search for: openspecs

Displaying 20 results from an estimated 46 matches for "openspecs".

2019 Apr 24
0
Windows clients require reboot once a day in order to access mapped drives
...of traffic between a Windows 10 PC, that is currently unable to remount its mapped drives, and the samba server that is providing the shares. I see the following behaviour: - PC -> FS - encrypted and signed SMB3 packet with SMB2 TRANSFORM_HEADER <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/d6ce2327-a4c9-4793-be66-7b5bad2175fa> showing a session ID of 0x000000005bb17760 - FS -> PC - plain text SMB2 packet with the same session ID as above, and an NT Status header that says STATUS_NETWORK_SESSION_EXPIRED (0xc000035c) - During the 17 s...
2024 Oct 28
2
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...:~# samba-tool forest directory_service dsheuristics > 0000000011001` > > Note that I also set fUserPwdSupport to 1, which I don't believe to > be needed (as I'm using `unicodePwd`, not `userPassword`), which > means TRUE according to > https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5: > > "If this character is neither "0" nor "2", then the fUserPwdSupport > heuristic is TRUE. If this character is "2", then the fUserPwdSupport > heuristic is FALSE. If this character i...
2024 Oct 28
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...directory_service dsheuristics >> 0000000011001` >> >> Note that I also set fUserPwdSupport to 1, which I don't believe to >> be needed (as I'm using `unicodePwd`, not `userPassword`), which >> means TRUE according to >> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5: >> >> "If this character is neither "0" nor "2", then the fUserPwdSupport >> heuristic is TRUE. If this character is "2", then the fUserPwdSupport >> heuristic is FALSE. If th...
2024 Oct 27
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...to look at the payload). >>>>>> >>>> Did you enable password change via ldap? : >>>> >>>> samba-tool forest directory_service dsheuristics '000000001' >>> >>> According to >>> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5, >>> a dSHeuristic is required only for changing passwords over >>> unencrypted LDAP (`fAllowPasswordOperationsOverNonSecureConnection`). >> Above link talks about AD DS vs. AD LDS (where the latter refers to...
2024 Oct 28
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...>>>>>> >>>>> Did you enable password change via ldap? : >>>>> >>>>> samba-tool forest directory_service dsheuristics '000000001' >>>> >>>> According to >>>> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5, >>>> a dSHeuristic is required only for changing passwords over >>>> unencrypted LDAP >>>> (`fAllowPasswordOperationsOverNonSecureConnection`). >>> Above link talks about AD DS vs. AD LDS...
2019 Apr 18
3
Windows clients require reboot once a day in order to access mapped drives
Hi Rowland, > I hope someone has seen this before and knows what's going on. Given > > the time delay between the problem recurring, I'm guessing the issue > > lies with Kerberos, but I'm not sure how to verify that or how to > > resolve the issue. If you need more info, please let me know. > > > > Problem: > > Each morning, windows users are
2024 Oct 27
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...debugging >>>> purposes (no need for a MITM to look at the payload). >>>> >> Did you enable password change via ldap? : >> >> samba-tool forest directory_service dsheuristics '000000001' > > According to > https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5, > a dSHeuristic is required only for changing passwords over unencrypted > LDAP (`fAllowPasswordOperationsOverNonSecureConnection`). Above link talks about AD DS vs. AD LDS (where the latter refers to ldap, unclear what the fi...
2020 Jun 23
0
Update of operatingSystem and operatingSystemVersion attributes in AD
....org/archive/samba-technical/2007-March/052448.html that Windows clients update those attributes via the NetrLogonGetDomainInfo() MS-RPC call. Since 2007 a lot has changed obviously and it looks like Microsoft made the docs for NetrLogonGetDomainInfo available: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/7c3ad0cc-ee05-4643-b773-4d84e1d431dc https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3ae9e9a9-a303-4fa5-8e11-823d9e7e1e61 /-> The NETLOGON_WORKSTATION_INFO structure defines information passed into the NetrLogonGetDomainInfo method, as specified i...
2023 Aug 21
1
Editing user password hashes
...odify user's supplementalCredentials fields in /var/lib/samba/private/sam.ldb.d/DC%3DAD%2CDC%3DEXAMPLE%2CDC%3DCOM.ldb to migrate passwords? Provided that I could get the data structure right. (Documentations about supplementalCredentials should be here I think https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/84cefe3e-a688-4232-b997-ac5d9993f5eb) I have "ntlm auth = disabled" in smb.conf so I think not having NT hash is not a problem.
2024 Oct 27
2
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...ested LDAPS. I'm using LDAP for debugging >>> purposes (no need for a MITM to look at the payload). >>> > Did you enable password change via ldap? : > > samba-tool forest directory_service dsheuristics '000000001' According to https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5, a dSHeuristic is required only for changing passwords over unencrypted LDAP (`fAllowPasswordOperationsOverNonSecureConnection`). As mentioned, modifying `unicodePwd` does not work over LDAPS either in my specific case, so a heurist...
2024 Oct 27
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...oses (no need for a MITM to look at the payload). >>>>> >>> Did you enable password change via ldap? : >>> >>> samba-tool forest directory_service dsheuristics '000000001' >> >> According to >> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5, >> a dSHeuristic is required only for changing passwords over unencrypted >> LDAP (`fAllowPasswordOperationsOverNonSecureConnection`). > Above link talks about AD DS vs. AD LDS (where the latter refers to > ldap, u...
2024 Oct 11
1
Problem with a domain controller that is located in a separate site
...some reason this does not happen in > samba when one is on a separate site, > who can I contact who is working on kcc? It seems to me that this is > the problem there, Rowland, what do you think? > The thing is, according to this Microsoft page here: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/302391a9-f6e1-4c0c-a1b2-5604a42e982b the 'repsTo' attribute is optional and, as far as I can find, is used to replicate to another DC in the same site, so if you don't have another DC in the same site, it should be empty (aka not there). There are, as far as...
2019 Dec 03
2
Account locked and delayed user data propagation...
...out: > ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))' lockoutTime | grep 'lockoutTime' | awk '{print $NF}' > See here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4 following the link here the code: user_is_locked () { # We follow spec, if zero, is not locked. local LOT=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" locko...
2019 Jul 02
2
Fwd: Need the ability to edit Samba SIDs.
...1, and the > Object SID ends in 998, eGroupware will assume the UID is 998. The SID shouldn't end in '998', all normal AD users, groups etc start at '1000', it is the Windows 'system' users & groups that start at 500, see here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab Rowland
2024 Oct 28
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...> >> 0000000011001` > >> > >> Note that I also set fUserPwdSupport to 1, which I don't believe to > >> be needed (as I'm using `unicodePwd`, not `userPassword`), which > >> means TRUE according to > >> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5: > >> > >> "If this character is neither "0" nor "2", then the fUserPwdSupport > >> heuristic is TRUE. If this character is "2", then the > >> fUserPwdSupport heuri...
2019 Apr 25
4
User mapping/login issue
On 24/04/19 19:51, L.P.H. van Belle wrote: > Hai, > >> -----Original message----- >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of >> Rowland Penny via samba >> Sent: Wednesday 24 April 2019 12:13 >> To: samba at lists.samba.org >> Subject: Re: [Samba] User mapping/login issue >> >> On Wed, 24 Apr 2019 11:38:58 +0200
2019 Jul 02
2
Fwd: Need the ability to edit Samba SIDs.
...Groupware will assume the UID is 998. >> The SID shouldn't end in '998', all normal AD users, groups etc start >> at '1000', it is the Windows 'system' users & groups that start at >> 500, see here: >> >> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab >> >> >> Rowland >> >> > The rationale is that not every Samba AD is RFC2307 Compliant. Whilst this is technically correct (you have to specify '--use-rfc2307' when provisioning), all the RFC230...
2019 Nov 15
3
Account locked and delayed user data propagation...
I need to do some testing, but before hitting my head on a known wall, I ask here. My AD domain gets used (via PAM/Winbind) to give access to some other service, most notably here dovecot. When a password expires (or users change it) the MUA tries the old password some times, then asks for a new password; users clearly get scared, press randomly 'OK' or 'Cancel', but if they press 2-3
2019 Jul 02
2
Fwd: Need the ability to edit Samba SIDs.
...>>>> The SID shouldn't end in '998', all normal AD users, groups etc start >>>> at '1000', it is the Windows 'system' users & groups that start at >>>> 500, see here: >>>> >>>> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab >>>> >>>> >>>> >>>> Rowland >>>> >>>> >>> The rationale is that not every Samba AD is RFC2307 Compliant. >> Whilst this is technically correct (you h...
2019 Jun 15
1
Samba + sssd deployment: success and failure
On Thu, 2019-06-13 at 17:10 +0100, Rowland penny via samba wrote: > I do not really care what Microsoft calls them, to me a SID identifies a > domain, a RID identifies an object in a domain and a SID-RID is a > combination of the two and identifies an object in a particular domain. > > If you want to call a SID-RID a SID, be my guest, I will not stop you ;-) Rowland, it helps