search for: pgoetz

Displaying 20 results from an estimated 30 matches for "pgoetz".

2019 Jun 14
1
Ubuntu 18.04, bound to Windows AD, sssd auth, Samba 4.7.6: Can't get no share satisfaction
OK, At a loss for what to try next. According to this page, it should be possible to make this work: http://www.hexblot.com/blog/centos-7-active-directory-and-samba However, I can't get AD users to authenticate when I run net use * \\cns-cryo-road1\my_share /user:austin\pgoetz Authenticating via ssh, su, or from the console using the same AD UserName is not a problem. It seems like the relevant smb.conf keys here are: security = user|ads server role = auto I've been leaving server-role set at auto (assuming this will do the right thing). When I set secur...
2019 Jun 13
0
Samba + sssd deployment: success and failure
...I was calling it an SID (which, based on talking to Windows admins, I'm surmising is understood to mean RID, depending on context). Anyway, that was the genesis of this discussion. To give a concrete example, Running this command on one of sssd linux domain members: root at kraken:/home/pgoetz# getent passwd pgoetz pgoetz:*:1562224688:1007000513:Goetz Patrick G (pgoetz):/home/pgoetz:/bin/bash 1562224688 is my domain RID, 1007000513 is the RID for the Domain Users group: root at kraken:/home/pgoetz# ls -l total 0 drwxr-xr-x 2 pgoetz domain users 25 Oct 1 2018 Desktop drwxr-xr-x 2 pg...
2019 Jun 13
5
Samba + sssd deployment: success and failure
On Thursday, 13 June 2019 00:41:09 PDT Rowland penny via samba wrote: > On 13/06/2019 07:55, Alexey A Nikitin wrote: > > On Wednesday, 12 June 2019 13:07:56 PDT Rowland penny via samba wrote: > >>>> I think you mean 'RID' instead of 'SID' > >>> Yes, you're right. The Windows people seem to use the terms synonymously. > >> I cannot
2019 Jun 13
1
Samba + sssd deployment: success and failure
...ch, based on talking to Windows admins, I'm > surmising is understood to mean RID, depending on context). Anyway, > that was the genesis of this discussion. To give a concrete example, > > Running this command on one of sssd linux domain members: > > root at kraken:/home/pgoetz# getent passwd pgoetz > pgoetz:*:1562224688:1007000513:Goetz Patrick G > (pgoetz):/home/pgoetz:/bin/bash > > 1562224688 is my domain RID, 1007000513 is the RID for the Domain Users > group: > Domain Users group is a standard group with a well-known SID of S-1-5-<domain id&...
2019 Jun 11
1
Samba + sssd deployment: success and failure
...s there were some major changes between Samba 4.7.6 and Samba 4.8.3 ? On the functional CentOS system, when I try to map a share I see something like this in the log files: [2019/06/11 13:09:35.088714, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac) Found account name from PAC: pgoetz [Goetz, Patrick G] On the Ubuntu system I see [2019/06/11 13:58:47.535611, 3] ../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_preauth) Got user=[pgoetz] domain=[austin] workstation=[CNS-VM-PGOETZ1] len1=24 len2=332 What then happens is it looks for user pgoetz in a non-existent passdb...
2019 Jun 13
1
Samba + sssd deployment: success and failure
...(which, based on talking to Windows admins, I'm > surmising is understood to mean RID, depending on context). Anyway, > that was the genesis of this discussion. To give a concrete example, > > Running this command on one of sssd linux domain members: > > root at kraken:/home/pgoetz# getent passwd pgoetz > pgoetz:*:1562224688:1007000513:Goetz Patrick G > (pgoetz):/home/pgoetz:/bin/bash > > 1562224688 is my domain RID, 1007000513 is the RID for the Domain Users > group: I doubt very much that your Windows RID is '1562224688', well not unless you have an...
2019 Jun 19
0
Samba + SSSD: confirmed working for Samba versions 4.7.6 and 4, 8.3
...k at it. ( optional add root/spn ) But now you should be able to do cifs mounts with kerberos without joining the domain. Or just user= pass= domain= for the mount settings. mount -t cifs -o credentials=/path/to/secret-info-file //host.FQDN/share /mnt/folder >net rpc rights list -U cns-pgoetz > Enter cns-pgoetz's password: > Could not connect to server 127.0.0.1 > Connection failed: NT_STATUS_NO_LOGON_SERVERS That's most probably due to incorrect resolving setup. You're on Ubuntu? Get this and run it/anonymize it. https://raw.githubusercontent.com/thctlo/samba4/ma...
2019 Jun 19
1
Samba + SSSD: confirmed working for Samba versions 4.7.6 and 4, 8.3
...(requiring a netbios name seems illogical in an AD-only world), I'm sending it again. Apologies if this is a repost. -------- Forwarded Message -------- Subject: Samba + SSSD: confirmed working for Samba versions 4.7.6 and 4,8.3 Date: Tue, 18 Jun 2019 17:15:47 -0500 From: Patrick Goetz <pgoetz at math.utexas.edu> To: samba at lists.samba.org A couple of days ago I posted about not being able to authenticate AD domain users when trying to mount SMB shares. Turns out my problem was that I hadn't set a netbios name in /etc/samba/smb.conf, even though I have netbios turned off!...
2019 Jun 12
4
Samba + sssd deployment: success and failure
...e to use AD groups for authorization; then I wouldn't have to manage local groups in /etc/group (although ansible makes this less of a chore than it used to be). Right now this doesn't seem to work with sssd; i.e. you can't chgrp files/folders to the AD groups listed using, say `id pgoetz` on the domain-bound linux machine. - It would be super awesome if nested groups were supported. Right now sssd can't do this.
2019 Jun 11
1
Samba + sssd
...dows machines to the mix and have installed the complete Samba package (sssd already uses Samba) on a file server. Jettisoning sssd is not an option, so hopefully there is a way to get this to work. Right now, when attempting to mount a share: net use I: \\krakenhost\emtifs /user:austin\pgoetz I get a password prompt, but then the authentication fails even though I can use my AD username to log in to the Samba host directly with no problem. Anyway, working on this now. > You are also correct that on a Unix domain member you need to have winbind running, so you might as well use...
2019 Jun 12
0
Samba + sssd deployment: success and failure
...ps for authorization; then > I wouldn't have to manage local groups in /etc/group (although ansible > makes this less of a chore than it used to be). Right now this doesn't > seem to work with sssd; i.e. you can't chgrp files/folders to the AD > groups listed using, say `id pgoetz` on the domain-bound linux machine. A 'local' group is unknown to AD (whether you use winbind or sssd), so connecting an AD user to a local group isn't going to work. Rowland
2019 Jul 10
1
Container setup?
...wed by deduplication of file system) keeping all containers up to date, whereas in Docker one just replaces the containers. I do see the Docker disadvantage of single app model relevant for Samba though... Best Regards, Joachim > -----Original Message----- > From: Goetz, Patrick G <pgoetz at math.utexas.edu> > Sent: Monday, 8 July 2019 18:08 > To: Joachim Lindenberg <samba at lindenberg.one>; samba at lists.samba.org > Subject: Re: AW: AW: [Samba] Container setup? > > > On 7/5/19 3:22 PM, Joachim Lindenberg wrote: > >> I've only used LX...
2019 Jun 12
2
Samba + sssd deployment: success and failure
On 6/12/19 7:00 AM, Rowland penny wrote: > How are you actually running samba ? > How are you actually running samba ? I *think* setting security = user server role = auto makes Samba run as a standalone server, which is fine, because authentication is handled via /etc/nsswitch.conf: passwd: compat systemd sss group: compat systemd sss shadow:
2019 Jun 12
4
Samba + sssd deployment: success and failure
...tion; then >> I wouldn't have to manage local groups in /etc/group (although ansible >> makes this less of a chore than it used to be). Right now this doesn't >> seem to work with sssd; i.e. you can't chgrp files/folders to the AD >> groups listed using, say `id pgoetz` on the domain-bound linux machine. > A 'local' group is unknown to AD (whether you use winbind or sssd), so > connecting an AD user to a local group isn't going to work. Let me clarify. It would be nice to assign AD Security Groups as file/folder groups even if they can't...
2019 Jun 11
2
Samba + AD Authentication: Restricting access to shares
Because most of our servers are restricted to specific user groups and the AD domain covers the entire university, I need to find a way to limit access to samba shares, preferably using AD security groups; i.e. I want to do something like: [EMdata] comment = TEM Data path = /EMdata valid users = @cns-cryo-emusers guest ok = no writeable = yes where cns-cryo-emusers is an
2019 Jun 12
1
Sharing directory via Samba using AD credentials
On 6/12/19 7:00 AM, Zach Doman wrote: > security = ads If you're using sssd instead of winbind, you need to set security to security = user (depending on your Samba version -- I can confirm this works for Samba 4.8.3)
2019 Jun 12
0
sssd not a good idea
On 6/12/19 12:14 PM, Rowland penny via samba wrote: >> >> From that perspective, unless you're using Samba as a PDC/BDC, the only >> security setting you ever want to use is >> >> security = user >> >> Am I missing something? > > Yes, using that means it can only be a standalone server and not part of > a domain. > I guess I
2019 Jun 18
1
libwbclient vs. libwbclient-sssd
Can someone explain what libwbclient.so.0 does? On Ubuntu 18.04, the libwbclient0 package is a dependency of cifs-utils and anything winbind related. They also include a package called libwbclient-sssd; the difference seems to be mostly in the location of the library? root at kraken:~# dpkg -L libwbclient0 .. /usr/lib/x86_64-linux-gnu/libwbclient.so.0.14 /usr/lib/x86_64-linux-gnu/samba
2019 Jun 18
0
Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 6/18/19 11:59 AM, Rowland penny via samba wrote: > On 18/06/2019 17:24, Edouard Guign? via samba wrote: >> "winbind refresh tickets = yes" did not help for my case. >> > It always has for myself, I have never had to refresh any kerberos > machine tickets manually > Are you only ever authenticating against a Samba AD domain controller, though? Windows AD in
2019 Jun 25
1
SMB share access for machines which are not joined to the domain?
On 6/25/19 12:57 PM, Gregory Sloop via samba wrote: > Hmmm... > > Use the netbios name, instead of a FQDN, perhaps? > i.e.: \\cns-bio-krak1\emtifs > [I'm assuming the NB name. If I'm wrong, correct it.] > > I know I've done this with Windows DC shares, and I'm 99% certain I've done it with FreeNAS acting as a domain member. [Samba domain member.] > I