search for: ca_only

Displaying 16 results from an estimated 16 matches for "ca_only".

2023 Jun 05
8
[Bug 3577] New: CASignatureAlgorithms supports -cert algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=3577 Bug ID: 3577 Summary: CASignatureAlgorithms supports -cert algorithms Product: Portable OpenSSH Version: 9.3p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh Assignee: unassigned-bugs at
2018 Feb 16
1
idmap config ad: can't resolve domain users' uids
...log file = /var/log/samba/log.%m interfaces = eth0, lo bind interfaces only = Yes tls enabled = yes tls keyfile = /opt/samba/private/tls/addc.key tls certfile = /etc/ssl/certs/addc.pem tls cafile = /etc/ssl/certs/DigiCertCA.crt tls verify peer = ca_only printcap name = /dev/null ldap server require strong auth = allow_sasl_over_tls # idmap config for the EXAMPLEAD domain idmap config EXAMPLEAD : backend = ad idmap config EXAMPLEAD : schema_mode = rfc2307 idmap config EXAMPLEAD : range = 1005-999999 idmap config * : backend =...
2018 Aug 29
2
gencache.tdb size and cache flush
...mba/log.%m # ldap debug level = 3 interfaces = eth0, lo bind interfaces only = Yes tls enabled = yes tls keyfile = /opt/samba/private/tls/addc.key tls certfile = /etc/ssl/certs/addc.pem tls cafile = /etc/ssl/certs/DigiCertCA.crt tls verify peer = ca_only ldap server require strong auth = allow_sasl_over_tls printcap name = /dev/null load printers = no printing = bsd idmap_ldb:use rfc2307 = yes template shell = /bin/mosh template homedir = /homel/%U kerberos method = secrets and keytab [netlogon] path = /opt/samba/var/locks/...
2016 May 11
2
Change Password after expired
...g CHRONO-DOM : range = 10000-29999 > winbind nss info = rfc2307 > winbind enum users = yes > winbind enum groups = yes > acl map full control = yes > syslog = 0 > log level = 7 auth:10 winbind:10 > tls verify peer = ca_only > > [netlogon] > path = /var/lib/samba/sysvol/chrono-dom.lan/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > On the LAMP server with LTB Self Service Password and other web apps i > con...
2016 May 10
3
Change Password after expired
In some customer yes, but they are with LTSP (pxe boot) where another use graphical interface, but would rather have a web interface to change the password. This would also be used for Windows stations off the field. On 10-05-2016 16:05, Rowland Penny wrote: > Not even on the clients ??
2016 May 11
1
Change Password after expired
...nd nss info = rfc2307 >>> winbind enum users = yes >>> winbind enum groups = yes >>> acl map full control = yes >>> syslog = 0 >>> log level = 7 auth:10 winbind:10 >>> tls verify peer = ca_only >>> >>> [netlogon] >>> path = /var/lib/samba/sysvol/chrono-dom.lan/scripts >>> read only = No >>> >>> [sysvol] >>> path = /var/lib/samba/sysvol >>> read only = No >>> >>>...
2023 Nov 14
0
[PATCH v3 2/2] Permit %L and %l percent escapes in sshd Include
...clude_list *includes) { - char *str, ***chararrayptr, **charptr, *arg, *arg2, *p, *keyword; + char *str, ***chararrayptr, **charptr, *arg, *arg2, *arg_pre, *p, *keyword; + char thishost[NI_MAXHOST], shorthost[NI_MAXHOST]; int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found; int ca_only = 0; SyslogFacility *log_facility_ptr; @@ -2130,6 +2131,12 @@ process_server_config_line_depth(ServerOptions *options, char *line, fatal("Include directive not supported as a " "command-line option"); } + + if (gethostname(thishost, sizeof(thishost)) == -1) +...
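Review bot: the gethostname(thishost, sizeof(thishost)) call added right after the command-line Include check sits inside process_server_config_line_depth(), so it runs again for every Include line that is parsed, and nothing in the visible lines guarantees that thishost is NUL-terminated. POSIX leaves termination unspecified when the name is truncated, so I would set thishost[sizeof(thishost) - 1] = '\0' after the call, or resolve the hostname once outside the per-line parser and pass it in. The excerpt ends before the failure branch, so the handling of the == -1 case still needs a look in the full patch.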
2016 Apr 12
0
[Announce] Samba 4.4.2, 4.3.8 and 4.2.11 Available for Download
...ient connections using ncacn_http (with https://), which are only used by the openchange project. Support for ncacn_http was introduced in version 4.2.0. The security patches will introduce a new option called "tls verify peer". Possible values are "no_check", "ca_only", "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible". If you use the self-signed certificates which are auto-generated by Samba, you won't have a crl file and need to explicitly set "tls verify peer = ca_and_name". o...
2016 Apr 12
0
[Announce] Samba 4.4.2, 4.3.8 and 4.2.11 Available for Download
...ient connections using ncacn_http (with https://), which are only used by the openchange project. Support for ncacn_http was introduced in version 4.2.0. The security patches will introduce a new option called "tls verify peer". Possible values are "no_check", "ca_only", "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible". If you use the self-signed certificates which are auto-generated by Samba, you won't have a crl file and need to explicitly set "tls verify peer = ca_and_name". o...
2018 Sep 06
0
Authenticating against Samba 4 AD LDAP service
...ba_AD_DC That's the strange part. I have set up using TLS certificate (Lets Encrypt) as recommended in guide. When I do # ldbsearch -U Administrator --password='[password]' -H ldaps://dc.ad-lan.com:636 I get TLS ../source4/lib/tls/tls_tstream.c:1609 - check failed for verify_peer[ca_only] and peer_name[dc.ad-lan.com] status 0x42 (invalid signer_not_found ) Failed to connect to ldap URL 'ldaps://dc.ad-lan.com:636' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER Failed to connect to 'ldaps://dc.ad-lan.com:636' with backend 'ldaps': LDAP client int...
2018 Aug 29
0
gencache.tdb size and cache flush
...> interfaces = eth0, lo > bind interfaces only = Yes > tls enabled = yes > tls keyfile = /opt/samba/private/tls/addc.key > tls certfile = /etc/ssl/certs/addc.pem > tls cafile = /etc/ssl/certs/DigiCertCA.crt > tls verify peer = ca_only > ldap server require strong auth = allow_sasl_over_tls > > printcap name = /dev/null > load printers = no > printing = bsd > > idmap_ldb:use rfc2307 = yes > template shell = /bin/mosh > template homedir = /homel/%U > kerberos method = secrets an...
2023 Nov 14
1
[PATCH v3 1/2] Permit %L and %l percent escapes in ssh Include
This allows the localhost percent-style escapes in arguments to the Include directive. These are useful for including host-specific ssh configuration. --- readconf.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/readconf.c b/readconf.c index a2282b562df0..ad47d0e9730a 100644 --- a/readconf.c +++ b/readconf.c @@ -1030,7 +1030,8 @@
2023 Dec 20
2
[PATCH RESEND 0/2] Permit %L and %l percent escapes in Include
Using these escapes, the include directive can be crafted to include differing, host-specific configuration. Ronan Pigott (2): Permit %L and %l percent escapes in ssh Include Permit %L and %l percent escapes in sshd Include readconf.c | 16 +++++++++++++--- servconf.c | 17 ++++++++++++++--- 2 files changed, 27 insertions(+), 6 deletions(-) base-commit:
2016 May 11
0
Change Password after expired
...>> winbind nss info = rfc2307 >> winbind enum users = yes >> winbind enum groups = yes >> acl map full control = yes >> syslog = 0 >> log level = 7 auth:10 winbind:10 >> tls verify peer = ca_only >> >> [netlogon] >> path = /var/lib/samba/sysvol/chrono-dom.lan/scripts >> read only = No >> >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> >> On the LAMP server with LTB Self Servi...
2018 Sep 05
2
Authenticating against Samba 4 AD LDAP service
Also: -H ldap://10.100.0.4 should probably be ldaps://URI You can potentially this in smb.conf, but that is definitely not recommended. https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC Kris Lou klou at themusiclink.net On Wed, Sep 5, 2018 at 2:10 AM, Rowland Penny via samba < samba at lists.samba.org> wrote: > On Wed, 05 Sep 2018 15:46:04 +0700
2016 May 11
1
Change Password after expired
...: backend = ad idmap config CHRONO-DOM : range = 10000-29999 winbind nss info = rfc2307 winbind enum users = yes winbind enum groups = yes acl map full control = yes syslog = 0 log level = 7 auth:10 winbind:10 tls verify peer = ca_only [netlogon] path = /var/lib/samba/sysvol/chrono-dom.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No On the LAMP server with LTB Self Service Password and other web apps i configure the ldap.conf with TLS_CACERT /etc/ssl/ca_c...