
Re: [Samba] winbind offline logon




Hi Piviul,

> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Piviul via samba
> Sent: Tuesday 19 February 2019 14:58
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] winbind offline logon
> 
> On 19/02/19 12:02, L.P.H. van Belle via samba wrote:
> > [...]
> > Everything, you can do in NTDOM, you can in AD DOM.
> Are you telling me that an AD domain can be configured to 
> allow a domain user to move the time back by one year or more 
> (what I have seen today, for example) on a member PC of an AD domain? 

Ah, here it starts.. Why would you allow a user to set the time back a year? 
That is an Administrator IT task, not a user's, in my opinion. 
In a normal NTDomain setup, this is also not allowed by default. 

Rule 1. Never ever ever ever ever ever work as Administrator or with administrator rights. 
Rule 2. If you are the Domain admin, rule 1 applies.
Rule 3. If you are the Boss, rule 1 applies. 
It's too easy to break into a computer when you're working as admin, really, it's really easy. 

Now, for example, if you would do this with AD: NOT recommended, but possible, yes. 
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/change-the-system-time 
You change the local service, so a group of users is allowed to change time.
So next ;-) 

> I have read that an authentication ticket has a very strict validation time... 
> but I don't know AD. 

I know a good book, but I don't know if you can read German.. 
If you can read German, https://www.kania-online.de/fachbuecher/samba-4/ 

Or start here: 
https://blogs.technet.microsoft.com/ashwinexchange/2012/12/18/understanding-active-directory-for-beginners-part-1/ 
Old but still valid. 

Sorry, I don't have any Italian sites. Maybe one of the 2 Marcos has some good Italian sites about AD for you. 

> 
> Anyway, I agree with you, the more time you wait to upgrade, the more problems 
> you will find when you decide to upgrade... but, even if a 
> part of these problems, alas, will fall on my shoulders, 
> I have no weapon to quicken this upgrade.

You have "the Samba list" and it is ok to ask for help. 
That's hard sometimes and we all know that. 

Just don't start and rush in, think before you start. 
Make a todo list, and remember you always forget about 20%-25%.. 

> 
> Have a great day
> 
> Piviul


Greetz, 

Louis
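
An added example, not part of the original message: a small audit of who holds the "Change the system time" user right (SeSystemtimePrivilege) discussed above, run against the [Privilege Rights] section of a `secedit /export /areas USER_RIGHTS` file. The sample export, the domain-group SID in it and the function names are constructed for illustration; the baseline assumes a workstation or member server, where Administrators and Local Service hold the right by default.

```python
import configparser

# Well-known SIDs that hold "Change the system time" by default on a
# workstation or member server: Administrators and Local Service.
DEFAULT_HOLDERS = {"S-1-5-32-544", "S-1-5-19"}

# Constructed sample of a `secedit /export /areas USER_RIGHTS` file.
# The last SID on the SeSystemtimePrivilege line is a made-up domain group.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1604
[Version]
signature="$CHICAGO$"
Revision=1
"""


def system_time_holders(export_text):
    """Return the accounts granted SeSystemtimePrivilege in the export."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep privilege names exactly as written
    parser.read_string(export_text)
    if not parser.has_section("Privilege Rights"):
        return []
    raw = parser.get("Privilege Rights", "SeSystemtimePrivilege", fallback="")
    # Entries are comma separated; SIDs carry a leading '*', names do not.
    return [e.strip().lstrip("*") for e in raw.split(",") if e.strip()]


def unexpected_holders(export_text, allowed=DEFAULT_HOLDERS):
    """Accounts able to change the clock that are not in the baseline."""
    return [h for h in system_time_holders(export_text) if h not in allowed]


if __name__ == "__main__":
    for holder in unexpected_holders(SAMPLE_EXPORT):
        print("non-default holder of SeSystemtimePrivilege:", holder)
```

A real export is typically UTF-16 encoded, so read the file with that encoding before passing its text in.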

