similar to: Recommended backup procedure for standalone samba file server configuration?

Dear samba-list, please disregard my previous post. Since posting I have found a way to avoid the need to create a dedicated AD service account purely to allow Redmine to authenticate via LDAPS and AD. This neatly circumvents my original issue and is much more secure to boot. For future Redmine users googling, refer to this document here:

Hi Samba documentation admins, one of the the examples given on this page https://wiki.samba.org/index.php/User_and_Group_management is incorrect and probably should be updated. The snippet of code in question: $ samba-tool user add fbaggins    --random-password --use-username-as-cn    --surname="Baggins" --given-name="Frodo"    --initials=S --mail-address=fbaggins at

Hi everyone, just tried executing wbinfo -u and wbinfo -g on a particular Samba domain member that is acting as a file server in my setup. Much to my surprise i did not see the list of users or groups that I would normally expect to see outputted from these commands. Instead both commands just exited and returned no output. I have already tried restarting winbind, smbd, and nmbd on the domain

To be honest, the 'Dynamic Bind' method doesn't seem that secure to me, anybody could 'pretend' to be someone else. Rowland True! I agree with you Rowland that is a weakness. Unfortunately that is a universal weakness shared by all password-based authentication methods. I guess you would have to go with SSH-style encryption keys and certificates to circumvent that problem

Hi all, I have a couple of Samba 4 DCs on my network and I created a new service account LDAPReader on my DCs that my non-Samba third-party services such as Redmine successfully use to access AD via the LDAPS protocol. I have a couple of questions that relate to having service account of this nature implemented in Samba and I wondered if the group could possibly provide some advice? 1)

Hi everyone, i've just been following the instructions about setting up a Samba domain member as a file shares. I am using Samba version 4.5.16-Debian (yes its old, but i'm stuck with it for now ;) ) and I have been following the official Samba documentation found here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs I just wanted to give you a heads up, I am

On Fri, 22 Mar 2019 16:37:23 +0000 Stephen <stephen at ogdenradar.com> wrote: > Thanks for taking a look Roland, and I appreciate your comments > regarding your scripts. I am not a professional sysadmin so there > likely is stuff there that the grizzled unix veterans on this list > will find a little odd  :) > > I just restarted samba on ad2 as per your suggestion and I

I have a general question regarding smb.conf and I was hoping that some of the rather more knowledgeable and experienced people here could please comment please? I am currently setting my various SAMBA systems up via some shell-scripts. Within these scripts, I remove the stock smb.conf shipped with Samba and replace this with an empty smb.conf file to which I add my own configuration options

Hi everyone, I am using Samba 4.5.16-Debian on Raspbian and thanks to the help offered by everyone here I now finally have a mostly-working Active Directory network. I am now at the stage of creating inidividual user accounts for my domain and unfortunately I have a very basic but fundamental problem! I currently enter the following input at the command-line to create a new user on my DC: pi

Hi everyone, I am running Samba 4.5.16-Debian on Raspbian OS and I am currently attempting to deploy the provided samba-backup.sh script within my existing SAMBA installation to implement disaster recovery on my AD DC servers. Following the documentation provided here https://wiki.samba.org/index.php/Using_the_samba_backup_script I have so far managed a partial success on my backup: pi at

Patches supporting GSSAPI Key Exchange in OpenSSH 4.3p2 are now available from http://www.sxw.org.uk/computing/patches/openssh.html These patches add support for performing GSSAPI key exchange to the OpenSSH client and server. Whilst OpenSSH contains support for using GSSAPI in the user authentication step, this is inadequate for many sites, as it doesn't provide a mechanism for using

Go on, I give in, what is wrong with the official Samba documentation? Off the top of my head: 1) Your (ie Samba project) docs are structured a little poorly and actually pretty hard to follow - eg a single article describes setting up Samba both with SAMBA_INTERNAL and BIND which is confusing. Two separate articles, one on each topic would be better! 2) Despite being the official

On Wed, 10 Apr 2019 15:21:13 +0100 Stephen via samba <samba at lists.samba.org> wrote: > Hi all, I have a couple of Samba 4 DCs on my network and I created a > new service account LDAPReader on my DCs that my non-Samba > third-party services such as Redmine successfully use to access AD > via the LDAPS protocol. > > I have a couple of questions that relate to having

On Wed, 10 Apr 2019 16:25:47 +0100 Stephen via samba <samba at lists.samba.org> wrote: > To be honest, the 'Dynamic Bind' method doesn't seem that secure to > me, anybody could 'pretend' to be someone else. > > Rowland > > True! I agree with you Rowland that is a weakness. Unfortunately that > is a universal weakness shared by all password-based

On Fri, 3 May 2019 10:45:43 +0100 Stephen via samba <samba at lists.samba.org> wrote: > Hi Samba documentation admins, one of the the examples given on this > page https://wiki.samba.org/index.php/User_and_Group_management is > incorrect and probably should be updated. > > The snippet of code in question: > > $ samba-tool user add fbaggins >

Rowland - good news - the instructions in that document you suggested appear to have made all the difference! Now I find that if I do: pi at ad2:~ $ sudo systemctl restart samba-ad-dc pi at ad2:~ $ sudo samba-tool drs showrepl Default-First-Site-Name\AD2 DSA Options: 0x00000001 DSA object GUID: e676dfc3-670d-46bb-b1f7-756bae990a30 DSA invocationId: b7fb9a73-a5c5-4672-9d0f-83e0323f9f3b ====

As always, posting your smb.conf might help. Oops forgot, thanks Rowland: pi at fs1:~ $ cat /etc/samba/smb.conf [global]         username map = /etc/samba/user.map         workgroup = samdom         realm = samdom.example.com         netbios name = fs1         security = ADS idmap config * : backend = tdb idmap config *: range = 3000-7999 idmap config SAMDOM:backend = ad idmap config

Hi All, This Samba release changelog (https://wiki.samba.org/index.php/Updating_Samba#Incorrect_TLS_File_Permissions) specifically mentions a security issue and that that the multiple *.pem files needed for LDAP via TLS all need "special permissions" - and mentions to delete old files without the required permissions to force file renewal. Yet in the official Samba documentation

Hi Rowland, thanks for your suggestions. I have read and re-read the Samba docs to try and understand where I went wrong here. I added the uidNumber and gidNumber exactly as per your comments and that seems to improve the situation markedly. I can now at least see that the share exists from SAMDOM\stephenellwood which wasn't possible before. File access is now possible from

What the password is, is in the output on you screen, if not, then script it. kinit Administrator # function random password. RANDOMPASSWD(){ < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-16};echo; } # Pull a random into USERPASS USERPASS="$(RANDOMPASSWD)" # And create your user. sudo samba-tool user create "$USERNAME" --given-name="$GIVENNAME"