Displaying 20 results from an estimated 10000 matches similar to: "Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication"
2019 Jun 18
0
Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 18/06/2019 14:35, Edouard Guign? via samba wrote:
> Hello,
>
> On my system, nsswitch is like this :
> passwd:     files sss
> shadow:     files sss
> group:      files sss
>
> So I assumed that it works with SSSD, I do not notice any issue with
> Samba.
> My share is accessible, permissions acls are working.
> The only thing I noticed is maybe NTLMv2 is
2019 Jun 19
2
Fwd: Re: Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
The 2 commands work :
# getent passwd MYDOMAIN\\usertest
MYDOMAIN\\usertest:*:10430:14513:user TEST:/home/usertest:/bin/bash
# getent group MYDOMAIN\\"Utilisateurs du domaine"
MYDOMAIN\utilisateurs du domaine:x:14513:
I have to put "Utilisateurs du domaine" instead of Domain\ Users because
the Windows AD is a french AD.
Le 19/06/2019 à 12:32, Rowland penny via samba a
2019 Jun 20
2
Samba winbind on redhat 7
This way is so easier...
Thank you Rowland
On 20/06/2019 at 14:01, Rowland penny via samba wrote:
> On 20/06/2019 17:54, Edouard Guign? via samba wrote:
>> My idea is to replace default "cifs_idmap_sss.so" plugin by
>> "idmapwb.so" winbind plugin, in order to SSSD becomes a client of
>> winbind.
>> To avoid to change nsswitch.conf :
>>
2019 Jun 19
2
Fwd: Re: Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
So I re run the test with domain users gid 14513
Still not working (sssd stopped, nsswitch.conf with "files winbind" for
passwd group, # net cache flush + restart winbindd smb)
On the samba server :
# wbinfo -i MYDOMAIN\usertest
MYDOMAIN\usertest:*:10430:*14513*:user TEST:/home/usertest:/bin/bash
In log, I have :
myw7worstation.log
[2019/06/19 12:04:29.496822,  1]
2019 Jun 19
2
Fwd: Re: Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
Hello,
I performed a test in order to get access to my samba share with
winbindd (and not sssd).
For that,
1. I change the gid of domain users from 513 to 15513 (to match with the
domain range 10000 - 14999)
And verify my test user is part of 15513
2. Stop sssd and change nsswitch.conf like this :
passwd:     files winbind
shadow:     files
group:      files winbind
3.
2019 Jun 21
2
Samba winbind on redhat 7
On 21/06/2019 15:39, Edouard Guign? via samba wrote:
> Hello,
>
> I am facing 2 issues now.
> The first one is the more critical for me...
>
> 1. When I switch from sssd to winbind with :
> # authconfig --enablekrb5 --enablewinbind --enablewinbindauth
> --enablemkhomedir --update
>
> My sftp access did not work. Does it change the way to pass the login ?
> I used
2019 Jun 20
2
Samba winbind on redhat 7
My idea is to replace default "cifs_idmap_sss.so" plugin by "idmapwb.so"
winbind plugin, in order to SSSD becomes a client of winbind.
To avoid to change nsswitch.conf :
passwd:     files sss
shadow:     files sss
group:      files sss
into
passwd:     files winbind
shadow:     files winbind
group:      files winbind
because I need an other access in sftp, this is using
2019 Jun 18
7
Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 18/06/2019 17:24, Edouard Guign? via samba wrote:
> "winbind refresh tickets = yes" did not help for my case.
>
It always has for myself, I have never had to refresh any kerberos
machine tickets manually
Rowland
2019 Jun 20
2
Samba winbind on redhat 7
Hello,
I am reading RHEL 7 docs concerning samba integration, and I found
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#winbind
"4.2.4. Switching Between SSSD and Winbind for SMB Share Access
This procedure describes how you can switch between SSSD and Winbind
plug-ins that are used for accessing SMB shares from SSSD
2020 Nov 22
1
Windows file ownership changed from SID to Unix User
>
> There is no one supporting the use of sssd with Samba, not even Red Hat.
>
> Now that I know what to look for (thank you, Roland!), I found
https://access.redhat.com/solutions/3802321 page explaining how to properly
bridge between SSSD and winbind.
In essence, the following configuration is in place (copy-pasting main
parts of the document for the benefit of those who has no RHEL
2019 Jun 17
2
Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 6/17/19 12:37 PM, Edouard Guign? via samba wrote:
> On my linux box (centos 7), I set Samba + Winbind against AD.
> But I also set SSSD against AD for an other purpose (sftp access).
>
> I am wondering if there is no risk to disable sftpd/sssd if I add
> winbind in /etc/nsswitch.conf
>
> Can Winbind and SSSD be installed on the same system if they are not
> used for
2019 Jun 18
2
Fwd: Re: Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
Is it possible to make start DOMAIN range from 500 instead of 10000 ?
I realized that all my gid are in range 500 to 600 and not in range
10000 - 14999
I thought DOMAIN range 10000 - 14999 was reserved for DOMAIN users
-------- Forwarded Message --------
Subject: Re: [Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
Date: Tue, 18 Jun 2019 16:25:39 -0300
From: Edouard Guign? via
2019 Jun 17
3
Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 17/06/2019 17:45, Edouard Guign? via samba wrote:
> Hello,
>
> I do not know how should be nsswitch.conf configured.
> What should I change in it according to "/you either do not have the
> passwd, group and shadow lines or you have chosen not to show them/" ?
> Something like this added to nsswitch.conf ?
> passwd : files
> group : files
> shadow : files
2020 Nov 22
2
Windows file ownership changed from SID to Unix User
>
> No, you only thought it worked using sssd on 4.8.x & 4.9.x, but it
> didn't work correctly.
>
Maybe, but it "worked". Can we speculate what change in 4.10.x prompted
Samba to export "Unix user\username" type of ownership to Windows clients
instead of SID? Is there any option to revert to previous "wrong" behavior
as a temporary workaround?
2019 Jun 21
0
Samba winbind on redhat 7
Hello,
I am facing 2 issues now.
The first one is the more critical for me...
1. When I switch from sssd to winbind with :
# authconfig --enablekrb5 --enablewinbind --enablewinbindauth
--enablemkhomedir --update
My sftp access did not work. Does it change the way to pass the login ?
I used to connect in sftp with userlogin / userpassword
/var/log/secure :
Jun 21 11:08:31 [localhost]
2019 Jun 18
3
Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 18/06/2019 19:02, Edouard Guign? via samba wrote:
> Hello,
>
> I mean that I added "winbind refresh tickets = yes" in smb.conf, but
> does not seem to be link with my problem (Kerberos and NTLMv2
> authentication).
>
> After several test, without changing content of smb.conf (except for
> winbind refresh tickets = yes) :
>
> 0. nsswitch.conf
>
2019 Jun 18
2
Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 18/06/2019 16:01, Goetz, Patrick G via samba wrote:
> On 6/18/19 8:35 AM, Edouard Guign? via samba wrote:
>> I do not want to annoy anymore with my problem of a mixed configuration
>> SSSD / Winbindd ; but I would like to understand why this is working
>> only with SSSD and not with winbindd.
>> Maybe because I first join my linux station to the domain with SSSD ?
2019 Jun 17
2
Fwd: Re: Kerberos and NTLMv2 authentication
On 17/06/2019 12:56, Edouard Guign? via samba wrote:
> Hello,
>
> May you answer me about my issue with kerberos ?
>
> About libpam-krb5 installed, I have on my system :
> yum list krb5-workstation pam_krb5
> krb5-workstation.x86_64 1.15.1-37.el7_6 @updates
> pam_krb5.x86_64 2.4.8-6.el7 @base
>
> Is pam_krb5 equivalent to libpam-krb5 on centos 7 ?
Sorry for the late
2019 Jun 17
2
Fwd: Re: Kerberos and NTLMv2 authentication
On 17/06/2019 13:42, Edouard Guign? via samba wrote:
> Hello,
>
> Please find here the content of my smb.conf :
>
> [global]
>         security = ads
>         realm = MYDOMAIN.LOCAL
>         workgroup = MYDOMAIN
>         kerberos method = secrets and keytab
>         server signing = mandatory
>         client signing = mandatory
>
>         hosts allow =
2023 Apr 18
1
gpo client linux sssd does not apply
On 4/18/23 4:44 AM, Rowland Penny via samba wrote:
> I think what you are saying is this, using oddjob-gpupdate replaces
> the 'apply group policies = yes' line in smb.conf
>
> Anderson compiled oddjob-gpupdate and it didn't work using sssd, but
> the same basic setup on the OS using winbind did.
>
> As far as I can see, oddjob-gpupdate or 'apply group