search for: libpam_krb5

...ttings. # /opt/ssh/sbin/sshd -o "usepam yes" -o "challengeresponseauthentication no" -o "kerberosauthentication no" -o "passwordauthentication yes" -o "kerberosorlocalpasswd no" Authentication ,Password management modules were set to "libpam_krb5.so.1" and Session,Account management modules were set to "libpam_unix.so.1" in pam configuation file. During ssh conneciton, Kerberos password got succeeded when the ssh client was prompted for password. This violates the steps commented in sshd_config file.Can anyone clarify th...

As the unix servers  running linux (I know some people wouldn't call that real unix) or a "real" unix like Solaris ? Linux has sssd which can make things simpler. In either case you probably need a proxy account for the unix system to retrieve user and group info (not passwords) via LDAP. On 09/11/18 03:56, Rowland Penny via samba wrote: > On Tue, 11 Sep 2018 08:56:35 +0200

...b5 installed, I have on my system : > yum list krb5-workstation pam_krb5 > krb5-workstation.x86_64 1.15.1-37.el7_6 @updates > pam_krb5.x86_64 2.4.8-6.el7 @base > > Is pam_krb5 equivalent to libpam-krb5 on centos 7 ? Sorry for the late reply, yes pam_krb5 is the Centos equivalent of libpam_krb5 I think we need to see your entire smb.conf and the passwd & group lines from /etc/nsswitch.conf Rowland

...rectory, so if the machine you are trying to join as a DC cannot find the KDC via dns, then it is likely to have problems later. You must have working dns before the join. I have read your join howto and have the following comments, based on my experience. I would also install libpam_winbind and libpam_krb5 /etc/krb5.conf needs to be only this: [libdefaults] default_realm = MONDOMAINE.LAN dns_lookup_realm = false dns_lookup_kdc = true I would stop smbd, nmbd, winbind before the join I would run the join command like this: samba-tool domain join mondomaine.lan DC -U administrator --rea...

Greetings, I currently am using Samba 4.8.5 as an AD DC on one server - working great! I am also using 4.8.5 on another server joined as a member server and I'm trying to configure the RID idmap backend and I believe I have the settings correct but when I try to access a share on the server from a joined Windows machine I am getting prompted for credentials. Here is my config on the DC:

----- On Sep 14, 2018, at 4:56 AM, Rowland Penny via samba samba at lists.samba.org wrote: > What OS ? > If it is debian, do you have libpam_krb5 installed ? It is CentOS 7. I feel stupid because it was super simple. See Below. > Having rfc2307 attributes in AD shouldn't affect the way the 'rid' > backend works. > I was thinking this as well. > > Did you find it easy to understand ? > I thought so but i...

...: >> yum list krb5-workstation pam_krb5 >> krb5-workstation.x86_64 1.15.1-37.el7_6 @updates >> pam_krb5.x86_64 2.4.8-6.el7 @base >> >> Is pam_krb5 equivalent to libpam-krb5 on centos 7 ? > > Sorry for the late reply, yes pam_krb5 is the Centos equivalent of > libpam_krb5 > > I think we need to see your entire smb.conf and the passwd & group > lines from /etc/nsswitch.conf > > Rowland > > >

...ed as a member > server and I'm trying to configure the RID idmap backend and I > believe I have the settings correct but when I try to access a share > on the server from a joined Windows machine I am getting prompted for > credentials. > What OS ? If it is debian, do you have libpam_krb5 installed ? Snip > Another piece to the puzzle is that I had this configured and working > with the AD backend but I wanted to try to set it up a little simpler > so that I don't have to select unix attributes every time I create a > new user. So due to this some of my users alre...

Hello Rowland, Sorry for the workgroup and realm name, I put MYDOMAIN to anonymize, should be : realm = MYDOMAIN.LOCAL workgroup = MYDOMAIN About libpam-krb5 installed, I have on my system : yum list krb5-workstation pam_krb5 krb5-workstation.x86_64 1.15.1-37.el7_6 @updates pam_krb5.x86_64 2.4.8-6.el7 @base Is pam_krb5

...to AD. No, you do not need the > red-hat tools at all. > >> In either case you probably need a proxy account for the unix system >> to retrieve user and group info (not passwords) via LDAP. > No, you just need to set up pam correctly, which is easy on debian, > just install libpam_krb5 > > Rowland > > >

...an explicit configuration of KDC in /etc/krb5.conf. And actually it is a must have in a large multi-site setup with slow VPN and strict firewall rules. > I have read your join howto and have the following comments, based on > my experience. > > I would also install libpam_winbind and libpam_krb5 we are limiting at much as possible shell connection to the AD (a compromission on your AD is a compromission of your whole network). So we don't enable this kind of authentication on DC. SSH key exchange for the lucky few that manage the AD is much better suited IMHO. > /etc/krb5.conf...

Hi Rowland > My DC doesn't know domains users and groups by name, only by uid/gid. Sounds like you haven't set up the libnss_winbind.so links or /etc/nsswitch.conf I had not installed Winbind, but I installed it now. (winbind, libnss-winbind and libpam-winbind packages). I configured /etc/nsswitch as below: passwd: compat winbind group: compat winbind shadow:

We added a DNS entry to Samba via the Windows DNS Manager which apparently was invalid. Now we can't see the list of forward lookup in the Window DNS Manager because it immediately errors and we have to restart the Samba service. Running Samba 4.3.11-Ubuntu on Ubuntu 16.04 Additionally, a samba-tool dns query fails with the following error: > $ samba-tool dns query dc1.mydomain.com