similar to: Suppressing the GSS-API SPNEGO negTokenInit message on Negotiate Protocol Response

Hi, I am running an Ubuntu 14.04 server with Samba configured to use Quest Authentication Services for user authentication with an Active Directory infrastructure. After an Samba upgrade from version 2:4.1.6+dfsg-1ubuntu2.14.04.13 to 2:4.3.8+dfsg-0ubuntu0.14.04.2, I am facing the problem that none of the configured Samba shares is accessible anymore. The log contains the following entry:

I think I've found out why MacOS 10.5.x (Leopard) clients are unable to connect to Samba shares when authenticating with Kerberos. Basically, the Leopard Macs insert a few extra bytes (Padding and reqFlags, according to wireshark) into the security blob within the Session Setup AndX Request packet, bytes whose start tag is 0xa1, in a spot where Samba's parser expects 0xa2. The critical

On 17/07/16 07:12, Mark Foley wrote: > On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote: >> On 16/07/16 19:09, Mark Foley wrote: >>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote: >>> > [lots of extraneous stuff deleted] > >>>>> >>>> OK, just an update on the new wiki

I've gotten errors like this when it was actually a selinux denial. If you're running selinux, check those logs too. Bill On 1/16/2017 4:09 PM, Mark Foley wrote: > More info ... > > This is the only user having this permission problem. All other Thunderbird/dovecot users are > getting mail file. They all have the same permissions set on their Maildir folder. > > --Mark

On 16/07/16 19:09, Mark Foley wrote: > On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote: > >> On 15/07/16 08:17, Rowland penny wrote: >>> On 15/07/16 00:34, Andrew Bartlett wrote: >>>> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote: >>>>> On 14/07/16 21:52, Andrew Bartlett wrote: >>>>>>

Mike, excellent suggestion! I will definitely experiment with that nsswitch change. Rowland also mentioned adding RFC2307 to the AD settings for the user(s). If, as you say, my MTA will find the home directory with the nss windbind setting, that would be fantastic! I would definitely removed the AD users from /etc/passwd. I don't know if nsswitch.conf settings are now mentioned in the

Hi folks, I can use kerberos to create or delete user, eg: samba-tool user create test -k yes however, if I want to perform a backup it fails: samba-tool domain backup online --targetdir=/srv/backup --server=192.168.50.40 -k yes gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER Failed to

On Thu, 26 Jan 2017 21:54:49 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote: > On Thu, 26 Jan 2017 16:26:02 -0500 > Mark Foley via samba <samba at lists.samba.org> wrote: > > > On Thu, 26 Jan 2017 19:36:33 +0000 Rowland Penny wrote: > > > > > Have you tried checking in AD with ldbsearch or ldbedit for the > > > > > actual

Hello, maybe someone can help me to get this right.:) samba 4.1.3 on Debian the samba-tool manpage says: ... -k KERBEROS|--kerberos=KERBEROS Use Kerberos ... adding a dns record works as expected: root at samba:~# samba-tool dns add localhost example.com www CNAME web.example.com Password for [administrator at EXAMPLE.COM]: Record added successfully Now trying to use the -k

On 04/16/2015 12:53 AM, Mike wrote: > CentOS 7.1503 installed. > Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be > configured). > > The samba wiki Readme First page states, "Some distributions like . . . Red > Hat Enterprise Linux (and clones), ship BIND9 packages with disabled > GSS-SPNEGO option, which is required for signed DNS updates when

On Thu, Apr 16, 2015 at 6:03 PM, James Hogarth <james.hogarth at gmail.com> wrote: > This was required for kerberos secured updates prior to el7.1 and el6.6 ... > > The problem in the underlying kerberos libraries was resolved so that > kerberos based updates worked with gss again and spnego doesn't need to be > compiled in. >

On Fri, Apr 17, 2015 at 7:46 AM, James Hogarth <james.hogarth at gmail.com> wrote: > It wasn't the bind package directly but rather an issue with the libkrb5 > libraries. > > This is the specific bug that fixed the issue: > > https://bugzilla.redhat.com/show_bug.cgi?id=1087068 > > I'll get the samba wiki updated to make this clear. > Zoinks! I

On 17 Apr 2015 13:04, "Mike" <1100100 at gmail.com> wrote: > > On Fri, Apr 17, 2015 at 7:46 AM, James Hogarth <james.hogarth at gmail.com> > wrote: > > > It wasn't the bind package directly but rather an issue with the libkrb5 > > libraries. > > > > This is the specific bug that fixed the issue: > > > >

I am trying to configure a dovecot2 IMAP server to inter-operate with a active directory to authenticate users. The users should be able to login without a password on a domain-joined client(Outlook). Is it possible to do this only with kerberos? I don't want to put a crappy winbind on my mailserver... I already configured my server to authenticate via kerberos(GSSAPI), but Outlook does not

Hai, ? Im know this might not be the place to ask, but im doing it anyway..? ;-) ? Im testing an debian Jessie server with squid3 ( 3.4.8 ) Its running Debian Samba 4.1.13 with winbind. ? Im having troubles, to get the squid auth working. So my question is is someone here using kerberos authentication on squid. ( 3.4.x ) Or someone who is using the gss-spnego helper protocol. ? Im using this

On 17 Apr 2015 00:42, "Mike" <1100100 at gmail.com> wrote: > > On Thu, Apr 16, 2015 at 6:03 PM, James Hogarth <james.hogarth at gmail.com> > wrote: > > > This was required for kerberos secured updates prior to el7.1 and el6.6 ... > > > > The problem in the underlying kerberos libraries was resolved so that > > kerberos based updates worked

On 04/16/2015 06:33 AM, Mike wrote: > Hi Johnny, > > Thank you for your response. I thought to choose the sernet package > because of the following stated in Samba Readme: > > Samba packages shipped in some distributions like e. g. Fedora, RHEL may > not be able to be used as Samba AD DC, because the distribution relies on > MIT Kerberos which isn't supported by

More experimentation ... I stopped Samaba, ldbedit'ed the /var/lib/samba/private/idmap.ldb and changed the line xidNumber: 3000026 to xidNumber: 10001 killed the cache and restarted Samba. As I hoped, the wbinfo now showed $ wbinfo -i mark HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash which was NOT the case in my message below after killing the cache. In that previous

On 16 Apr 2015 14:29, "Johnny Hughes" <johnny at centos.org> wrote: > > On 04/16/2015 06:33 AM, Mike wrote: > > Hi Johnny, > > > > Thank you for your response. I thought to choose the sernet package > > because of the following stated in Samba Readme: > > > > Samba packages shipped in some distributions like e. g. Fedora, RHEL may >

CentOS 7.1503 installed. Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be configured). The samba wiki Readme First page states, "Some distributions like . . . Red Hat Enterprise Linux (and clones), ship BIND9 packages with disabled GSS-SPNEGO option, which is required for signed DNS updates when using BIND as DNS backend on your Samba DC. This circumstance requires