Pcap attached.

My samba config:

[global]
        netbios name = DC1
        realm = XXXX.LOCAL
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = XXXX
        log level = 1 auth_audit:3@/var/log/samba/auth.log
        log file = /var/log/samba/%m.log

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/wenus.local/scripts
        read only = No

On 1.11.2024 at 01:48, Douglas Bagnall wrote:
> On 1/11/24 04:06, Programnet via samba wrote:
>> I just want to make sure that Samba LDAP does not support ntlmsspNegotiate authentication and I will have to switch to
>> Windows Server?
> That sounds like an inaccurate conclusion. ntlmssp is not new.
>
> If you are looking at the conversation in Wireshark, you could
> tell us what the packets are actually saying, or you could
> show us your smb.conf and somebody will point out flaws
> (not me, I don't know that stuff).
>
> Douglas
>
>
>> On 29.10.2024 at 13:42, Programnet via samba wrote:
>>> Hello Everyone
>>>
>>> I am using samba 4.20.5 with debian backport. I have the FortiClientEMS tool which connects to LDAP to get data.
>>> FortiClientEMS version 7.0.x worked with Samba without any problem. Unfortunately the newer version 7.2.x no longer works.
>>> I noticed while examining Wireshark traffic that version 7.0.x connects using authentication: sasl (3). The new version
>>> 7.2.x uses authentication: ntlmsspNegotiate (10) and LDAP terminates the connection.
>>>
>>>
>>> Can I configure Samba to solve my problem? I also tested on Samba version 4.17.x. I checked on Windows Server 2012 and
>>> 2022 and this problem does not occur there.
>>>
>>> Best regards, Tomasz Świderski
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
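As an added illustration of what Douglas asks for (this is not code from the thread or from Samba): a small Python decoder that reads the BindRequest authentication CHOICE tag out of raw LDAP PDUs and names it the way Wireshark does, so the sasl (3) versus ntlmsspNegotiate (10) difference Tomasz describes can be pulled from a capture's reassembled TCP payload without the GUI. The sample PDUs are constructed here with dummy token bytes; the tag numbers follow RFC 4511 and the Microsoft Sicily extensions.

```python
# Tag numbers of the LDAP BindRequest authentication CHOICE (RFC 4511 plus
# the Microsoft "Sicily" NTLM extensions), mapped to the label Wireshark prints.
AUTH_NAMES = {
    0: "simple",
    3: "sasl",
    9: "sicilyPackageDiscovery",
    10: "ntlmsspNegotiate",  # sicilyNegotiate in MS-ADTS terms
    11: "ntlmsspAuth",       # sicilyResponse
}

def _tlv(buf, pos):
    """Decode one BER TLV starting at pos: (tag_byte, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_bind(pdu):
    """Return (messageID, auth_name) for one LDAPMessage holding a BindRequest."""
    tag, body, _ = _tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msgid, pos = _tlv(body, 0)            # messageID INTEGER
    tag, bind, _ = _tlv(body, pos)           # protocolOp
    if tag != 0x60:                          # [APPLICATION 0] BindRequest
        raise ValueError("protocolOp is not a BindRequest")
    _, _, pos = _tlv(bind, 0)                # version INTEGER
    _, _, pos = _tlv(bind, pos)              # name LDAPDN
    auth_tag = bind[pos] & 0x1F              # CHOICE tag number, class bits dropped
    return int.from_bytes(msgid, "big"), AUTH_NAMES.get(auth_tag, f"unknown({auth_tag})")

def classify_stream(data):
    """Classify every BindRequest in a reassembled client-to-server TCP payload."""
    out, pos = [], 0
    while pos < len(data):
        _, _, nxt = _tlv(data, pos)
        out.append(classify_bind(data[pos:nxt]))
        pos = nxt
    return out

# Constructed samples with dummy token bytes (not taken from the poster's pcap).
def _ber(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths only

def _bind_request(msgid, auth_tlv):
    bind = _ber(0x02, b"\x03") + _ber(0x04, b"") + auth_tlv   # version 3, empty name
    return _ber(0x30, _ber(0x02, bytes([msgid])) + _ber(0x60, bind))

SASL_BIND = _bind_request(1, _ber(0xA3, _ber(0x04, b"GSS-SPNEGO") + _ber(0x04, b"\x60\x06TOKEN!")))
NTLMSSP_BIND = _bind_request(2, _ber(0x8A, b"NTLMSSP\x00\x01\x00\x00\x00"))
```

Feed `classify_stream` the client-to-server bytes of the LDAP connection (for example a tshark/Wireshark "Follow TCP Stream" export) and each bind shows up as its messageID and Wireshark-style authentication name.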
On Sat, 2 Nov 2024 09:46:20 +0100
Programnet via samba <samba at lists.samba.org> wrote:

> In attach pcap
>
> My samba config
> [global]
>         netbios name = DC1
>         realm = XXXX.LOCAL
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = XXXX
>         log level = 1 auth_audit:3@/var/log/samba/auth.log
>         log file = /var/log/samba/%m.log
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [netlogon]
>         path = /var/lib/samba/sysvol/wenus.local/scripts
>         read only = No
>

If you are going to sanitise your smb.conf, do it everywhere :-)

If your TLD is '.local', then I take it you missed that it is reserved
for Bonjour and Avahi, so if Avahi is running on the DC, you should
turn it off (and everywhere else in your domain).

You also seem to be running Bind9, is this set up correctly? Please post
the contents of:

/etc/bind/named.conf
/etc/bind/named.conf.options
/etc/bind/named.conf.local

I don't use forticlient, but it seems there are various ways to connect
to it, which variant are you using?

Rowland