search for: krb5auth

Hi, I'm having trouble realizing a krb5auth with pam_winbind with trusted domain users (external trust) on our clients. The client is joined to a local domain, which has a "external trust" to a global domain. The following things are working for all users (local and trusted domain): "wbinfo -i" "wbinfo --pam-logo...

...ntlm_auth --request-lm-key --username=username Password: NT_STATUS_OK: Success (0x0)   3 ntlm_auth --username=username --ntlmv2 Password: NT_STATUS_OK: Success (0x0)   4 ntlm_auth --username=username --lanman Password: NT_STATUS_OK: Success (0x0)   5 ntlm_auth --username=username --krb5auth=username Password: NT_STATUS_OK: Success (0x0)     But... 6 ntlm_auth --diagnostics --username=username Password: Wrong Password (0xc000006a) Wrong Password (0xc000006a) Wrong Password (0xc000006a) Wrong Password (0xc000006a) Wrong Password (0xc000006a) Wrong Password (0xc000006a) W...

...nternal.domain.tld@ = root Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Andreas Hauffe via samba > Verzonden: dinsdag 22 augustus 2017 9:36 > Aan: Andreas Hauffe via samba > Onderwerp: [Samba] Winbind with krb5auth for trust users > > Hi, > > I'm having trouble realizing a krb5auth with pam_winbind with > trusted domain users (external trust) on our clients. The > client is joined to a local domain, which has a "external > trust" to a global domain. > > The follo...

Hi, the external trust, we have, is a one directional external trust. So users of the trusted dom can logon on local dom clients, but not the other way around. In case of "wbinfo -a" all communication is between the client and the domain controller of the local domain, which is the proxy for the auth process. In case of "wbinfo -K" all communication is between the client

...ch as possible to the default settings. Im testing the following.   ntlm_auth --request-nt-key --username=someTestUser ntlm_auth --request-lm-key --username=someTestUser ntlm_auth --username=someTestUser --ntlmv2 ntlm_auth --username=someTestUser –lanman ntlm_auth --username=someTestUser --krb5auth=someTestUser ntlm_auth --diagnostics --username=someTestUser wbinfo -a someTestUser wbinfo --krb5auth=someTestUser wbinfo --krb5auth='NTDOM\someTestUser' wbinfo --krb5auth='someTestUser@ INTERNAL.DOMAIN.TLD’     Situation . Samba AD DC. 4.5.3 Config : ( left out the shares, th...

...> Hai, > > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >> Andreas Hauffe via samba >> Verzonden: dinsdag 22 augustus 2017 11:26 >> Aan: samba at lists.samba.org >> Onderwerp: Re: [Samba] Winbind with krb5auth for trust users >> >> Hi, >> >> thanks for the fast answer. >> >> All DCs (local and trusted domain) running on Windows Server >> 2012. The client is running on OpenSUSE Leap 42.3. The samba >> version is 4.6.5. >> >> Right now I'm a s...

Hai, > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Andreas Hauffe via samba > Verzonden: dinsdag 22 augustus 2017 11:26 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Winbind with krb5auth for trust users > > Hi, > > thanks for the fast answer. > > All DCs (local and trusted domain) running on Windows Server > 2012. The client is running on OpenSUSE Leap 42.3. The samba > version is 4.6.5. > > Right now I'm a step before nfs. At first I just wa...

Hi, I already added the two lines in smb.conf for my last test. Andreas [global]        security = ADS        workgroup = LOC        realm = LOC.EXAMPLE.COM        dedicated keytab file = /etc/krb5.keytab        kerberos method = secrets and keytab        log file = /var/log/samba/%m.log        log level = 1        template homedir = /home/%D/%U        template shell = /bin/bash

On Tue, 22 Aug 2017 17:18:59 +0200 Andreas Hauffe via samba <samba at lists.samba.org> wrote: > Hi, > > the external trust, we have, is a one directional external trust. So > users of the trusted dom can logon on local dom clients, but not the > other way around. In case of "wbinfo -a" all communication is between > the client and the domain controller of the

Hi, sorry for not reading the comment above idmap config. I uninstalled and reinstalled samba and configs to remove all old id mappings and so on. Then changed all configs as adviced. The id mapping is working correctly (wbinfo -i) for local and trusted domain. But I still cannot logon with wbinfo -K with a trusted domain account. Andreas Am 22.08.2017 um 12:59 schrieb Rowland Penny via

On Tue, 22 Aug 2017 13:51:24 +0200 Andreas Hauffe via samba <samba at lists.samba.org> wrote: > Hi, > > sorry for not reading the comment above idmap config. I uninstalled > and reinstalled samba and configs to remove all old id mappings and > so on. Then changed all configs as adviced. The id mapping is working > correctly (wbinfo -i) for local and trusted domain. But I

See inline comments: On Tue, 22 Aug 2017 12:20:04 +0200 Andreas Hauffe via samba <samba at lists.samba.org> wrote: > Hi, > > hier are the file. I replaced the real domain/realm name by > "search&replace", so there should not be a typping error in my file > concernig the realm or domain names. > > Regards, > Andreas > > client:~ # more

...rd authentication failed wbcAuthenticateUserEx(TEST\protecteduser): error code was NT_STATUS_ACCOUNT_RESTRICTION (0xc000006e) error message was: Account restriction Could not authenticate user TEST\protecteduser with challenge/response Whereas Kerberos auth works ok root at test-01:~# wbinfo --krb5auth 'TEST\protecteduser%XXXX' plaintext kerberos password authentication for [TEST\protecteduser%XXXX] succeeded (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0 when we have a regular user from the same win2k client that is not part of "Protected User", plaint...

Hi Rowland, I tried both pam winbind & also samba with fix for CVE-2018-1139. But still cannot get windows 2016 "protected users" to work with samba. Note that "wbinfo --krb5auth" manages to authenticate. This I see it uses WINBIND_PAM_AUTH & not WINBIND_PAM_AUTH_CRAP. I dont see how to switch to WINBIND_PAM_AUTH instead of AUTH_CRAP. Any further insights? Thanks! --Shyam On Tue, 14 Aug 2018 19:18:42 +0530 Shyam Kaushik <shyam at zadarastorage.com> wrote:...

I just updated Samba on Gentoo due to a security vulnerability and the authentication for domain accounts is now failing. Has anyone else seen this? -- Jas

I have been ready everything I can regarding this setup but am having a problem that I am unsure of. I am unable to authenticate any user despite the following commands working: %> getent passwd <username> %> wbinfo -u %> wbinfo -g With the getent passwd I am able to see all of my UID/GID being mapped via winbdind to the rid of the domain user account. This command fails: %>

...ticateUserEx(TEST\protecteduser): error code was > NT_STATUS_ACCOUNT_RESTRICTION (0xc000006e) > error message was: Account restriction > Could not authenticate user TEST\protecteduser with > challenge/response > > Whereas Kerberos auth works ok > root at test-01:~# wbinfo --krb5auth 'TEST\protecteduser%XXXX' > plaintext kerberos password authentication for > [TEST\protecteduser%XXXX] succeeded (requesting cctype: FILE) > credentials were put in: FILE:/tmp/krb5cc_0 > > when we have a regular user from the same win2k client that is not > part of &quo...

...rd authentication failed wbcAuthenticateUserEx(TEST\protecteduser): error code was NT_STATUS_ACCOUNT_RESTRICTION (0xc000006e) error message was: Account restriction Could not authenticate user TEST\protecteduser with challenge/response Whereas Kerberos auth works ok root at test-01:~# wbinfo --krb5auth 'TEST\protecteduser%XXXX' plaintext kerberos password authentication for [TEST\protecteduser%XXXX] succeeded (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0 when we have a regular user from the same win2k client that is not part of "Protected User", plaint...

...> > NT_STATUS_ACCOUNT_RESTRICTION (0xc000006e) > > error message was: Account restriction > > Could not authenticate user TEST\protecteduser with > > challenge/response > > > > Whereas Kerberos auth works ok > > root at test-01:~# wbinfo --krb5auth 'TEST\protecteduser%XXXX' > > plaintext kerberos password authentication for > > [TEST\protecteduser%XXXX] succeeded (requesting cctype: FILE) > > credentials were put in: FILE:/tmp/krb5cc_0 > > > > when we have a regular user from the same win2k cl...