Displaying 20 results from an estimated 2000 matches similar to: "ODP: Re: samba 4 ad member - idmap = ad for machine accounts"
2018 Mar 27
2
ODP: Re: freeradius + NTLM + samba AD 4.5.x
ok, tested it, and it works.
so to summarize:
on samba ad 4.7.x in smb.conf "ntlm auth" is set to "mschapv2-and-ntlmv2-only"
fr + samba domain member (4.6 and 4.7): in mods-available/mschap you have to add --allow-mschapv2 to the whole ntlm_auth string OR just use the winbind method, which sets the correct flag without explicitly adding it.
with those settings ntlmv1 is blocked
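The settings summarized in this post and in the longer write-up further down (Samba 4.7.x DC, FreeRADIUS 3.0.x on a Samba 4.7 domain member), laid out as an added configuration example. This is not text from the thread: the file paths (/etc/raddb, /usr/bin/ntlm_auth) are the CentOS defaults and are assumptions, and the rest of the mschap block is the stock FreeRADIUS 3.0 layout. The point worth seeing in one place is why the flag is needed at all: an MSCHAPv2 response is the same 24-byte DES construction as an NTLMv1 response, so a DC that refuses NTLMv1 will refuse MSCHAPv2 too unless the request is explicitly marked as MSCHAPv2, which is what `--allow-mschapv2` (or the winbind method) does.

```ini
# ---- smb.conf on each Samba AD DC (value requires Samba 4.7 or later) ----
[global]
    # Weak: NTLMv1 accepted from any client, not only from the RADIUS server.
    # ntlm auth = yes
    #
    # Samba default since 4.5: NTLMv1 refused, but MSCHAPv2 is refused as well,
    # because on the wire its response looks exactly like NTLMv1.
    # ntlm auth = ntlmv2-only
    #
    # What the thread settles on: NTLMv1 refused, MSCHAPv2 accepted only when
    # the caller flags the logon request as MSCHAPv2.
    ntlm auth = mschapv2-and-ntlmv2-only

# ---- /etc/raddb/mods-available/mschap on the FreeRADIUS host, which is a
# ---- Samba 4.7+ domain member running winbind (paths assumed, CentOS layout)
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes

    # Method 1: call ntlm_auth, with --allow-mschapv2 added to the whole string.
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

    # Method 2 (use instead of ntlm_auth): talk to winbind directly. FreeRADIUS
    # sets the MSCHAPv2 flag itself. Needs a FreeRADIUS build with libwbclient.
    # winbind_username = "%{mschap:User-Name}"
    # winbind_domain = "%{mschap:NT-Domain}"
}
```

Either method needs the radiusd user to be able to reach winbind's privileged pipe (membership of the group owning the winbindd_privileged directory), otherwise `--request-nt-key` fails regardless of the DC setting. A quick check from the RADIUS host that exercises the MSCHAPv2 path rather than plain PAP is `radtest -t mschap user password localhost 0 testing123`; with the DC on `mschapv2-and-ntlmv2-only` this should succeed while an NTLMv1 logon from any other client is still refused.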
2018 Aug 02
2
ODP: Re: SAMBA 4 as Active Direcotry and Hyper-V
I have a suspicion that it is related to the specific SPNs that Hyper-V uses. Hyper-V tries to register 3 SPNs (typing from memory so I might be a bit off):
Microsoft Hyper-V Console/HOST.FQDN
Hyper-V Replication Service/HOST.FQDN
Microsoft Hyper-V Live Migration Service/HOST.FQDN.
This fails because of the spaces; that is, Samba, being on Linux and not seeing escape characters, messes up the request; it
2018 Aug 02
1
ODP: Re: SAMBA 4 as Active Direcotry and Hyper-V
I actually posted about this here on the samba list last year, but
nobody caught interest.
I used to have logs from samba and wireshark, which very nicely showed
what's wrong (kerberos request was for SPN eg. "Hyper-V Replication
Service/Servername.mydomain.com" and in samba log there was an error
with something like "Hyper-V\ Replication \Service.. not found".
2017 Sep 19
1
ODP: Re: samba 4 ad member - idmap = ad for machine accounts
On Tue, 19 Sep 2017 12:29:37 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Hello! k.wirski via samba
> On that day you wrote...
>
> > I'm not sure what You mean about invalidating cache?
>
> 'nscd' is a generic Name Services Caching Daemon normally installed
> automatically alongside winbind.
>
> In the past, when playing
2018 Mar 27
5
ODP: Re: freeradius + NTLM + samba AD 4.5.x
Hello,
I can definitely confirm that it's working.
My basic setup is:
1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7
2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight
from centos repo. // I tested also on freeradius 3.0.14 and samba 4.7.x
smb.conf on the DC is pretty basic; the most important part is obviously in
[global]:
ntlm auth =
2017 Sep 18
7
samba 4 ad member - idmap = ad for machine accounts
Thank everyone for input,
It seems that using RID is the way to go. I just tried a few things:
1)
- made group, assigned unix GID
- added test PC to this group and set this group as "primary group"
- added manually to test PC account "uidnumber"
on server with samba
getent passwd MYDOMAIN\\testpc$
returns nicely testpc$ with UID and GID numbers as set in
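The two idmap backends being compared in this thread, side by side, as an added smb.conf example for the domain member (this is not configuration from the post). The domain name MYDOMAIN is the one used in the post; the realm, the ID ranges and the `tdb` default-domain block are assumptions and must be adapted. The difference that matters for machine accounts: idmap_ad only maps what carries rfc2307 attributes in AD, so every computer object (and its primary group) needs uidNumber/gidNumber set by hand, exactly the manual steps listed above, whereas idmap_rid derives the ID from the SID's RID and maps users, groups and computers without touching AD.

```ini
# smb.conf on the Samba domain member (file server or RADIUS host)
[global]
    security = ADS
    workgroup = MYDOMAIN
    realm = MYDOMAIN.EXAMPLE          ; assumed realm
    winbind use default domain = yes

    # Default domain: BUILTIN, local SIDs and anything not matched below.
    # Ranges must not overlap with the domain range.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Option A (what was tried above): idmap_ad. Winbind reads uidNumber and
    # gidNumber from AD; an account without them, machine accounts included,
    # does not resolve at all, so testpc$ only appears in getent once uidNumber
    # is set on it and its primary group carries gidNumber.
    ; idmap config MYDOMAIN : backend = ad
    ; idmap config MYDOMAIN : schema_mode = rfc2307
    ; idmap config MYDOMAIN : range = 10000-999999

    # Option B (what the thread settles on): idmap_rid. ID = range_low + RID,
    # computed locally, so no AD attribute is needed for any account type.
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-999999
```

Two caveats that follow from the design. With `rid`, the range for MYDOMAIN has to be identical on every member, otherwise the same account gets different UIDs on different servers and ACLs on shared storage stop lining up; with `ad`, AD is the single source of truth and the range only bounds what winbind will accept. And with either backend, a SID whose computed or stored ID falls outside the configured range simply fails to map, which shows up as the same "unknown user" symptom as a missing attribute. After editing, `net cache flush` and `getent passwd 'MYDOMAIN\testpc$'` (or `wbinfo --sid-to-uid`) confirm the mapping without guessing about stale cache entries.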
2001 Nov 30
0
ODP: ODP: Joining BDC (Samba) to PDC (Samba)
Normal PDC/BDC isn't possible now. It will be in Samba 3.0 (look in the
documentation). But you can create a substitute solution. For example, two
identical
servers with auto-copy of the password database, but it isn't a PDC/BDC relation.
It is two identical domains. I have two servers with samba, with two
identical password databases and smb.conf. When I have a problem with one, I
can quickly change
2018 Aug 02
0
ODP: Re: SAMBA 4 as Active Direcotry and Hyper-V
On Thu, 2018-08-02 at 17:32 +0200, Kacper Wirski via samba wrote:
> I have a suspicion that it is related to the specific SPNs that Hyper-V uses. Hyper-V tries to register 3 SPNs (typing from memory so I might be a bit off):
> Microsoft Hyper-V Console/HOST.FQDN
> Hyper-V Replication Service/HOST.FQDN
> Microsoft Hyper-V Live Migration Service/HOST.FQDN.
>
> This fails because of
2017 Sep 19
0
ODP: Re: samba 4 ad member - idmap = ad for machine accounts
Hello! k.wirski via samba
On that day you wrote...
> I'm not sure what You mean about invalidating cache?
'nscd' is a generic Name Services Caching Daemon normally installed
automatically alongside winbind.
In the past, when playing with winbind, I got confused by the cache,
and the confusion grew considering that:
getent passwd user
does not query the cache, so all seems to
2018 Mar 28
0
ODP: Re: freeradius + NTLM + samba AD 4.5.x
Hi,
thank you very much for testing everything out. Great work!
One question: passchange - which applications are working with passchange
on radius?
At the moment every user with an expired password is NOT able to use
services using radius
for authentication (WLAN, VPN). Is there any documentation available?
Bye, Peer
On 27.03.2018 22:40, Kacper Wirski via samba wrote:
> Hello,
>
>
2017 Nov 01
4
kerberos + winbind + AD authentication for samba 4 domain member
On Wed, 1 Nov 2017 19:49:32 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 1 Nov 2017 20:28:05 +0100
> Kacper Wirski <kacper.wirski at gmail.com> wrote:
>
> > I'm going to start with clean centos install, so I might as well use
> > some additional guidelines, thank You.
> >
> > When You run kinit, does Your user have
2018 Jan 15
5
Avoiding uid conflicts between rfc2307 user/groups and computers
On Mon, 15 Jan 2018 14:55:55 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Hello! L.P.H. van Belle via samba
> On that day you wrote...
>
> > > It is not the SYSTEM user (that is a local user to the
> > > workstation, so clearly does not exist on the domain).
> > Yes it does. Look at "Builtin\system" which is also "NT
2017 Sep 19
0
samba 4 ad member - idmap = ad for machine accounts
I did lose track a bit of what the exact problem was here, but I can explain a bit here.
Why do I use: acl_xattr:ignore system acls = yes
From: man vfs_acl_xattr
The vfs_acl_xattr VFS module stores NTFS Access Control Lists (ACLs) in Extended Attributes (EAs).
This enables the full mapping of Windows ACLs on Samba servers.
Now think of user SYSTEM (and others with ID_BOTH) and the problems
2018 Oct 09
2
Samba and Freeradius...
Hello,
Wiki entry was based on my mail to this list, sorry if I was not clear
enough. I'm glad You figured it out yourself,
Regards,
Kacper
On 09.10.2018 at 17:21, Marco Gaiarin via samba wrote:
>> Someone have some hints? Thanks.
> ...i reply to myself.
>
> Indeed the option 'ntlm auth = mschapv2-and-ntlmv2-only' (4.7+) or 'ntlm auth =
> yes'
2017 Nov 01
2
kerberos + winbind + AD authentication for samba 4 domain member
I'm going to start with clean centos install, so I might as well use some
additional guidelines, thank You.
When You run kinit, does Your user have ticket already? What I noticed is
that when user has a ticket already, kinit works fine, uses as default
principal the one from ticket.
Can you do kdestroy - then kinit?
Also, on Fedora, did You install samba from source or from the repo's RPM?
2019 Jun 03
2
samba file server - sediskoperatorprivilege not being honored
On 03/06/2019 12:29, Kacper Wirski via samba wrote:
> Hello,
>
> Since nobody picked this up I will try to answer myself (hopefully
> correctly).
>
> I think I just misread documentation on wiki, but I would really
> appreciate a clarification. In the wiki it states:
>
> "To enable other accounts than the domain administrator to set
> permissions on Windows,
2018 Jan 16
3
Avoiding uid conflicts between rfc2307 user/groups and computers
Hello! Kacper Wirski via samba
On that day you wrote...
> I understand the OP, I was asking some time ago similar question, but it was
> in relation to samba domain member.
Thanks, Kacper.
> I couldn't get backend: ad to work for
> machine accounts, so i switched to idmap: rid and it solved everything. I
> tried manually adding UID and GID to Domain Computer group and to
2018 Mar 26
3
freeradius + NTLM + samba AD 4.5.x
Ok, I finally could try it out, and it seems to actually work, but You
need samba 4.7 on all machines, not only AD, but also server with
freeradius. I didn't get a chance to test it locally, that is samba AD +
freeradius on the same server.
Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work
(got simple "nt_status_wrong_password")
but: 4.7.6 AD and 4.7.1
2018 Nov 20
3
samba AD - bind - deleted DNS entries are not removed completely
Hello,
I've posted about this issue some time ago, but I maybe didn't explain
myself enough and/or didn't supply enough information.
My setup is centos 7.5, samba 4.8.4 AD DC with BIND as DNS backend.
I noticed that some windows clients stopped doing secure dns dynamic
updates because of insufficient rights error.
Upon further digging I realized that all of the entries, that were
2018 Nov 21
1
samba AD - bind - deleted DNS entries are not removed completely
On 21.11.2018 at 21:09, Rowland Penny via samba wrote:
> On Wed, 21 Nov 2018 20:48:34 +0100
> Kacper Wirski via samba <samba at lists.samba.org> wrote:
>
>> So in my case - is it safe to delete directly using ldbdel or using
>> windows ADSI gui ldap editor? Or is there another way? What is the
>> right way to do it?
>>
>> something like:
>>