Displaying 20 results from an estimated 10000 matches similar to: "Restricting AD group logging on to Servers"
2017 Dec 01
2
Restricting AD group logging on to Servers
> -----Original Message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: 01 December 2017 17:40
> To: samba at lists.samba.org
> Cc: Roy Eastwood
> Subject: Re: [Samba] Restricting AD group logging on to Servers
>
> On Fri, 1 Dec 2017 17:06:42 -0000
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> > I have a
2017 Dec 02
4
Restricting AD group logging on to Servers
[snip]
> > > try adding the 'require_membership_of' line to the winbind auth line in
> > > PAM.
> > > Rowland
> > Thanks Rowland, that did the trick and is the simplest solution.
> >
> > Found that only one \ was required to separate the domain part from the group name part - ie DOMAIN\linuxadmins rather than
> > DOMAIN\\linuxadmins.
2017 Dec 01
0
Restricting AD group logging on to Servers
On Fri, 2017-12-01 at 18:04 +0000, Roy Eastwood via samba wrote:
> > -----Original Message-----
> > From: Rowland Penny [mailto:rpenny at samba.org]
> > Sent: 01 December 2017 17:40
> > To: samba at lists.samba.org
> > Cc: Roy Eastwood
> > Subject: Re: [Samba] Restricting AD group logging on to Servers
> >
> > On Fri, 1 Dec 2017 17:06:42 -0000
>
2017 Dec 01
0
Restricting AD group logging on to Servers
On Fri, 1 Dec 2017 17:06:42 -0000
Roy Eastwood via samba <samba at lists.samba.org> wrote:
> Hi,
> I have a Debian Stretch system running a self-compiled version 4.7.3
> of Samba. Having followed the Samba WiKi to allow AD users to log
> onto the servers using PAM authentication, I now want to restrict
> access to specified group(s). So I created a linuxadmins group and
2017 Dec 02
0
Restricting AD group logging on to Servers
On Sat, 2 Dec 2017 09:15:02 -0000
Roy Eastwood via samba <samba at lists.samba.org> wrote:
> [snip]
> > > > try adding the 'require_membership_of' line to the winbind auth
> > > > line in PAM.
>
> > > > Rowland
> > > Thanks Rowland, that did the trick and is the simplest solution.
> > >
> > > Found that only one \
2011 Jun 17
2
Restricting logins using pam_winbind require_membership_of ?
Hi.
I have some shares on a server that are offered to specific Active Directory
user groups, but the business doesn't want those users to be able to login
to the server. If I were to add "require_membership_of" to pam_winbind to
limit logins and shut out the users I don't want, would it also have the
side effect of denying those users access to the shares as well?
Regards,
2009 Nov 12
2
Looking for AIX Users of Winbind -- Authorization and SSH Problems
Hi all,
I've got Samba with Winbind working on AIX 5.3 and 6.1 fairly well with
Active Directory 2003. In fact, I'd say short of 2 very important services,
it's working almost perfectly. Unfortunately, these 2 services are quite
critical, and without them I'm afraid we'll have to resort to some sort of
proprietary identity solution like Novell, which I'm not crazy about.
2018 Jul 24
2
Failed to establish your Kerberos Ticket cache due time differences with the domain controller
I did re-read the whole thread again.
I'm running out of options.
When I look at:
https://wiki.samba.org/index.php/PAM_Offline_Authentication
You can do these last checks.
Run the: Testing offline authentication as shown on the wiki.
Debian normally does not have /etc/security/pam_winbind.conf; check if it's there, and if so, back it up and remove it.
Check if these packages are installed.
2018 Jul 21
2
Failed to establish your Kerberos Ticket cache due time differences with the domain controller
I have this warning message when I try to logon using a domain user to the DC
itself:
"Failed to establish your Kerberos Ticket cache due time differences
with the domain controller. Please verify the system time."
I have set up PAM using this file: /usr/share/pam-configs/winbind:
Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
2018 Jul 23
3
Failed to establish your Kerberos Ticket cache due time differences with the domain controller
Thanks Louis. Results below.
> Hai,
>
> I've reading this thread more closely.
>
> I suggest you try the following.
>
> Check the servers hardware clock in the bios first.
> Set these within 5 min, if they are not about the same.
>
There's no RTC in the Pi; the other DC is running in a VM with RTC set to UTC. I have disabled the guest from getting the time
2020 Jun 16
2
Samba as a domain member:
Yes:
# getent group GROUP
group:x:17573:
# getent group group2
group2:x:11010:
# getent group GROUP3
group3:x:21178:
# wbinfo --group-info GROUP
group:x:17573:
# wbinfo -n GROUP
S-1-5-21-948789634-15155995-928725530-7573 SID_DOM_GROUP (2)
2017 Nov 02
2
Domain users cannot log on locally to DC
Hi,
I have a samba 4.7.0 DC installed on a Debian Stretch machine. I
provisioned the domain with rfc2307 enabled and have set the Unix attributes
using Windows 7 RSAT/ADUC. I think I followed the WiKi pages correctly to
enable the pam_winbind module in PAM, and have allocated a gID to Domain
Users. After falling foul of the
https://bugzilla.samba.org/show_bug.cgi?id=13054 bug, entering net
2018 Jul 21
4
Failed to establish your Kerberos Ticket cache due time differences with the domain controller
On Sat, 21 Jul 2018 18:59:08 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sat, 21 Jul 2018 18:30:48 +0100
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
>
> > Thanks Rowland.
> >
> > > -----Original Message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> > > Rowland
2013 Jan 24
3
require_membership_of is ignored
I have a RHEL 6.3 machine successfully bound to AD using winbind, and commands like wbinfo -u and wbinfo -g output the users and groups. I can also log in as any AD user.
The problem is, I can log on as any AD user.
require_membership_of is being ignored. I can put in a valid group with no spaces in the name, a group by SID, and either way, everyone can log in.
I've put this option in both
2013 Nov 28
4
SSH - Winbind and Keybased Auth
Hi Team,
We have a weird issue that we are trying to understand. We have winbind set up and working successfully for user authentication with passwords via ssh. We have pam.d/system-auth-ac and password-auth-ac (symlinked) set to require membership of a group which works great via password authentication.
However, if the user has a ssh key set up, they seem to bypass the group membership
2008 Aug 06
1
winbindd behaving oddly
Hello folks,
Been beating my head with winbind and pam just behaving oddly. I have followed
various HOW-TOs, wikis, and docs, and just can't seem to get past a wall. Here are
some of the issues:
- the 1st attempt at ssh'ing to a server gives me a 'Wrong Password' in the logs. Here's
an exact snippet:
Aug 6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd):
2018 Aug 04
2
Fwd: Restrict local Storage use and Restrict web Access via any Browser via Group Policy on Windows Desktops
Hi ,
Need to see if it is possible to do
* Restrict local Storage use - Means how to restrict via group policy
so that logon user in Samba AD will not be able to save any files on
local storage of C: or D: drives . He can save on mapped Drive (
From Samba File Server ) .
* Restrict web Access via any Browser via Group Policy
We have used samba-4.8.3 and windows version is win
2007 Jan 15
1
Winbind caching group membership issue
Hi All,
I am using samba-common-3.0.10-1.4E.9 on a RHEL4_U4 x86 machine. The
ADS server is WS03 sp1 running in Windows Server 2003 interim mode. In
general things are working well. However, when winbind caching is
enabled (default), group membership does not appear to update, i.e.
"wbinfo -r bob" and "groups bob" don't reflect changes in ADS group
membership.
2019 Aug 29
2
Online Backup Fails - list index out of range
> -----Original Message-----
> From: Tim Beale [mailto:timbeale at catalyst.net.nz]
> Sent: 29 August 2019 22:08
> To: Roy Eastwood; samba at lists.samba.org
> Subject: Re: [Samba] Online Backup Fails - list index out of range
>
> On 30/08/19 4:20 AM, Roy Eastwood via samba wrote:
> > INFO 2019-08-29 17:04:06,889 pid:13945 /usr/lib/python3/dist-packages/samba/join.py
2020 Jul 28
2
kerberos ticket on login problem
I'm experimenting with smb + winbind.
My host is joined to AD and I can login to my host fine using my AD
credentials via SSH. The only issue is that I don't get a Kerberos
ticket generated.
In /etc/security/pam_winbind.conf I have:
krb5_auth = yes
krb5_ccache_type = KEYRING
In /etc/krb5.conf, I also have:
default_ccache_name = KEYRING:persistent:%{uid}
Using wbinfo -K jas, then