search for: princpals

...ssh/TrustedUserCAKeys Match User www AuthorizedKeysFile /etc/ssh/empty AuthorizedPrincipalsFile /etc/ssh/www_authorizedPrincipals <snip> $ cat /etc/ssh/www_authorized_principals alice bob and alice and bob just have regular user certificates with 'alice' or 'bob' in the princpals

Single DC? If a single DC then there should not be any replication issues - that would only be between domain controllers and the event logs would indicate that.   I have 2 Windows DC's with a mix of Samba member servers. As far as I know, the domain member does not need client NTLM auth to be enabled to talk to the DC but I am not 100% sure.  You may want to try reenabling it and

This issue right here told me exactly what I needed to understand this authentication process:https://pagure.io/SSSD/sssd/issue/3228 - The client talks to the DC to try and get a cifs ticket for my samba server's princpal name;- In case the client can't get the ticket for any reason, it falls back to NTLM <- windows client decision, nothing can be done about it by Samba/SSSD; Once I

The domain controler is Windows. The file Server is Linux/Samba. The clients are Windows. I've tested the access on a dozen different windows machines. Three of them used NTLM and failed. All the others used kerberos and succeeded. They're all in the same network, same domain. Maybe it's the windows version? But they're all Window 8 or 10, not a great deal of a difference between

Hello, I am trying to work out the best way to issue SSH certificates in such way that they only allow access to specific usernames *and* only to specific groups of host. As a concrete example: I want Alice to be able to login as "alice" and "www" to machines in group "webserver" (only). Also, I want Bob to be able to login as "bob" and

There are roughly 20 DC's, spread across multiple different physical locations. It is indeed a replication issue. All of them are windows and we can get authenticated by any of them, randomly. Don't ask me why... they're managed by the "windows' guys"... I've already tried all sorts of possible combinations for the various NTLM-related parameters and it always fail

How is your sssd settup (sssd.conf) configured? When someone connects via samba, the underlying linux/unix file system routines need to have some what of understanding the windows users and groups.   This isn't for authentication  but is instead to make sure that the file permissions can be managed and enforced. My experience - at least when I had classic domain Samba controllers-  was