search for: obilhaut

On 16-05-2024 18:46, Rowland Penny via samba wrote: > On Thu, 16 May 2024 17:40:45 +0200 > Olivier BILHAUT <obilhaut at fondation-misericorde.fr> wrote: > >> Thanks Rowland for once again, an analysis that looks good. >> >> To you, >> is there a workaround at this stage ? > Not from myself,it has been years since I looked into this and only > really got has far as mapping the s...

Hi All ! Using Samba Version 4.1.12, updated from source from 4.0beta1 I've created a user, let say kerbuser, for a web server to authenticate with kerberos and provide SSO to the end-users. In my example, my domain is MYDOMAIN.LOCAL, the apache server is webserver.mydomain.local and the AD user is kerbuser I've added a principal on the user and exported everything in a keytab so

...mba services and the ID numbers will be allocated for you. > > Rowland > > Content-Transfer-Encoding: 7bit > From: Andrew Bartlett <abartlet at samba.org> > Precedence: list > MIME-Version: 1.0 > Cc: samba <samba at lists.samba.org> > To: Olivier BILHAUT <obilhaut at fondation-misericorde.fr> > References: <54f3ed5e7fe98f6c98775fdc7578e2f1 at fondation-misericorde.fr> > In-Reply-To: <54f3ed5e7fe98f6c98775fdc7578e2f1 at fondation-misericorde.fr> > Date: Sun, 08 Feb 2015 20:53:02 +1300 > Message-ID: <1423381982.13498.6.camel at je...

Hi Rowland, Yes, I read this documentation carefully. I have two working Apache2 with kerberos authentication working. My question is more about troubleshooting a keytab. If I need to test manually a keytab file chalenging a specific principal, what's the prefered method ? I thougt that a kinit could be done using a principal name, but I am unable to kinit with somehting else than the

Hi Rowland, Thanks for your help again. I understand the difference between the UPN (User Principal Name) and the SPN (Service Principal Name). But in your second exemple, you never mention the SPN, neither in the keytab export or in the kinit command. Does that means that there is no kinit possible using the SPN? So I am worried of what is the benefice of adding a SPN to a user instead of

Hi Andrew, Hi Sam, Many thanks for your quick replies, we already worked on this doc page but due to the lack of smart card reader/writer, we did not finished the setup. We'll buy some hadware and create a testing S4 lab to finish this config. What about biometry ? Is there a way to store any biometrical information into the ldap backend ? Is there by any chance any other third-party

Hi list :) I am looking for the right command to achieve my goal. I would like to remove the account expiry date of an ACCOUNT with a samba-tool command (account never expires) Options of "samba-tool user setexpiry" are : --filter=FILTER LDAP Filter to set password on --days=DAYS Days to expiry --noexpiry Unfortunately, the "noexpiry" parameter just set another option

Hi Rowland and list, I allow myself to give a UP to my message in case someone has an idea. Thanks, --Oliver Le 2023-05-24 15:55, Olivier BILHAUT via samba a ?crit : > Hi Rowland, and many thanks for fast reply, > > When using --noexpiry, > the userAccountControl is set to 66048, which disable expiry for > password as well (in MS console, "password never

Hi Rowland, Hi looks like the "-c" option is optional. My problem is not really the kerberos cache file, but the "principal" linked to the user kerbuser. The principal is HTTP/webserver.MYDOMAIN.LOCAL at MYDOMAIN.LOCAL I would like to use kinit and give this principal as parameter. something like : > kinit -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL at

Hi Samba List, hope you're doing well all. We have realized a security audit of our Samba4 Active Directory. It returns that the security descriptors options of all our GPO objects are wrong. They should be : SE_DACL_AUTO_INHERITED SE_DACL_PRESENT instead of this, the options are by default : SE_DACL_PROTECTED SE_DACL_PRESENT We can change the options, but the "sysvolreset"

Hi Rowland, and many thanks for fast reply, When using --noexpiry, the userAccountControl is set to 66048, which disable expiry for password as well (in MS console, "password never expires" is now checked). This means that the password expiry (let say, every 6 month) will never popup again to the user, which is in my sense a wrong behaviour. Is there a way to change ONLY

Hi friends. This morning waking up is painfull. We've got a great CUPS+Samba+Winbind print server sharing 30+ printers to our windows clients. Until this morning no issue, used on production for a couple of weeks. Today, the printer shares became unbrowsable from windows. We can see the printers names from samba share : "\printserver", but when we click on the "Show

Hi to Samba list, dev, contributors and all the community. We are samba users for a long time now, and S4 since the early alpha version. We run now 5 DC for 700 users in our hospital and are very enthusiastic. This is definitely a great project. But now, we face a new challenge. We look over a new authentication method rather than the old user/password. Because we have many users switching

Hi Samba List! We are using Samba Version 4.1.12 on two master DC. We've noticed that a corrupted group has been created, we tried to delete it, and since then, the replication fail between the two DC. The result of the command : "samba-tool drs showrepl" is the following : On the first DC, INBOUND NEIGHBORS : Last attempt @ Wed Feb 4 11:26:41 2015 CET failed, result 58

Hi Samba list, As you know, security is currently the buzzword for most critical organizations. Active Directory implementations are an important node of all the security chain. French security agency, called ANSSI release a tool to audit Active Directory implementations, called ORADAD : https://github.com/ANSSI-FR/ORADAD/releases This tool retrieves all configuration from your AD, and make

Hi all. I have read carefully all your posts and I am glad to see that some of you workaround this new MS surprise... To solve the problem, I understand that : * if you use the "AD way of deploying printers", the workaround is to use the "Computer ConfigurationPoliciesAdministrative TemplatesPrintersOverride Print Driver Compatibility Execution Setting Reported By Print