similar to: pam_winbind keytab permissions question

Displaying 20 results from an estimated 5000 matches similar to: "pam_winbind keytab permissions question"

2011 May 05
0
pam_winbind keytab permissions question
Hi! I found this old message (see below) in the Samba mailing list archives. I understand why it is not a good idea for the krb5.keytab file to be world readable (machine credentials should not be world readable), but I would appreciate it if someone could explain why it needs to be *group* readable? Thanks, J. ________________________________ Question: Should the system keytab need to be world
2012 Dec 08
1
Winbind losing Trust with the AD domain
Hi list ! I've been trying to get a fileserver with kerberised NFS4 and Samba going on a RHEL 6.3 box, with a 2k8r2 AD backend, using the rpm's provided by Redhat. (3.5.10-125) I also tried the rpms from sernet (both 3.6 and 3.5) with no success... The Join to the domain works: # net ads join createcomputer="Servers/LINUX systems"
2012 Feb 09
1
Unable to create principle and join domain with solaris / samba 3.5.8
Has anyone had any success using net ads join to create a new service principal and join Active Directory using samba 3.5.8. This works fine in 3.0.35 but I'm not able to get a working create/join with 3.5.8. In samba 3.0.35 (on a host which is already allowing kerberised logins via AD), the following works: net ads join createupn='CIFS/host.domain.com' \
2008 Dec 11
3
Failed to join domain: failed to set machine spn: Constraint violation
Hi, I'm seeing this error on 3.0.24, 3.0.28, 3.0.32 and 3.2.6: Failed to join domain: failed to set machine spn: Constraint violation [Sanitised] First Run: net ads join createupn=HOST/FQDN@DOM.REALM.DOMAIN.COM createcomputer="OU/OU/OU/Services" -U username -d1 Enter username's password: [2008/12/11 17:02:32, 1] libnet/libnet_join.c:libnet_Join(1770) libnet_Join:
2020 Oct 13
2
[Fwd: Joining AD - wrong DNS name, wrong keytab]
Hello, I noticed within last Centos7 samba (4.10) issues with joining computers to AD. Which was no problem in previous versions (and is working with samba present in Ubuntu 16.04 - 4.3) I'm joining my clients to Active directory for example domain.org, with DNS subdomain base.domain.org The issue is that the client is joined and keytab generated for FQDN: client.domain.org instead of
2020 Jun 04
0
net ads status stripped output
On 04/06/2020 08:48, Markus Lindberg wrote: >>>> If you do not want to authenticate users and groups, why are you joining >>>> the computers to AD ? >>>> >>>> The whole idea behind AD is the centralisation of users and groups. If >>>> you are using users and groups created locally on the computer (i.e. >>>> they are not in
2010 Nov 29
1
Getting no ticket cache from pam_winbind
Hi all, I'm trying to get pam_winbind to create ticket cache on login if the AD is available. Please note that this is an Ubuntu Lucid system. When trace this with wireshark it receives a TGT ticket for the user. The current solution is to use pam_krb5 before attempting winbind. That gives me a ticket cache. The main problem is that if the user enters the wrong password it does two login
2018 Aug 27
2
Problems removing a SBS 2008 server from a Samba AD DC.
Hi, I have a samba 4.7.9 DC that I am trying to remove a windows SBS dc from. In doing this I have run across several problems. For whatever reason when I try to dcpromo the windows DC it fails because it says it cannot contact the samba4 DC. I have checked replication as per https://wiki.samba.org/index.php/Verifying_the_Directory_Replication_Statuses All of the tests pass. Since we are going
2016 Apr 21
0
Winbind idmap question
And why do I want to get rid of id mapping? Because starting my tests this morning, checking id of the same user on 3 DC I get 3 different UIDs for the same user. That's why we would prefer to rely on uidNumber. 2016-04-21 12:40 GMT+02:00 mathias dufresne <infractory at gmail.com>: > All DC are running same Samba version : 4.4.2. All DC are hosted on same > Centos 7. > >
2014 Jan 02
2
pam_winbind fails to authenticate domain users on my debian wheezy domain member servers
Dear list members, I am running a small active directory domain for my home network. Everything is working as expected, except for the authentication of active directory users on my machines running debian wheezy. Here is my setup: 1) Active Directory Domain Controller is running on a raspberrypi (raspbian) with samba compiled from source (v4-1-stable from git repository) 2) Windows 7 machines
2016 Apr 21
2
Winbind idmap question
All DC are running same Samba version : 4.4.2. All DC are hosted on same Centos 7. On broken server(s): wbinfo -i mdufresne failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user mdufresne On working servers: wbinfo -i mdufresne AD.DOMAIN\mdufresne:*:12104:100:Mathias Dufresne (TEMP):/home/AD.DGFIP/mdufresne:/bin/false The smb.conf is:
2010 Apr 07
1
Kerberos method not working like use kerberos keytab?
Hi, I have a couple of old samba 3.0.30 installations. I enabled the "use kerberos keytab" option in the smb.conf file to acquire a tgt automatically when a user logs in. This works fine on 3.0.30 installs. On newer samba versions I recognized that the option has been phased out and replaced by a newer option called "kerberos method" the man page is not really clear about what
2009 Mar 13
1
PAM_WINBIND problem with sambaPwdMustChange
Hi People! I use pam_winbind for authentication in my computer workstation using Debian Lenny 5.0, Stable Version. I configure my user with this option "sambaPwdMustChange: 0", and I logon in GDM without asking to change password. Who knows what can be? I use Samba PDC with Heimdal Kerberos, but, I configure PAM with only pam_winbind for tests... Client versions: ii
2017 Mar 13
1
pam_winbind with trusted domain
Hi, I am having problems using pam_winbind to log in as a user in a trusted domain. The arrangement is that Samba is joined to a local domain DOMLOCAL which has a trust setup with DOMREMOTE. getent passwd/group correctly enumerates users and groups from DOMLOCAL. If I try getent passwd for the DOMREMOTE account no result is returned. pam_winbind has a requirement that the user is a member of
2007 Apr 04
1
Issue with pam_winbind for MS AD authentication and module options
Hello! I've configured samba with winbind and pam_winbind module to authenticate users that connect to my linux box against MS AD. Works like a charm. If a user exists both in AD and locally, login should assume local users. Again, it works pretty well (It seems at least with my current config). If my AD server goes down for any reason, local users should be able to login. For example, root
2007 Aug 03
2
Argument createcomputer does not work in net rpc join
Hello, We are using samba-3.0.25a and we want to join our system onto the Active Directory server in a specific location. The argument 'createcomputer' is exactly what we want and it works perfectly when we do a 'net ads join' but fails when we do a 'net rpc join'. The computer object always gets created in the 'Computers' folder. Looking at the code it appears
2010 Dec 01
0
samba 3.5.6 authentication with AD 2008
Hi guys, I have installed samba with AD authentication. Ntlm_auth is working without any issue with the domain. But if I connect using my windows pc, to the samba share, it gives following error. Wbinfo -u / wbinfo -g giving the correct output. And ntlm_auth also working without any issue. If I try to connect from my windows PC to the samba share it gives following error. [2010/12/01
2007 Aug 14
0
Winbind fails to refresh Kerberos tickets (3.0.25b - Fedora Core 5) - 2nd Try
This is the second attempt at sending this. Apologies for any duplicates. I've got Winbind up and running to authenticate our users against our AD and to save kerberos tickets. I have used the "winbind refresh tickets = yes" setting expecting this to renew these kerberos tickets before they expire. This does not appear to work. Gnome will pop up a dialog box saying that the
2010 Jun 09
1
pam_winbind and krb5_auth
Hey list, I'm wondering if there is any advantage to be gained by using kerberos with pam_winbind. I've configured pam_winbind and enabled krb5_auth though apart from being granted a ticket, I'm unsure as to any advantage that would be gained by enabling Kerberos. Thanks, Matt Delves -- --------------------------------------------- Matthew Delves System Administrator Information
2020 Nov 20
0
Smartcard logon issue with pam_winbind and Kerberos auth
Hi folks, I've run into an interesting issue when I was trying to set up Winbind client to use smart card for authentication. From what I was able to gather, Winbind doesn't support smart card auth. To my surprise, I was able to authenticate without pam_pkcs11 or pam_krb5 in my PAM stack, using only pam_winbind, after I've added config like this into /etc/krb5.conf: ```