similar to: samba-tool user disable doesn't change any object attributes?

On Thu, 24 Aug 2023 21:12:38 +0800 Reese Wang via samba <samba at lists.samba.org> wrote: > I used `samba-tool user disable testuser` to disable a user and > `samba-tool user show testuser` to display the user object and found > nothing was changed. And I can still get the user using filter >

Ah I understand the 512 + 2 thing. But the userAccountControl is still 512 after I run `samba-tool user disable` Rowland Penny via samba <samba at lists.samba.org> ?2023?8?24??? 21:38??? > > On Thu, 24 Aug 2023 21:12:38 +0800 > Reese Wang via samba <samba at lists.samba.org> wrote: > > > I used `samba-tool user disable testuser` to disable a user and > >

Dear list, I am trying to restore an deleted user object with samba 4.9.1 (sernet packages).  I am aware that the object will lose some attributes without recycle bin enabled (enabling it is still not recommended, right?) I tried to rename the object in order to make the  necessary modifications afterward (as documented in Stefan Kania's Samba 4 book). But ldbrename already fails. root

"userAccountControl:1.2.840.113556.1.4.803:=2" Sorry, I cannot read the Matrix. ;) Ole On 13.02.2017 17:19, Rowland Penny via samba wrote: > On Mon, 13 Feb 2017 16:46:12 +0100 > Ole Traupe via samba <samba at lists.samba.org> wrote: > > You could always replace: > >> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))"

Hi, I have setup samba4 as AD and hoping to have dovecot authenticate users against it. I am facing challenges though and I am unable to figure it out. I could do with a third eye to help me spot what is wrong. root at adc0:/etc# doveadm auth test -x service=imap odhiambo at newideatest.local Password: passdb: odhiambo at newideatest.local auth failed extra fields: temp Warning: auth-client:

Further test, after restarting samba, showed the userAccountControl changed to 514 as expected. Weird...

Hi, i sync the passwords from samba to other backends using "samba-tool user syncpasswords" On my operative system (samba 4.10 and python2) all works fine. I upgraded my test-DC to samba 4.11 and python3 and now the samba-tool user syncpasswords --daemon crashes. Fri Oct 4 12:29:47 2019: pid[983]: Attached to logfile[/usr/local/samba/var/log.syncpw] Fri Oct 4 12:29:47 2019:

Quick addendum: I just stumbled upon abandoned accounts receiving "password expired" notifications forever, even if they get disabled subsequently (by me). It might be helpful to include this in the script: uAC_string=$(ldbsearch --url="${LDBDB}" -b "${domainDN}" -s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))"

Guys needing some help with LDAP queries against samba4 this command works against MS AD's LDAP (&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) but with samba4 I get C:\Users\Administrator>dsquery * --filter (&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) I get the

On Thu, 24 Aug 2023 21:56:47 +0800 Reese Wang via samba <samba at lists.samba.org> wrote: > Ah I understand the 512 + 2 thing. > But the userAccountControl is still 512 after I run `samba-tool user > disable` > Hmm, what version of Samba is this and on what OS ? Where are you running the command ? On Debian bullseye with Samba from backports (4.17.10), if I check a user, I

Hi, I was revising our AD ldap user_filter and pass_filter to exclude more types of expired / disabled accounts. I started adding things like: > (&(objectclass=person)(sAMAccountName=%n)(!useraccountcontrol=514)(!(useraccountcontrol=546))(!(useraccountcontrol=66050))(!(useraccountcontrol=8388608))) but then I thought, why not simply do: >

Mandi! Rowland penny via samba In chel di` si favelave... > yes, Provided you use the right attribute to search on ;-) Ah! ;-) Just i'm here, i test three condition in account flags, eg: UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" userAccountControl | grep "^userAccountControl: " | cut -d ' ' -f 2-)

On Sat, 28 Oct 2023 13:50:31 +0200 Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> I consider this a big security omission: if? Samba is the source of > >> information but not the the authenticator of the user, that > >> application cannot block expired users ! > > But, Samba when running as an AD DC is the source of information AND >

Op 28-10-2023 om 13:22 schreef Rowland Penny via samba: > On Sat, 28 Oct 2023 11:54:34 +0200 > Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> Op 28-10-2023 om 09:37 schreef Rowland Penny via samba: >>> On Fri, 27 Oct 2023 23:48:22 +0200 >>> Kees van Vloten via samba <samba at lists.samba.org> wrote: >>> >>>> Hi

I've setup a script that scan non-disabled user base, base query: (&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2))) and for every user i check the 'last password change' data value, doing some thing (eg, disabling it ;-) if it is too far. I've found that my script get also some 'dns-*' account; looking at data i've

Op 28-10-2023 om 14:21 schreef Rowland Penny via samba: > On Sat, 28 Oct 2023 13:50:31 +0200 > Kees van Vloten via samba <samba at lists.samba.org> wrote: > >>>> I consider this a big security omission: if? Samba is the source of >>>> information but not the the authenticator of the user, that >>>> application cannot block expired users !

Op 28-10-2023 om 17:19 schreef Rowland Penny via samba: > On Sat, 28 Oct 2023 16:22:23 +0200 > Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> Op 28-10-2023 om 14:21 schreef Rowland Penny via samba: >>> On Sat, 28 Oct 2023 13:50:31 +0200 >>> Kees van Vloten via samba <samba at lists.samba.org> wrote: >>>

On Sun, 29 Oct 2023 18:10:52 +0100 Kees van Vloten via samba <samba at lists.samba.org> wrote: > > Op 28-10-2023 om 17:19 schreef Rowland Penny via samba: > > On Sat, 28 Oct 2023 16:22:23 +0200 > > Kees van Vloten via samba <samba at lists.samba.org> wrote: > > > >> Op 28-10-2023 om 14:21 schreef Rowland Penny via samba: > >>> On Sat, 28

Op 28-10-2023 om 17:19 schreef Rowland Penny via samba: > On Sat, 28 Oct 2023 16:22:23 +0200 > Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> Op 28-10-2023 om 14:21 schreef Rowland Penny via samba: >>> On Sat, 28 Oct 2023 13:50:31 +0200 >>> Kees van Vloten via samba <samba at lists.samba.org> wrote: >>>

Hi, I have a domain with a single Windows 2003 DC running. Today I created a Samba4 DC (using 4.0.0 release) and asked it to join the existing domain as an additional controller. Replication of both the objects and dns entries appears to be working well, and the usual tests of adding a user to one and confirming it is available in the other is similarly working. However, the `ldapcmp` tool