similar to: Automatically assigning uidNumber / gidNumber attributes

On 05.06.2019 22:40, Rowland penny via samba wrote: >> >> https://lists.samba.org/archive/samba/2019-June/223478.html >> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a >> gidNumber attribute." > Domain Admins is a group that must own files in Sysvol. Samba runs on Unix and groups cannot own files on Unix, so Domain Admins is

Am 07.06.2019 um 17:48 schrieb Rowland penny via samba: > On 07/06/2019 16:37, ?ukasz Michalski via samba wrote: >> On 05.06.2019 22:40, Rowland penny via samba wrote: >>>> >>>> https://lists.samba.org/archive/samba/2019-June/223478.html >>>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a >>>> gidNumber

> Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain Admins a group and a user. I looked on a brand new test DC (with nss-winbind), and it looks like it doesn't work right with winbind: root at dc1# ls -l /var/lib/samba/sysvol/ad-test.vx/Policies/ total 16 drwxrwx---+ 4 3000004 ADTEST\domain admins 4096 Jun 13 21:41 {31B2F340-016D-11D2-945F-00C04FB984F9}

On 05/06/2019 21:12, Jonathon Reinhart via samba wrote: > All, > > I'm working on a script to automatically assign uidNumber and gidNumber > attributes to users. I have a few questions: > > 1) Which users should be excluded from this assignment? Any you want to be visible to Unix > > I'm currently using this LDAP filter (simplified syntax used here): >

On 07/06/2019 16:37, ?ukasz Michalski via samba wrote: > On 05.06.2019 22:40, Rowland penny via samba wrote: >>> >>> https://lists.samba.org/archive/samba/2019-June/223478.html >>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a >>> gidNumber attribute." >> Domain Admins is a group that must own files in Sysvol.

On 11/06/2019 09:41, Christian via samba wrote: > Am 07.06.2019 um 17:48 schrieb Rowland penny via samba: >> On 07/06/2019 16:37, ?ukasz Michalski via samba wrote: >>> On 05.06.2019 22:40, Rowland penny via samba wrote: >>>>> https://lists.samba.org/archive/samba/2019-June/223478.html >>>>> In this post, Rowland said "Oh good, 'Domain

Hello, A user of my "adman" utility recently opened this issue [1]: "Add support for setting uidNumber for machine account" I was aware that computer accounts were also users in AD, but I hadn't considered assigning a uidNumber to them. It makes sense that winbind (in idmap="ad" mode) would not "see" the accounts with a uidNumber. Naturally, groups of

I have a script which carefully manages uidNumber and gidNumber attributes for users and groups. We just recently put it into production. I plan to release it as open source software soon -- and get Rowland's blessing :-) On Fri, Jun 21, 2019 at 3:42 AM Rowland penny via samba < samba at lists.samba.org> wrote: > On 21/06/2019 07:49, Pisch Tam?s via samba wrote: > > Hi, >

> > I was aware that computer accounts were also users in AD, but I hadn't > considered assigning a uidNumber to them. It makes sense that winbind > (in idmap="ad" mode) would not "see" the accounts with a uidNumber. > Naturally, groups of which the computer accounts are members would > need gidNumber assigned as well. This is interesting. I also have a

On Sun, Mar 3, 2019 at 5:14 AM Rowland Penny via samba <samba at lists.samba.org> wrote: [snip] > > Correct me if I'm wrong, but winbind (on a Samba DC) can **only** use > > "template homedir" and "template shell", and will not respect the RFC > > 2307 attributes in LDAP. Is that correct? > > Yes and no ;-) > > If you use the

On 16/07/2019 14:16, Jonathon Reinhart wrote: > On Tue, Jul 16, 2019 at 9:11 AM Rowland penny via samba > <samba at lists.samba.org> wrote: >> On 16/07/2019 14:02, Jonathon Reinhart wrote: >>> Rowland, >>> >>> You could go another step further and run that with "notify" to >>> monitor for changes, instead of having to run it in a cron

On 16/07/2019 16:40, Jonathon Reinhart wrote: > On Tue, Jul 16, 2019 at 9:32 AM Rowland penny via samba > <samba at lists.samba.org> wrote: >> On 16/07/2019 14:16, Jonathon Reinhart wrote: >>> On Tue, Jul 16, 2019 at 9:11 AM Rowland penny via samba >>> <samba at lists.samba.org> wrote: >>>> On 16/07/2019 14:02, Jonathon Reinhart wrote:

On Sun, Apr 7, 2019 at 2:17 PM Rowland Penny via samba < samba at lists.samba.org> wrote: > > On Sun, 7 Apr 2019 13:45:11 -0400 > Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote: > > > Interesting, I'm getting the same error using the LDB tools: > > > > ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H > >

Interesting, I'm getting the same error using the LDB tools: ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H ldap://localhost ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run return

Sorry to hop on an existing conversation but this seemed like a good point to jump in with this question. Say I have a service account, with a random password that is set to never expire. What component is expected to periodically renew (or request anew) the Kerberos TGT using that password? I see lots of information about SSSD handling this, but less so with Samba. Also, I understand that in

On 16/07/2019 14:02, Jonathon Reinhart wrote: > Rowland, > > You could go another step further and run that with "notify" to > monitor for changes, instead of having to run it in a cron job. In my > experience, "notify" works using smbclient, but not so with > libsmbclient. Problem is, the script is written to be run on DC's that do not hold the PDC

On Tue, 26 Mar 2019 07:37:54 -0400 Jonathon Reinhart via samba <samba at lists.samba.org> wrote: > I recently went through these steps from the wiki and took the > following notes which I had not yet shared / suggested for the wiki. > (This is from mobile, sorry for the terse message.) > > - You need to clear the idmap cache after copying idmap.ldb ("net > cache

Hello, I'm running a Samba DC on Debian 9 (version 4.5.12-Debian) in a lab environment, set up like this: https://jonathonreinhart.com/posts/blog/2019/02/11/setting-up-a-samba-4-domain-controller-on-debian-9/ I would now like to configure this server to enable login via domain credentials. I'm aware that the Samba wiki recommends the following: -

Hello, I'm trying to use the "notify" API of libsmbclient, testing against a Samba AD DC. The function is returning with errno=22 (mapped from NT_STATUS_REVISION_MISMATCH), and I'm getting the following error message: smb1cli_req_writev_submit: called for dialect[SMB3_11] server[dc1.example.com] It looks like libsmbclient is, for some reason, using SMB1 but needs to be

Hello, A client is asking about disabling, deleting or renaming the domain "Administrator" account on a Samba AD. I've seen this done on Windows AD domains for security purposes. Assuming the risk of being locked-out is mitigated (i.e. an equivalent user is created and is a member of the same groups), is there any reason this can't be done on a Samba AD as well? Is the