search for: revyakin

On 16/07/2020 22:13, Yakov Revyakin wrote: > Thank you! I have food for tomorrow. Now I only want to voice some of > my considerations. > > Imagine that a domain had no trusts. At this time a PC became a member > of this domain. > After some time DC made trust with another domain. In this case > existing membe...

On a DOMAIN Linux member in log.wb_DOMAIN I can see the error message "krb5_kt_start_seq_get failed (Permission denied)" during any attempt of user authentication. In result a user is authenticated successfully. But what does this message mean? My krb5.keytab has permissions 600 by default. If I change its permissions to 644 the error message goes.

...he user homdirs it can validateon $HOME/.k5login Above fixed it for me. I only cant tell based on the config if this applies to you. Its a simple thing to try. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Yakov Revyakin via samba > Verzonden: donderdag 23 juli 2020 11:20 > Aan: Rowland penny > CC: sambalist > Onderwerp: Re: [Samba] krb5_kt_start_seq_get failed > (Permission denied) > > Ubuntu 18.04 LTS > > root is owner > > In case of 644 > d at uc-sm18:~$ sudo ls -la /etc/k...

...id jake getent passwd jake Any improvement? > if you have set: APEX:backend = ad Yes, and did you assign an UID/GID after you changed RID to AD backend? Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Yakov Revyakin via samba > Verzonden: vrijdag 17 juli 2020 20:38 > Aan: Rowland penny > CC: sambalist > Onderwerp: Re: [Samba] Authentication with trusted credentials > > So, > Point #1: > Samba DC before trust. Linux member joined domain. SSH > authentication works > for a domain...

...suitable server for domain APEX domain controller is not responding: NT_STATUS_UNSUCCESSFUL APEX couldn't get domain's sid On Tue, 21 Jul 2020 at 13:40, Rowland penny via samba <samba at lists.samba.org> wrote: > On 20/07/2020 12:09, Yakov Revyakin wrote: > > OK, trying to define the environment more clearly. > > > OK, I 'think' I know what is going on here, haven't got a fix though :-( > > Can you run this command on the Linux DC's and a Linux client: > > wbinfo --online-status > > On DC's...

...going trust works in the case of Windows clients? What is the actual status for outgoing trust support? PS: I sent the same questions to Stephan with hope to get answers On Tue, 21 Jul 2020 at 17:54, Rowland penny via samba <samba at lists.samba.org> wrote: > On 21/07/2020 15:38, Yakov Revyakin wrote: > > Hi Rowland, > > Thank you for effort > > > > My output as you requested: > > ## Samba DC > > d at us-smdc3:~$ wbinfo --online-status > > BUILTIN : active connection > > SVITLA3 : active connection > > APEX : active connection > &gt...

...ect-debug-info.sh > > Anonimize where needed. > Dont set the attachments to the list, that will be stripped off. > > > Greetz, > > Louis > > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > > Yakov Revyakin via samba > > Verzonden: maandag 13 juli 2020 16:04 > > Aan: samba at lists.samba.org > > Onderwerp: [Samba] Authentication with trusted credentials > > > > Hi friends, > > I have a one way outgoing trust between SAMBA trusting domain and AD > > trusted dom...

Louis, could you take a look on my case again? I am not sure that the problem is in incorrect groups. Only trusted credentials don't work. Have you any idea what the reason is? On Mon, 13 Jul 2020 at 19:50, Yakov Revyakin <yrevyakin at gmail.com> wrote: > Some more details. Below is what I have during joining Linux (Ubuntu > 20.04) to the SVITLA3 domain. SVITLA3 (Samba) is trusting, APEX (AD) is > trusted. > SVITLA3 has *administrator *and *test01 *users, APEX has *administrator *and > *jake *u...

Hi friends, I have a one way outgoing trust between SAMBA trusting domain and AD trusted domain. SSH Authentication of a user belonging to the SAMBA domain works properly on a Linux computer which is a member of SAMBA domain. I would like to authenticate a trusted user from the AD domain on the same Linux computer with SSH. Currently it doesn't work. I am able to authenticate trusted accounts

Rowland, I only tried sssd looking for the cause of the problem. I use samba, winbind. On Fri, 17 Jul 2020 at 00:19, Rowland penny via samba <samba at lists.samba.org> wrote: > On 16/07/2020 22:13, Yakov Revyakin wrote: > > Thank you! I have food for tomorrow. Now I only want to voice some of > > my considerations. > > > > Imagine that a domain had no trusts. At this time a PC became a member > > of this domain. > > After some time DC made trust with another domain. In th...

On 20/07/2020 12:09, Yakov Revyakin wrote: > OK, trying to define the environment more clearly. > OK, I 'think' I know what is going on here, haven't got a fix though :-( Can you run this command on the Linux DC's and a Linux client: wbinfo --online-status On DC's, I get this: BUILTIN : active connection...

On 21/07/2020 15:38, Yakov Revyakin wrote: > Hi Rowland, > Thank you for effort > > My output as you requested: > ## Samba DC > d at us-smdc3:~$ wbinfo --online-status > BUILTIN : active connection > SVITLA3 : active connection > APEX : active connection > > ## Linux Client > d at uc-sm18:~$ wbinfo...

...db im not a kerberos expert, i leave that to one of the samba devs, but as far i know, if? you have any service that uses upn/spns we need /etc/krb5.keytab I hope explains it?a bit, of not, maybe Rowland knows more here, or we can ask it @Alexander if you want. Greetz, Louis ? Van: Yakov Revyakin [mailto:yrevyakin at gmail.com] Verzonden: maandag 13 juli 2020 18:51 Aan: L.P.H. van Belle CC: samba at lists.samba.org Onderwerp: Re: [Samba] Authentication with trusted credentials Some more details. Below is what I have during joining Linux (Ubuntu 20.04) to the SVITLA3 domain. SVITLA3 (Sam...

...w.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh Anonimize where needed. Dont set the attachments to the list, that will be stripped off. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Yakov Revyakin via samba > Verzonden: maandag 13 juli 2020 16:04 > Aan: samba at lists.samba.org > Onderwerp: [Samba] Authentication with trusted credentials > > Hi friends, > I have a one way outgoing trust between SAMBA trusting domain and AD > trusted domain. > SSH Authentication of a...

...use kerberos auth UseDNS yes reboot And done, i can login with putty, with kerberos SSO from a windows pc. (after setting putty correctly offcourse). See if above helps you, at least i think it will and i hope so. So far, Greetz, Louis ________________________________ Van: Yakov Revyakin [mailto:yrevyakin at gmail.com] Verzonden: donderdag 16 juli 2020 15:51 Aan: L.P.H. van Belle CC: samba at lists.samba.org Onderwerp: Re: [Samba] Authentication with trusted credentials In this configuration with a trusted domain I miss something important. Need your help to understand....

On 16/07/2020 16:11, L.P.H. van Belle via samba wrote: > First of all, why does the DOMAIN contains/shows a dot in it. > ( i think its a wrong setting in sssd, but i dont know sssd ) > I know this is one of your REALMs and not the domain. > > > Now your lines : > Works Yes: Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0

> > Hi friends, > I need your help. > > I implemented > https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login > > https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities > enabling smart card logon on a Windows Server 2016 as a domain member of > Samba DC. > > Currently I

Thank you! I have food for tomorrow. Now I only want to voice some of my considerations. Imagine that a domain had no trusts. At this time a PC became a member of this domain. After some time DC made trust with another domain. In this case existing members don't consider any extra configuration like adding knowledge about new realm, DNS, etc. Existing configuration already provides means of