search for: windowsdomain

...ads join. Most important configuration to make mschapv2 only with ntlmv1 overall disabled (except for mschapv2) is setting in freeradius in /mods-available/mschap: mschap { ..... ntlm_auth = "/path/to/ntlm_auth *--allow-mschapv2* --request-nt-key --username=%{mschap:User-Name} --domain=WINDOWSDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" OR (if your Freeradius supports it) winbind_username = "%{%{mschap:User-Name}:-00}" winbind_domain = "WINDOWSDOMAIN" The former works just fine, the latter requires freeradius to be buil...

...o make mschapv2 only with ntlmv1 overall > disabled (except for mschapv2) is setting in freeradius in > /mods-available/mschap: > > mschap { > > ..... > > ntlm_auth = "/path/to/ntlm_auth *--allow-mschapv2* --request-nt-key > --username=%{mschap:User-Name} --domain=WINDOWSDOMAIN > --challenge=%{%{mschap:Challenge}:-00} > --nt-response=%{%{mschap:NT-Response}:-00}" > > OR (if your Freeradius supports it) > > winbind_username = "%{%{mschap:User-Name}:-00}" > winbind_domain = "WINDOWSDOMAIN" > > The former works just fine,...

ok, tested it, and it works. so to summarize: on samba ad 4.7.x  in smb.conf "ntlm auth" is set to "mschapv2-and-ntlmv2-only" fr + samba domain member (4.6 and 4.7) in mods-available/mschap you have to add to ntlm_auth --allow-mschapv2 to the whole string OR just use winbind method, which sets correct flag without explicitly adding it. with those settings ntlmv1 is blocked

.../etc/dovecot/dovecot-ldap-userdb.conf3.ext # Default fields can be used to specify defaults that LDAP may override #default_fields = home=/home/virtual/%u } #ldap conf --------------- hosts = myDChost base = dc=company,dc=testdomain,dc=dom ldap_version = 3 auth_bind = yes auth_bind_userdn = windowsdomain\%u user_filter = (&(objectclass=person)(|(mail=%u)(sAMAccountName=%n))) user_attrs = =uid=vmail,=gid=vmail,=home=/users/vmail/maildomain.com/%n,=mail_location=maildir:/users/vmail/maildomain.com/%n/Maildir tls = yes tls_require_cert = never dovecot -n --------------- # 2.2.10: /etc/dovecot/do...

...og file = /usr/local/samba/var/log.smb lpq cache time = 5 message command = /bin/mail -s 'SMB_Msg from %f@%m' root < %s; rm -f %s netbios name = SAMBASERVER password server = NTSERVER preserve case = yes security = user smbrun = /usr/local/samba/bin/smbrun syslog = 0 workgroup = WINDOWSDOMAIN -- Best regards. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Alexey V. Abashkin AKA alx@star.ssu.runnet.ru

...rity #hosts allow = 127.0.0.1 192.168.?.? security = user logon home=\\%L\%U\.profiles logon drive = H: logon path = \\%L\profiles\%U [netlogon] path = /home/samba/netlogon browsable = no Now when I try to add the machine, where the samba server is running to the windows domain: #net rpc join -w windowsdomain -U Administrator%passwd I get the error: Could not connect to the server The username or password was not correct or the command is false? Can somebody plz tell me, what I am doing wrong. Cheers Alam ________________________________________________________________ Verschicken Sie romantische, c...

First, I dont know if this issue is related to Samba or to Windows, but since all of our clients logon to a samba-served windowsdomain I suspect this problem at least is related to samba. Background We have 80 clients serving around 1000 users (this is a computerroom for students). Clients are running a Windows XP SP1 fully pathed installation. All users log on to a samba domain (samba 3.0.13 running on a fully pathed Solari...

...docs it actually still uses ntlm_auth, but for whatever reason this works, and "traditional" ntlm_auth doesn't. So in your freeradius mods-enabled/mschap instead of ntlm_auth...... put something like this: winbind_username = "%{mschap:User-Name}" winbind_domain = "*WINDOWSDOMAIN*" (not sure about external links in the mailing list, but here is the link to the freeradius doc explaining in detail: https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind What I can't test right now, if it will work with mchapv2 password change (if required), since free...

Ok, I finally could try it out, and it seems to actually work, but You need samba 4.7 on all machines, not only AD, but also server with freeradius. I didn't get a chance to test it locally, that is samba AD + freeradius on the same server. Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work (got simple "nt_status_wrong_password") but: 4.7.6 AD and 4.7.1

On 03/06/15 23:54, ivenhov wrote: > I've made all changes to 3 files you mentioned, also removed everything > except localhost in hosts file. > SO I have minimal smb.conf and minimal krb5 file > > Unfortunately error is still the same. > > If I try to join with full OU path I get kerberos_kinit_password > testuser at MYNAT.MYCO.BCU failed: Cannot contact any KDC for

...ox. > It's just this particular site (with large AD infrastructure) where it's > failing. I never got it to work with the quation marks, so I used "net ads join createcomputer=My/Ou/For/Servers -U testuser", where 'testuser' only have got the "add computer to Windowsdomain privileges" on named OU. Samba version 4.1.12. > I don't quite understand is why it complains about KDC why in fact I can > ping it and get ticket via kinit. > What would be next step to diagnose it? I'm out of ideas at this point. > I had a similar error as you first pr...