similar to: Configuring RHEL6 Samba4 DC for local accounts

On Thu, 14 Jun 2018, Patrick Begou wrote: > Hi, > > I'm facing a problem with setting up LDAP+TLS client authentication in a > kickstart script on CentOS7 for several days. > > Setting up manualy the config with system-config-authentication works but I > need to automate this in kickstart for deploying cluster nodes. > This show that the server side is running fine.

Ok, I've got most everything setup, but I'm not able to confirm pam_ldap and nss_ldap are working properly. (Actually given the examples in SBE, they still appear to be returning information from local files rather than the ldap info.) I wanted to go back and check my authconfig and reset the parameters. However now when I do a authconfig I get this: ---- authconfig --enablecache

Hi, I'm facing a problem with setting up LDAP+TLS client authentication in a kickstart script on CentOS7 for several days. Setting up manualy the config with system-config-authentication works but I need to automate this in kickstart for deploying cluster nodes. This show that the server side is running fine. At this time the message is #systemctl status sssd |....

Hi all, On a C6 box, when I want to enable LDAP authentication, I issue: # yum -y install nss-pam-ldapd pam_ldap nscd # authconfig --enableldap --enableldapauth --enablemkhomedir \ --ldapserver=ldap://ldap-blabla/ \ --ldapbasedn="blabla" \ --enablecache --disablefingerprint \ --kickstart --update All is working fine, the directory structure is fine and compliant.

Hello, I have a central repository of users/groups based on OpenLDAP which is working on a remote LAN (servers share users credentials and mount their home directories via NFS). They use non-encrypted ldap restricted to the local network. Now, I have a few servers in our local office and I would like them to authenticate from the remote LDAP server using encryption via ldaps://. (at this stage,

OK, further to my previous message I've configured BIND, but when I try to run samba_dnsupdate I get the following: Nov 18 16:19:23 sles-shire named[6112]: samba b9_putrr: unhandled record type 0 Nov 18 16:19:24 sles-shire named[6112]: samba_dlz: starting transaction on zone _msdcs.main.adlab.netdirect.ca Nov 18 16:19:24 sles-shire named[6112]: samba_dlz: disallowing update of

Is this a problem? Does this mean no replication links exist? michael at sles-bree:~> samba-tool drs showrepl -k yes Bree\SLES-BREE DSA Options: 0x00000025 DSA object GUID: 7ea641b0-d418-4c74-a4fa-c15b852467b8 DSA invocationId: 1017ff29-756c-4777-b395-b481f4b5387c ==== INBOUND NEIGHBORS ==== ==== OUTBOUND NEIGHBORS ==== ==== KCC CONNECTION OBJECTS ==== Connection -- Connection name:

I just checked the SOA records on my samba DCs and noticed a few oddities: michael at sles-bree:~> for i in ad{1..4} sles-bree sles-shire; do host -t soa main.adlab.netdirect.ca $i | grep SOA; done main.adlab.netdirect.ca has SOA record ad1.main.adlab.netdirect.ca. hostmaster.main.adlab.netdirect.ca. 177 900 600 86400 3600 main.adlab.netdirect.ca has SOA record ad2.main.adlab.netdirect.ca.

We've joined an RODC to the domain (Windows 2008R2 running a W2003 FFL/DFL AD) but are getting these errors on first startup. It was joined with: samba-tool domain join main.adlab.netdirect.ca RODC --realm=main.adlab.netdirect.ca --username=administrator at main.adlab.netdirect.ca --dns-backend=BIND9_DLZ but we get these errors right after startup: Nov 28 12:35:27 sles-bree samba[3939]:

OK! I'm getting farther and farther! :) I've managed to preload user and computer passwords onto a samba RODC: *sles-shire:/var/lib/samba/sysvol # samba-tool rodc preload 'win7-shire$' --server main.adlab.netdirect.ca** *Replicating DN CN=WIN7-SHIRE,CN=Computers,DC=main,DC=adlab,DC=netdirect,DC=ca Exop on[CN=WIN7-SHIRE,CN=Computers,DC=main,DC=adlab,DC=netdirect,DC=ca]

Hello, I'm trying to get samba4 up and running as a DC in a lab environment. I have a freshly installed AD environment (W2012R2 servers, W2008R2 functional level) and I'm trying to join samba4 to it as a domain controller. When I try, I get this: # samba-tool domain join ad.netdirect.ca DC -Uadministrator --realm=AD.NETDIRECT.CA -W AD Finding a writeable DC for domain

I'm testing out our samba 4 migration process and when the initial forest/domain was created, it was created without using --use-rfc2307: sudo samba-tool domain provision --domain netdirect --function-level=2008_R2 --realm=ad.netdirect.ca Now that it's in place and we have machines joined, what do I need to do to add the unix attribute and NIS maps to an existing samba4 domain so

I've set up a lab for testing Samba 4.1 as an RODC emulating a satellite office setup, using the sernet packages on SLES11SP2. ## Problem 1 samba_dnsupdate is failing: ==> /var/log/samba/log.samba <== [2013/11/18 13:22:37.416193, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler) /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure [2013/11/18

I would like to get samba4 working with AD and rfc2307 attributes, while allowing the nice remote management available via samba4. Using sernet-samba packages on 4.1.3-7.el6.x86_64 CentOS 6. I have samba4 configured as follows: krb5.conf: [libdefaults] default_realm = MAIN.ADLAB.NETDIRECT.CA dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable =

We have a couple Samba4 AD domains we've implemented and I've noticed a difference between how users look when created via ADUC versus samba-tool. Created via ADUC, the following extra attributes are added: msSFU30Name: bilbo msSFU30NisDomain: netdirect unixHomeDirectory: /home/bilbo unixUserPassword: ABCD!efgh12345$67890 Created via samba-tool, the following extra attributes are added:

Hi All I have just published a module that synchronises users and groups from Active Directory into a Puppet manifest, which can then be rolled out to subscribed agents/workstations. The module maintains generated uids and gids in an SQLite database. It has only been tested on Puppet Enterprise 2.6.1 and RHEL 6.3 so far, at my end. The module is called lpep and you can view it at

I was hoping this would be simpler. I'd like to prepopulate an RODC with all users accounts that are permitted. But I can only pre-populate one at a time: samba-tool rodc preload (<SID>|<DN>|<accountname>) sles-shire:~ # samba-tool group listmembers 'Allowed RODC Password Replication Group - Shire' Allowed RODC Password Replication Group - Global WIN7-SHIRE$ bilbo

Oh Boy. User 'Administrator' in your existing directory has SID S-1-5-21-2070472328-935435760-1634736958-1000, expected it to be S-1-5-21-2070472328-935435760-1634736958-500 ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: User 'Administrator' in your existing directory does not have SID ending in -500 It's not all

Hello all: Happy New Year to everyone and thank you for all the knowledge this past year. I have a hopefully simple question about kickstart. In the authconfig section I can enable ldap, credential caching, etc.. Using the GUI tool there's an option to create the user home directories on first login. The docs don't show a similar option for authconfig in kickstart. For now I'm

I'm having trouble setting up ldap based authenication. I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a 389 (fedora) directory server, and that works fine. However, I set up a virtual box running CentOS 6, and I can't get it to authenicate. I've run authconfig with the appropriate flags, ldapsearch properly finds the data, but I can't log in. /var/log/secure