Displaying 20 results from an estimated 300 matches similar to: "See if authenticated user is in group XYZ"
2015 Nov 04
3
Pam_mount not working with "sec=krb5"
>
> If by "key" you meant keytab then you were right. A keytab is a file 
> dedicated to containing credentials (https://kb.iu.edu/d/aumh or 
> http://web.mit.edu/Kerberos/krb5-1.12/doc/basic/keytab_def.html).
>
> Keytabs are used when you want to automate actions which need 
> authentication. When some automated action requires credentials you 
> have to provide
2002 Oct 18
3
Host Key Verification failed - ssh via cgi
Hi, my scenario is this:
I have a cgi (on host1) that executes ssh (as userxyz) to a remote server (host2), executes a command to retrieve some data and outputs them to the local browser.
on host1:
#!/usr/bin/perl -w
...
$output = `/usr/local/bin/ssh -l userxyz -x host2 ls -l`
...
But I get "Host Key Verification failed" in my apache's error_log. I can do it on the command line,
2015 Nov 04
3
Pam_mount not working with "sec=krb5"
Mathias, thanks again! This sounds like a very reasonable approach. I 
know that with remote ssh and public key authentication you can set the 
limit to a single possible command. Is this also possible with AD users?
Unfortunately, I don't have 'multiuser' support in my current cifs-utils 
version 4.8. So I would end up with your designated user being the owner 
of all the files and
2015 Nov 04
2
Pam_mount not working with "sec=krb5"
On 04.11.2015 at 14:49, mathias dufresne wrote:
> 2015-11-04 13:58 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>
>> Mathias, thanks again! This sounds like a very reasonable approach. I know
>> that with remote ssh and public key authentication you can set the limit to
>> a single possible command. Is this also possible with AD users?
>>
> I'm
2015 Nov 04
2
Pam_mount not working with "sec=krb5"
So finally here is the solution that works for me. If you have any 
questions, just ask.
I use pam_mount with the following volume definition in the 
"/etc/security/pam_mount.conf.xml":
<volume fstype="cifs" server="server" path="home/%(USER)" 
mountpoint="/home/%(USER)" sgrp="domain users" 
2020 Oct 21
3
Azure AD Connect and replication issues
hello
our AD domain is hosted by two samba AD domain controllers version 4.12.6
- replication between controllers is fine, no problems.
- no schema errors.
- no database errors, all fine.
- no CPU utilizations
- without noticeable bandwidth utilization
Recently we have deployed Azure AD connector on dedicated windows system 
(system is domain member server). Since this deployment we are observing
2009 May 15
1
Newbie question - force file permission to user's secondary groups.
samba version is  3.0.28a-1ubuntu4.7
--
I created users on both samba and the linux system, and created 3 groups on
the system. Each of these groups own a specific directory, the directory on
the filesystem belongs to root.groupfoo. On my smb.conf I gave each of these
groups write access to its directory (@groupfoo to the share /groupfoo). So
now every linux user belonging to groupfoo can write
2015 Nov 04
0
Pam_mount not working with "sec=krb5"
First please note the following is not really linked to your NFS question,
it's more related to automation, credentials everywhere and how to secure
them a little bit.
The point dealing with keytab or credentials in general when used for
automation, as these credentials can potentially be used by some attacker, is
to create dedicated user which can perform only what it is supposed to
perform.
2008 Aug 29
1
configs
I'm seeing very long delays the first time winbind accesses the network.
See: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496569
I've tried lots of things, down to stripping the config to a bare
minimum for ADS security and even killing ipv6 support on the box.
Nothing has resolved this.
Does anyone see anything obviously wrong with this configuration that
might cause a very long
2015 Nov 04
0
Pam_mount not working with "sec=krb5"
2015-11-04 13:58 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
> Mathias, thanks again! This sounds like a very reasonable approach. I know
> that with remote ssh and public key authentication you can set the limit to
> a single possible command. Is this also possible with AD users?
>
I'm interested by the restriction to only one command for users. The only I
see that
2015 Nov 04
0
Pam_mount not working with "sec=krb5"
Very interesting thread! Thank you all for sharing your thoughts and knowledge.
Regards
Davor
-- Sent from my mobile! --
----- Original message -----
From: "Ole Traupe" <ole.traupe at tu-berlin.de>
Sent: 2015-11-04 15:29
To: "samba at lists.samba.org" <samba at lists.samba.org>
Subject: Re: [Samba] Pam_mount not working with "sec=krb5"
2008 Oct 04
2
smbclient kerberos issue
Running Samba 3.2.3 on Debian Lenny, amd64.
I'm joined to an AD realm, authentication works fine for Windows
clients. I'm able to see that the clients are using Kerberos, not NTLM
to authenticate to the shares. However when I look at the keytab, my
entries have the short names like "service/shortname@REALM" instead of
"service/fqdn@REALM". Looking at Windows servers on
2015 Nov 03
4
Pam_mount not working with "sec=krb5"
>> I mean, putting the key in the keytab looks like a security risk to me.
> In what way does it appear any more of a risk than having the keys 
> which you have there already? Even if someone steals the keytab, 
> they're gonna be hard pressed to crack the key in the few hours before 
> the tgt expires. Do you have very sensitive data maybe?
Ok. And maybe I misunderstood
2020 Oct 21
2
Azure AD Connect and replication issues
Hi Michal,
Seems we are doing similar things at the moment: getting samba to work 
with azure AD.
We also see the high CPU usage on the DC that the Azure AD Connect 
server connected to. Between 70 - 100 percent in our case.
We are not seeing any replication issues after azure AD Connect, and I 
have a script that automatically checks replication every few minutes.
I was the one reporting the
2015 Nov 04
4
Pam_mount not working with "sec=krb5"
> However, I have two objections at first glance:
> a) if you remove AD access for an AD user, this user can't mount samba
> shares, because he won't get authenticated correctly (on the Samba file
> server sharing the homes), no?
Looks correct to me what you're saying,
But how are you removing ad access from an AD user? 
> b) if you use NFS, and I tried that, and a user
2011 Mar 28
0
Users suddenly have no access
Hello,
I have a big Problem here:
samba 3.5.6, LDAP, 200+ Users.
Some users can't logon to a share anymore, where they still could login last week.
net rpc user info userxyz
gives the groups
group1
...
group8
but not the group group9
but net rpc group members group9 gives me
.......
domain\userxyz
.......
So, the user is a member of the group9, but his membership is not listed in net
2015 Nov 04
0
Pam_mount not working with "sec=krb5"
On 04/11/15 18:30, Ole Traupe wrote:
> So finally here is the solution that works for me. If you have any 
> questions, just ask.
>
> I use pam_mount with the following volume definition in the 
> "/etc/security/pam_mount.conf.xml":
> <volume fstype="cifs" server="server" path="home/%(USER)" 
> mountpoint="/home/%(USER)"
2009 Mar 27
1
failed to join domain error
Dear All,
I have successfully managed to have my kerberos configured n working
without error when I say
kinit Administrator
and after entering password I get the # prompt
so it works fine
my krb5.conf
--------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = BALADIA.LOCAL
2009 Jun 15
4
Samba with ADS
Environment: Sun Solaris 9 sparc
Software: Samba-3.3.3, KRB5-1.6.3, OpenLDAP-2.4.11
Problem:
Am trying to create shares with Samba so that users can map to folders on this server using Active Directory. I am successful in creating a Kerberos ticket; I can join the domain; and wbinfo -u and -g give me users in the AD. However, getent passwd only gives me a list of users on the server and not in the
2015 Sep 28
2
mirroring one domain.tld to domain.tld.au
I have Postfix/Dovecot/postfixadmin/MySQL with several virtual mailbox
domains
one of the domains is like aname.com.au, the user also now has aname.com,
and, would like to 'mirror' most of the addresses to be user at aname.com,
THOUGH, some are to remain as user2 at aname.com.au
so, both user at aname.com as well as user at aname.com.au should be one user
the users retrieve emails as