similar to: Kerberos and Winbind both needed for Active Directory??

Hi List, I have reported this issue before but I did not get an answer, ill try one more time before I register it as a bug incase I am doing something wrong. I'm evaluating the use of samba/winbind to join our linuxhosts into active directory. My testsetup use win2k3 R2 with rfc2307 schema fields populated on the server side. For the most part the project is humming along nicely. However,

I'm trying to learn how to integrate Linux workstations and servers into a Windows 2000 Active Directory network. I've read and followed the Samba HOWTO, especially the parts about Winbind, and I got my Linux workstation authenticating using pam_krb5 and pam_winbind. klist would show I got a TGT after logging in. Domain users could login and pam_mkhomedir would properly setup a new home

Hey all, I'm running the latest and greatest CentOS4 here, along with Samba and Winbind coupled to an Active Directory server. It's all working smoothly, bar one little bit, the idmap gui and uid directives. It appears to be ignoring them completely. I've pasted the relevant directives below... winbind separator = + idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users =

On 4/13/23 15:28, Daniel Lakeland via samba wrote: > I have a server that runs stand-alone with an LDAP directory and a KDC > . The linux machines have sssd to allow unified users etc. The clients > are mostly MacOS and Windows machines that aren't part of an AD. > > > This config has worked for 15 years, but after upgrading Debian and > bringing in Samba Version

Here's another client whose net ads join command "works" but doesn't really, with winbind.log entries of: libads/kerberos.c:ads_kinit_passwword(146) kerberos_kinit_password host/SAMBA-CLIENT@DOMAIN.LOCAL failed: Client not found in Kerberos database nsswitch/winbindd_ads.c: ads_cached_connection(81) ads_connect for domain DOMAIN failed: Client not found in Kerberos

On 4/14/23 02:47, Christian Naumer via samba wrote: > We are only talking about joining your server to your REALM not the > clients. > > It is possible to do this. See this example for FreeIPA: > > https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html#domain-member-configuration-overview > > > But as you can see it is more complicated that

On 4/13/23 14:15, Rowland Penny via samba wrote: > > > >> >> security = user is the config that used to work before the upgrade. > > The Samba daemon smbd before 4.8.0 could connect to AD (or in this > case a kerberos kdc) directly, but from 4.8.0 it has to go via winbind > and has to be joined to the domain/kerberos realm. > > You appear to be running a

Ok after installing libpam-winbind etc I had someone try to connect from a MacOS and they got: [2023/04/13 15:50:50.002773,? 1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac) ? auth3_generate_session_info_pac: Unexpected PAC for [testuser at OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE [2023/04/13 15:50:50.002891,? 3]

I have a server that runs stand-alone with an LDAP directory and a KDC . The linux machines have sssd to allow unified users etc. The clients are mostly MacOS and Windows machines that aren't part of an AD. This config has worked for 15 years, but after upgrading Debian and bringing in Samba Version 4.17.7-Debian it seems to be broken. I believe this is related to:

Hello, I'm having some difficulty understanding the best approach to setting up a samba fileserver in our environment. We have an active directory domain (2008) that has account "stubs" that we use for security and authorization (the passwords are unknown/random). This domain has a one-way Kerberos trust to an MIT Kerberos realm that we use for authentication. The user accounts are

Hi, I have been working on Windows NT PDC to OpenLDAP+Samba migration project and all is going on well, thanks to idealx. Now, I want to now do migrate MS Windows 2000/2003 based Active Directory to Linux+Samba+OpenLDAP+Kerberos. Somehow, the impression that I am getting having gone through many docs, including those from samba.org is that its not possible till probably version Samba 4 is out. My

Hello everybody, Apologizes for my english, I'm french :-) I have set up several samba file servers in my company. Authentification using kerberos works well with the Windows 2000 Active Directory server. Everything is fine, windows clients use them and we are really happy with them. The point is I have a strange behaviour/phenomemon for which I am totally unable to find a rational

Hi All, I am new to the samba-technical list. I am currently adopting the way Samba does for mutual authentication using Kerberos to MS Active Directory 2003. Basically, I am using this "static ADS_STATUS ads_sasl_gssapi_bind (ADS_STRUCT *ads) " in my LDAP client implemented by Netscape Directory SDK. However, the code works fine with Windows 2000 but fails on 2003. By running the

The "Dns-backend bind" page on the wiki recommends that you set up DNS dynamic updates via Kerberos. My understanding is that if you select BIND9_DLZ that the DNS zone data is stored in the directory. I would assume that in this case the normal directly replication would take care of moving DNS changes to all AD DCs. If this is correct, it would seem that there would be no need for a

On 14/04/2023 17:48, Daniel Lakeland via samba wrote: > On 4/14/23 09:16, Rowland Penny via samba wrote: >> >> >> This intrigued me, so I went and tried this and you need three computers: >> >> A samba AD DC (perhaps a computer just running a KDC, but I didn't try >> this) >> A Samba Unix domain member running as a fileserver >> A Samba

I sent this the other day, but did not get any replies, can anyone help? Hi All, I have a sparc solaris 8 server running samba 2.2.11 (which i complied with winbind). The server has been running for years and has about 20 local users setup using local files for openssh and rexec logins, and samba shares. They each use samba to map to their home directory and a common shared folder. They also

I recently joined a samba 3.0.22 server to AD. When I did the kinit, the AD gave me a 24 hour ticket with a 1 week renewal. Setting -r and -l to 365d did not change anything, the ticket still came back the same. However, my question is in reguard to whether this is really even needed? First, I deleted the ticket, and everything seemed to continue to work perfectly. Now, I let the ticket expire

Greetings, I'm working on the infrastructure of a medium size client/server environment using an Active Directory running on Windows Server 2003 for central authentication of users on linux clients. Additionally OpenAFS is running using Kerberos authentication through Active Directory as well. Now I want to grant users remote access to their AFS data by logging in into a central OpenSSH

Am 14.04.23 um 18:02 schrieb Daniel Lakeland via samba: > Any help would be appreciated. I'm beginning to suspect this > functionality was lost. There where some people that posted here with the same Problem. I have never done this. So everything from here is just "having an educated guess". If you look at the link I posted, there is a smb.conf given. I would take that as

On 14/04/2023 18:37, Ralph Boehme via samba wrote: > On 4/14/23 19:20, Rowland Penny via samba wrote: >> >> >> On 14/04/2023 17:48, Daniel Lakeland via samba wrote: >>> On 4/14/23 09:16, Rowland Penny via samba wrote: >>>> >>>> >>>> This intrigued me, so I went and tried this and you need three >>>> computers: