Displaying 20 results from an estimated 20000 matches similar to: "prevent ldap bind for specific user"
2019 Dec 03
3
prevent ldap bind for specific user
Hi Rowland,
Thanks!
On 3-12-2019 16:32, Rowland penny via samba wrote:
> How about using the userAccountControl attribute ?
>
> Add 2 to it and the account becomes disabled and a disabled account
> cannot authenticate to AD
But the accounts still needs to be able to logon to certain (a specific
list of) workstations...
A disabled account can not logon at all.
MJ
2015 Jan 23
3
Multiple attributes
Hi Mourik
Thanks for your reply, any other attribute which we can duplicate?
Br.
Umar
On Fri, Jan 23, 2015 at 1:47 PM, mourik jan heupink - merit <
heupink at merit.unu.edu> wrote:
> Hi,
>
> In AD, the attribute mail can only exist once.
>
> MJ
>
> On 01/23/2015 05:27 AM, Umar Draz wrote:
>
>> Hi All
>>
>> I am trying to create a user in SAMBA 4
2017 Jul 20
4
application specific passwords
Hi,
Further to the other thread about password guessing activities against
our dovecot, I would like to implement application specific passwords on
our dovecot.
Googling results in some documents, but they are all a bit older:
> https://www.happyassassin.net/2014/08/26/adding-application-specific-passwords-to-dovecot-when-using-system-user-accounts/
>
2019 Mar 08
1
AD ldap, filter to exclude various kinds of expired, disabled etc etc users
Hi,
I was revising our AD ldap user_filter and pass_filter to exclude more
types of expired / disabled accounts.
I started adding things like:
> (&(objectclass=person)(sAMAccountName=%n)(!(useraccountcontrol=514))(!(useraccountcontrol=546))(!(useraccountcontrol=66050))(!(useraccountcontrol=8388608)))
but then I thought, why not simply do:
>
2015 Jan 23
2
Multiple attributes
Hi All
I am trying to create a user in SAMBA 4 AD with ldapadd, but it's not allowing
me to add multiple mail attributes, here is my ldif of user.
dn: CN=ayesha,CN=Users,DC=samba4pdc,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ayesha
name: ayesha
sAMAccountName: ayesha
userPrincipalName: Ayesha Umar
objectCategory:
2016 Dec 31
2
two listeners with different "driver = " configs
It's very difficult at least. I can't instantly think any sensible way forward, but you might be able to get somewhere using %a variable.
Aki
> On December 31, 2016 at 11:38 AM mj <lists at merit.unu.edu> wrote:
>
>
> Hi,
>
> Does the lack of replies mean that what I'm asking is not possible?
>
> (or am I missing something SO obvious that nobody
2018 Mar 21
2
why is dovecot "Allowing any password"
Hi,
I noticed the following in the logs of our debian wheezy server:
> Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): bind search: base=CN=Users, DC=samba, DC=company, DC=com filter=(&(objectclass=person)(sAMAccountName=username)(!(userAccountControl=514)))
> Mar 21 07:13:47 mail dovecot: auth: Debug:
2017 Jan 01
2
two listeners with different "driver = " configs
Or, maybe it is the holidays and people actually have a life?
On December 31, 2016 4:38:53 AM EST, mj <lists at merit.unu.edu> wrote:
>Hi,
>
>Does the lack of replies mean that what I'm asking is not possible?
>
>(or am I missing something SO obvious that nobody bothers to point it
>out..?)
>
>MJ
>
>On 12/29/2016 09:23 PM, mj wrote:
>> Hi,
>>
2017 Oct 16
5
possible to use ldbedit in a safe way
On 10/16/2017 11:13 AM, Rowland Penny via samba wrote:
> On Mon, 16 Oct 2017 16:53:17 +0200
> mj via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> dbcheck tells us we have two "dangling forward links" that I am
>> trying to get rid of. On my test domain, I have simply done
>>
>> ldbedit -e nano -H
2017 Dec 04
2
Howto authenticate smartPhone via Active Directory
Hi Mark,
Just to let you know that we are running dovecot with AD. (and I guess:
*many* people are running that combination)
It worked without issues, we are using in dovecot-ldap.conf.ext:
> auth_bind = yes
this user/passwd filter:
> = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
> dn = cn=search_dovecit,cn=users,dc=company,dc=com
> dnpass =
2017 Jun 14
4
question on password server =
Hi,
I would like to ask how exactly the "password server =" smb.conf option
works. The man pages say that the option is to "restrict Samba to to do
all its username/password validation using a specific remote server"
I know that we should normally leave it empty, to have samba
auto-discover the DCs. But my question is:
Suppose it's defined it like:
> password
2020 Oct 23
1
net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
Hi!
You can ignore it, or you can change the socket permissions to 0666.
service stats {
  unix_listener stats-writer {
    mode = 0666
  }
}
Aki
> On 23/10/2020 17:52 mj <lists at merit.unu.edu> wrote:
>
>
> Hi,
>
> Nobody?
>
> It happens so rarely, and the system appears to be running fine
> otherwise, should I just ignore it?
>
> Still
2016 Dec 29
5
two listeners with different "driver = " configs
Hi,
I would like to have two separate imap listeners, with different
authentication settings, but the mailstore and userbase etc will be
identical.
I know I can do this:
> service imap-login {
>   inet_listener imap {
>     port = 143
>   }
>   inet_listener imap2 {
>     port = 144
>   }
> }
But I'm unsure how to configure imap/143 with "driver =
2014 Mar 19
2
multiple dns forwarders
Hi,
To make our AD more robust, I'd like to provide more than one dns
forwarder, like for example:
dns forwarder = 8.8.8.8 8.8.4.4
However, this seems to break dns resolution completely (and without
logging errors in the logs!):
# Host test.com not found: 3(NXDOMAIN)
With only one forwarder things work:
$ test.com has address 208.64.121.161
Am I really allowed to specify only one
2017 Dec 06
1
Howto authenticate smartPhone via Active Directory
On Tue, 5 Dec 2017 16:42:15 +0100 mj <lists at merit.unu.edu> wrote:
> Hi,
>
> Not much time to reply now.
>
> On 12/05/2017 05:21 AM, Mark Foley wrote:
> > mj - thanks! That's the first useful example I've received from any forum/list. I'm getting ready
> > to try my config (have to do so after hours), but I have some probably simple-minded questions:
>
2016 Jun 06
2
office 365
https://technet.microsoft.com/en-us/magazine/jj631606.aspx
goes through the steps I remember taking in a windows environment. As you
can see step 2 is to install ADFS this is what would need emulated with
some web server.
So I will try and google ADFS on apache or nginx or linux. I'll let you
know if I find anything interesting.
On Mon, Jun 6, 2016 at 1:53 PM, Jeff Sadowski <jeff.sadowski
2017 Jun 15
6
question on password server =
On Thu, 15 Jun 2017 10:14:45 +0200
mj via samba <samba at lists.samba.org> wrote:
> Nobody knows..?
>
> Or my question is unclear..?
>
OK, whilst it is recommended to use 'password server = *' you can use a
list of servers instead. I personally do not see the point of setting
it as you are proposing, surely it is just the same as using '*' ?
I am also
2017 Oct 10
2
samba getting stuck, highwatermark replication issue?
Hi James,
Thanks for the quick reply.
On 10/09/2017 08:52 PM, lingpanda101 via samba wrote:
> You should be able to fix the 'replPropertyMetaData' errors with;
>
> samba-tool dbcheck --cross-ncs --fix --yes
> 'fix_replmetadata_unsorted_attid'
Yep, worked great! Fixed all of those replPropertyMetaData errors! :-)
> The highwatermark doesn't necessarily
2020 May 26
5
identify 143 vs 993 clients
Hi,
On 25/05/2020 23:04, Voytek wrote:
> jumping here with a question, if I use 143 with STARTTLS, and, force
> TLS/SSL in configuration, that's equivalent from security POV, isn't
> it? and, same for 110 STARTTLS? Or am I missing something?
Interesting point, after some googling, I think you are right, and as
long as we have set "disable_plaintext_auth = yes" (and we
2016 Jul 31
2
any news Enterprise Repository Access?
Hi,
On 07/31/2016 04:36 PM, aki.tuomi at dovecot.fi wrote:
> We are discussing about making ce repos at some point. This would probably help some people.
>
> Aki
We're following this thread with interest. What exactly is a "ce
repository"?
(google doesn't help)
MJ