Displaying 20 results from an estimated 46 matches for "windows_protocols".
2019 Apr 24
0
Windows clients require reboot once a day in order to access mapped drives
...c between a Windows 10 PC, that is
currently unable to remount its mapped drives, and the samba server that is
providing the shares. I see the following behaviour:
-
PC -> FS - encrypted and signed SMB3 packet with SMB2 TRANSFORM_HEADER
<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/d6ce2327-a4c9-4793-be66-7b5bad2175fa>
showing a session ID of 0x000000005bb17760
-
FS -> PC - plain text SMB2 packet with the same session ID as above, and
an NT Status header that says STATUS_NETWORK_SESSION_EXPIRED (0xc000035c)
-
During the 17 seconds of the pack...
2024 Oct 28
2
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...tool forest directory_service dsheuristics
> 0000000011001`
>
> Note that I also set fUserPwdSupport to 1, which I don't believe to
> be needed (as I'm using `unicodePwd`, not `userPassword`), which
> means TRUE according to
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5:
>
> "If this character is neither "0" nor "2", then the fUserPwdSupport
> heuristic is TRUE. If this character is "2", then the fUserPwdSupport
> heuristic is FALSE. If this character is "0", t...
2024 Oct 28
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...service dsheuristics
>> 0000000011001`
>>
>> Note that I also set fUserPwdSupport to 1, which I don't believe to
>> be needed (as I'm using `unicodePwd`, not `userPassword`), which
>> means TRUE according to
>> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5:
>>
>> "If this character is neither "0" nor "2", then the fUserPwdSupport
>> heuristic is TRUE. If this character is "2", then the fUserPwdSupport
>> heuristic is FALSE. If this character is &q...
2024 Oct 27
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...the payload).
>>>>>>
>>>> Did you enable password change via ldap? :
>>>>
>>>> samba-tool forest directory_service dsheuristics '000000001'
>>>
>>> According to
>>> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5,
>>> a dSHeuristic is required only for changing passwords over
>>> unencrypted LDAP (`fAllowPasswordOperationsOverNonSecureConnection`).
>> Above link talks about AD DS vs. AD LDS (where the latter refers to
>> ldap, unc...
2024 Oct 28
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...>>>
>>>>> Did you enable password change via ldap? :
>>>>>
>>>>> samba-tool forest directory_service dsheuristics '000000001'
>>>>
>>>> According to
>>>> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5,
>>>> a dSHeuristic is required only for changing passwords over
>>>> unencrypted LDAP
>>>> (`fAllowPasswordOperationsOverNonSecureConnection`).
>>> Above link talks about AD DS vs. AD LDS (where the latter...
2019 Apr 18
3
Windows clients require reboot once a day in order to access mapped drives
Hi Rowland,
> I hope someone has seen this before and knows what's going on. Given
> > the time delay between the problem recurring, I'm guessing the issue
> > lies with Kerberos, but I'm not sure how to verify that or how to
> > resolve the issue. If you need more info, please let me know.
> >
> > Problem:
> > Each morning, windows users are
2024 Oct 27
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...>>>> purposes (no need for a MITM to look at the payload).
>>>>
>> Did you enable password change via ldap? :
>>
>> samba-tool forest directory_service dsheuristics '000000001'
>
> According to
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5,
> a dSHeuristic is required only for changing passwords over unencrypted
> LDAP (`fAllowPasswordOperationsOverNonSecureConnection`).
Above link talks about AD DS vs. AD LDS (where the latter refers to
ldap, unclear what the first is). At the sa...
2020 Jun 23
0
Update of operatingSystem and operatingSystemVersion attributes in AD
...ve/samba-technical/2007-March/052448.html
that Windows clients update those attributes via the
NetrLogonGetDomainInfo() MS-RPC call.
Since 2007 a lot has changed obviously and it looks like Microsoft made
the docs for NetrLogonGetDomainInfo available:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/7c3ad0cc-ee05-4643-b773-4d84e1d431dc
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3ae9e9a9-a303-4fa5-8e11-823d9e7e1e61
/-> The NETLOGON_WORKSTATION_INFO structure defines information passed
into the NetrLogonGetDomainInfo method, as specified in 3.5.4.4.9. It
S...
2023 Aug 21
1
Editing user password hashes
...'s supplementalCredentials fields
in /var/lib/samba/private/sam.ldb.d/DC%3DAD%2CDC%3DEXAMPLE%2CDC%3DCOM.ldb
to migrate passwords?
Provided that I could get the data structure right. (Documentations
about supplementalCredentials should be here I think
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/84cefe3e-a688-4232-b997-ac5d9993f5eb)
I have "ntlm auth = disabled" in smb.conf so I think not having NT
hash is not a problem.
2024 Oct 27
2
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...S. I'm using LDAP for debugging
>>> purposes (no need for a MITM to look at the payload).
>>>
> Did you enable password change via ldap? :
>
> samba-tool forest directory_service dsheuristics '000000001'
According to
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5,
a dSHeuristic is required only for changing passwords over unencrypted
LDAP (`fAllowPasswordOperationsOverNonSecureConnection`).
As mentioned, modifying `unicodePwd` does not work over LDAPS either in
my specific case, so a heuristic should not be n...
2024 Oct 27
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...eed for a MITM to look at the payload).
>>>>>
>>> Did you enable password change via ldap? :
>>>
>>> samba-tool forest directory_service dsheuristics '000000001'
>>
>> According to
>> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5,
>> a dSHeuristic is required only for changing passwords over unencrypted
>> LDAP (`fAllowPasswordOperationsOverNonSecureConnection`).
> Above link talks about AD DS vs. AD LDS (where the latter refers to
> ldap, unclear what the fi...
2024 Oct 11
1
Problem with a domain controller that is located in a separate site
...n this does not happen in
> samba when one is on a separate site,
> who can I contact who is working on kcc? It seems to me that this is
> the problem there, Rowland, what do you think?
>
The thing is, according to this Microsoft page here:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/302391a9-f6e1-4c0c-a1b2-5604a42e982b
the 'repsTo' attribute is optional and, as far as I can find, is used to
replicate to another DC in the same site, so if you don't have another
DC in the same site, it should be empty (aka not there).
There are, as far as I can see, two typ...
2019 Dec 03
2
Account locked and delayed user data propagation...
...ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))' lockoutTime | grep 'lockoutTime' | awk '{print $NF}'
> See here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4
following the link here the code:
user_is_locked () {
# We follow spec, if zero, is not locked.
local LOT=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutTime | grep &quo...
2019 Jul 02
2
Fwd: Need the ability to edit Samba SIDs.
...> Object SID ends in 998, eGroupware will assume the UID is 998.
The SID shouldn't end in '998', all normal AD users, groups etc start at
'1000', it is the Windows 'system' users & groups that start at 500, see
here:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab
Rowland
2024 Oct 28
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...> 0000000011001`
> >>
> >> Note that I also set fUserPwdSupport to 1, which I don't believe to
> >> be needed (as I'm using `unicodePwd`, not `userPassword`), which
> >> means TRUE according to
> >> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5:
> >>
> >> "If this character is neither "0" nor "2", then the fUserPwdSupport
> >> heuristic is TRUE. If this character is "2", then the
> >> fUserPwdSupport heuristic is FALSE. If...
2019 Apr 25
4
User mapping/login issue
On 24/04/19 19:51, L.P.H. van Belle wrote:
> Hai,
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Rowland Penny via samba
>> Sent: Wednesday 24 April 2019 12:13
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] User mapping/login issue
>>
>> On Wed, 24 Apr 2019 11:38:58 +0200
2019 Jul 02
2
Fwd: Need the ability to edit Samba SIDs.
...will assume the UID is 998.
>> The SID shouldn't end in '998', all normal AD users, groups etc start
>> at '1000', it is the Windows 'system' users & groups that start at
>> 500, see here:
>>
>> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab
>>
>>
>> Rowland
>>
>>
> The rationale is that not every Samba AD is RFC2307 Compliant.
Whilst this is technically correct (you have to specify '--use-rfc2307'
when provisioning), all the RFC2307 attributes are s...
2019 Nov 15
3
Account locked and delayed user data propagation...
I need to do some testing, but before I hit my head on a known wall, I
ask here.
My AD domain gets used (via PAM/Winbind) to give access to some other
service, most notably here dovecot.
When the password expires (or users change it) the MUA tries the old password
some times, then asks for a new password; users clearly get scared,
press randomly 'OK' or 'Cancel', but if they press 2-3
2019 Jul 02
2
Fwd: Need the ability to edit Samba SIDs.
...> The SID shouldn't end in '998', all normal AD users, groups etc start
>>>> at '1000', it is the Windows 'system' users & groups that start at
>>>> 500, see here:
>>>>
>>>> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab
>>>>
>>>>
>>>>
>>>> Rowland
>>>>
>>>>
>>> The rationale is that not every Samba AD is RFC2307 Compliant.
>> Whilst this is technically correct (you have to specify
>...
2019 Jun 15
1
Samba + sssd deployment: success and failure
On Thu, 2019-06-13 at 17:10 +0100, Rowland penny via samba wrote:
> I do not really care what Microsoft calls them, to me a SID identifies a
> domain, a RID identifies an object in a domain and a SID-RID is a
> combination of the two and identifies an object in a particular domain.
>
> If you want to call a SID-RID a SID, be my guest, I will not stop you ;-)
Rowland,
it helps