similar to: Samba 4 AD member server authentication issues, domain vs. ads security

2016 Jun 22
2
Samba 4 AD member server authentication issues, domain vs. ads security
Thanks for the quick replies. One domain is at Windows Server 2008 functional level, and the other is Windows Server 2012 R2. The samba 4 servers are running 4.2.10 and the samba 3 servers are running 3.6.23, both from rpms available from either the CentOS 6 or 7 repos (samba 4 on CentOS 7, samba 3 on CentOS 6). Here's the smb.conf used on the two samba 4 servers: [global] > workgroup
2019 Jul 09
2
Winbind issues with AD member file server
Ugh, I knew I forgot something. Here is smb.conf: --- [global] kerberos method = system keytab template homedir = /soe/%U workgroup = BSOE template shell = /bin/bash security = ads realm = AD.SOE.UCSC.EDU idmap config BSOE : schema_mode = rfc2307 idmap config BSOE : range = 100-999999 idmap config BSOE : backend = ad idmap config BSOE : unix_nss_info = yes idmap config BSOE : unix_primary_group
2019 Jul 09
3
Winbind issues with AD member file server
I am setting up a CentOS 7 system as a file server within an AD domain, following the following Red Hat documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers Here is some information that likely complicates things: - we have a number of users and groups with sub-1000 uid or gid numbers which can't
2019 Jul 10
2
Winbind issues with AD member file server
I agree that this sounds like, and indeed is, a recipe for disaster. I was going to explain some of the woes of our environment but I don't think it's actually relevant after looking at my problem a bit more. If I'm way off base I'm happy to be herded back, but please tolerate me as I share what I am seeing today because I really hope to solve the narrow issue of SMB file access
2019 Jul 09
2
Winbind issues with AD member file server
Hi Rowland, Currently Domain Users doesn't have a gidNumber because it didn't have a corresponding group in OpenLDAP, which is our master directory. The primary Unix group gidNumber for each user is replicated from their OpenLDAP records, but the AD groups have a suffix due to historical name collisions - a POSIX group called harry would be harry-group in AD, but with a matching
2019 Jul 10
1
Winbind issues with AD member file server
> > When I try to > > access even an already-mounted NFS directory to which I have permission, > > gssproxy complains: > > > > Jul 10 08:55:51 smb gssproxy: gssproxy[1469]: (OID: { 1 2 840 113554 1 2 > 2 > > }) Unspecified GSS failure. Minor code may provide more information, > > Client 'host/smb.soe.ucsc.edu at AD.SOE.UCSC.EDU' not found in
2019 Jul 09
2
Winbind issues with AD member file server
Hi Rowland, Thanks for the prompt reply. The gidNumber attribute is set to the appropriate primary UNIX group for each user already. Are there any ways to work around the ID issue, or at least to mitigate some of the consequences? We looked at updating uid/gid values across the board but there is so much data owned by existing users and groups that we haven't been able to proceed. On
2016 Jun 22
0
Samba 4 AD member server authentication issues, domain vs. ads security
I should add that the samba.log file was logging NT_STATUS_NO_LOGON_SERVERS errors when authentication attempts were failing. Workstations in the domains were still able to authenticate, however, and I verified that the DNS records were still correct. The SRV records were all in place and the domain controllers' host names were resolving. On Wed, Jun 22, 2016 at 9:44 AM, Eric Shell
2016 Jun 22
0
Samba 4 AD member server authentication issues, domain vs. ads security
On 22/06/16 17:11, Eric Shell wrote: > I have an environment with two separate AD instances which each have both a > samba 3 and samba 4 file server joined to them. Last week, we began to > experience authentication failures in both domains on the samba 4 file > servers. After a lot of experimenting, we found that changing the security > setting from domain to ads resolved the
2019 Jul 09
0
Winbind issues with AD member file server
On 09/07/2019 20:00, Eric Shell wrote: > Hi Rowland, > > Currently Domain Users doesn't have a gidNumber because it didn't have > a corresponding group in OpenLDAP, which is our master directory. Did you miss the bit where I said Domain Users MUST have a gidNumber ? > > The primary Unix group gidNumber for each user is replicated from > their OpenLDAP records, but
2019 Jul 09
0
Winbind issues with AD member file server
On 09/07/2019 18:38, Eric Shell via samba wrote: > I am setting up a CentOS 7 system as a file server within an AD domain, > following the following Red Hat documentation: > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers > > Here is some information that likely complicates things: > > -
2019 Jul 09
0
Winbind issues with AD member file server
On 09/07/2019 19:02, Eric Shell via samba wrote: > Ugh, I knew I forgot something. Here is smb.conf: > > --- > > [global] > kerberos method = system keytab > template homedir = /soe/%U > workgroup = BSOE > template shell = /bin/bash > security = ads > realm = AD.SOE.UCSC.EDU > idmap config BSOE : schema_mode = rfc2307 > idmap config BSOE : range = 100-999999
2005 Mar 08
2
Trying to get ADS authentication working.
I have been trying in vain to get ADS domain authentication working. I can't figure out what is wrong and have read the docs and looked through the mailing lists. I'm not sure why better documentation hasn't been written on the web site for the ADS feature since it's pretty spectacular to be able to join a Samba server natively to an AD domain. I have successfully joined the samba
2015 Feb 24
2
ADS Domain Member Workgroup vs Realm
I'm working to set up Samba as a domain member to a Windows Server active directory, and I keep hitting road blocks. There's some real terminology hurdles in the wiki. In a nutshell, my problem is this: I set up a Windows 2012 Essentials ADS domain and I ended up with zartman.local for my "domain" in Windows. So, I've got a dns zone in windows server that is domain.local
2010 Oct 28
1
Kerberos5 ticket renewal & 'net ads join' w/o authentication
Hello, I have two issues with Kerberos administration using Samba and this results from my lack of familiarity with it. I am hoping someone can point me in the right direction. The first issue is with automatically renewing the Kerberos tickets. The second issue deals with my having to authenticate each time I attempt to join an AD domain. The Samba documentation indicates that I should *not*
2017 Oct 31
2
kerberos + winbind + AD authentication for samba 4 domain member
Hello, I'm setting up AD user logins for centos 7.4 box. I've almost managed to do everything the way I want and the way I think it should be, but I'm missing last piece: For ssh access I read parts of the https://wiki.samba.org/index.php/OpenSSH_Single_sign-on Most docs recommend using setting in smb.conf: winbind use default domain = no that means that all domain users have
2017 Nov 01
5
kerberos + winbind + AD authentication for samba 4 domain member
Hello, Thank You for fast response. I'm glad that it's a mistake somewhere on my side, it means it will work when I fix it :) Ok, first of all: Everything is on centos 7.4 All config files will be below, but to start off: behaviour is stranger than I thought, but there is a pattern: when doing [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V Using default cache: /tmp/krb5cc_101003
2016 Feb 24
3
Samba 4.1.17-Debian as ADS member
On 2016-02-24 at 13:32, Rowland penny wrote: > I would add a few extra lines: > > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > winbind refresh tickets = Yes > idmap config CUST:schema_mode = rfc2307 > > The first three should ensure the tickets never expire and the last one > defines the schema that idmap will use. I
2016 Feb 24
4
Samba 4.1.17-Debian as ADS member
I lose track here and I have to fix this as users get angry (we all know that ...) debian 8.3, samba 4.1.17 (substituted customer name by "CUST" below ...) [global] workgroup = CUST realm = MABC.CUST security = ADS map untrusted to domain = Yes load printers = No printcap name = /dev/null disable spoolss = Yes template shell = /bin/bash winbind enum users = Yes winbind enum
2004 Jan 26
5
Samba 3.0.2 and Windows 2003 ADS.
Hi. I have installed samba 3.0.2 in my redhat 7.3, and Kerberos 1.2.4. I can make my Linux act as ADS Domain Membership without any problem. When I made this command: /usr/local/samba/bin/net ads join "Computers" -U<usuario>%<clave> I get this message that tells me that everything is ok. Using short domain name -- DOMAIN2003 Joined 'PROTON' to realm