Script to reset group memberships...


Samba - General mailing list

I used to, for users that leave my network, disable the account but
also ''sanitize'' the memberships, e.g. reset group membership to
default values (normally, 'domain users').

Clearly, using smbldap-tools in an NT domain this was easy.


How can I achieve the same result in a Samba AD domain? It seems that
the available commands/tools (pdbedit, wbinfo, samba-tool) do not have
this feature.


I've thought about enumerating the user's groups, e.g.:

        id gaio | cut -d '=' -f 4 | tr -s ',' '\n' | cut -d '(' -f 2 | tr -d ')' | grep ^LNFFVG | cut -d '\' -f 2

and then removing 'all but the default group', but I'm seeking feedback.


Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Script to reset group memberships...

Samba - General mailing list
On Wed, 4 Oct 2017 15:45:07 +0200
Marco Gaiarin via samba <[hidden email]> wrote:

>
> I used to, for users that leave my network, disable the account
> but also ''sanitize'' the memberships, e.g. reset group membership to
> default values (normally, 'domain users').
>
> Clearly, using smbldap-tools in a NT domain was easy.
>
>
> How can I achieve the same result in a Samba AD domain? It seems that
> the available commands/tools (pdbedit, wbinfo, samba-tool) do not have
> this feature.
>
>
> I've thought about enumerating the user's groups, e.g.:
>
> id gaio | cut -d '=' -f 4 | tr -s ',' '\n' | cut -d '(' -f 2
> | tr -d ')' | grep ^LNFFVG | cut -d '\' -f 2
>
> and then removing 'all but the default group', but I'm seeking feedback.
>
>
> Thanks.
>

No need to do that, just use 'samba-tool user disable'

See 'samba-tool user disable --help' for more info

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Script to reset group memberships...

Samba - General mailing list
Greetings! Rowland Penny via samba
  on that day wrote...

> No need to do that, just use 'samba-tool user disable'

Ahem, Rowland, *I* *NEED* that.

For internal policies, users that leave my organization have to be
'sanitized', and in detail, memberships have to be reset.


So, apart from some complex scripting, is there some way to do that? If
complex scripting has to be used, what would be the best 'path' to
achieve the result?


Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Script to reset group memberships...

Samba - General mailing list
On Wed, 4 Oct 2017 16:53:19 +0200
Marco Gaiarin via samba <[hidden email]> wrote:

> Greetings! Rowland Penny via samba
>   on that day wrote...
>
> > No need to do that, just use 'samba-tool user disable'
>
> Ahem, Rowland, *I* *NEED* that.
>
> For internal policies, users that leave my organization have to be
> 'sanitized', and in detail, memberships have to be reset.
>
>
> So, apart from some complex scripting, is there some way to do that? If
> complex scripting has to be used, what would be the best 'path' to
> achieve the result?
>
>
> Thanks.
>

Ah, you said disable, when you meant 'delete'

You can do this 'samba-tool user delete username'

This will delete the user and the user's membership of groups.

i.e.

dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
......
member: CN=username,CN=Users,DC=samdom,DC=example,DC=com

Will become:

dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
.............
member:
CN=username\0ADEL:f2fcc083-f6fa-4878-973f-b2a4f2a043e2,CN=Deleted Object

Then when the tombstone lifetime comes around, the record will
disappear.

This is standard for AD, you cannot totally remove the record in one
move, but for all intents and purposes, the records are deleted.

Rowland



Re: Script to reset group memberships...

Samba - General mailing list
Greetings! Rowland Penny via samba
  on that day wrote...

> Ah, you said disable, when you meant 'delete'

No, I meant exactly 'disabled'.

Let me try to be clearer:

a) I cannot delete accounts, at least for years, because local law
 mandates accountability, and so I need the SID/UID.
OK, I can save the SID/UID elsewhere, but...

b) I want to ''reset'' group membership because if users come back
 (it sometimes happens ;) I can't, even by accident, restore their
original memberships.


Better now? Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Script to reset group memberships...

Samba - General mailing list
On Wed, 4 Oct 2017 17:54:35 +0200
Marco Gaiarin via samba <[hidden email]> wrote:

> Greetings! Rowland Penny via samba
>   on that day wrote...
>
> > Ah, you said disable, when you meant 'delete'
>
> No, I meant exactly 'disabled'.
>
> Let me try to be clearer:
>
> a) I cannot delete accounts, at least for years, because local law
>  mandates accountability, and so I need the SID/UID.
> OK, I can save the SID/UID elsewhere, but...
>
> b) I want to ''reset'' group membership because if users come back
>  (it sometimes happens ;) I can't, even by accident, restore their
> original memberships.
>
>
> Better now? Thanks.
>

NO ;-)

In AD you can disable a user very easily by adding 2 to the value stored
in the user's 'userAccountControl' attribute, and the user wouldn't be
able to log in, but this isn't quite what you want.

To do what you want to do, you will need to search the user's object in
AD for 'memberOf' attributes, then parse these (if any; there shouldn't
be one for Domain Users). Then remove the user from each group with
'samba-tool group removemembers groupname username'. This will then
leave you with the user to delete or disable as you see fit.

If you delete a user in AD, you cannot recreate it exactly as the
original user, AD will not let you, i.e. if you delete user 'fred' and
then create another user 'fred', this user, even though it has the
same username, will be a new user to AD; it will have a different RID
and GUID.

Rowland
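The procedure Rowland describes (disable the account, read the user's 'memberOf' values, remove the user from each group with 'samba-tool group removemembers'), as an added example script that is not from the thread. It assumes it runs on a Samba AD DC with samba-tool on PATH, that 'samba-tool user show' prints the user's object as LDIF including its memberOf lines, and that each group's CN equals its sAMAccountName; the LDIF parsing helpers run offline on constructed input.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a Samba AD DC with
# samba-tool on PATH and that each group's CN equals its sAMAccountName.
set -eu

# Join LDIF continuation lines: a line starting with a space continues the
# previous attribute value.
unfold_ldif() {
    awk '/^ /   { printf "%s", substr($0, 2); next }
         NR > 1 { print "" }
                { printf "%s", $0 }
         END    { print "" }'
}

# Read an LDIF dump on stdin and print the CN of every group listed in
# 'memberOf:', one per line, with LDIF escapes such as "\," removed.
# The primary group (Domain Users, via primaryGroupID) is never in memberOf,
# so it survives the reset without special casing.
member_of_groups() {
    unfold_ldif | awk '
    /^memberOf: / {
        dn = substr($0, 11); sub(/^[Cc][Nn]=/, "", dn); cn = ""
        for (i = 1; i <= length(dn); i++) {
            c = substr(dn, i, 1)
            if (c == "\\") { i++; cn = cn substr(dn, i, 1); continue }
            if (c == ",") break
            cn = cn c
        }
        print cn
    }'
}

# Disable the account (sets the ACCOUNTDISABLE 0x2 bit, the 'D' flag) and
# remove every secondary group membership. DRY_RUN=1 only prints the commands.
sanitize_leaver() {
    user=$1
    run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }
    run samba-tool user disable "$user"
    samba-tool user show "$user" | member_of_groups |
    while IFS= read -r group; do
        run samba-tool group removemembers "$group" "$user"
    done
}

if [ $# -eq 1 ]; then
    sanitize_leaver "$1"
fi
```

Run it first with DRY_RUN=1 to review the group list; the account's SID and RID are preserved because the object is disabled, not deleted.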
 



Re: Script to reset group memberships...

Samba - General mailing list
Greetings! Rowland Penny via samba
  on that day wrote...

> In AD you can disable a user very easily by adding 2 to the value stored
> in the user's 'userAccountControl' attribute, and the user wouldn't be
> able to log in, but this isn't quite what you want.

Only for the sake of completeness, it is the same as the 'D' account flag,
right?


> To do what you want to do, you will need to search the user's object in
> AD for 'memberOf' attributes, then parse these (if any; there shouldn't
> be one for Domain Users). Then remove the user from each group with
> 'samba-tool group removemembers groupname username'. This will then
> leave you with the user to delete or disable as you see fit.

OK, thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Script to reset group memberships...

Samba - General mailing list
On Thu, 5 Oct 2017 15:22:56 +0200
Marco Gaiarin via samba <[hidden email]> wrote:

> Greetings! Rowland Penny via samba
>   on that day wrote...
>
> > In AD you can disable a user very easily by adding 2 to the value
> > stored in the user's 'userAccountControl' attribute, and the user
> > wouldn't be able to log in, but this isn't quite what you want.
>
> Only for the sake of completeness, it is the same as the 'D' account
> flag, right?

Yes

Rowland


