, this will create the required user
2019 Nov 15
3
Account locked and delayed user data propagation...
I need to do some testing, but before to hit by head on a known wall, i
ask here.
My AD domain get used (via PAM/Winbind) to give access to some other
dervice, most notably here dovecot.
When password expire (or users change it) the MUA try the old password
some times, then ask for a new password; users cleraly get scared,
press randomly 'OK' or 'Cancel', but if they press 2-3
2016 May 10
2
NT_STATUS_INVALID_SID in a SDC
Hi All
I have a running SAMBA PDC on Debian Jessie on a PowerPC. I have
backported Samba 4.3.18 and is working well.
I have installed a SDC (if I may use that name) on a different network,
the same version of Samba but on a Debian Jessie on AMD64. I followed
every instruction in
https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory.
So every test
2017 Feb 13
2
Users list and the date the password will expire
"userAccountControl:1.2.840.113556.1.4.803:=2"
Sorry, I cannot read the Matrix. ;)
Ole
On 13.02.2017 17:19, Rowland Penny via samba wrote:
> On Mon, 13 Feb 2017 16:46:12 +0100
> Ole Traupe via samba <samba at lists.samba.org> wrote:
>
> You could always replace:
>
>> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))"
2017 Oct 20
2
Some hint reading password expiration data...
In my current ''production'' NT-like domain (samba 4.2, OpenLDAP
backend), password policies seems to ''get written'' to user data.
EG, if i set:
pdbedit -P "maximum password age" -C 7776000
and i change my password, 'Password must change' have a meningful value,
eg 90 days more then the last password change:
root at armitage:~# pdbedit -v
2023 Oct 28
1
query account expired state
Op 28-10-2023 om 13:22 schreef Rowland Penny via samba:
> On Sat, 28 Oct 2023 11:54:34 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> Op 28-10-2023 om 09:37 schreef Rowland Penny via samba:
>>> On Fri, 27 Oct 2023 23:48:22 +0200
>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi
2020 Nov 22
2
Dovecot+Samba AD - authentication failure
Hi,
I have setup samba4 as AD and hoping to have dovecot authenticate users
against it. I am facing challenges though and I am unable to figure it out.
I could do with a third eye to help me spot what is wrong.
root at adc0:/etc# doveadm auth test -x service=imap odhiambo at newideatest.local
Password:
passdb: odhiambo at newideatest.local auth failed
extra fields:
temp
Warning: auth-client:
2015 May 10
2
bind fails to start w/missing records
Roland,
Thank you very much for your attention to this. You should get a medal for
all the help you give everyone on this list.
On Sun, 10 May 2015, Rowland Penny wrote:
> Why ? And why don't they show up when you ask for the zones with samba-tool ?
I have that many subnets. As for why they don't show up: they are defined
in BIND's configuration and not samba's; they never
2014 Mar 10
1
LDAP Queries
Guys
needing some help with LDAP queries against samba4
this command works against MS AD's LDAP
(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
but
with samba4 I get
C:\Users\Administrator>dsquery * --filter
(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
I get the
2023 Oct 28
1
query account expired state
Op 28-10-2023 om 14:21 schreef Rowland Penny via samba:
> On Sat, 28 Oct 2023 13:50:31 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>>>> I consider this a big security omission: if? Samba is the source of
>>>> information but not the the authenticator of the user, that
>>>> application cannot block expired users !
2023 Jun 11
1
Unable to contact RPC server on a new DC
Hello Andrew Bartlett,
Friday, June 9, 2023, 11:25:01 PM, you wrote:
> On Thu, 2023-06-08 at 13:41 +0300, Andrey Repin via samba wrote:
>> Greetings, All!
>>
>> I've added a new DC to the working AD, transferred FSMO roles
>> (checked, all 7
>> are ok') and (supposedly) correctly demoted the old DC.
>>
>> SchemaMasterRole owner: CN=NTDS
2023 Aug 24
1
samba-tool user disable doesn't change any object attributes?
On Thu, 24 Aug 2023 21:12:38 +0800
Reese Wang via samba <samba at lists.samba.org> wrote:
> I used `samba-tool user disable testuser` to disable a user and
> `samba-tool user show testuser` to display the user object and found
> nothing was changed. And I can still get the user using filter
>
2023 Oct 28
1
query account expired state
On Sat, 28 Oct 2023 16:22:23 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> Op 28-10-2023 om 14:21 schreef Rowland Penny via samba:
> > On Sat, 28 Oct 2023 13:50:31 +0200
> > Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >
> >>>> I consider this a big security omission: if? Samba is the source
>