similar to: Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication

On 18/06/2019 14:35, Edouard Guign? via samba wrote: > Hello, > > On my system, nssswitch is like this : > passwd:???? files sss > shadow:???? files sss > group:????? files sss > > So I assumed that it works with SSSD, I do not notice any issue with > Samba. > My share is accessible, permissions acls are working. > The only thing I noticed is maybe NTLMv2 is

The 2 commands works : # getent passwd MYDOMAIN\\usertest MYDOMAIN\\usertest:*:10430:14513:user TEST:/home/usertest:/bin/bash # getent group MYDOMAIN\\"Utilisateurs du domaine" MYDOMAIN\utilisateurs du domaine:x:14513: I have to put "Utilisateurs du domaine" instead of Domain\ Users because the Windows AD is a french AD. Le 19/06/2019 ? 12:32, Rowland penny via samba a

This way is so easier... Thank you Rowland Le 20/06/2019 ? 14:01, Rowland penny via samba a ?crit?: > On 20/06/2019 17:54, Edouard Guign? via samba wrote: >> My idea is to replace default "cifs_idmap_sss.so" plugin by >> "idmapwb.so" winbind plugin, in order to SSSD becomes a client of >> winbind. >> To avoid to change nsswitch.conf : >>

> > There is no one supporting the use of sssd with Samba, not even Red Hat. > > Now that I know what to look for (thank you, Roland!), I found https://access.redhat.com/solutions/3802321 page explaining how to properly bridge between SSSD and winbind. In essence, the following configuration is in place (copy-pasting main parts of the document for the benefit of those who has no RHEL

My idea is to replace default "cifs_idmap_sss.so" plugin by "idmapwb.so" winbind plugin, in order to SSSD becomes a client of winbind. To avoid to change nsswitch.conf : passwd:???? files sss shadow:???? files sss group:????? files sss into passwd:???? files winbind shadow:???? files winbind group:????? files winbind because I need an other access in sftp, this is using

> > No, you only thought it worked using sssd on 4.8.x & 4.9.x, but it > didn't work correctly. > Maybe, but it "worked". Can we speculate what change in 4.10.x prompted Samba to export "Unix user\username" type of ownership to Windows clients instead of SID? Is there any option to revert to previous "wrong" behavior as a temporary workaround?

Hello, I am reading RHEL 7 docs concerning samba integration, and I found https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#winbind "4.2.4. Switching Between SSSD and Winbind for SMB Share Access This procedure describes how you can switch between SSSD and Winbind plug-ins that are used for accessing SMB shares from SSSD

On 18/06/2019 17:24, Edouard Guign? via samba wrote: > "winbind refresh tickets = yes" did not help for my case. > It always has for myself, I have never had to refresh any kerberos machine tickets manually Rowland

Hello, I performed a test in order to get access to my samba share with winbindd (and not sssd). For that, 1. I change the gid of domain users from 513 to 15513 (to match with the domain range 10000 - 14999) And verify my test user is part of 15513 2. Stop sssd and change nsswitch.conf like this : /passwd:???? files winbind// //shadow:???? files// //group:????? files //winbind// / 3.

So I re run the test with domain users gid 14513 Still not working (sssd stopped, nsswitch.cnf with? "files winbind" for passwd group, # net cache flush + restart winbindd smb) On the samba server : # wbinfo -i MYDOMAIN\usertest MYDOMAIN\usertest:*:10430:*14513*:user TEST:/home/usertest:/bin/bash In log, I have : myw7worstation.log /[2019/06/19 12:04:29.496822,? 1]

On 6/17/19 12:37 PM, Edouard Guign? via samba wrote: > On my linux box (centos 7), I set Samba + Winbind against AD. > But I also set SSSD against AD for an other purpose (sftp access). > > I am wondering if there is no risk to disable sftpd/sssd if I add > winbind in /etc/nsswitch.conf > > Can Winbind and SSSD be installed on the same system if they are not > used for

On 17/06/2019 17:45, Edouard Guign? via samba wrote: > Hello, > > I do not know how should be nsswitch.conf configured. > What should I change in it according to "/you either do not have the > passwd, group and shadow lines or you have chosen not to show them/" ? > Something like this? added to nsswitch.conf ? > passwd : files > group : files > shadow : files

On 21/06/2019 15:39, Edouard Guign? via samba wrote: > Hello, > > I am facing 2 issues now. > The first one is the more critical for me... > > 1. When I switch from sssd to winbind with : > # authconfig --enablekrb5 --enablewinbind --enablewinbindauth > --enablemkhomedir --update > > My sftp access did not work. Does it change the way to pass the login ? > I used

On 08/06/2019 21:32, Rowland penny via samba wrote: > On 08/06/2019 16:24, Uwe Laverenz via samba wrote: >> Hi all, >> >> when you join a linux server to an active directory with "realm" it >> uses "sssd" as default. This works well as long as you just want to >> be a simple domain member. >> >> As soon as you want a real member

Hello, I am facing 2 issues now. The first one is the more critical for me... 1. When I switch from sssd to winbind with : # authconfig --enablekrb5 --enablewinbind --enablewinbindauth --enablemkhomedir --update My sftp access did not work. Does it change the way to pass the login ? I used to connect in sftp with userlogin / userpassword //var/log/secure :// / /Jun 21 11:08:31 [localhost]

Is it possible to make start DOMAIN range from 500 instead of 10000 ? I realized that all my gid are in range 500 to 600 and not in range 10000 - 14999 I thought? DOMAIN range 10000 - 14999 was reserved for DOMAIN users -------- Message transf?r? -------- Sujet?: Re: [Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication Date?: Tue, 18 Jun 2019 16:25:39 -0300 De?: Edouard Guign? via

Like so many others, I'm having NT_STATUS_LOGON_FAILURE issues. I've tried all the fixes I could find to no avail. My environment: Cent 7 (Linux 4.19.72-v7l.1.el7) with Samba 4.9.1, bound to AD via Realmd. SSSD for ACL's, winbind for user map. Installed packages: nano, ntpdate, ntp, realmd, sssd, sssd-tools, sssd-winbind-idmap, samba-winbind, adcli, oddjob, oddjob-mkhomedir,

On 10/06/2019 16:04, vincent at cojot.name wrote: > > There is probably some amount of redtape on this but AFAIK it works > fine for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs > through use of realm '(and thus sssd): > > Here's a RHEL7.6 client: > # realm list > ad.lasthome.solace.krynn > ? type: kerberos > ? realm-name:

On 18/06/2019 16:01, Goetz, Patrick G via samba wrote: > On 6/18/19 8:35 AM, Edouard Guign? via samba wrote: >> I do not want to annoy anymore with my problem of a mixed configuration >> SSSD / Winbindd ; but I would like to understand why this is working >> only with SSSD and not with winbindd. >> Maybe because I first join my linux station to the domain with SSSD ?

On 18/06/2019 19:02, Edouard Guign? via samba wrote: > Hello, > > I mean that i added "winbind refresh tickets = yes" in smb.cnf, but > does not seem to be link with my problem (Kerberos and NTLMv2 > authentication). > > After several test, without changing content of smb.conf (except for > winbind refresh tickets = yes) : > > 0. nsswitch.conf >