Displaying 20 results from an estimated 1000 matches similar to: "ODP: Re: samba 4 ad member - idmap = ad for machine accounts"
2018 Mar 27
2
ODP: Re: freeradius + NTLM + samba AD 4.5.x
OK, tested it, and it works.
So to summarize:
on samba AD 4.7.x, in smb.conf "ntlm auth" is set to "mschapv2-and-ntlmv2-only"
FreeRADIUS + samba domain member (4.6 and 4.7): in mods-available/mschap you have to add --allow-mschapv2 to the whole ntlm_auth string, OR just use the winbind method, which sets the correct flag without explicitly adding it.
With those settings NTLMv1 is blocked.
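The post above ends with two settings that have to agree: the DC side (`ntlm auth` in smb.conf) and the RADIUS side (how mods-available/mschap calls ntlm_auth). Below is an added example, not code from the thread or from Samba/FreeRADIUS, that reads both files and reports whether NTLMv1 is still accepted and whether the mschap module carries `--allow-mschapv2` or uses the winbind method. The config snippets are constructed for the example; the `ntlm auth` value names are Samba's documented ones.

```python
"""Audit the two settings the post lands on: the DC's 'ntlm auth' level in
smb.conf and how the FreeRADIUS mschap module invokes ntlm_auth.
Added example, not code from the thread; all config text below is constructed."""
import re

# Valid 'ntlm auth' values, ranked weakest to strictest.  'yes' and 'no' are
# the historical aliases of 'ntlmv1-permitted' and 'ntlmv2-only'.
NTLM_AUTH_RANK = {
    "yes": 0,
    "ntlmv1-permitted": 0,
    "no": 1,
    "ntlmv2-only": 1,
    "mschapv2-and-ntlmv2-only": 2,
    "disabled": 3,
}
DEFAULT_NTLM_AUTH = "ntlmv2-only"   # Samba's default when the parameter is absent


def smbconf_global(text):
    """Return {parameter: value} for the [global] section of an smb.conf."""
    params, section = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def ntlm_auth_value(smbconf):
    """Normalised 'ntlm auth' value of the DC, or ValueError on an unknown one."""
    value = smbconf_global(smbconf).get("ntlm auth", DEFAULT_NTLM_AUTH).lower()
    if value not in NTLM_AUTH_RANK:
        raise ValueError(f"unknown 'ntlm auth' value: {value!r}")
    return value


def ntlmv1_permitted(smbconf):
    """True if the DC still answers plain NTLMv1 (the state the thread set out to close)."""
    return NTLM_AUTH_RANK[ntlm_auth_value(smbconf)] == 0


def mschap_works_with_strict_dc(mschap_conf):
    """True if the FreeRADIUS mschap module matches a DC on mschapv2-and-ntlmv2-only:
    either ntlm_auth is invoked with --allow-mschapv2, or the winbind method
    (winbind_username / winbind_domain) is enabled instead of ntlm_auth."""
    ntlm_auth_cmd, winbind = None, False
    for raw in mschap_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("ntlm_auth"):
            ntlm_auth_cmd = line
        elif line.startswith("winbind_username"):
            winbind = True
    if winbind:
        return True
    return bool(ntlm_auth_cmd) and "--allow-mschapv2" in ntlm_auth_cmd


def audit(smbconf, mschap_conf):
    """Summarise both sides; 'matches_thread_setup' is the combination the post describes."""
    level = ntlm_auth_value(smbconf)
    radius_ok = mschap_works_with_strict_dc(mschap_conf)
    return {
        "dc_ntlm_auth": level,
        "ntlmv1_permitted": NTLM_AUTH_RANK[level] == 0,
        "radius_mschapv2_ready": radius_ok,
        "matches_thread_setup": level == "mschapv2-and-ntlmv2-only" and radius_ok,
    }


# Constructed samples: the weak "before" and the "after" the thread arrives at.
SMBCONF_WEAK = """\
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.COM
    server role = active directory domain controller
    ntlm auth = yes          ; NTLMv1 still accepted
"""
SMBCONF_FIXED = SMBCONF_WEAK.replace("ntlm auth = yes", "ntlm auth = mschapv2-and-ntlmv2-only")

MSCHAP_OLD = """\
mschap {
    use_mppe = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
"""
MSCHAP_FLAG = MSCHAP_OLD.replace("--request-nt-key", "--request-nt-key --allow-mschapv2")
MSCHAP_WINBIND = """\
mschap {
    use_mppe = yes
    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "%{mschap:NT-Domain}"
}
"""

if __name__ == "__main__":
    for name, smb, mschap in (("before", SMBCONF_WEAK, MSCHAP_OLD),
                              ("after", SMBCONF_FIXED, MSCHAP_FLAG),
                              ("winbind", SMBCONF_FIXED, MSCHAP_WINBIND)):
        print(name, audit(smb, mschap))
```

Run it against the real `/etc/samba/smb.conf` of the DC and `mods-available/mschap` of the RADIUS host by reading those files into the two arguments of `audit()`; a deployment that reports `ntlmv1_permitted: False` but `radius_mschapv2_ready: False` is the combination the earlier posts in the thread hit (the DC tightened, the RADIUS side not yet told it is sending MS-CHAPv2).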
2018 Aug 02
2
ODP: Re: SAMBA 4 as Active Direcotry and Hyper-V
I have a suspicion that it is related to the specific SPNs that Hyper-V uses. Hyper-V tries to register 3 SPNs (typing from memory so I might be a bit off):
Microsoft hyper-v console/HOST.FQDN
Hyper-V Replication Service/HOST.FQDN
Microsoft Hyper-V Live Migration Service/HOST.FQDN.
This fails because of the spaces; that is, Samba being on Linux, not seeing escape characters, messes up the request it
2018 Aug 02
1
ODP: Re: SAMBA 4 as Active Direcotry and Hyper-V
I actually posted about this here on the samba list last year, but
nobody caught interest.
I used to have logs from samba and wireshark, which very nicely showed
what's wrong (the kerberos request was for an SPN e.g. "Hyper-V Replication
Service/Servername.mydomain.com" and in the samba log there was an error
with something like "Hyper-V\ Replication \Service.. not found").
2018 Mar 27
5
ODP: Re: freeradius + NTLM + samba AD 4.5.x
Hello,
I can definitely confirm that it's working.
My basic setup is:
1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7
2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight
from centos repo. // I tested also on freeradius 3.0.14 and samba 4.7.x
smb.conf on the DC is pretty basic, most important is obviously in
[global]:
ntlm auth =
2001 Nov 30
0
ODP: ODP: Joining BDC (Samba) to PDC (Samba)
Normal PDC/BDC isn't possible now. It will be in Samba 3.0 (look in the
documentation). But you can create a substitute solution. For example two
identical
servers with auto-copy of the password database, but it isn't a PDC/BDC relation.
It is two identical domains. I have two servers with samba, with two
identical password databases and smb.conf. When I have a problem with one, I
can quickly change
2018 Aug 02
0
ODP: Re: SAMBA 4 as Active Direcotry and Hyper-V
On Thu, 2018-08-02 at 17:32 +0200, Kacper Wirski via samba wrote:
> I have a suspicion that it is related to the specific SPNs that Hyper-V uses. Hyper-V tries to register 3 SPNs (typing from memory so I might be a bit off):
> Microsoft hyper-v console/HOST.FQDN
> Hyper-V Replication Service/HOST.FQDN
> Microsoft Hyper-V Live Migration Service/HOST.FQDN.
>
> This fails because of
2017 Sep 19
1
ODP: Re: samba 4 ad member - idmap = ad for machine accounts
On Tue, 19 Sep 2017 12:29:37 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Hello! k.wirski via samba
> On that day you wrote...
>
> > I'm not sure what You mean about invalidating cache?
>
> 'nscd' is a generic Name Services Caching Daemon normally installed
> automatically alongside winbind.
>
> In the past, when playing
2018 Mar 28
0
ODP: Re: freeradius + NTLM + samba AD 4.5.x
Hi,
thank you very much for testing everything out. Great work!
One question: passchange - which applications are working with passchange
on radius?
In the moment every user with an expired password is NOT able to use
services using radius
for authentication (WLAN,VPN). Is there any documentation available ?
Bye, Peer
On 27.03.2018 22:40, Kacper Wirski via samba wrote:
> Hello,
>
>
2017 Sep 18
7
samba 4 ad member - idmap = ad for machine accounts
Thank everyone for input,
It seems that using RID is the way to go. I just tried a few things:
1)
- made group, assigned unix GID
- added test PC to this group and set this group as "primary group"
- added manually to test PC account "uidnumber"
on server with samba
getent passwd MYDOMAIN\\testpc$
returns nicely testpc$ with UID and GID numbers as set in
2017 Nov 01
4
kerberos + winbind + AD authentication for samba 4 domain member
On Wed, 1 Nov 2017 19:49:32 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 1 Nov 2017 20:28:05 +0100
> Kacper Wirski <kacper.wirski at gmail.com> wrote:
>
> > I'm going to start with clean centos install, so I might as well use
> > some additional guidelines, thank You.
> >
> > When You run kinit, does Your user have
2017 Nov 01
2
kerberos + winbind + AD authentication for samba 4 domain member
I'm going to start with clean centos install, so I might as well use some
additional guidelines, thank You.
When You run kinit, does Your user have a ticket already? What I noticed is
that when the user has a ticket already, kinit works fine and uses the
principal from the ticket as the default principal.
Can you do kdestroy - then kinit?
Also, on Fedora, did You install samba from source or from the repo's RPMs?
2019 Jun 03
2
samba file server - sediskoperatorprivilege not being honored
On 03/06/2019 12:29, Kacper Wirski via samba wrote:
> Hello,
>
> Since nobody picked this up I will try to answer myself (hopefully
> correctly).
>
> I think I just misread documentation on wiki, but I would really
> appreciate a clarification. In the wiki it states:
>
> "To enable other accounts than the domain administrator to set
> permissions on Windows,
2017 Sep 19
0
ODP: Re: samba 4 ad member - idmap = ad for machine accounts
Hello! k.wirski via samba
On that day you wrote...
> I'm not sure what You mean about invalidating cache?
'nscd' is a generic Name Services Caching Daemon normally installed
automatically alongside winbind.
In the past, when playing with winbind, I got confused by the cache,
and the confusion grew considering that:
getent passwd user
does not query the cache, so all seems to
2018 Mar 26
3
freeradius + NTLM + samba AD 4.5.x
Ok, I finally could try it out, and it seems to actually work, but You
need samba 4.7 on all machines, not only AD, but also server with
freeradius. I didn't get a chance to test it locally, that is samba AD +
freeradius on the same server.
Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work
(got simple "nt_status_wrong_password")
but: 4.7.6 AD and 4.7.1
2018 Nov 20
3
samba AD - bind - deleted DNS entries are not removed completely
Hello,
I've posted about this issue some time ago, but I maybe didn't explain
myself enough and/or didn't supply enough information.
My setup is centos 7.5 samba 4.8.4 AD DC with BIND as dns backend.
I noticed that some windows clients stopped doing secure dns dynamic
updates because of insufficient rights error.
Upon further digging I realized that all of the entries, that were
2018 Nov 21
1
samba AD - bind - deleted DNS entries are not removed completely
On 21.11.2018 at 21:09, Rowland Penny via samba wrote:
> On Wed, 21 Nov 2018 20:48:34 +0100
> Kacper Wirski via samba <samba at lists.samba.org> wrote:
>
>> So in my case - is it safe to delete directly using ldbdel or using
>> windows ADSI gui ldap editor? Or is there another way? What is the
>> right way to do it?
>>
>> something like:
>>
2018 Aug 16
2
explorer.exe crashes on security tab access
I've noticed a similar issue myself.
Windows 10 (v 1803) - the window with the security tab open crashes on certain
files (yes, just the window, not the whole OS). Just before the crash I see an
unresolved SID which looks like nothing I know (doesn't look like a domain
SID - maybe a local user SID from a samba member server?). All files that
cause this issue are from one of the samba servers.
Same files I can
2018 Jul 21
2
samba 4.8 with bind - bugged dns entry in reverse lookup zone
Hello,
I stumbled upon weird error/bug.
My setup:
4.8.3 AD on centos 7.5 (compiled from source).
BIND as dns running on AD DC with secure dns updates setup and working.
Most of the DNS updates are dynamic, some added manually using windows
DNS manager.
One of the PTR entries in reverse lookup zone went missing. It's not
visible in the windows DNS manager, it's nowhere to be found
2018 Nov 21
2
samba AD - bind - deleted DNS entries are not removed completely
So in my case - is it safe to delete directly using ldbdel or using
windows ADSI gui ldap editor? Or is there another way? What is the right
way to do it?
something like:
ldbdel -H /usr/local/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=mydomain,DC=com" '(dNSTombstoned=TRUE)' ?
I read in samba 4.9 new features release notes about scavenging but I'm
not sure if it's the
2018 Nov 21
2
samba AD - bind - deleted DNS entries are not removed completely
To answer my own question:
Yes, it seems like a feature.
I ran basic ldbsearch query:
ldbsearch -H /usr/local/samba/private/sam.ldb -b
"DC=DomainDnsZones,DC=mydomain,DC=com" and saw in output entries with:
dNSTombstoned: TRUE
Overall there are a couple hundred such entries. So now my
question is:
How can I safely remove them, any tips/guidelines? I thought that
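The post above finds a couple hundred `dNSTombstoned: TRUE` records by eyeballing ldbsearch output. As an added example (not the poster's code, nor Samba's), here is a small parser for that LDIF output that picks out the tombstoned nodes and groups them by zone, so the set can be reviewed before anything is deleted. It handles the details of LDIF that trip up a grep: comment lines, blank-line record separators, folded continuation lines and base64 (`::`) values such as dnsRecord. The LDIF below is constructed; the node and zone names are made up, and the function only lists DNs, it does not remove anything.

```python
"""Parse ldbsearch (LDIF) output and list DNS nodes flagged dNSTombstoned: TRUE.
Added example, not code from the thread or from Samba; the sample LDIF is constructed."""
import base64


def _unfold(text):
    """LDIF folds long values onto following lines that start with one space; join them back."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of records, each {attribute: [values]}.
    '#' lines are comments, a blank line ends a record, 'attr:: b64' values are decoded to bytes."""
    records, current = [], {}
    for line in _unfold(text) + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                           # not an attribute line; ignore
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return records


def is_tombstoned(record):
    """LDAP attribute names are case-insensitive, so match dNSTombstoned however it is spelled."""
    for attr, values in record.items():
        if attr.lower() == "dnstombstoned":
            return any(str(v).upper() == "TRUE" for v in values)
    return False


def tombstoned_dns(text):
    """DNs of every record in the ldbsearch output that carries dNSTombstoned: TRUE."""
    return [r.get("dn", ["?"])[0] for r in parse_ldif(text) if is_tombstoned(r)]


def tombstoned_by_zone(text):
    """Group tombstoned node names by zone, read from the DN layout
    DC=<node>,DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,..."""
    out = {}
    for dn in tombstoned_dns(text):
        rdns = [part.split("=", 1) for part in dn.split(",")]
        node, zone = rdns[0][1], rdns[1][1]
        out.setdefault(zone, []).append(node)
    return out


# Constructed sample of what `ldbsearch -H sam.ldb -b "DC=DomainDnsZones,..."` prints.
SAMPLE_LDBSEARCH = """\
# record 1
dn: DC=oldpc,DC=mydomain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com
objectClass: top
objectClass: dnsNode
name: oldpc
dNSTombstoned: TRUE
dnsRecord:: AAAAAAAAAAAAAAAAAAAAAA==
distinguishedName: DC=oldpc,DC=mydomain.com,CN=MicrosoftDNS,DC=DomainDnsZones,
 DC=mydomain,DC=com

# record 2
dn: DC=fileserver,DC=mydomain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com
objectClass: top
objectClass: dnsNode
name: fileserver
dnsRecord:: AAAAAAAAAAAAAAAAAAAAAA==

# record 3
dn: DC=printer,DC=mydomain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com
objectClass: dnsNode
name: printer
dNSTombstoned: FALSE

# returned 3 records
# 3 entries
# 0 referrals
"""

if __name__ == "__main__":
    for zone, nodes in tombstoned_by_zone(SAMPLE_LDBSEARCH).items():
        print(f"{zone}: {len(nodes)} tombstoned node(s): {', '.join(nodes)}")
```

To use it on a real DC, redirect the ldbsearch command from the post into a file and pass the file's contents to `tombstoned_by_zone()`; the output is a review list only, and whichever removal method the thread settles on is a separate step.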