similar to: Kerberos and NTLMv2 authentication

Hello Rowland, Sorry for the workgroup and realm name, I put MYDOMAIN to anonymize, should be : realm = MYDOMAIN.LOCAL workgroup = MYDOMAIN About libpam-krb5 installed, I have on my system : yum list krb5-workstation pam_krb5 krb5-workstation.x86_64 1.15.1-37.el7_6 @updates pam_krb5.x86_64 2.4.8-6.el7 @base Is pam_krb5

Hi Edouard, > I set a samba share (4.8.1) on a linux (centos 7) as server member ; > authentication is done against a AD win 2012 R2 server through winbind. > > I thought authentication was using kerberos, but I checked log and found : > > Auth: [SMB2,(null)] user [MYDOMAIN]\[mydomainuser] at [mar., 11 juin 2019 > 10:21:42.000927 -03] with [NTLMv2] status [NT_STATUS_OK]

Hi, I updated our servers to 4.2.11, and I have a problem, but I'm not sure if the problem is related to the update. I am trying to use mount.cifs: > mount -t cifs -o username=username,password=super_secret,domain=WRKGRP //ip.of.our.samba/share /mnt > mount error(112): Host is down > Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) Host is up, i can use smbclient to

Hello, On my system, nssswitch is like this : passwd:???? files sss shadow:???? files sss group:????? files sss So I assumed that it works with SSSD, I do not notice any issue with Samba. My share is accessible, permissions acls are working. The only thing I noticed is maybe NTLMv2 is always used by default with Samba. /[2019/06/18 09:51:44.542476,? 3]

On 18/06/2019 19:49, Edouard Guign? via samba wrote: > ?gidNumber for 'Domain Users' is 513 > > not in range? '10000-14999' of uidNumber > > Is it a problem ? Oh yes, ALL user uidNumber's and Domain Users gidNumber MUST be inside the DOMAIN range you set in smb.conf, if they aren't, all your users WILL be ignored by Samba. Find the next available

The 2 commands works : # getent passwd MYDOMAIN\\usertest MYDOMAIN\\usertest:*:10430:14513:user TEST:/home/usertest:/bin/bash # getent group MYDOMAIN\\"Utilisateurs du domaine" MYDOMAIN\utilisateurs du domaine:x:14513: I have to put "Utilisateurs du domaine" instead of Domain\ Users because the Windows AD is a french AD. Le 19/06/2019 ? 12:32, Rowland penny via samba a

Dear Samba Users, I set 2 samba shares : 1. with the name [groups] /pathtomyshare/groups 2. for each domain users [homes] /home In Windows, I can see with the windows explorer my shares : groups (\\myserver) (V:) mydomainuser (\\myserver\homes) (U:) Why for [groups] is only indicated \\myserver and for [homes] is indicated \\myserver\homes ? Is there a way to change it ? I would only show

Hello, May you answer me about my issue with kerberos ? About libpam-krb5 installed, I have on my system : yum list krb5-workstation pam_krb5 krb5-workstation.x86_64 1.15.1-37.el7_6 @updates pam_krb5.x86_64 2.4.8-6.el7 @base Is pam_krb5 equivalent to libpam-krb5 on centos 7 ? Thanks -------- Message transf?r? -------- Sujet?: Re: [Samba] Kerberos and NTLMv2 authentication Date?: Sat, 15 Jun

Hello, I performed a test in order to get access to my samba share with winbindd (and not sssd). For that, 1. I change the gid of domain users from 513 to 15513 (to match with the domain range 10000 - 14999) And verify my test user is part of 15513 2. Stop sssd and change nsswitch.conf like this : /passwd:???? files winbind// //shadow:???? files// //group:????? files //winbind// / 3.

Hello, My samba share is on a Linux Centos 7, samba version 4.8.3. Please find here is my smb.cnf : [global] ??? security = ads ??? realm = MYDOMAIN.MYDOMAIN.LOCAL ??? workgroup = MYDOMAIN ??? kerberos method = secrets and keytab ??? server signing = mandatory ??? client signing = mandatory ??? hosts allow = 127. 10.x.x. 10.x.x. ??? hosts deny = 10.x.x. 10.x.x. ??? log file =

On 18/06/2019 17:24, Edouard Guign? via samba wrote: > "winbind refresh tickets = yes" did not help for my case. > It always has for myself, I have never had to refresh any kerberos machine tickets manually Rowland

Hello Dale, Set inherit acls = yes locally to my share groups, and remove map acl inherit = yes from global parameters of smb.conf does not solve my issue. I still have acl "Domain Users" added to new folders/files. As i write in my previous email, the only way i found to disable acl "Domain Users" to be added was with : inherit owner = yes With some disavantages for users

On 18/06/2019 19:02, Edouard Guign? via samba wrote: > Hello, > > I mean that i added "winbind refresh tickets = yes" in smb.cnf, but > does not seem to be link with my problem (Kerberos and NTLMv2 > authentication). > > After several test, without changing content of smb.conf (except for > winbind refresh tickets = yes) : > > 0. nsswitch.conf >

Edouard, These are the 4 available parameters containing the word "inherit". inherit acls (S) inherit owner (S) inherit permissions (S) map acl inherit (S) Would "inherit acls" work for you? Dale On 12/10/18 10:56 AM, Edouard Guigné via samba wrote: > Hello, > > I add to my previous mail, the only way i found to disable acl

Hello, I set a share on a samba 4.7.1 as domain member with an Active Directory controler, this share is used by all domain users. All users from the AD domain have a primary group "Domain Users", and secondary groups to filter access on the folders of the share. I noticed that when a user create a sub-folder/file inside a "Top folder", the default permissions from the

On 17/06/2019 13:42, Edouard Guign? via samba wrote: > Hello, > > Please find here the content of my smb.cnf : > > [global] > ??????? security = ads > ??????? realm = MYDOMAIN.LOCAL > ??????? workgroup = MYDOMAIN > ??????? kerberos method = secrets and keytab > ??????? server signing = mandatory > ??????? client signing = mandatory > > ??????? hosts allow =

Is it possible to make start DOMAIN range from 500 instead of 10000 ? I realized that all my gid are in range 500 to 600 and not in range 10000 - 14999 I thought? DOMAIN range 10000 - 14999 was reserved for DOMAIN users -------- Message transf?r? -------- Sujet?: Re: [Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication Date?: Tue, 18 Jun 2019 16:25:39 -0300 De?: Edouard Guign? via

On 18/06/2019 16:01, Goetz, Patrick G via samba wrote: > On 6/18/19 8:35 AM, Edouard Guign? via samba wrote: >> I do not want to annoy anymore with my problem of a mixed configuration >> SSSD / Winbindd ; but I would like to understand why this is working >> only with SSSD and not with winbindd. >> Maybe because I first join my linux station to the domain with SSSD ?

Hello, I have set up audit logging and I find many entries of this type : ./auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [SMB2,(null)] user [MYDOMAIN]\[MYWORKSTATION$] at [mar., 23 juil. 2019 07:49:43.486619 -03] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MYWORKSTATION] remote host [ipv4:10.x.x.x:49472] mapped to [MYDOMAIN]\[MYWORKSTATION$]. local host

On 17/06/2019 17:45, Edouard Guign? via samba wrote: > Hello, > > I do not know how should be nsswitch.conf configured. > What should I change in it according to "/you either do not have the > passwd, group and shadow lines or you have chosen not to show them/" ? > Something like this? added to nsswitch.conf ? > passwd : files > group : files > shadow : files