Displaying 20 results from an estimated 9000 matches similar to: "winbind not resolving group membership changes"
2018 Jun 08
0
GSSAPI vs group check
Dear All,
We are having a very similar issue with dovecot 2.2.34 as ?kos. We want
our users to authenticate via GSSAPI over Kerberos using their TGT.
Our setup is two distinct locations with their own dovecots with access
to these being handled via LDAP auth mechanism with filters to check for
their group memberships, i.e. users from location A are in group A and
users from location B
2018 Jun 01
2
GSSAPI vs group check
Dear All,
Is it possible to make any authorization (eg. checking of group
membership) in case of GSSAPI authentication?
Our dovecot authenticates the users against PAM and GSSAPI. In the PAM
file I'm able to check if a user is a member of a selected (e.g.
mailreader) group. If the user is member, he can login otherwise not
(see below). If the user has a valid Kerberos ticket and he
2006 Sep 22
1
ssh login through AD solution
Thanks to Anthony Ciarochi at Centeris for this solution.
I have a Centos (Red Hat-based) server that is now accessible to AD users
AND local users via ssh. I can control which AD groups can login using the
syntax below. Red Hat-based distros use "pam_stack" in pam.d which is quite
different than Debian's "include" based pam.d,
cat /etc/pam.d/sshd
#
2008 Feb 20
0
samba, PAM and active directory
Hi,
I want that users can log on (SSH and console) a
Debian box can do it through Active Directory. I still
want that root user can log on (SSH and console) so I
created a wheel group for that.
I can log on successfully with all AD and root
users. However, I'd like to limit the AD users to the
technology domain group.
I've googled a lot:
2012 Feb 20
1
A couple of quick questions
Hi, Everybody,
I have a couple of quick questions that I'm having a little
difficulty with. I'm guessing these will be pretty easy to answer.
The first is;
1) Is it possible to deterministically set the domain name that will
be used when the "winbind use default domain = Yes" option is
configured in /etc/samba/smb.conf? I want to set a default domain,
however I do not
2010 Jan 12
0
Strange SAMBA Winbind behavior - WBC_ERR_AUTH_ERROR - NT_STATUS_WRONG_PASSWORD
Hello All,
I am having a weird behavior and after 2 days of trying to fix it, I
just decided to ask the experts in this group!
I have a RHEL5 box running SAMBA 3.4.3-41.el5. Users authenticate via
Winbind to a Windows 2008R2 Domain controller.
Authentication is fine, users can log in but ...
1. When user type their login/username, it takes 3 seconds to get
the password
2012 May 31
1
Tangential Issue: idmap backend = ad and Active Directory 2008R2
Tried single quotes on Domain Admins in the pam.d file as well as a backslash on the space with no effect. I've found several references that just say "no spaces in group names." Is there really no way to do this?
Also, most references I find to using these lines in pam.d say that "sufficient" should work, but I'm finding that users in the named group can then log in
2013 Jun 19
1
"The account is not authorized to login from this station"
Good Day,
I am testing, in a lab environment, samba shares with ad authentication for access. My setup is as follows :
* Windows 2008 RC2
* RHEL 5.9
* Windows 7
* Windows XP SP3
* Samba 3.0.33-3.39.el5_8
All machines, including the RHEL Server, have been added to the Domain running on the Windows 2008 RC2 Server.
As per the subject, when trying to connect, from XP or Win 7, to the shares I
2007 May 25
0
Sometimes PC can not find network path
Dear all,
I have a linux server that uses redhat AS4. I want to make a samba file
server. Because we have a windows 2003 domain, I must use "security =
ADS". The samba version is samba-3.0.10-1.4E.9.
The samba server joined windows 2003 domain successful. I can find samba
server in the "network neighborhood". Client PC access samba server must
confirms with PDC. The domain member
2006 Jul 25
0
pam winbind seems to have trouble with idmap backend = ldap
Environment is
samba-3.0.10-1.4E.6
RedHat ES4, kernel 2.6.9-34.0.2.ELsmp
AD domain Win2003 SP2 Native mode
This system was initially setup in ads security mode, joined to a Win
2003 AD domain and configured to use winbind for both samba file shares
and authz/authn for sshd and local logins. In this configuration the
winbind idmap was the default local database. Everything worked fine.
Users could
2007 Sep 27
0
Winbind & AD group membership caching
I've been playing with joining RHEL4 (CentOS) machines to a Win2k3
Active Directory.
I've got everything pretty well squared away, except that the linux box
never seems to see changes to users' group memberships. For example, I
created a user, testuser, who was initially just a member of Domain Users.
I logged into the linux box with testuser successfully and both 'id' and
1998 Mar 12
0
Code to check Password Server Group Memberships
I am not a member of the samba listserv, but I wanted to contribute
the following code to the samba effort.
The following is clipped from some experimental
changes I have made to my own copy of the samba
source. I have not included all of the changes
because I don't have the time to. But someone should
be able to properly do the integration without too
much effort.
Summary, these
2011 Aug 31
1
Auto creation of home directories on Samba-3.5.4(CentOS 6) using PAM authenticating via ADS
Hi,
I have installed samba 3.5.4 on Centos 6 and have set it up to
authenticate to a Windows 2008 Domain Controller. When I do a "su -
some-domain-user", the home directory gets created. However, I want
the home directory to be created when a user accesses the samba
shares(no shell access). Following are the relevant configurations.
What are the PAM changes I need to make? Help is much
2014 May 16
1
User accounts not getting complete group membership (getent group / groups mismatch)
We recently added a new LDAP/AD group to our domain, but have found that
only some accounts on a Linux (Ubuntu 12.04.4, Samba 3.6.3) machine are
getting the membership: "getent group <groupname>" shows them as being in
the group, but "groups <username>" doesn't. I've tried restarting winbindd
with the "-n" option to bypass caching, and deleting the
2006 Dec 06
3
Winbind do not maintains mappings between UIDs, GIDs and SIDs
Hello,
I'm trying to use winbind to allow my AD users to logon to our linux
computers.
I'm using FC6 and Samba 3.0.23c-2.
I have several problems:
1. When I start linux machine and immediately after logging in I try to
check trust secret by running wbinfo -t
I receive this error:
checking the trust secret via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
2008 Jan 26
3
Member Server creates sambaDomainName LDAP entry
Short version:
Why does my domain member server create a sambaDomainName entry in LDAP?
Long Version:
I have created a Domain Member Server for a "NT4 style" Samba domain
with an LDAP backend.
It is a print server, running Winbind (because it solved a group SID
mapping problem and an 'invalid SID' error in syslog), and it works fine
in all other respects, but this:
After
2005 Jan 15
0
rssh and scponly arbitrary command execution
I just released rssh version 2.2.3 to fix the problem detailed below.
I haven't had time to update my website yet, and my Internet access is
quite limited these days (hence the terse announcement), so I probably
won't get to that for a while. However, rssh 2.2.3 is available from
the sourceforge.net site:
http://sourceforge.net/projects/rssh
All users of rssh should update to the
2004 Dec 03
1
[BUGTRAQ] rssh and scponly arbitrary command execution
[This came over BUGTRAQ this morning. Note the call for volunteers
vis-a-vis rssh.]
- ----- Forwarded message from Jason Wies <jason at xc.net> -----
List-Id: <bugtraq.list-id.securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe at securityfocus.com>
To: bugtraq at securityfocus.com
Cc: rssh-discuss at
2004 Jun 19
0
security flaw in rssh
rssh is a small shell whose purpose is to restrict users to using scp
or sftp, and also provides the facilities to place users in a chroot
jail. It can also be used to lock users out of a system completely.
William F. McCaw identified a minor security flaw in rssh when used
with chroot jails.
There is a bug in rssh 2.0 - 2.1.x which allows a user to gather
information outside of a chrooted jail
2004 Oct 23
1
rssh: pizzacode security alert
PIZZACODE SECURITY ALERT
program: rssh
risk: low[*]
problem: string format vulnerability in log.c
details:
rssh is a restricted shell for use with OpenSSH, allowing only scp
and/or sftp. For example, if you have a server which you only want to
allow users to copy files off of via scp, without providing shell
access, you can use rssh to do that. Additionally, running rsync,
rdist, and cvs are