search for: adsecurity

...to the AD. We can change machine account passwords with `samba-tool user setpassword COMPUTERNAME$` This works, we have SUCCESS with `eapol_test` on the Radius server. The question is if it is save to set and use the machine account password. Microsoft says a lot about this password: https://adsecurity.org/?p=280 Does someone has an opinion or/and experience on that? Tobias -- collect at shift.agency

Hi, I'd like to report something here, so it will not happen to others. We moved all disabled users in our samba AD to a dedicated folder in ADUC, which we called 'disabled'. A little while after we did that, our network started 'falling apart'. Some things still worked, others did not. I could for example no longer start ADUC, some users could not logon or map drives, etc,

...with `samba-tool user >> setpassword COMPUTERNAME$` This works, we have SUCCESS with >> `eapol_test` on the Radius server. >> >> The question is if it is save to set and use the machine account >> password. Microsoft says a lot about this password: >> https://adsecurity.org/?p=280 >> >> Does someone has an opinion or/and experience on that? >> > > -- Arnaud FLORENT IRIS Technologies

Hi Mathias and all. Am Donnerstag, 24. März 2016, 13:26:12 CEST schrieb mathias dufresne: > Hi, > > I'm glad that helped you : ) > > About SPN, I found that link few days ago: > https://adsecurity.org/?page_id=183 > It tries to list the string values available usable for SPN. > > And it gives also that link: > http://social.technet.microsoft.com/wiki/contents/articles/717.service-princ > ipal-names-spns-setspn-syntax-setspn-exe.aspx That one is a technet paper to > explain...

...netlogon of \\servername\sysvol Well thats protected by windows these these days. Try with \\servername.domain.tld\netlogon or \\servername.domain.tld\sysvol Does that work? Yes, There is a whole chaper of this on the list somewhere.. Best is to read howto override this. https://adsecurity.org/?p=1405 and for you member server, how is you share setup. did you remove "authenticated users" ? if so best is that you add "domain computer" or authenticated users back. And if you did not remove "authenticated users" from the share. Please post your share...

Hi again, Am Montag, 14. März 2016, 00:44:47 CET schrieb Markus Dellermann: > Am Donnerstag, 10. März 2016, 10:41:34 CET schrieb mathias dufresne: > Hi, Mathias and all > thank you for your answer. > > > Hi all, > > > > SPN = servicePrincipalName > > > > A simple search returning all servicePrincipalName declared in your AD: > > ldbsearch -H $sam

KRBTGT isn't even Samba specific, the same applies to all Active Directory setups: > https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn745899(v=ws.11) > https://adsecurity.org/?p=483 On 2018-01-23 15:51, lists via samba wrote: > Hi, > > I'd like to report something here, so it will not happen to others. > > We moved all disabled users in our samba AD to a dedicated folder in > ADUC, which we called 'disabled'. > > A little whil...

any messages in the windows 10 event logs, that could give some extra insight. according to https://social.technet.microsoft.com/Forums/en-US/7f5207cc-b202-47fc-bbb8-9ebe46a31961/network-logon-script-failure?forum=WinPreview2014General >\\foo.lan\netlogon should work. but, https://adsecurity.org/?p=1405 has some good info about the latest patch about hardening GPO. (which imo wil be also in windows 10 ) im thinking it has to do also with this and since win10 is not RTM yet, that can be changed. Greetz, Louis >-----Oorspronkelijk bericht----- >Van: samba [mailto:samba-bo...

Hi, I'm glad that helped you : ) About SPN, I found that link few days ago: https://adsecurity.org/?page_id=183 It tries to list the string values available usable for SPN. And it gives also that link: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx That one is a technet paper to explain SPNs. I tried to read it but...

...ame.domain.tld\netlogon > > > or > > > \\servername.domain.tld\sysvol > > > > > > Does that work? Yes, > > > > > > There is a whole chaper of this on the list somewhere.. > > > Best is to read howto override this. > > > https://adsecurity.org/?p=1405 > > > > > > and for you member server, how is you share setup. > > > did you remove "authenticated users" ? > > > if so best is that you add "domain computer" or authenticated users > > back. > > > And if you did not...

...02:00 Markus Dellermann <li-mli at gmx.net>: > Hi Mathias and all. > Am Donnerstag, 24. März 2016, 13:26:12 CEST schrieb mathias dufresne: > > Hi, > > > > I'm glad that helped you : ) > > > > About SPN, I found that link few days ago: > > https://adsecurity.org/?page_id=183 > > It tries to list the string values available usable for SPN. > > > > And it gives also that link: > > > http://social.technet.microsoft.com/wiki/contents/articles/717.service-princ > > ipal-names-spns-setspn-syntax-setspn-exe.aspx That one is a...

...; Try with > > > > \\servername.domain.tld\netlogon > > or > > \\servername.domain.tld\sysvol > > > > Does that work? Yes, > > > > There is a whole chaper of this on the list somewhere.. > > Best is to read howto override this. > > https://adsecurity.org/?p=1405 > > > > and for you member server, how is you share setup. > > did you remove "authenticated users" ? > > if so best is that you add "domain computer" or authenticated users > back. > > And if you did not remove "authenticated us...

...>>>>> \\servername.domain.tld\sysvol >>>>> >>>>> Does that work? Yes, >>>>> >>>>> There is a whole chaper of this on the list somewhere.. >>>>> Best is to read howto override this. >>>>> https://adsecurity.org/?p=1405 >>>>> >>>>> and for you member server, how is you share setup. >>>>> did you remove "authenticated users" ? >>>>> if so best is that you add "domain computer" or authenticated users >>>> back. &g...

...etlogon >>>> or >>>> \\servername.domain.tld\sysvol >>>> >>>> Does that work? Yes, >>>> >>>> There is a whole chaper of this on the list somewhere.. >>>> Best is to read howto override this. >>>> https://adsecurity.org/?p=1405 >>>> >>>> and for you member server, how is you share setup. >>>> did you remove "authenticated users" ? >>>> if so best is that you add "domain computer" or authenticated users >>> back. >>>> And i...

...ervername.domain.tld\sysvol >>>>>> >>>>>> Does that work? Yes, >>>>>> >>>>>> There is a whole chaper of this on the list somewhere.. >>>>>> Best is to read howto override this. >>>>>> https://adsecurity.org/?p=1405 >>>>>> >>>>>> and for you member server, how is you share setup. >>>>>> did you remove "authenticated users" ? >>>>>> if so best is that you add "domain computer" or authenticated users >>&...

I was experiencing problems with Group Policy Objects. The Windows Event Viewer spits out so many different errors, most of them less than helpful, so Iwas seeking help here with some of those messages. In the end, and after many hours and even days of researching this problem, I seem to have pin-pointed the main issue to some simple permission irregularities that I don't know how to

...ERR_NETNAME_DELETED) >> 1 consecutive failure(s). >> Last success @ Sat Sep 17 19:25:44 2016 CEST >> >> This error propagates from dc2 to dc1 to dc3 back to dc1 and back to >> dc3 then it is gone. >> > After reading this https://adsecurity.org/?p=483 I tried to change the > krbtgt passwort using "samba-tool user setpassword krbtgt". > After that the remianing tickets using rc4 now also use aes256. Also > running "kinit Administrator; klist -e" show aes256 is used for ticket > and session encryption now...

...T failed, > result 64 (WERR_NETNAME_DELETED) > 1 consecutive failure(s). > Last success @ Sat Sep 17 19:25:44 2016 CEST > > This error propagates from dc2 to dc1 to dc3 back to dc1 and back to > dc3 then it is gone. > After reading this https://adsecurity.org/?p=483 I tried to change the krbtgt passwort using "samba-tool user setpassword krbtgt". After that the remianing tickets using rc4 now also use aes256. Also running "kinit Administrator; klist -e" show aes256 is used for ticket and session encryption now. Above article...

...;> 1 consecutive failure(s). >>> Last success @ Sat Sep 17 19:25:44 2016 CEST >>> >>> This error propagates from dc2 to dc1 to dc3 back to dc1 and back to >>> dc3 then it is gone. >>> >> After reading this https://adsecurity.org/?p=483 I tried to change the >> krbtgt passwort using "samba-tool user setpassword krbtgt". >> After that the remianing tickets using rc4 now also use aes256. Also >> running "kinit Administrator; klist -e" show aes256 is used for ticket >> and sessio...

Am 17.09.2016 um 17:07 schrieb Achim Gottinger via samba: > > > Am 17.09.2016 um 06:14 schrieb Achim Gottinger via samba: >> >> >> Am 17.09.2016 um 04:53 schrieb Achim Gottinger via samba: >>> >>> >>> Am 17.09.2016 um 03:24 schrieb r moulton via samba: >>>> On Fri, Sep 16, 2016 at 6:08 PM, Achim Gottinger via samba >>>>