similar to: Samba winbind on redhat 7

My idea is to replace default "cifs_idmap_sss.so" plugin by "idmapwb.so" winbind plugin, in order to SSSD becomes a client of winbind. To avoid to change nsswitch.conf : passwd:???? files sss shadow:???? files sss group:????? files sss into passwd:???? files winbind shadow:???? files winbind group:????? files winbind because I need an other access in sftp, this is using

This way is so easier... Thank you Rowland Le 20/06/2019 ? 14:01, Rowland penny via samba a ?crit?: > On 20/06/2019 17:54, Edouard Guign? via samba wrote: >> My idea is to replace default "cifs_idmap_sss.so" plugin by >> "idmapwb.so" winbind plugin, in order to SSSD becomes a client of >> winbind. >> To avoid to change nsswitch.conf : >>

On 20/06/2019 17:54, Edouard Guign? via samba wrote: > My idea is to replace default "cifs_idmap_sss.so" plugin by > "idmapwb.so" winbind plugin, in order to SSSD becomes a client of > winbind. > To avoid to change nsswitch.conf : > passwd:???? files sss > shadow:???? files sss > group:????? files sss > > into > > passwd:???? files winbind

Hello, I am facing 2 issues now. The first one is the more critical for me... 1. When I switch from sssd to winbind with : # authconfig --enablekrb5 --enablewinbind --enablewinbindauth --enablemkhomedir --update My sftp access did not work. Does it change the way to pass the login ? I used to connect in sftp with userlogin / userpassword //var/log/secure :// / /Jun 21 11:08:31 [localhost]

On 18/06/2019 17:24, Edouard Guign? via samba wrote: > "winbind refresh tickets = yes" did not help for my case. > It always has for myself, I have never had to refresh any kerberos machine tickets manually Rowland

Hello, On my system, nssswitch is like this : passwd:???? files sss shadow:???? files sss group:????? files sss So I assumed that it works with SSSD, I do not notice any issue with Samba. My share is accessible, permissions acls are working. The only thing I noticed is maybe NTLMv2 is always used by default with Samba. /[2019/06/18 09:51:44.542476,? 3]

On 17/06/2019 17:45, Edouard Guign? via samba wrote: > Hello, > > I do not know how should be nsswitch.conf configured. > What should I change in it according to "/you either do not have the > passwd, group and shadow lines or you have chosen not to show them/" ? > Something like this? added to nsswitch.conf ? > passwd : files > group : files > shadow : files

On 18/06/2019 19:02, Edouard Guign? via samba wrote: > Hello, > > I mean that i added "winbind refresh tickets = yes" in smb.cnf, but > does not seem to be link with my problem (Kerberos and NTLMv2 > authentication). > > After several test, without changing content of smb.conf (except for > winbind refresh tickets = yes) : > > 0. nsswitch.conf >

On 17/06/2019 12:56, Edouard Guign? via samba wrote: > Hello, > > May you answer me about my issue with kerberos ? > > About libpam-krb5 installed, I have on my system : > yum list krb5-workstation pam_krb5 > krb5-workstation.x86_64 1.15.1-37.el7_6 @updates > pam_krb5.x86_64 2.4.8-6.el7 @base > > Is pam_krb5 equivalent to libpam-krb5 on centos 7 ? Sorry for the late

On 17/06/2019 13:42, Edouard Guign? via samba wrote: > Hello, > > Please find here the content of my smb.cnf : > > [global] > ??????? security = ads > ??????? realm = MYDOMAIN.LOCAL > ??????? workgroup = MYDOMAIN > ??????? kerberos method = secrets and keytab > ??????? server signing = mandatory > ??????? client signing = mandatory > > ??????? hosts allow =

Hello, I performed a test in order to get access to my samba share with winbindd (and not sssd). For that, 1. I change the gid of domain users from 513 to 15513 (to match with the domain range 10000 - 14999) And verify my test user is part of 15513 2. Stop sssd and change nsswitch.conf like this : /passwd:???? files winbind// //shadow:???? files// //group:????? files //winbind// / 3.

On 18/06/2019 16:01, Goetz, Patrick G via samba wrote: > On 6/18/19 8:35 AM, Edouard Guign? via samba wrote: >> I do not want to annoy anymore with my problem of a mixed configuration >> SSSD / Winbindd ; but I would like to understand why this is working >> only with SSSD and not with winbindd. >> Maybe because I first join my linux station to the domain with SSSD ?

On 21/06/2019 15:39, Edouard Guign? via samba wrote: > Hello, > > I am facing 2 issues now. > The first one is the more critical for me... > > 1. When I switch from sssd to winbind with : > # authconfig --enablekrb5 --enablewinbind --enablewinbindauth > --enablemkhomedir --update > > My sftp access did not work. Does it change the way to pass the login ? > I used

Is it possible to make start DOMAIN range from 500 instead of 10000 ? I realized that all my gid are in range 500 to 600 and not in range 10000 - 14999 I thought? DOMAIN range 10000 - 14999 was reserved for DOMAIN users -------- Message transf?r? -------- Sujet?: Re: [Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication Date?: Tue, 18 Jun 2019 16:25:39 -0300 De?: Edouard Guign? via

The 2 commands works : # getent passwd MYDOMAIN\\usertest MYDOMAIN\\usertest:*:10430:14513:user TEST:/home/usertest:/bin/bash # getent group MYDOMAIN\\"Utilisateurs du domaine" MYDOMAIN\utilisateurs du domaine:x:14513: I have to put "Utilisateurs du domaine" instead of Domain\ Users because the Windows AD is a french AD. Le 19/06/2019 ? 12:32, Rowland penny via samba a

I did not set max protocol to SMB2 in smb.cnf, I don't want to force SMB2 selection if SMB3 can be used by a client. The machine is a Windows 7, so is SMB2 compliant. Le 22/07/2019 ? 11:44, Gaiseric Vandal via samba a ?crit?: > I would guess that changing the min protocol does not affect existing > connections unless you were to restart samba. > > Is the max protocol set to at

On 6/17/19 12:37 PM, Edouard Guign? via samba wrote: > On my linux box (centos 7), I set Samba + Winbind against AD. > But I also set SSSD against AD for an other purpose (sftp access). > > I am wondering if there is no risk to disable sftpd/sssd if I add > winbind in /etc/nsswitch.conf > > Can Winbind and SSSD be installed on the same system if they are not > used for

On 18/06/2019 19:49, Edouard Guign? via samba wrote: > ?gidNumber for 'Domain Users' is 513 > > not in range? '10000-14999' of uidNumber > > Is it a problem ? Oh yes, ALL user uidNumber's and Domain Users gidNumber MUST be inside the DOMAIN range you set in smb.conf, if they aren't, all your users WILL be ignored by Samba. Find the next available

Hello, Thank you ! I add server min protocol = SMB2_02 to smb.cnf All clients are now using SMB2_10 as minimum protocol version May you indicate me the difference between "client min protocol" and "server min protocol" ? "server min protocol" is to use on a domain member "client min protocol" is to use in which case ? Should I also set client min

Hello, My samba share is on a Linux Centos 7, samba version 4.8.3. Please find here is my smb.cnf : [global] ??? security = ads ??? realm = MYDOMAIN.MYDOMAIN.LOCAL ??? workgroup = MYDOMAIN ??? kerberos method = secrets and keytab ??? server signing = mandatory ??? client signing = mandatory ??? hosts allow = 127. 10.x.x. 10.x.x. ??? hosts deny = 10.x.x. 10.x.x. ??? log file =