search for: lambrookschool

...convert sid S-0-0: NT_STATUS_NONE_MAPPED [ 2205]: request interface version (version = 28) [ 2205]: request location of privileged pipe [ 2205]: request misc info [ 2205]: pam auth LAMBROOK+tim.odriscoll child daemon request 13 [ 2160]: dual pam auth LAMBROOK+tim.odriscoll rpc_api_pipe: host mail3.lambrookschool.co.uk rpc_write_send: data_to_write: 376 rpc_read_send: data_to_read: 872 Plain-text authentication for user LAMBROOK+tim.odriscoll returned NT_STATUS_OK (PAM: 0) Finished processing child request 13 [ 2210]: request interface version (version = 28) [ 2210]: request location of privileged pipe getg...

Hello All, After updating to sernet-samba-4.6.4, ntlm_auth doesn't appear to work for me with challenge and nt-responses. I'm using ntlm_auth in freeradius to authenticate my wifi users against my AD. In sernet-samba-4.2.14 it was working perfectly. My freeradius server is an AD Member, and I've got two other sernet-samba-4.6.4 AD DC's. $ ntlm_auth --request-nt-key

Hi Rowland, On 27 May 2017 11:39: > Hmm, you mention: > > 'idmap_ldb:use rfc2307 = yes' and 'xidNumber' > > Is this on a DC or a Unix domain member ? This is on a DC. I only have two centOS7 AD DC's in my environment.. Tim

On 27 May 2017 12:45: On Sat, 27 May 2017 11:02:36 +0000 Tim ODriscoll <tim.odriscoll at lambrookschool.co.uk> wrote: > The other lines never did anything on a DC. Thank you, I've removed them now.. > Unless you manually add uidNumber attributes to users and gidNumber > attributes to groups, id mapping on a DC is done in idmap.ldb and > results in ID numbers in the 3000000 range....

On Sat, 27 May 2017 11:02:36 +0000 Tim ODriscoll <tim.odriscoll at lambrookschool.co.uk> wrote: > Hi Rowland, > > On 27 May 2017 11:39: > > Hmm, you mention: > > > > 'idmap_ldb:use rfc2307 = yes' and 'xidNumber' > > > > Is this on a DC or a Unix domain member ? > > This is on a DC. I only have two centOS7 AD DC&...

Hi Matthias, > Can you write up some of your findings please? I've not got my setup exactly as I want it yet. Once it's ready and I can document it, I will make it available. I also used the guide from freeradius, as well as many other snippets I found. Now I have to remove them all to see which ones are superfluous..

...{ process_limit = 1024 vsz_limit = 384 M } ssl_cert = </etc/ssl/certs/dovecot.pem ssl_key = </etc/ssl/private/dovecot.pem userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } protocol lda { mail_plugins = sieve acl quota postmaster_address = postmaster at lambrookschool.co.uk } protocol imap { mail_plugins = acl acl imap_acl quota imap_quota }

Thank you for your help on this, Rowland. A tweak of PAM and a restart of nscd and suddenly all my file permissions were back. You've saved my weekend :-) Tim

On 27 May 2017 16:07 > After thinking everything was fine, I'm now getting RPC failures on my Windows clients. > I can map a drive with 'net use..', but 'net user tim.odriscoll /domain' returns a 1722 error, 'The RPC server > is unavailable'. Turns out 'authconfig' (used to modify PAM files), also adds a few extra bits to smb.conf. It adds

Hi Kees, I assume you deployed the wifi profile via GPO? I wonder if I've got that part wrong, although seeing as I'm getting to the ntlm_auth prompt with the correct machine name format (with the $ at the end)? Tim

> You said earlier that you have set ntlm auth = mschapv2-and-ntlmv2-only Yes, I found that here: https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory > This means to reject NTLMv1, which MSCHAPv2 is cryptographically, unless the client makes special pleading that it used MSCHAPv2 with it's client. > This is related to the missing ntlm_auth option

On 29 May 2017 12:32 >When running 'winbindd -SFd5', I see a little more of the problem after I run my two ntlm_auth commands > one after the other. I believe the 'crap' part is an acronym for 'Challenge Response > Authentication Protocol', so why would it be failing? Edit2: wbinfo -a tim.odriscoll%<mypass> works perfectly, with the winbindd debug logs

Hello All, Is it possible to migrate from 4.2.14-SerNet-RedHat-23.el7 to samba-4.4.4-13.el7_3.x86_64 on centOS7? I've got two centos7 servers running sernet versions of samba. Both are AD DC's, with 600 users. If I run yum install samba4, I get a promising error back: Package samba-4.4.4-13.el7_3.x86_64 is obsoleted by 99:sernet-samba-4.2.14-23.el7.x86_64 which is already installed So,

Dear All, Well, this is very embarrassing.... It seems that running 'smbcontrol all reload-config' isn't sufficient for reloading the ntlm config parameters. I tried restarting the whole samba service on the DC my FR box was authenticating against (systemctl restart sernet-samba-ad) and my test laptop is now connected to the network on the correct VLAN. I apologise for wasting

Hi Marc, On 25 May 2017 10:25: > You can build Samba yourself. See Wiki. Thank you, that looks like the solution. Although I'm tempted to wait for 4.7 in case I break something.. > A migration documentation (package to self-compiled, self-compiled to > packages, or package to other packages) is currently work in progress. > Maybe I have it finished next week. Am I correct in

Dear All, I'm trying to setup FreeRADIUS to authenticate a machine account to grant access to wifi for domain-connected machines. I think I've got the GPO's set up properly and the CA deployed to the clients, as I'm not getting any errors there. The errors I'm getting are to do with ntlm_auth not authenticating my machine account. Everything looks OK (to me) on the command

On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: Unfortunately it's still erroring out: (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk (7) mschap: Client is using MS-CHAPv2 > Is this set as a UPN (with the realm appended) on the user? I don't see any UPN's in my AD record, only SPNs - unless I misunderstand you? I've run

Hello All, I've bitten the bullet and upgraded from sernet-samba-4.2 to 4.6.4-SerNet-RedHat-7.el7. Now my AD users don't show up in Linux, with the result that the [homes] share fails to connect. Other shares work fine, it's just the homes share. There doesn't appear to be any uidNumber mapping going on. I used to be able to use the unix command 'id' to show user info,

> I guess we have to look at the conf files then, first these two: Thank you for the config file snippets. I can confirm mine were almost identical, so I've tweaked them so that they are now exactly the same as yours except for the "--require-membership-of=example\authorization_groupname" line in ntlm_auth. Unfortunately it's still erroring out: (7) mschap: Creating