search for: tc84

Displaying 17 results from an estimated 17 matches for "tc84".

2019 Nov 15
2
Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Hi all. I'm trying to understand a weird authentication failure: I have two domains (TC83.LOCAL and TC84.LOCAL), each in a different forest, with a bidirectional forest trust. The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is running a recent build from git master (f38077ea5ee). When I test authentication of users in each domain by running ntlm_auth on the samba server, it is...
2019 Nov 15
3
Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
...022$@TC83.LOCAL (etype 3) 12 KVM7246-VM022$@TC83.LOCAL (aes128-cts-hmac-sha1-96) 12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96) 12 KVM7246-VM022$@TC83.LOCAL (arcfour-hmac) The client is a Windows box, and I'm running this command: net use x: \\kvm7246-vm022.maas.local\test /user:tc84\administrator I see the same behavior when I use smbclient: smbclient //kvm7246-vm022.maas.local/test -U administrator at tc84.local On Fri, Nov 15, 2019 at 2:20 PM banda bassotti <bandabasotti at gmail.com> wrote: > Hi, please run the command: > > klist -ek /etc/krb5.keytab and...
2020 Apr 09
3
autorid broken in samba 4.9?
Show the servers there smb.conf that might help. And you're using autorid.. https://wiki.samba.org/index.php/Idmap_config_autorid Drawbacks: User and group IDs are not equal across Samba domain members. TC84\administrator:*:1100500:1100513::/home/administrator at TC84 TC83\administrator:*:1200500:1200513::/home/administrator at TC83 1200500-1100500 = 100000 idmap config * : rangesize = 100000 The default value is 100000 ! So this looks normal.. But I never used autorid so, I'm sure if I'm wrong Some...
2019 Nov 20
4
Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Your config looks ok, as far as I can tell. This : "cifs/kvm7246-vm022.maas.local at TC84.LOCAL" As it should spn/hostname.fqdn at REALM nothing wrong with that. But if I understand it right. Your server : kvm7246-vm022.maas.local is in REALM : TC83.LOCAL ( NTDOM:TC83 ) But you get TC84 back?. On the problem server run the following: dig a kvm7246-vm022.maas.local @IP_of_...
2019 Oct 28
5
AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
...behavior. In my lab tests, it seems like authentication works for users in all trusted forests, but only if NTLMSSP is used. When Kerberos ends up being used, authentication only seems to work for users in the local domain. Here's the test setup: - Two Active Directory forests, tc83.local and tc84.local, with a forest trust between them. - The Linux server is a member of domain tc83.local. - Samba built from git master this afternoon (commit 2669cecc51f) on Ubuntu 19.10. (I first reproduced this on CentOS 7, but wanted to test against latest code before asking this list.) ubuntu at kvm7246-...
2020 Apr 08
0
autorid broken in samba 4.9?
...ation that is working correctly with samba 4.8 (in CentOS > 7.6). When I apply the same basic configuration to a system running samba > 4.9 (CentOS 7.7), I see a very strange behavior: The ID mapping for trusted > domains does not work right. > > Both systems are joined to the domain tc84.local (TC84), which has a > forest trust with TC83, and they have identical smb.conf files. Here's the > idmap related bit: > > # testparm 2>/dev/null </dev/null | grep idmap > idmap config * : range = 1000000-19999999 > idmap config * : backend = autorid...
2019 Nov 19
0
Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
...mplate homedir = /home/%U@%D template shell = /bin/bash winbind offline logon = Yes winbind refresh tickets = Yes workgroup = TC83 idmap config * : range = 1000000-19999999 idmap config * : backend = autorid [test] path = /srv/test valid users = "@tc83.local\domain users" "@tc84.local\domain users" On Fri, Nov 15, 2019 at 3:02 PM Nathaniel W. Turner < nathanielwyliet at gmail.com> wrote: > Here's the keytab info: > > ubuntu at kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab > Keytab name: FILE:/etc/krb5.keytab > KVNO Principal > -...
2019 Nov 15
0
Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
I'm trying to understand a weird authentication failure: I have two domains (TC83.LOCAL and TC84.LOCAL), each in a different forest, with a bidirectional forest trust. The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is running a recent build from git master (f38077ea5ee). When I test authentication of users in each domain by running ntlm_auth on the samba server, it is...
2019 Nov 15
0
Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
...listinfo/samba>sharename" or something like that? bb. On Fri, 15 Nov 2019 at 18:24, Nathaniel W. Turner via samba < samba at lists.samba.org> wrote: > Hi all. I'm trying to understand a weird authentication failure: > > I have two domains (TC83.LOCAL and TC84.LOCAL), each in a different forest, > with a bidirectional forest trust. > The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is > running a recent build from git master (f38077ea5ee). > > When I test authentication of users in each domain by running ntlm_auth on...
2020 Apr 09
2
autorid broken in samba 4.9?
...there smb.conf that might help. > > > > > > And you're using autorid.. > > > https://wiki.samba.org/index.php/Idmap_config_autorid > > > > > > Drawbacks: User and group IDs are not equal across Samba > > domain members. > > > > > > TC84\administrator:*:1100500:1100513::/home/administrator at TC84 > > > TC83\administrator:*:1200500:1200513::/home/administrator at TC83 > > > > > > 1200500-1100500 = 100000 > > > > > > idmap config * : rangesize = 100000 > > > The default value i...
2019 Oct 29
0
AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
...t seems like > authentication works for users in all trusted forests, but only if NTLMSSP > is used. When Kerberos ends up being used, authentication only seems to > work for users in the local domain. > > Here's the test setup: > - Two Active Directory forests, tc83.local and tc84.local, with a forest > trust between them. > - The Linux server is a member of domain tc83.local. > - Samba built from git master this afternoon (commit 2669cecc51f) on Ubuntu > 19.10. (I first reproduced this on CentOS 7, but wanted to test against > latest code before asking this l...
2020 Jun 17
0
autorid broken in samba 4.9?
...>> > > >> > > And you're using autorid.. >> > > https://wiki.samba.org/index.php/Idmap_config_autorid >> > > >> > > Drawbacks: User and group IDs are not equal across Samba >> > domain members. >> > > >> > > TC84\administrator:*:1100500:1100513::/home/administrator at TC84 >> > > TC83\administrator:*:1200500:1200513::/home/administrator at TC83 >> > > >> > > 1200500-1100500 = 100000 >> > > >> > > idmap config * : rangesize = 100000 >> > >...
2020 Apr 09
0
autorid broken in samba 4.9?
...samba wrote: > > Show the servers there smb.conf that might help. > > > > And you're using autorid.. > > https://wiki.samba.org/index.php/Idmap_config_autorid > > > > Drawbacks: User and group IDs are not equal across Samba > domain members. > > > > TC84\administrator:*:1100500:1100513::/home/administrator at TC84 > > TC83\administrator:*:1200500:1200513::/home/administrator at TC83 > > > > 1200500-1100500 = 100000 > > > > idmap config * : rangesize = 100000 > > The default value is 100000 ! > > > >...
2019 Nov 20
0
Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Hi Louis, On Wed, Nov 20, 2019 at 3:27 AM L.P.H. van Belle via samba < samba at lists.samba.org> wrote: > Your config looks ok, as far as I can tell. > > This : "cifs/kvm7246-vm022.maas.local at TC84.LOCAL" > As it should spn/hostname.fqdn at REALM nothing wrong with that. > > But if I understand it right. > > Your server : kvm7246-vm022.maas.local is in REALM : TC83.LOCAL ( > NTDOM:TC83 ) > But you get TC84 back?. > > On the problem server run the following: >...
2019 Oct 29
3
AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
...= ADS template homedir = /home/%U@%D template shell = /bin/bash winbind offline logon = Yes winbind refresh tickets = Yes workgroup = TC83 idmap config * : backend = autorid idmap config * : range = 1000000-19999999 [test] path = /srv/test valid users = "@tc83.local\domain users" "@tc84.local\domain users" > > Does anyone know whether winbind is expected to be able to handle > > authenticating users in other trusted forests, and if so, why it might > only > > be able to do so when ntlmssp is used (vs. gse_krb5)? > > > > > Trusted domains...
2019 Oct 29
0
AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
...te shell = /bin/bash > winbind offline logon = Yes > winbind refresh tickets = Yes > workgroup = TC83 > idmap config * : backend = autorid > idmap config * : range = 1000000-19999999 > > [test] > path = /srv/test > valid users = "@tc83.local\domain users" "@tc84.local\domain users" I wouldn't use 'valid users', I would set the permissions from Windows, but to do this you will need to add this to smb.conf: username map = /etc/samba/user.map And create '/etc/samba/user.map' with this content: !root = TC83\Administrator Finally...
2019 Oct 29
2
AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
I see. =) I probably should have set the backend to autorid for "*", but I didn't think the ID mapping really mattered for the specific test I was doing. The "realm list" output shows the client software as winbind (not sssd) and the logs show messages from winbindd as it handles the authentication (in the successful cases), so I think that indicates that winbind is in