similar to: Samba4 kinit issue with principal and keytab file

Hi All ! Using Samba Version 4.1.12, updated from source from 4.0beta1 I've created a user, let say kerbuser, for a web server to authenticate with kerberos and provide SSO to the end-users. In my example, my domain is MYDOMAIN.LOCAL, the apache server is webserver.mydomain.local and the AD user is kerbuser I've added a principal on the user and exported everything in a keytab so

Hi Rowland, Hi looks like the "-c" option is optional. My problem is not really the kerberos cache file, but the "principal" linked to the user kerbuser. The principal is HTTP/webserver.MYDOMAIN.LOCAL at MYDOMAIN.LOCAL I would like to use kinit and give this principal as parameter. something like : > kinit -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL at

Hi Rowland, Thanks for your help again. I understand the difference between the UPN (User Principal Name) and the SPN (Service Principal Name). But in your second exemple, you never mention the SPN, neither in the keytab export or in the kinit command. Does that means that there is no kinit possible using the SPN? So I am worried of what is the benefice of adding a SPN to a user instead of

On 16-05-2024 18:46, Rowland Penny via samba wrote: > On Thu, 16 May 2024 17:40:45 +0200 > Olivier BILHAUT <obilhaut at fondation-misericorde.fr> wrote: > >> Thanks Rowland for once again, an analysis that looks good. >> >> To you, >> is there a workaround at this stage ? > Not from myself,it has been years since I looked into this and only > really got

Hi Andrew, Thanks for your reply. We tried successfully the --full-sync option from first to second DC. Unfortunately, afterwards the second DC was still in a corrupted state. The "Deleted Objects" still contained the ugly groups with the missing attribute... So we achieved to get a successfull replication after editing the "deleted objects" with ldbedit. We have deleted

Hi samba4 mates ! We work with a Samba4 in production (10 users) from a few month now, and we wonder about the new specific policy templates that can be created by Microsoft in their recent (or future releases, but we are not rushed) releases. How could we add them to the AD to be able to apply them to the hosts? For example, with windows 7 there is a *new* policy in the Computer

I am hoping someone will tak up this chalenge (I am new to R) I have inheritied an R script but need to change it. The script currently includes hardcoded file locations on lines 12,166 and 167. I need to modify this script to allow the folder to be passed as a command line argument to Rscript.exe Can anybody help please? Regards, Ian http://www.nabble.com/file/p25924237/My_script.R

hello NG, my config: - SuSe 8.1 box with Samba (2.2.5 running as PDC) and a FTP server. - Windows XP and 2k clients with shared directories my problem: i want that the shares of the Windows- clients to get mounted automatically while booting to a mountpoint of the Linux- box (the FTP- directory) until now, i have tried to solve this problem like this: i have added the commands preexec and

Hi Rowland, and many thanks for fast reply, When using --noexpiry, the userAccountControl is set to 66048, which disable expiry for password as well (in MS console, "password never expires" is now checked). This means that the password expiry (let say, every 6 month) will never popup again to the user, which is in my sense a wrong behaviour. Is there a way to change ONLY

Hi Rowland and list, I allow myself to give a UP to my message in case someone has an idea. Thanks, --Oliver Le 2023-05-24 15:55, Olivier BILHAUT via samba a ?crit : > Hi Rowland, and many thanks for fast reply, > > When using --noexpiry, > the userAccountControl is set to 66048, which disable expiry for > password as well (in MS console, "password never

On 26/05/2023 14:44, Olivier BILHAUT wrote: > Thanks Rowland, > > I'll give a try to ldbmodify, even if I prefer to avoid modifying > directly ldb files. > > What do you think samba-tool does ? Using samba-tool to set expiry, ultimately does this: setexp = """ dn: %s changetype: modify replace: userAccountControl userAccountControl: %u

Hi Samba list, As you know, security is currently the buzzword for most critical organizations. Active Directory implementations are an important node of all the security chain. French security agency, called ANSSI release a tool to audit Active Directory implementations, called ORADAD : https://github.com/ANSSI-FR/ORADAD/releases This tool retrieves all configuration from your AD, and make

Hi list :) I am looking for the right command to achieve my goal. I would like to remove the account expiry date of an ACCOUNT with a samba-tool command (account never expires) Options of "samba-tool user setexpiry" are : --filter=FILTER LDAP Filter to set password on --days=DAYS Days to expiry --noexpiry Unfortunately, the "noexpiry" parameter just set another option

Hi Samba List, hope you're doing well all. We have realized a security audit of our Samba4 Active Directory. It returns that the security descriptors options of all our GPO objects are wrong. They should be : SE_DACL_AUTO_INHERITED SE_DACL_PRESENT instead of this, the options are by default : SE_DACL_PROTECTED SE_DACL_PRESENT We can change the options, but the "sysvolreset"

Hi friends. This morning waking up is painfull. We've got a great CUPS+Samba+Winbind print server sharing 30+ printers to our windows clients. Until this morning no issue, used on production for a couple of weeks. Today, the printer shares became unbrowsable from windows. We can see the printers names from samba share : "\printserver", but when we click on the "Show

Hi ! I bounce on the Mr Sloop's post ([Samba] DDNS / DHCPd && Internal DNS or BIND_DLZ) to ask what's the easiest way to allow Linux clients to update themself their DNS record in the Samba4 AD server (with BIND_DLZ Dns server). It works well with windows clients, but with Linux clients joined to the domain, with a valid Kerberos ticket, the client receive a error

Hi to Samba list, dev, contributors and all the community. We are samba users for a long time now, and S4 since the early alpha version. We run now 5 DC for 700 users in our hospital and are very enthusiastic. This is definitely a great project. But now, we face a new challenge. We look over a new authentication method rather than the old user/password. Because we have many users switching

>> what is in '/usr/bin/dhcpd-update-samba-dns.sh' ? # will receive addresses from this DHCP server. Instructions are found here: # https://wiki.archlinux.org/index.php/Samba_4_Active_Directory_Domain_Controller#DHCP sleep 5 checkvalues() { [ -z "${2}" ] && echo "Error: argument '${1}' requires a parameter." && exit 1 case ${2} in -*) echo

Hello, there is an article in the wiki about DDNS: https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9 Dose anyone has a solution for doing the same with IPv4 AND IPv6? Stefan -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL:

Hi Samba List! We are using Samba Version 4.1.12 on two master DC. We've noticed that a corrupted group has been created, we tried to delete it, and since then, the replication fail between the two DC. The result of the command : "samba-tool drs showrepl" is the following : On the first DC, INBOUND NEIGHBORS : Last attempt @ Wed Feb 4 11:26:41 2015 CET failed, result 58