Kontrol-Suporte
2018-Jun-24 23:32 UTC
[Samba] use spnego question - samba 47 to samba48 migration
Hi Rowland,

Thanks much for the help, as usual!

About Kerberos: Yes, I have implemented Kerberos and NTLM. I need both working.

About winbindd_privileged: Not sure what you mean with "I think you might want to check that again, the 'winbindd_privileged' dir went away quite some time ago." Shouldn't that folder be there anymore? Every time I install Samba47 or 48 it creates the folder with the "pipe" inside of it. I just needed to change the permissions/ownership of the folder. Isn't it OK to use it that way anymore?

About Lanman2: Hmmm... now you got me confused. I could swear that option was to force NTLMv2 as minimum. The idea is to force NTLMv2 as the minimum protocol. Should I use option "smb2" instead?

Thanks a lot,
Fabricio.

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Sunday, June 24, 2018 4:26 AM
To: samba at lists.samba.org
Subject: Re: [Samba] use spnego question - samba 47 to samba48 migration

On Sat, 23 Jun 2018 17:04:39 -0300 Kontrol-Suporte via samba <samba at lists.samba.org> wrote:
> Hello Gentlemen.
> OK, tests were made. I got some errors only when using Samba48 (samba47 is still fine). IMPORTANT: I forgot to mention... This is being used with SQUID Proxy for SSO authentication.
>
> Got NTLMSSP neg_flags=0xa2088207
> Got user=[user01] domain=[MYDOMAIN] workstation=[ADCONTROL01] len1=24 len2=338
> Login for user [MYDOMAIN]\[user01]@[ ADCONTROL01] failed due to [{Access Denied} A process has requested access to an object but has not been granted those access rights.]
> GENSEC login failed: NT_STATUS_ACCESS_DENIED
>
> I tried the new settings as suggested and also partial changes. Both are presenting the same behaviour. Nothing was changed on the AD side.
> I also re-checked the permissions/ownership on the "/var/db/samba4/winbindd_privileged" folder which is used by SQUID.

I think you might want to check that again, the 'winbindd_privileged' dir went away quite some time ago.

> To Rowland: You asked if I really need the "min protocol = LANMAN2" option. Well, the idea was to enforce a minimum security level.

I actually thought that, but 'LANMAN2'??? Why not 'NT1' at least. Have you considered using kerberos with squid?

Rowland
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2018-Jun-25 07:43 UTC
[Samba] use spnego question - samba 47 to samba48 migration
On Sun, 24 Jun 2018 20:32:20 -0300 Kontrol-Suporte via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
> Thanks much for the help, as usual!
>
> About Kerberos: Yes, I have implemented Kerberos and NTLM. I need both working.
> About winbindd_privileged: Not sure what you mean with "I think you might want to check that again, the 'winbindd_privileged' dir went away quite some time ago." Shouldn't that folder be there anymore? Every time I install Samba47 or 48 it creates the folder with the "pipe" inside of it. I just needed to change the permissions/ownership of the folder. Isn't it OK to use it that way anymore?

I was convinced that it had been removed, but no, it is still there, so yes you can still use it.

> About Lanman2: Hmmm... now you got me confused. I could swear that option was to force NTLMv2 as minimum. The idea is to force NTLMv2 as the minimum protocol. Should I use option "smb2" instead?

Try reading 'man smb.conf' where you will find this:

Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.

If you want to enforce NTLMv2, then either do not have an 'ntlm auth' line in smb.conf, or use this instead:

ntlm auth = mschapv2-and-ntlmv2-only

Rowland
Kontrol-Suporte
2018-Jun-25 22:51 UTC
[Samba] use spnego question - samba 47 to samba48 migration
Hi Rowland.

Very good point (man smb.conf). I found out that, if I have the line "client NTLMv2 auth = yes", then I don't need any other setting. Also, the min protocol is for the sharing purposes, not authentication. So, I am deleting the "min protocol" entry and keeping the "client NTLMv2 auth = yes". I am also using SPNEGO, which is required in this case.

After all these changes the samba48 is now working fine (Kerberos and NTLMv2) with SQUID.

Many thanks!! I appreciate it!

Fabricio

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Monday, June 25, 2018 4:44 AM
To: samba at lists.samba.org
Subject: Re: [Samba] use spnego question - samba 47 to samba48 migration

On Sun, 24 Jun 2018 20:32:20 -0300 Kontrol-Suporte via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
> Thanks much for the help, as usual!
>
> About Kerberos: Yes, I have implemented Kerberos and NTLM. I need both working.
> About winbindd_privileged: Not sure what you mean with "I think you might want to check that again, the 'winbindd_privileged' dir went away quite some time ago." Shouldn't that folder be there anymore? Every time I install Samba47 or 48 it creates the folder with the "pipe" inside of it. I just needed to change the permissions/ownership of the folder. Isn't it OK to use it that way anymore?

I was convinced that it had been removed, but no, it is still there, so yes you can still use it.

> About Lanman2: Hmmm... now you got me confused. I could swear that option was to force NTLMv2 as minimum. The idea is to force NTLMv2 as the minimum protocol. Should I use option "smb2" instead?

Try reading 'man smb.conf' where you will find this:

Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.

If you want to enforce NTLMv2, then either do not have an 'ntlm auth' line in smb.conf, or use this instead:

ntlm auth = mschapv2-and-ntlmv2-only

Rowland
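An added example, not code from the thread or from the Samba project: a small smb.conf audit that flags the two confusions discussed above, 'min protocol' (a synonym for 'server min protocol', which picks the lowest SMB dialect offered and says nothing about NTLM) and 'ntlm auth' (the server-side setting that actually decides whether NTLMv1 is accepted; 'client ntlmv2 auth' only governs what Samba's own client tools send). The two smb.conf fragments are constructed for illustration; the weak one mirrors the settings from the thread, the hardened one applies Rowland's advice.

```python
import configparser

# Constructed sample fragments (not the poster's real smb.conf).
WEAK_SMB_CONF = """
[global]
    workgroup = MYDOMAIN
    security = ads
    min protocol = LANMAN2
    ntlm auth = yes
    client NTLMv2 auth = yes
"""

HARDENED_SMB_CONF = """
[global]
    workgroup = MYDOMAIN
    security = ads
    ntlm auth = mschapv2-and-ntlmv2-only
    client NTLMv2 auth = yes
"""

# SMB1 dialects accepted by 'server min protocol', weakest first.
SMB1_DIALECTS = ("core", "coreplus", "lanman1", "lanman2", "nt1")

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; keys are lower-cased and single-spaced."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None)
    cp.optionxform = lambda k: " ".join(k.lower().split())
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def audit_auth_settings(text):
    """Return (parameter, value, finding) tuples for settings that weaken SMB/NTLM security."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    # 'min protocol' is a synonym for 'server min protocol'; LANMAN2 is an SMB1 dialect.
    for key in ("min protocol", "server min protocol"):
        if key in g and g[key].lower() in SMB1_DIALECTS:
            findings.append((key, g[key], "allows an SMB1 dialect; does not control the NTLM version"))
    # 'ntlm auth' is the server-side knob; 'yes' / 'ntlmv1-permitted' let NTLMv1 through.
    ntlm = g.get("ntlm auth", "ntlmv2-only")  # Samba's default has been ntlmv2-only since 4.5
    if ntlm.lower() in ("yes", "ntlmv1-permitted"):
        findings.append(("ntlm auth", ntlm, "permits NTLMv1; use ntlmv2-only or mschapv2-and-ntlmv2-only"))
    # 'client ntlmv2 auth' only affects what Samba's own client tools send, not what smbd accepts.
    if "client ntlmv2 auth" in g and "ntlm auth" not in g:
        findings.append(("client ntlmv2 auth", g["client ntlmv2 auth"],
                         "client-side only; server acceptance is governed by 'ntlm auth'"))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(name, audit_auth_settings(conf))
```

The same check can be pointed at a live file with `audit_auth_settings(open("/etc/samba/smb.conf").read())`; an empty list means neither an SMB1 floor nor NTLMv1 acceptance is configured.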