Samba4 user groups rights management problem

Hey,
I have a network with an archlinux server as only server on the network.
On the server with samba3 there were different directories with different user and group rights. Every user existed twice, as a Linux user and as a samba user. In the samba smb.conf force group was set to the linux group, and files were forced to 660 and directories to 770.
user 1-4 were in officesmbgroup with access only to share1
user 1-2 were in officesmbgroup and extrasmbgroup with access to share1 and share2
all 4 users exist as linux users and have ssh access to the linux server
Example working on samba3
[share1]
available = Yes
browseable = Yes
comment = office
create mask = 660
directory mask = 2770
force create mode = 660
force directory mode = 2770
force group = officesmbuser
guest ok = No
path = /data/office
writeable = Yes
valid users = @officesmbuser
[share2]
available = Yes
browseable = Yes
comment = office
create mask = 660
directory mask = 2770
force create mode = 660
force directory mode = 2770
force group = extrasmbuser
guest ok = No
path = /data/extra
writeable = Yes
valid users = @extrasmbuser
As I understood, with samba4 this is no longer possible because it is not possible to force a linux group in samba any more. I figured out how to manage this in samba4 standalone role mode. But this has a big disadvantage: I had to set all files on the shares to 666 and folders to 777.
Working with samba4 standalone role mode, but security problem
[share1]
available = Yes
browseable = Yes
comment = office
create mask = 666
directory mask = 2777
force create mode = 666
force directory mode = 2777
guest ok = No
path = /data/office
writeable = Yes
valid users = user1, user2, user3, user4
[share2]
available = Yes
browseable = Yes
comment = office
create mask = 666
directory mask = 2777
force create mode = 666
force directory mode = 2777
guest ok = No
path = /data/extra
writeable = Yes
valid users = user1, user2
This would be a problem because linux user3 and user4 have ssh access and would have access to all files on both shares in all directories.
Is there another way to manage this or do I have to set up active directory, manage group rights there and leave the local rights on the linux machine at 660 and 770?
Thanks in advance
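As an added example, not part of the original post, the Python audit below takes the two smb.conf variants shown above (trimmed to the keys it reads), applies Samba's create mask / force create mode rule to compute the widest on-disk modes each share allows, and flags the 'other' bits that let local shell accounts such as user3 and user4 reach files regardless of 'valid users', along with a missing force group and a per-user valid users list.

```python
import re

# Constructed sample input: the two share definitions from the post, trimmed
# to the keys the audit reads (samba3 with force group vs. the samba4
# standalone workaround with 666/2777 modes).
SAMBA3_CONF = """
[share1]
create mask = 660
directory mask = 2770
force create mode = 660
force directory mode = 2770
force group = officesmbuser
path = /data/office
valid users = @officesmbuser
"""

SAMBA4_CONF = """
[share1]
create mask = 666
directory mask = 2777
force create mode = 666
force directory mode = 2777
path = /data/office
valid users = user1, user2, user3, user4
"""

# Samba's documented defaults for the four mode parameters.
DEFAULTS = {"create mask": "0744", "directory mask": "0755",
            "force create mode": "0", "force directory mode": "0"}


def parse_smb_conf(text):
    """Return {section: {param: value}} with parameter names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            current = head.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def effective_mode(share, requested, kind):
    """Samba's rule for new files/dirs: (requested & <kind> mask) | force <kind> mode."""
    mask = int(share.get(f"{kind} mask", DEFAULTS[f"{kind} mask"]), 8)
    force = int(share.get(f"force {kind} mode", DEFAULTS[f"force {kind} mode"]), 8)
    return (requested & mask) | force


def audit_share(name, share):
    """Findings for one share as a list of strings; an empty list means clean."""
    findings = []
    # Ask for the most permissive modes a client can request (0666 / 0777):
    # the result is the widest permission the share config allows on disk.
    file_mode = effective_mode(share, 0o666, "create")
    dir_mode = effective_mode(share, 0o777, "directory")
    if file_mode & 0o007:
        findings.append(f"{name}: files may be created {file_mode:04o}; the 'other' bits "
                        "let any local shell account read or write them, 'valid users' or not")
    if dir_mode & 0o007:
        findings.append(f"{name}: directories may be created {dir_mode:04o}; the 'other' "
                        "bits let any local shell account list and enter them")
    if "force group" not in share:
        findings.append(f"{name}: no 'force group', so group ownership of new files is "
                        "not pinned to the share's group")
    valid = share.get("valid users", "")
    if valid and not any(t.strip()[:1] in ("@", "+", "&") for t in valid.split(",")):
        findings.append(f"{name}: 'valid users' names individual accounts, so access "
                        "changes mean editing smb.conf rather than group membership")
    return findings


def audit_conf(text):
    """Audit every share section of an smb.conf text; returns {share: [findings]}."""
    return {name: audit_share(name, params)
            for name, params in parse_smb_conf(text).items()
            if name.lower() != "global"}
```

Running audit_conf(SAMBA3_CONF) reports share1 as clean, while audit_conf(SAMBA4_CONF) returns four findings for it; the same function can be pointed at the full smb.conf text of a real server.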

Thanks Bill, that was really handy.
I'd used the Add ID option without being on a specific store, and it had placed it under Digital IDs. It was still offering me the option to use that certificate to authenticate against the server. I imported the certificate into the Windows Digital ID section and it now authenticates against the server perfectly.
So problem solved, although I'm still not 100% sure why the Import Digital ID places the certificates into a location which doesn't work with Rights Management, although I'm sure there's a good reason.
I'll make sure that we only add to the Windows Digital ID container in Acrobat/Reader or import directly into the Personal Certificate store in Windows for the demonstration.
Thanks for your help in fixing this.

Similar Messages

  • Rights Management problem (http / https)

    How do I fix the error: "You are attempting to connect to an adobe livecycle rights management server using an insecure protocol."
    Is there a way to leave the server as http and change the policies to not ask for https protocol?
    I've tried changing the BASE URL to http://localhost:8443 but cannot find any documentation to help me further.

    Is the client using Netscape Navigator or IE? There used to be a problem
    with Netscape not sending the cookies established for a domain like:
    something.com:7001/xxxxx
    if a redirect sends the user to
    something.com:7002/zzzzz
    Because of the port change in the URL, it treats these as different domains
    and doesn't send previous cookie containing session ID.
    Works fine if you use default ports for http/https and do NOT put them in
    the URL.
    Not sure if this is at all related to your problem.
    -Greg
    Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
    www.oreilly.com/catalog/entjbeans3 or www.titan-books.com
    "Peter Morelli" <[email protected]> wrote in message
    news:3bf478a9$[email protected]..
    > We have an apache 1.3.20 with the weblogic ssl plugin front ending two 5.1sp10
    > weblogic servers.
    > The plug-in load balances between the two servers, but when a user establishes
    > a session, all requests are served by the wl instance that established the session.
    > So far, the correct, sticky behavior.
    > The problem occurs when a user establishes a session with non-SSL http, then switches
    > to SSL HTTPS, or vice versa. It looks like a new session is established, and in
    > some cases, the requests are now served by the other server.
    > Is there any way to maintain sessions across HTTP and HTTPS?
    > Thanks.
    > --pete

  • User groups and permissions problem

    Hello everyone,
    I've been running Arch Linux for about a month now and I have noticed a few things related to permissions associated with user groups that annoy me. My user is part of the storage, wheel and network groups, amongst others. I can see this when I run the `groups` command. From what I could read on the Wiki, the storage group should allow me to mount/umount drives such as my USB key and my iPod when they are plugged in and access the files from my user account without using sudo. The network group should let me manage the network connection via ifconfig, iwconfig, etc. once again without using sudo.
    However, when I run iwconfig as my normal user, I get incomplete and inaccurate information. I get about 2 lines telling me essentially that I am not associated with any Access Point, which I clearly am. When I run it with sudo, I get the full information, including my Access Point's ESSID. iwconfig does not get the same data when run with and without sudo. Same goes with ifconfig. Also, I can not run dhcpcd or wpa_supplicant at all as a normal user.
    I get a similar problem with the storage group. I can not mount or umount drives without sudo and I can not write to mounted drives that I've mounted with sudo. This is particularly annoying when I try to manage my iPod.
    Does anyone have a clue what could be causing this?
    Thanks a lot

    I have searched Google and the Arch Wiki, have tried a lot of the suggestions from the forums, such as the 'how I beat policykit and hal' forum post.  Nothing seems to let me mount my drives.  I can see them in Nautilus, I click them but they don't mount.  I can do it as root.  It's really frustrating because I can't figure it out.  I haven't filed a bug report because I thought it was a problem that I was having.
    I haven't tried the iwconfig or network yet.
    This is pretty much the only thing holding me back from everything working.

  • Neat OAM Trick (showing users' groups), but a problem...

    Hi,
    I took an OAM class this week, and the instructor showed us a way to show users' group membership in User Manager.
    To do this, create a derived attribute for the inetorgperson attribute, e.g., named "ThisUsersGroupMembership", and configure it with:
    Self
    groupofuniquenames
    uniquemember
    Then, add the derived attribute to the user panel, and then go into User Manager and display an individual user's profile. The user's group membership should be displayed as the "ThisUsersGroupMembership".
    I thought that this was pretty nice, but I noticed that if I go to the User Manager's main page and customize it to display the "ThisUsersGroupMembership" attribute,
    the attribute name is shown, but no values are shown for that attribute.
    I'm trying to figure out why the values for the derived attributes are not being displayed on the main User Manager page, and also if it's possible to get that working?
    Thanks,
    Jim

    Jim,
    Yes even I am not able to list users. I did not understand what you were exactly pointing to in your earlier mail.
    This seems to be a bug with OAM, but before we arrive at this conclusion I think we should try and look at the XML response sent by OAM for the search result. I am not able to recall how we can see the XML response in the browser. If you know, then you can try and see if the groups of the user are returned. If groups are returned then you will have to look at the stylesheet being used and modify it to display the groups.
    If groups are not fetched then it must be a bug with OAM.
    Thanks
    Preetam

  • ES Rights Management login

    After successful installation ES Preview Release(without PDF Generator),
    and assigning all the roles to the user kvarsen (including LiveCycle Rights Management End User) I still cannot login to the Rights Management...
    any ideas?

    I've already assigned all the roles to this user but it does not work!
    Here's c&p from the assigning roles:
    Do you want to assign the following role(s):
    Output Administrator
    Administration Console User
    Resource Administrator
    LiveCycle Rights Management End User
    LiveCycle Rights Management Invite User
    LiveCycle Rights Management Policy Set Administrator
    LiveCycle Workspace Administrator
    LiveCycle Workflow Process Administrator
    PDFG User
    PDFG Administrator
    Reader Extensions Web Application
    Security Administrator
    LiveCycle Rights Management Super Administrator
    Services User
    LiveCycle Workspace User
    Process Administrator
    LiveCycle Workflow Process Developer
    LiveCycle Rights Management Administrator
    Application Administrator
    Super Administrator
    LiveCycle Rights Management Manage Invited and Local Users
    Document Services Administrator
    Forms Administrator
    Trust Administrator
    to the following users and groups?
    kvarsen

  • Rights management setup

    would someone tell me the rights management setup step by step? thank you very much!

    CREATE USER WITH ‘RIGHTS MANAGEMENT USER’ ROLE
    Using the LiveCycle AdminUI, create a local user with the role “LiveCycle Rights Management User”
    ENSURE HTTPS ACCESS TO THE RIGHTS MANAGEMENT WEBUI
    Please note that the ‘Administrator’ user cannot login to Rights Management by default.
    If the server is using a self-signed certificate, import the certificate to the local Windows certificate store. If this is not done, Acrobat will throw this error:
    “Unable to connect to the service. SSL protocol error. Certificate is either invalid or common name or authority are not recognized.”
    Launch your browser. Point it to the SSL over HTTP URL of the server such as follows:
    https://lces2.adobe.com:9443/edc/Login.do
    In IE8, you will get a message that says “There is a problem with this website’s security certificate.”
    1) Click “Continue to this website (not recommended).”
    2) At the top, to the right of the URL field, there should be a button that now says "Certificate Error".
    3) Click it. Then click the link "View Certificates".
    4) Click the button "Install Certificate".
    5) Let the wizard guide you through the install. Choose “Automatically select the certificate store based on the type of certificate”.
    6) If everything went fine, you should get a message that says “The import was successful”.
    7) Click OK
    8) Load the same URL again (https://lces2.adobe.com:9443/edc/Login.do). This time you should not get a certificate error. Instead, the Rights Management login page should load.
    In Windows Vista, instead of letting IE choose the certificate store based on the type of certificate, choose the radio button "Place all certificates in the following store", click "Browse" and then choose "Trusted Root Certification Authorities".
    For Firefox, you choose the link “Add an exception”. Click ‘Get Certificate” and then “Confirm Security Exception”.
    CONFIGURE ADOBE READER OR ADOBE ACROBAT
    - Choose the menu option Advanced->Security Settings
    - Highlight “Adobe LiveCycle Rights Management Servers” and click ‘New’
    - Put something useful in the name field such as “Test Adobe RM”.
    The Server Name should be the fully resolvable DNS name of your server, or that of the Reverse Proxy.
    - Change port from 443 to the SSL port of the appserver instance that hosts LiveCycle. This can also be the port on which SSL is configured for the Reverse Proxy (usually 443). In our example, it is 9443.
    - Click “Connect to this Server”
    CONFIGURE BASE URL FOR POLICIES
    Login to the LiveCycle AdminUI. Navigate to Services->LiveCycle Rights Management->Configuration->Server Configuration. Change the "Base URL" to a valid URL such as https://lces2.adobe.com:9443. This URL is a CRITICAL part of the configuration. If this URL becomes invalid at a later time due to domain registration expiry, corporate acquisitions, server certificate expiry etc., all of the documents published up to that point with this URL will become totally useless.
    Cheers,
    Vipin

  • How to only synchronize one specific LDAP user group with SAP?

    Hi,
    Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configure in SAP using transaction SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, role in SAP) - or should this be done on the LDAP server side (or is it at all possible)?
    Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
    Thanks, Oscar

    We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
    E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
    Then we also have a constant for the LDAP_STARTING_POINT
    For our AD Group Initial Load we filter according to these settings:
    LDAP_FILTER_GROUPS = (objectclass=group)
    LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
    The above example only reads AD groups starting at the specified OU
    Then in a Job From LDAP Pass the LDAP URL looks like this:
    LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
    I hope this helps
    Paul
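    An added example, not from the post or from SAP IdM: it expands the %$rep.NAME% tokens in the From LDAP pass URL above and splits the result into base DN, attributes, scope and filter, so a missing constant, a mistyped scope or an unbalanced filter shows up before the job binds to the directory. The host name and port are assumed values; the starting point and group filter are the post's.

```python
import re

# Constructed repository constants in the shape of the post's values; the
# host name and port are assumptions (the post does not give them).
REP = {
    "LDAP_HOST": "dc01.cfstest.le.ac.uk",
    "LDAP_PORT": "389",
    "LDAP_STARTING_POINT_GROUPS": "ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk",
    "LDAP_FILTER_GROUPS": "(objectclass=group)",
}

# The From LDAP pass URL exactly as written in the post.
TEMPLATE = ("LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/"
            "%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%")

TOKEN = re.compile(r"%\$rep\.([A-Za-z0-9_]+)%")


def substitute(template, rep):
    """Expand every %$rep.NAME% token; an unknown NAME raises instead of going blank."""
    def lookup(match):
        name = match.group(1)
        if name not in rep:
            raise KeyError(f"repository constant {name} is not defined")
        return rep[name]
    return TOKEN.sub(lookup, template)


def parse_ldap_url(url):
    """Split an RFC 4516-style LDAP URL into host, port, base DN, attributes, scope, filter."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    # base DN ? attributes ? scope ? filter; missing parts take the RFC defaults.
    fields = tail.split("?") + [""] * 3
    base, attrs, scope, filt = (f.strip() for f in fields[:4])
    scope = scope.lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope: {scope}")
    filt = filt or "(objectClass=*)"
    if not filt.startswith("(") or filt.count("(") != filt.count(")"):
        raise ValueError(f"unbalanced filter: {filt}")
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base": base,
        "attributes": [a for a in attrs.split(",") if a] or ["*"],
        "scope": scope,
        "filter": filt,
    }


def group_load_url(rep=REP, template=TEMPLATE):
    """Expand the template and parse it, as the job would before binding."""
    return parse_ldap_url(substitute(template, rep))
```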

  • How to create user in specific user group in Microsoft Active Directory ?

    Hi,
    I am using Netscape LDAP, and want to create a user in a user-defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory, and I want to add the new user to the TestUsers group. But my problem is that whenever I create a new user
    it gets added to the Domain Users group.
    Following is the code I am using, which adds the user to the default group Domain Users.
    import netscape.ldap.LDAPAttribute;
    import netscape.ldap.LDAPAttributeSet;
    import netscape.ldap.LDAPConnection;
    import netscape.ldap.LDAPEntry;
    import netscape.ldap.LDAPException;

    // ldaprs (an LDAPResult), container, baseDN, the LDAP_*_KEY constants and
    // encodePassword() are members of the enclosing class, not shown in the post.
    public LDAPResult createUserID(
            String userId,
            String pwd,
            String pId,
            boolean resetonLogOn,
            LDAPConnection ldCon) {
        boolean flag = false;
        int code = 0;
        try {
            String pwdLastSetVal;
            String desName;
            String desc;
            /* Specify the DN of the new entry. */
            String dn =
                "CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
            /* Object classes for an AD user entry. */
            String objectclass_values[] =
                { "top", "person", "organizationalPerson", "user" };
            /* Create a new attribute set for the entry. */
            LDAPAttributeSet attrs = new LDAPAttributeSet();
            /* Attribute sAMAccountName */
            LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
            attrs.add(attr);
            /* Attribute unicodePwd: AD expects the quoted password as UTF-16LE bytes
               and only accepts it over an SSL/TLS connection. */ // LDAP_PASSWORD_KEY = "unicodePwd"
            attr = new LDAPAttribute(LDAP_PASSWORD_KEY, (byte[]) this.encodePassword(pwd));
            attrs.add(attr);
            /* Attribute Display Name */
            desName = userId + ":" + pId;
            attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
            attrs.add(attr);
            /* Attribute userAccountControl to enable the userid. */
            attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL); // LDAP_ACCOUNT_EN_VAL = "548"
            attrs.add(attr);
            /* Attribute pwdLastSet: 0 forces a password change at first logon. */
            if (resetonLogOn) {
                pwdLastSetVal = "0";
            } else {
                pwdLastSetVal = "-1";
            }
            attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
            attrs.add(attr);
            /* Attribute Description */
            desc = " Account Created by HelpNow App";
            attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
            attrs.add(attr);
            /* Attribute objectclass */
            attr = new LDAPAttribute("objectclass", objectclass_values);
            attrs.add(attr);
            /* Create an entry with this DN and these attributes. */
            LDAPEntry myEntry = new LDAPEntry(dn, attrs);
            /* Add the entry to the directory. The new user's primary group defaults to
               Domain Users; membership in TestUsers is a separate modify of that group's
               "member" attribute, which this method never performs. */
            ldCon.add(myEntry);
            flag = true;
        } catch (LDAPException e) {
            flag = false;
            code = e.getLDAPResultCode();
        } catch (Exception e) {
            flag = false;
            code = LDAPException.OTHER;
        } finally {
            ldaprs.flag = flag;
            ldaprs.code = code;
        }
        return ldaprs;
    }

    Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150

  • What roles assignments for Rights Management?

    System: Adobe LiveCycle Server ES3 system.
    Question and Issue: I need to create a user that is able to manage the settings via the web administrator (adminui) for:
    1. Policies
    2. Documents
    3. Events
    4. Watermarks
    However this user must not have the ability to change the server configuration, key management, etc., which is most of the stuff in the "LiveCycle Rights Management->Configuration" page except for "Watermarks".
    I had assigned this user the following Role Assignments:
    1. Rights Management Policy Set Administrator
    2. Rights Management Invite User
    3. Rights Management End User
    4. Rights Management Manage Invited and Local Users
    The above list works for the most part, except this user is unable to configure/manage the Watermarks.  The ability to configure/manage Watermarks is critical in our scenario.
    I found that by assigning this user the "Rights Management Super Administrator" role, it would allow this user the "Watermark" capability; however it also allows the user other capabilities that we do not want the user to manage/configure.  I believe the "Rights Manage Configuration" permission gives this role the ability to configure all aspects of the Rights Management. 
    So is there a permission that just allows the user the ability to configure just the "Watermark"?  Is this configuration even possible?
    Regards,
    TS

    Watermark is in the Configuration part of the RM UI, so as per the current implementation there is no such role defined by which a user can configure the Watermark only.
    It is designed as such because only an administrator can change such configuration and create or modify Watermark.

  • Incorrect User Group contact info

    Hi, it was brought to my attention that your site has incomplete/incorrect contact information for the Nebraska Oracle Users Group. The URL is http://otn.oracle.com/collaboration/user_group/htdocs/central.html.
    The correct info is:
    Steven Givens
    President - Nebraska Oracle Users Group
    Database Manager
    Technical Services
    Enterprise Systems
    First Data Corporate (FDC)
    10910 Mill Valley Rd.
    Mailstop P10T
    Omaha, NE 68154
    Phone:      (402) 222-7967
    Fax:          (402) 222-8370
    Email:     [email protected]
    Thanks,
    Steve

    This change has been made.
    Regards, OTN

  • Microsoft Rights Management Sharing Application for Windows and the connection with AD RMS

    Hi,
    I have installed AD RMS and now installed on end users Microsoft Rights Management Sharing Application for Windows.
    When I choose protect a document in any end user machine, does it connect with AD RMS server to get a certificate and encrypt the content, or does not use at all AD RMS services? What about when choosing to protect  with an AD RMS template distributed
    to end users?
    Thanks 

    Hi Ardi -
    The first time a user creates or consumes protected content, they must contact the RMS server to "bootstrap".  In this process, the user obtains certificates that identify them within the context of RMS.
    Once a user has bootstrapped, he or she can create protected content without access to the RMS server.
    To open protected content, a user must connect to the AD RMS server to obtain a "use license".
    Does that help?
    Micah LaNasa
    Synergy Advisors
    synergyadvisors.biz

  • LC Rights Management End User can not find groups or users during policy creation process

    hello,
    I'm using LC8.0.1 turnkey install on win2003 box.
    Problem is LC Rights Management End User can not find groups or users (search result is empty) during policy creation process, thus can not apply specific restriction to certain groups or users.
    I have created a user in the DefaultDom and assigned the following roles:
    Live Cycle Rights Management Invite User
    Live Cycle Rights Management End User
    How can I allow the above created user to search for groups and user during policy creation? Thanks.

    Good catch Phuc. Make sure you do this for each Policy Set as well as My Policies.
    Here's an overview of Policy Sets:
    http://blogs.adobe.com/security/2008/04/delegating_control_over_policy.html
    Cut and paste the URL.

  • Is there a way in 10.8 Profile Manager to assign certain users the sole right of adding/removing users to user groups?

    Hello,
    I want to assign certain network users the ability to login via browser to the profile manager for 10.8.x server and add/remove other users from user groups.  Think teachers managing their class rosters, if the class was a group and the users their students.  I do not want any other admin functionality beyond that for them.
    Suggestions?

    Well thank you for being so polite.  Yes, on looking on my 10.8 server, I have the same thing.  How annoying.  I have no idea how to answer your question.  If the management abilities are no longer in Workgroup Manager then there's a chance that the server doesn't pay any attention to the settings, so manually changing settings in LDAP won't have any effect either.
    At least I can verify that it's not just you who gets that result.  I wonder what happened and how we're meant to do this now.

  • Problems Managing User Access Rights for Web Gallery

    Has anyone else had issues changing the user access rights for a web gallery? It seems like the access is everyone or no one. Are the user rights handled per event in the gallery? I had issues adding events to the user's view/download rights in the publish settings.
    Also, can these settings only be set when an event is first published? Attempting to change the user access rights after the event is published seems to require a re-upload of the images.
    Any thoughts?

    Problem solved.
    I had to put the following lines in the specified "0000_any_80.my.website.conf" file:
            <Directory "/Library/WebServer/subdomain.domain">
                    Options All +MultiViews -ExecCGI -Indexes -Includes
                    AllowOverride None
                    # For Password protection
                    AuthType Digest
                    AuthName "Password Protection"
                    require valid-user
                    <IfModule mod_dav.c>
                            DAV Off
                    </IfModule>
            </Directory>

  • Proper user and group rights

    Dear readers and admins
    My question is about the "correct" setting of the user and group rights, so the following is possible. It relates to Server 10.3 and to 10.4.
    Requirements:
    Group 1 = "Regular user"
    Group 2 = "Administration, Accounting"
    User 1 and 2 belong to Group 1, users 3 and 4 belong to Group 2.
    User 1 & 2 must have read/write access to files and folders in Group 1, but may not have access to files and folders of Group 2.
    User 1 & 2 must be able to create and delete files and directories of Group 1, as if they were their own files and directories. I.e. User 2 must be able to delete or change files and directories that another user of Group 1 has created.
    User 3 & 4 must have read and write access to files and directories of Group 1 & 2. They must be able to create and change such files and directories, as if they were their own files and directories. I.e. User 3 & 4 must be able to create and change files and directories which belong to user 1 & 2.
    As I understand it, this can be achieved with ACL's under Server 10.6.
    Am I right?
    What would such a structure look like with ACL's?
    I unfortunately don't have a 10.6 server running, as my server is down due to technical problems.
    Thank you in advance for your help.
    A happy new year to all.
    Regards
    Thomas Thaler

    Yes - and it's pretty easy.
    1. You would create whatever share points you would like (very easy to do)
    2. You would make sure in Workgroup Manager you have the users assigned to the correct groups that you discussed.
    3. On the folders for Group 1 you would add ACL permissions of Full Control for Group 1 and Full Control for Group 2.
    4. On the folders for Group 2 you would add an ACL permission of Full Control for Group 2.
