Displaying 20 results from an estimated 30 matches for "authn".

2023 Oct 22
1
Question about silos and Authentication policies
...assignment to the user and the host will be done at the same time. So now my policy looks like that: ------------- root@addc-01:~# samba-tool domain auth policy view --name=winclient-pol { "cn": "winclient-pol", "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net", "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net", "instanceType": 4, "msDS-AuthNPolicyEnf...
2023 Oct 23
2
Question about silos and Authentication policies
...> the host will be done at the same time. So now my policy looks like that: > ------------- > root@addc-01:~# samba-tool domain auth policy view --name=winclient-pol > { > "cn": "winclient-pol", > "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN > Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net", > "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy > Configuration,CN=Services,CN=Configuration,DC=example,DC=net", > "instanceType": 4, > "...
2023 Oct 23
2
Question about silos and Authentication policies
...o now my policy looks like > > that: > > ------------- > > root@addc-01:~# samba-tool domain auth policy view -- > > name=winclient-pol > > { > > "cn": "winclient-pol", > > "distinguishedName": "CN=winclient-pol,CN=AuthN > > Policies,CN=AuthN > > Policy > > Configuration,CN=Services,CN=Configuration,DC=example,DC=net", > > "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy > > Configuration,CN=Services,CN=Configuration,DC=example,DC=net", > >...
2023 Oct 30
2
Question about silos and Authentication policies
I was playing around again with Windows and when you add members to silos, or remove them, it should not set/unset assigned silo on the user. So I've got a new pull request in Draft state still where I remove that functionality, as well as add some new commands to samba-tool user command. It turned out to be easier to add sub commands to user, as edit user wasn't quite what I thought
2012 May 15
1
would like to use samba3 pdc, no ldap account backend db, but use ldap for authN
...not use LDAP as the account backend database, and 3) specify samba to use but use "encrypt passwords = true", and 4) use an ldap server as the authentication source for samba. Is that possible? I'd assumed it would be given that samba is pam-aware, and I can tell pam to use ldap for authN. However, the man page for smb.conf seems to say no, as it says that "obey pam restrictions = true" will be ignored when "encrypt password" is set to true. Am I understanding this correctly? Is there a work-around? I don't want to add the samba schema to my existing ldap...
2012 May 09
2
AD and SAMBA
Hello all, I am trying to understand how SAMBA finds nearest Domain Controller when configured to use Active Directory for AuthN. There are some great articles and wikis about how to configure SAMBA against AD, but couldn't find much on what I was looking for. For example 1. Does Samba have built in dc locator functionality like windows clients ? 2. What is the default authN it uses, NTLM or Kerb ? 3. I understand from...
2020 Sep 24
0
Can't connect after AuthN: NT_STATUS_ACCESS_DENIED
...All necessary ports are open (137-139, 445). > > I'm stuck at this point. Makes zero sense to me. I have a very similar set > up in another CentOS 8 box that works flawlessly as every other > installation I've done in 20 years. > > [Snipped lines above that show successful AuthN, forced mapping to "Domain > Users", etc. all correct] > colive-12867 (ipv4:172.16.112.1:56106) connect to service IPC$ initially > as user chris (uid=1000, gid=1000) (pid 98051) > [2020/09/23 19:03:37.024156, 3] > ../../source3/rpc_server/srv_pipe.c:751(api_pipe_bind_r...
2013 May 06
1
Is it possible to make Samba4 use an external LDAP server for authN, and its own internal LDAP server for all other LDAP purposes?
My company uses 389-ds for its LDAP service, and all services are configured to use that LDAP for authentication. I'd like to start using Samba4 as an AD DC, in order to control/manage MsWin computers. It was simplest to me to install Samba4 configured to use its own internal LDAP server, rather than make it use my existing 389-ds LDAP server. However, I want Samba4 to authenticate to the
2020 Sep 28
1
custom userdb server, Exim, and proxying
...ation. Dovecot, in turn, consults a custom internal server that answers Dovecot's userdb queries. When IMAP connections arrive, for some users we want to forward those connections--without authentication--to an external IMAP server. For these users, we return "proxy_maybe" and "nopassword" in the authn response from our userdb server. This tells Dovecot to proxy the connection to a new server without trying to authenticate. Exim, though, doesn't grok "proxy_maybe", so it just sees "nopassword". In response, it just skips SMTP authentication entirely. We could address this if our custom servic...
2020 Sep 24
1
Can't connect after AuthN: NT_STATUS_ACCESS_DENIED
...39, 445). > > > > I'm stuck at this point. Makes zero sense to me. I have a very similar > set > > up in another CentOS 8 box that works flawlessly as every other > > installation I've done in 20 years. > > > > [Snipped lines above that show successful AuthN, forced mapping to > "Domain > > Users", etc. all correct] > > colive-12867 (ipv4:172.16.112.1:56106) connect to service IPC$ > initially > > as user chris (uid=1000, gid=1000) (pid 98051) > > [2020/09/23 19:03:37.024156, 3] > > ../../source3/rpc_se...
2020 Sep 24
2
Can't connect after AuthN: NT_STATUS_ACCESS_DENIED
...s getting through properly. All necessary ports are open (137-139, 445). I'm stuck at this point. Makes zero sense to me. I have a very similar set up in another CentOS 8 box that works flawlessly as every other installation I've done in 20 years. [Snipped lines above that show successful AuthN, forced mapping to "Domain Users", etc. all correct] colive-12867 (ipv4:172.16.112.1:56106) connect to service IPC$ initially as user chris (uid=1000, gid=1000) (pid 98051) [2020/09/23 19:03:37.024156, 3] ../../source3/rpc_server/srv_pipe.c:751(api_pipe_bind_req) api_pipe_bind_req: l...
2023 Feb 23
1
Redundant Database, Pgsql ?
On Wed, 2023-02-22 at 11:08 +0000, Marc wrote: > I don't even get what the advantages are of doing this with sql. If you > use local replicated ldap and use local credential caching then your > master ldap can go down without issues, even the local caching handle > some local slapd issues. Going to have to +1 this. LDAP also does
2006 Aug 24
9
[slightly offtopic] A small, fast Apache2.2 (if there is such a thing)
Hi. I'm using Apache2.2 built from source + mod-proxy + ssl + svn. Everything works fine but I'm sure I could disable a ton of modules during the build process and in httpd.conf to speed things up and run a tighter memory footprint. Has anyone bothered building Apache2.2 from source disabling all the unneeded modules? I am planning on going through the Apache docs but I
2024 Feb 08
2
Authentication using federated identity
I know that there are some methods to use federated identities (e.g. OAuth2) with SSH authentication but, from what I've seen, they largely seem clunky and require users to interact with web browsers to get one time tokens. Which is sort of acceptable for occasional logins but doesn't work with automated/scripted actions. I'm just wondering if anyone has done any work on this or
2006 Aug 29
28
Stability of Rails
I've seen a lot of issues regarding the stability of Rails apps. I'm charged with investigation of Rails for my company and I've looked at numerous forums, groups, etc. (Textdrive, here, etc.) and it *seems* like there is a stability problem with Rails (ie: crashes, etc.) Is this as common as it looks, or is this tied to things like Lighttpd (web server) or Typo
2011 Jun 22
0
Logging failed attempts to correct usernames
[ using FreeBSD 8.2, but I don't think the problem is specific to their port ] For fail2ban purposes I'd like to log failed SSH authentication attempts of correct (i.e., existing) usernames. I have no issue with the logging of authn attempts to non-existing usernames. I've tried to set LogLevel=VERBOSE and MaxAuthAttempts=1 in sshd_config, but even then I didn't see /var/log/auth.log entries for failed login attempts from a third host to an existing username. (I didn't spot any other relevant knobs in sshd_config...
2005 Sep 24
0
question regarding Perl + PAM + Winbindd
...ervice foobar), the winbind log shows that the user is authenticated only using Plain-text. Why not challenge-response? ****************************************** package FOO::PAM; use Authen::SimplePam; use strict; sub is_good_pam { my ($user, $pass) = @_; my $service = "foobar"; my $authn = new Authen::SimplePam(); if ($authn->auth_user($user, $pass, $service) eq 1) { debug("success, returning 1"); return 1; } else { debug("failure, returning 0 with user=$user and pass=$pass"); return 0; } } 1; ****************************************** Here is the output from...
2014 Feb 09
1
master user and ACL's
...read in the docs that: "Master user is still subject to ACLs just like any other user, which means that by default the master user has no access to any mailboxes of the user." ... and that the standard workaround is to return master_user=%u from the userdb. But why is the master_user authn-id used in the ACLs and not the authz-id (requested-login-user) ? Isn't the whole point of SASL authz-id semantics to have authorization resolved based on the authz-id? /Peter
2015 May 11
6
Authenticating Apache Against Active Directory
Hello, Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate users against Samba 4.2.1. When I edit 'apache2.conf' with <Directory /> Options FollowSymLinks AllowOverride None Require all granted Allow from all AuthName "AD authentication" AuthBasicProvider ldap AuthType Basic AuthLDAPGroupAttribute member AuthLDAPGroupAttributeIsDN On AuthLDAPURL ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*) AuthLDAPBind...
2015 Feb 25
2
Proxying of non "plain" SASL mechanisms.
...rationale for not just forwarding the SASL handshake. - First, blindly forwarding will not do, since the mech data has to be decoded anyway to do any per/user passdb lookup (to, say, find the target host). But you don't need authentication to actually succeed to do that. You only need AuthZ-id or AuthN-id. - Secondly, the design of the interaction between imap-login processes and the auth-service in general prevent in general to forward multi-handshake SASL mechanisms, since the authentication must be done before the proxying can be started. But it doesn't prevent forwarding of single handsh...