similar to: ODP: Re: samba 4 ad member - idmap = ad for machine accounts

Displaying 20 results from an estimated 2000 matches similar to: "ODP: Re: samba 4 ad member - idmap = ad for machine accounts"

2018 Mar 27
2
ODP: Re: freeradius + NTLM + samba AD 4.5.x
ok, tested it, and it works. so to summarize: on samba ad 4.7.x  in smb.conf "ntlm auth" is set to "mschapv2-and-ntlmv2-only" fr + samba domain member (4.6 and 4.7) in mods-available/mschap you have to add to ntlm_auth --allow-mschapv2 to the whole string OR just use winbind method, which sets correct flag without explicitly adding it. with those settings ntlmv1 is blocked
2018 Aug 02
2
ODP: Re: SAMBA 4 as Active Direcotry and Hyper-V
I have a suspicion that it is related to the specific SPNs that hyperv uses. Hyper-v tries to register 3 spn (typing from memory so I might be a bit off): Microsoft hyper-v console/HOST.FQDN Hyper-V Replication Servive/HOST.FQDN Microsoft Hyper-V Live Migration Service/HOST.FQDN. This fails because of the spaces, that is samba being on linux, not seeing escape characters, messes up the request it
2018 Aug 02
1
ODP: Re: SAMBA 4 as Active Direcotry and Hyper-V
I actually posted about this here on samba list about it last year, but nobody caught interest. I used to have logs from samba and wireshark, which very nicely showed what's wrong (kerberos request was for SPN  eg. "Hyper-V Replication Service/Servername.mydomain.com" and in samba log there was an error with something like "Hyper-V\ Replication \Service.. not found".
2017 Sep 19
1
ODP: Re: samba 4 ad member - idmap = ad for machine accounts
On Tue, 19 Sep 2017 12:29:37 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! k.wirski via samba > In chel di` si favelave... > > > I'm not sure what You mean about invalidating cache? > > 'nscd' is a generic Name Services Caching Daemon normally installed > automatically alongside winbind. > > In the past, when playing
2018 Mar 27
5
ODP: Re: freeradius + NTLM + samba AD 4.5.x
Hello, I can definitely confirm that it's working. My basic setup is: 1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7 2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight from centos repo. // I tested also on freeradius 3.0.14 and samba 4.7.x smb.conf on the DC is pretty basic, most important is obviously in [global]:         ntlm auth =
2017 Sep 18
7
samba 4 ad member - idmap = ad for machine accounts
Thank everyone for input, It seems that using RID is the way to go. I just tried a few things: 1) - made group, assigned unix GID - added test PC to this group and set this group as "primary group" - added manually to test PC account "uidnumber" on server with samba getent passwd MYDOMAIN\\testpc$ returns nicely testpc$ with UID and GID numbers as set in
2001 Nov 30
0
ODP: ODP: Joining BDC (Samba) to PDC (Samba)
Normal PDC/BDC isn't possible now. It will be in Samba 3.0 (look in documentation). But you can create a substitute solution. For example two identical servers with autocopy of password database, but it isn't a PDC/BDC relation. It is two identical domains. I have two servers with samba, with two identical password databases and smb.conf. When I have a problem with one, I can quickly change
2018 Aug 02
0
ODP: Re: SAMBA 4 as Active Direcotry and Hyper-V
On Thu, 2018-08-02 at 17:32 +0200, Kacper Wirski via samba wrote: > I have a suspicion that it is related to the specific SPNs that hyperv uses. Hyper-v tries to register 3 spn (typing from memory so I might be a bit off): > Microsoft hyper-v console/HOST.FQDN > Hyper-V Replication Servive/HOST.FQDN > Microsoft Hyper-V Live Migration Service/HOST.FQDN. > > This fails because of
2017 Sep 19
0
ODP: Re: samba 4 ad member - idmap = ad for machine accounts
Mandi! k.wirski via samba In chel di` si favelave... > I'm not sure what You mean about invalidating cache? 'nscd' is a generic Name Services Caching Daemon normally installed automatically alongside winbind. In the past, when playing with winbind, i get confused by the cache, and confusion grow considering that: getent passwd user does not query the cache, so all seems to
2018 Mar 28
0
ODP: Re: freeradius + NTLM + samba AD 4.5.x
Hi, thank you very much for testing everything out. Great work! One question: passchange - which application are working with passchange on radius ? In the moment every user with an expired password is NOT able to use services using radius for authentication (WLAN,VPN). Is there any documentation available ? Bye, Peer On 27.03.2018 22:40, Kacper Wirski via samba wrote: > Hello, > >
2017 Nov 01
4
kerberos + winbind + AD authentication for samba 4 domain member
On Wed, 1 Nov 2017 19:49:32 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote: > On Wed, 1 Nov 2017 20:28:05 +0100 > Kacper Wirski <kacper.wirski at gmail.com> wrote: > > > I'm going to start with clean centos install, so I might as well use > > some additional guidelines, thank You. > > > > When You run kinit, does Your user have
2018 Jan 15
5
Avoiding uid conflicts between rfc2307 user/groups and computers
On Mon, 15 Jan 2018 14:55:55 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! L.P.H. van Belle via samba > In chel di` si favelave... > > > > It is not the SYSTEM user (that is a local user to the > > > workstation, so clearly does not exist on the domain). > > Yes it does. Look at "Builtin\system" which is also "NT
2017 Sep 19
0
samba 4 ad member - idmap = ad for machine accounts
I did lose a bit what the exact problem was here but I can explain a bit here. Why do I use: acl_xattr:ignore system acls = yes From: man vfs_acl_xattr The vfs_acl_xattr VFS module stores NTFS Access Control Lists (ACLs) in Extended Attributes (EAs). This enables the full mapping of Windows ACLs on Samba servers. Now think in user SYSTEM ( and others with ID_BOTH ) and the problems
2018 Oct 09
2
Samba and Freeradius...
Hello, Wiki entry was based on my mail to this list, sorry if I was not clear enough. I'm glad You figured it out yourself, Regards, Kacper W dniu 09.10.2018 o 17:21, Marco Gaiarin via samba pisze: >> Someone have some hints? Thanks. > ...i reply to myself. > > Indeed the option 'ntlm auth = mschapv2-and-ntlmv2-only' (4.7+) or 'ntlm auth = > yes'
2017 Nov 01
2
kerberos + winbind + AD authentication for samba 4 domain member
I'm going to start with clean centos install, so I might as well use some additional guidelines, thank You. When You run kinit, does Your user have ticket already? What I noticed is that when user has a ticket already, kinit works fine, uses as default principal the one from ticket. Can you do kdestroy - then kinit? Also, on Fedora, did You install samba from source or from repo's RPM?
2019 Jun 03
2
samba file server - sediskoperatorprivilege not being honored
On 03/06/2019 12:29, Kacper Wirski via samba wrote: > Hello, > > Since nobody picked this up I will try to answer myself (hopefully > correctly). > > I think I just misread documentation on wiki, but I would really > appreciate a clarification. In the wiki it states: > > "To enable other accounts than the domain administrator to set > permissions on Windows,
2018 Jan 16
3
Avoiding uid conflicts between rfc2307 user/groups and computers
Mandi! Kacper Wirski via samba In chel di` si favelave... > I understand the OP, I was asking some time ago similar question, but it was > in relation to samba domain member. Thanks, Kacper. > I couldn't get backend: ad to work for > machine accounts, so i switched to idmap: rid and it solved everything. I > tried manually adding UID and GID to Domain Computer group and to
2018 Mar 26
3
freeradius + NTLM + samba AD 4.5.x
Ok, I finally could try it out, and it seems to actually work, but You need samba 4.7 on all machines, not only AD, but also server with freeradius. I didn't get a chance to test it locally, that is samba AD + freeradius on the same server. Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work (got simple "nt_status_wrong_password") but: 4.7.6 AD and 4.7.1
2018 Nov 20
3
samba AD - bind - deleted DNS entries are not removed completely
Hello, I've posted about this issue some time ago, but I maybe didn't explain myself enough and/or didn't supply enough information. My setup is centos 7.5 samba 4.8.4 AD DC with BIND as dns backend. I noticed that some windows clients stopped doing secure dns dynamic updates because of insufficient rights error. Upon further digging I realized that all of the entries, that were
2018 Nov 21
1
samba AD - bind - deleted DNS entries are not removed completely
W dniu 21.11.2018 o 21:09, Rowland Penny via samba pisze: > On Wed, 21 Nov 2018 20:48:34 +0100 > Kacper Wirski via samba <samba at lists.samba.org> wrote: > >> So in my case - is it safe to delete directly using ldbdel or using >> windows ADSI gui ldap editor? Or is there another way? What is the >> right way to do it? >> >> something like: >>