similar to: Little strangeness on dns-* account...

2018 Dec 18
3
Little strangeness on dns-* account...
On Tue, 2018-12-18 at 18:50 +0000, Rowland Penny via samba wrote: > On Tue, 18 Dec 2018 19:13:16 +0100 > Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > > > > > > I've setup a script that scan non-disabled user base, base query: > > > > (&(objectClass=user)(!(objectClass=computer))(!(userAccountCont > >
2018 Dec 18
0
Little strangeness on dns-* account...
On Tue, 18 Dec 2018 19:13:16 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > I've setup a script that scan non-disabled user base, base query: > > (&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2))) > > and for every user i check the 'last password change' data value, > doing some thing
2018 Dec 19
1
Little strangeness on dns-* account...
The dns-COMPUTER-NAME "user" contains the dns/SPN so be very careful here and don't remove this user. Normally, you would have expected to have the DNS/spn on the serverObject in the AD. So imo yes, a small bug, but as Andrew told this is intended. Adding : isCriticalSystemObject: TRUE Should not be needed. What i would do here is, use the description field. ( DNS Service Account
2018 Dec 19
0
Little strangeness on dns-* account...
Mandi! Andrew Bartlett via samba In chel di` si favelave... > > > isCriticalSystemObject: TRUE > > Not sure where that came from, both my dns-* users do not have that > > line > We probably should add it however.  ;-) Can i safely add this? > > No, it wouldn't be good idea to disable them, not if you want > > BIND9_DLZ to work. [...] > For the
2019 Nov 18
1
Account locked and delayed user data propagation...
Mandi! Rowland penny via samba In chel di` si favelave... > yes, Provided you use the right attribute to search on ;-) Ah! ;-) Just i'm here, i test three condition in account flags, eg: UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" userAccountControl | grep "^userAccountControl: " | cut -d ' ' -f 2-)
2019 Jul 18
2
messy replication
On 17/07/19 16:22, Rowland penny via samba wrote: > I don't think there is a 'best way'. This used to come up fairly often > in the early days of Samba AD, I think all you can do is to search in > sam.ldb and remove any mention of the old DC, but DO NOT alter the > files under sam.ldb.d, reading this might help: > >
2019 Jul 18
2
messy replication
On 18/07/19 11:42, Rowland penny via samba wrote: > Well, 'dns-dc2' is the user for Bind9 on dc2, so you shouldn't try to > create it yourself. > > Easiest way will be to remove all mention of the dead DC, then use > 'samba_upgradedns' to upgrade to the internal dns server, then run it > again to upgrade to Bind9 again, this will create the required user
2016 May 10
2
NT_STATUS_INVALID_SID in a SDC
Hi All I have a running SAMBA PDC on Debian Jessie on a PowerPC. I have backported Samba 4.3.18 and is working well. I have installed a SDC (if I may use that name) on a different network, the same version of Samba but on a Debian Jessie on AMD64. I followed every instruction in https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory. So every test
2020 Nov 22
2
Dovecot+Samba AD - authentication failure
Hi, I have setup samba4 as AD and hoping to have dovecot authenticate users against it. I am facing challenges though and I am unable to figure it out. I could do with a third eye to help me spot what is wrong. root at adc0:/etc# doveadm auth test -x service=imap odhiambo at newideatest.local Password: passdb: odhiambo at newideatest.local auth failed extra fields: temp Warning: auth-client:
2014 Mar 10
1
LDAP Queries
Guys needing some help with LDAP queries against samba4 this command works against MS AD's LDAP (&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) but with samba4 I get C:\Users\Administrator>dsquery * --filter (&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) I get the
2015 May 10
2
bind fails to start w/missing records
Roland, Thank you very much for your attention to this. You should get a medal for all the help you give everyone on this list. On Sun, 10 May 2015, Rowland Penny wrote: > Why ? And why don't they show up when you ask for the zones with samba-tool ? I have that many subnets. As for why they don't show up: they are defined in BIND's configuration and not samba's; they never
2019 Nov 15
3
Account locked and delayed user data propagation...
I need to do some testing, but before to hit my head on a known wall, i ask here. My AD domain get used (via PAM/Winbind) to give access to some other service, most notably here dovecot. When password expire (or users change it) the MUA try the old password some times, then ask for a new password; users clearly get scared, press randomly 'OK' or 'Cancel', but if they press 2-3
2023 Jun 11
1
Unable to contact RPC server on a new DC
Hello Andrew Bartlett, Friday, June 9, 2023, 11:25:01 PM, you wrote: > On Thu, 2023-06-08 at 13:41 +0300, Andrey Repin via samba wrote: >> Greetings, All! >> >> I've added a new DC to the working AD, transferred FSMO roles >> (checked, all 7 >> are ok') and (supposedly) correctly demoted the old DC. >> >> SchemaMasterRole owner: CN=NTDS
2017 Feb 13
2
Users list and the date the password will expire
"userAccountControl:1.2.840.113556.1.4.803:=2" Sorry, I cannot read the Matrix. ;) Ole On 13.02.2017 17:19, Rowland Penny via samba wrote: > On Mon, 13 Feb 2017 16:46:12 +0100 > Ole Traupe via samba <samba at lists.samba.org> wrote: > > You could always replace: > >> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))"
2017 Oct 20
2
Some hint reading password expiration data...
In my current ''production'' NT-like domain (samba 4.2, OpenLDAP backend), password policies seems to ''get written'' to user data. EG, if i set: pdbedit -P "maximum password age" -C 7776000 and i change my password, 'Password must change' have a meaningful value, eg 90 days more than the last password change: root at armitage:~# pdbedit -v
2023 Oct 28
1
query account expired state
On Sat, 28 Oct 2023 13:50:31 +0200 Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> I consider this a big security omission: if Samba is the source of > >> information but not the authenticator of the user, that > >> application cannot block expired users ! > > But, Samba when running as an AD DC is the source of information AND >
2023 Aug 24
1
samba-tool user disable doesn't change any object attributes?
On Thu, 24 Aug 2023 21:12:38 +0800 Reese Wang via samba <samba at lists.samba.org> wrote: > I used `samba-tool user disable testuser` to disable a user and > `samba-tool user show testuser` to display the user object and found > nothing was changed. And I can still get the user using filter >
2019 Nov 14
2
Dovecot Master User: Access user's mailbox without owner's password
Hi, I hope you're all right. I describe below the scenario where the problem occurs. I'm trying to activate a master user [1] to be able to access all the boxes of all users by imap. I have configured the dovecot-master-users [2] file with the appropriate permissions. When I try to access, for example with roundcube, through user at mydomain.com*my_master_user at not-exist.com I see in the
2017 Feb 13
2
Users list and the date the password will expire
Quick addendum: I just stumbled upon abandoned accounts receiving "password expired" notifications forever, even if they get disabled subsequently (by me). It might be helpful to include this in the script: uAC_string=$(ldbsearch --url="${LDBDB}" -b "${domainDN}" -s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))"
2023 Aug 24
1
samba-tool user disable doesn't change any object attributes?
I used `samba-tool user disable testuser` to disable a user and `samba-tool user show testuser` to display the user object and found nothing was changed. And I can still get the user using filter (&(objectClass=user)(sAMAccountName=testuser)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) Shouldn't `samba-tool user disable` change userAccountControl to 2 or something?