Re: [Samba] Password expires every month even though 'Password Must Change' is set to 'never' (Samba+LDAP)

2011-10-12 Thread Christopher Whitehead
Was having similar issues with enforce password complexity.  Setting just
doesn't seem to stick.  Will have to do some research to figure out what is
going on.

On Wed, Oct 12, 2011 at 10:16 AM, Aaron E.  wrote:

> Just curious are you using pam or ldap backend?
>
>
> On 10/12/2011 09:22 AM, Marco Ciampa wrote:
>
>> On Wed, Oct 12, 2011 at 12:15:16PM +0800, Jeffrey Chan wrote:
>>
>>> Hi all,
>>>
>>> I've posted this a month ago but haven't gotten a reply. Can anyone
>>> please
>>> help?
>>>
>>> - Jeff
>>>
>>>
>>>
>>> On Mon, Aug 29, 2011 at 5:14 PM, Jeffrey Chan
>>>  wrote:
>>>
>>>> Hi all,
>>>>
>>>> Since a few months ago Samba asks each of our users to change password at
>>>> log on every month and I have not been able to disable it.
>>>>
>>>> I found this page and followed the instructions:
>>>>
>>>> http://playingwithsid.blogspot.com/2010/12/change-samba-password-expiry-setting.html
>>>>
>>>> The default ‘Password Must Change’ policy was set to never and pdbedit
>>>> shows ‘Password Must Change: never’ for each user, yet the passwords
>>>> still get expired once a month.
>>>>
>>>> Can anyone please give me some pointers?
>>>>
>>>> - Jeff

>>>
>> Just a hint (maybe wrong...)
>>
>> obey pam restrictions = No
>>
>> ...
>>
>>
>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


Re: [Samba] Samba4 and sysvol share

2011-09-29 Thread Christopher Whitehead
Alright, here is an update, Felix.

From a default install, at least on the server I set up, sysvol is
Authenticated Users(read/execute), Domain Admins(all), System(all). It and
all children.

As you dive deeper into folder structure there are some more added like
Enterprise Admins and so forth (with full privileges).  I believe Owner is
also one as you get further down and it has no privileges set.

Chris

On Wed, Sep 28, 2011 at 4:25 PM, Christopher Whitehead <
cwhitehea...@gmail.com> wrote:

> No problem.  That setup I was talking about is running same version of
> Samba4 that you are.  Yea, that is definitely not good if someone could go
> in there and change what login scripts were run or what they are supposed to
> do.
>
> If it is indeed this way, then definitely nice find on your end.  Will have
> to be reported as config issue or something with Samba4 alpha17.
>
> It will probably be after lunch before I can let ya know though.  I'm
> waiting on a monitor to come in for a setup they needed.  So right after
> that gets over here tomorrow will head over there and get back with ya.
>
>
>
> On Wed, Sep 28, 2011 at 3:41 PM,  wrote:
>
>> >> Definitely that is where your login scripts and so forth are or the
>> >> general place that you are supposed to put them.  I've got to go do
>> >> some work over at a place I have a Samba4 PDC setup tomorrow.
>> >>
>> >> Did you mess with the permissions or don't recall?  Was it like that
>> >> when you installed?
>> >>
>> >> I wouldn't allow Everyone to have access.  Go the Authenticated Users
>> >> route or maybe Domain Users with read/execute permissions.  I'll check
>> >> all the different users on it tomorrow for ya and drop back a line to
>> >> this thread though.  There might be a phantom User that only Samba
>> >> knows about that is listed there that might be specific to your install.
>> >>
>> >> It would be nice if someone chimed in here, have been wondering about
>> >> that... ;)
>> >>
>> >> Chris
>> >>
>> > Hi Chris:
>> > It's a recent test installation using Samba4 alpha 17 tar. I have done
>> > nothing with the permissions. I haven't even touched smb.conf.
>> > I was browsing the content of sysvol in my Samba4 server with a domain
>> > user I created and then I tried deleting a file and I could do it, tried
>> > with the whole content of sysvol and I could delete all. Then I
>> > reinstalled samba and tried again with a new domain user, and could do
>> > it again.
>> >
>> > The permission on a Windows 2003 server are as shown below and you're
>> > right only authenticated users should have read and execute permissions.
>> > But I tried with a windows client in a virtual pc against a real windows
>> > 2003 server and surprisingly I could list the content of sysvol in spite
>> > of this virtual pc not being a member of the windows 2003 server domain.
>> > That's why I suggested that may be it would be ok to allow everyone read
>> > and execute permissions.
>> >
>> My mistake. Unauthenticated users have no access to sysvol in windows 2003
>> server. Sorry!!!
>>
>> >
>> >
>> >> On Wed, Sep 28, 2011 at 1:55 PM,  wrote:
>> >>
>> >>> > On 28/09/2011 04:59, fe...@epepm.cupet.cu wrote:
>> >>> >>>> On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote:
>> >>> >>>>> Hello.
>> >>> >>>>> I noticed that any domain user can delete the content of the
>> >>> >>>>> shared folder
>> >>> >>>>> sysvol in the domain controller from a windows client.
>> >>> >>>>>
>> >>> >>>>> How can I avoid that?
>> >>> >>>>>
>> >>> >>>>> Greetings,
>> >>> >>>>> Felix
>> >>> >>>>>
>> >>> >>>> What's the default windows behavior with this ?
>> >>> >>>>
>> >>> >>>> Matthieu.
>> >>> >>>>
>> >>> >>> Windows users  Windows permissions
>> >>> >>> -
>> >

Re: [Samba] Samba4 and sysvol share

2011-09-28 Thread Christopher Whitehead
No problem.  That setup I was talking about is running same version of
Samba4 that you are.  Yea, that is definitely not good if someone could go
in there and change what login scripts were run or what they are supposed to
do.

If it is indeed this way, then definitely nice find on your end.  Will have
to be reported as config issue or something with Samba4 alpha17.

It will probably be after lunch before I can let ya know though.  I'm
waiting on a monitor to come in for a setup they needed.  So right after
that gets over here tomorrow will head over there and get back with ya.



On Wed, Sep 28, 2011 at 3:41 PM,  wrote:

> >> Definitely that is where your login scripts and so forth are or the
> >> general place that you are supposed to put them.  I've got to go do
> >> some work over at a place I have a Samba4 PDC setup tomorrow.
> >>
> >> Did you mess with the permissions or don't recall?  Was it like that
> >> when you installed?
> >>
> >> I wouldn't allow Everyone to have access.  Go the Authenticated Users
> >> route or maybe Domain Users with read/execute permissions.  I'll check
> >> all the different users on it tomorrow for ya and drop back a line to
> >> this thread though.  There might be a phantom User that only Samba
> >> knows about that is listed there that might be specific to your install.
> >>
> >> It would be nice if someone chimed in here, have been wondering about
> >> that... ;)
> >>
> >> Chris
> >>
> > Hi Chris:
> > It's a recent test installation using Samba4 alpha 17 tar. I have done
> > nothing with the permissions. I haven't even touched smb.conf.
> > I was browsing the content of sysvol in my Samba4 server with a domain
> > user I created and then I tried deleting a file and I could do it, tried
> > with the whole content of sysvol and I could delete all. Then I
> > reinstalled samba and tried again with a new domain user, and could do it
> > again.
> >
> > The permission on a Windows 2003 server are as shown below and you're
> > right only authenticated users should have read and execute permissions.
> > But I tried with a windows client in a virtual pc against a real windows
> > 2003 server and surprisingly I could list the content of sysvol in spite
> > of this virtual pc not being a member of the windows 2003 server domain.
> > That's why I suggested that may be it would be ok to allow everyone read
> > and execute permissions.
> >
> My mistake. Unauthenticated users have no access to sysvol in windows 2003
> server. Sorry!!!
>
> >
> >
> >> On Wed, Sep 28, 2011 at 1:55 PM,  wrote:
> >>
> >>> > On 28/09/2011 04:59, fe...@epepm.cupet.cu wrote:
> >>> >>>> On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote:
> >>> >>>>> Hello.
> >>> >>>>> I noticed that any domain user can delete the content of the
> >>> >>>>> shared folder
> >>> >>>>> sysvol in the domain controller from a windows client.
> >>> >>>>>
> >>> >>>>> How can I avoid that?
> >>> >>>>>
> >>> >>>>> Greetings,
> >>> >>>>> Felix
> >>> >>>>>
> >>> >>>> What's the default windows behavior with this?
> >>> >>>>
> >>> >>>> Matthieu.
> >>> >>>>
> >>> >>> Windows users         Windows permissions
> >>> >>> -------------------   -------------------
> >>> >>> Domain Admins         Full Access
> >>> >>> Authenticated Users   Read & Execute, List folder contents, Read
> >>> >>> CREATOR OWNER         Special permissions (Maybe we don't need this)
> >>> >>> Server Operators      Read & Execute, List folder contents, Read
> >>> >>> SYSTEM                Full Access
> >>> >>>
> >>> >> I think that what it is needed here is:
> >>> >> Domain Admins -> Full Access
> >>> >> and everybody else -> Read & Execute, List folder contents, Read
> >>> >>
> >>> >> I think that GPOs and some scripts are delivered to windows clients
> >>> >> through sysvol, that's why I don't want any of my users to be able
> >>> >> to delete the sysvol content.
> >>> >>
> >>> >> What should I do to accomplish that goal?
> >>> > In theory we should have the ACLs ok, I have to check these things
> >>> > but it won't be before next week I'm at IOLAB with microsoft this
> >>> > week focusing on FRS replication.
> >>> >
> >>> >
> >>> > Sorry.
> >>> >
> >>> > Matthieu.
> >>> >
> >>> I understand. I'll be waiting for an answer.
> >>> Thanks.
> >>>
> >>> Felix.
> >>>

Re: [Samba] Samba4 and sysvol share

2011-09-28 Thread Christopher Whitehead
Definitely that is where your login scripts and so forth are or the general
place that you are supposed to put them.  I've got to go do some work over at
a place I have a Samba4 PDC setup tomorrow.

Did you mess with the permissions or don't recall?  Was it like that when
you installed?

I wouldn't allow Everyone to have access.  Go the Authenticated Users route
or maybe Domain Users with read/execute permissions.  I'll check all the
different users on it tomorrow for ya and drop back a line to this thread
though.  There might be a phantom User that only Samba knows about that is
listed there that might be specific to your install.

It would be nice if someone chimed in here, have been wondering about
that... ;)

Chris

On Wed, Sep 28, 2011 at 1:55 PM,  wrote:

> > On 28/09/2011 04:59, fe...@epepm.cupet.cu wrote:
> >>>> On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote:
> >>>>> Hello.
> >>>>> I noticed that any domain user can delete the content of the shared
> >>>>> folder
> >>>>> sysvol in the domain controller from a windows client.
> >>>>>
> >>>>> How can I avoid that?
> >>>>>
> >>>>> Greetings,
> >>>>> Felix
> >>>>>
> >>>> What's the default windows behavior with this?
> >>>>
> >>>> Matthieu.
> >>>>
> >>> Windows users         Windows permissions
> >>> -------------------   -------------------
> >>> Domain Admins         Full Access
> >>> Authenticated Users   Read & Execute, List folder contents, Read
> >>> CREATOR OWNER         Special permissions (Maybe we don't need this)
> >>> Server Operators      Read & Execute, List folder contents, Read
> >>> SYSTEM                Full Access
> >>>
> >> I think that what it is needed here is:
> >> Domain Admins -> Full Access
> >> and everybody else -> Read & Execute, List folder contents, Read
> >>
> >> I think that GPOs and some scripts are delivered to windows clients
> >> through sysvol, that's why I don't want any of my users to be able to
> >> delete the sysvol content.
> >>
> >> What should I do to accomplish that goal?
> > In theory we should have the ACLs ok, I have to check these things but it
> > won't be before next week I'm at IOLAB with microsoft this week focusing
> > on FRS replication.
> >
> >
> > Sorry.
> >
> > Matthieu.
> >
> I understand. I'll be waiting for an answer.
> Thanks.
>
> Felix.
>


Re: [Samba] Dual Authentication: Local and Active Directory

2011-09-18 Thread Christopher Whitehead
Thanks for the help both of you.  I will attempt this a bit later and see
how it turns out.

Chris

On Sun, Sep 18, 2011 at 10:01 AM, TAKAHASHI Motonobu wrote:

> From: Aaron Clausen 
> Date: Fri, 16 Sep 2011 15:59:32 -0700
>
> > I was wondering if it was possible to get a Samba server that was
> > acting as an AD member server to also be able to authenticate local
> > users, or is stuck just serving AD users?
>
> You mean that you want to make samba server authenticate users stored
> at local tdb file?
>
> To specify "SERVERNAME\Username" explicitly, an AD member server can
> authenticate its local users.
>
> If you specify simply "Username", Samba 3.4.0 or later will authenticate
> as a local user for default, Samba 3.3.X or before will authenticate
> as an AD user. See "map untrusted to domain" parameter for the detail.
>
> ---
> TAKAHASHI Motonobu 


Re: [Samba] Dual Authentication: Local and Active Directory

2011-09-17 Thread Christopher Whitehead
I was wondering the exact same thing.  I hadn't messed with it a bunch,
since I have just set up my first Samba based PDC.  Mainly just doing some
testing and seeing how well Samba's implementation works as a DC.

This probably isn't the appropriate place, but BIG clap to the guys putting
all the work in to this project.  I have been very impressed with what has
been accomplished.

On Fri, Sep 16, 2011 at 5:59 PM, Aaron Clausen wrote:

> I was wondering if it was possible to get a Samba server that was
> acting as an AD member server to also be able to authenticate local
> users, or is stuck just serving AD users?
>
> --
> Aaron Clausen
> mightymartia...@gmail.com