similar to: How to configure samba domain member to use LDAPS instead of LDAP

My customer complain that in the AD DC they see the following insecure communication coming from the Samba server (DC member): "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection." So Samba does an insecure LDAP bind and

The DC is a Windows AD DC. Could you please clarify why i should change setting in the Windows DC instead of the Samba server, which is the one that does the insecure ldap bind? Regards Andrea Cucciarre' On 11/9/2020 3:13 PM, Rowland penny via samba wrote: > On 09/11/2020 13:28, Andrea Cucciarre' wrote: >> My customer complain that in the AD DC they see the following

Am 09.11.20 um 15:42 schrieb cn--- via samba: > What version of Samba is this and do you have "server schannel = no" set > in its smb.conf? It might also be some thing like this option "client ldap sasl wrapping". So it would really help to see the entire smb.conf Regards Christian > > > Regards > > Christian > > Am 09.11.20 um 15:31 schrieb

I will provide the whole smb.conf, but I can anticipate that I don't have any setting for server schannel, while client ldap sasl wrapping = plain Regards Andrea Cucciarre' On 11/9/2020 3:48 PM, cn--- via samba wrote: > Am 09.11.20 um 15:42 schrieb cn--- via samba: >> What version of Samba is this and do you have "server schannel = no" >> set in its

What version of Samba is this and do you have "server schannel = no" set in its smb.conf? Regards Christian Am 09.11.20 um 15:31 schrieb Andrea Cucciarre' via samba: > The DC is a Windows AD DC. > Could you please clarify why i should change setting in the Windows DC > instead of the Samba server, which is the one that does the insecure > ldap bind? > >

Hi, after a successfully migrating my NT4 with OpenLDAP to a Samba4 AD...I got a problem. Like in the sambawiki tutorial (https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC) I tried to configure LDAPS. I used the auto-configured certs. They are located in "/var/lib/samba/private/tls". My smb.conf: # Global parameters [global] netbios name = PDC

Sorry my bad, thanks for spotting it. Should that explains also the failure to grab the mutex? Andrea Il 3/12/2019 12:14 PM, Rowland Penny via samba ha scritto: > On Tue, 12 Mar 2019 12:01:08 +0100 > Andrea Cucciarre' <acucciarre at cloudian.com> wrote: > >> The OS is OmniOS, the DC is Windows Server (not sure about the >> release), and below the smb.conf.

Hello, Still fighting on this issue, now sometimes I get the following (may be) relevant errors: [2019/03/18 14:46:03.329505, 10, pid=582, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap.c:509(idmap_find_domain)   idmap_find_domain called for domain 'BITINTRA' [2019/03/18 14:46:03.329577, 10, pid=582, effective(0, 0), real(0, 0), class=winbind]

The OS is OmniOS, the DC is Windows Server (not sure about the release), and below the smb.conf. I have also noted that they have more trusted domains, but since they configured ad idmap only for one domain, then all the other domains use tdb idmap [global] client ldap sasl wrapping = plain dedicated keytab file = /etc/krb5.keytab disable spoolss = yes host msdfs = no idmap config * : backend

Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian. I would now like to enable LDAPS so my users can authenticate in other non Samba services using Active Directory. From reading the documentation here: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC I understand that for the most

Also: -H ldap://10.100.0.4 should probably be ldaps://URI You can potentially this in smb.conf, but that is definitely not recommended. https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC Kris Lou klou at themusiclink.net On Wed, Sep 5, 2018 at 2:10 AM, Rowland Penny via samba < samba at lists.samba.org> wrote: > On Wed, 05 Sep 2018 15:46:04 +0700

I'm not sure I have understood, I'm mounting the share as "urca" user, which is not a known user. Although I'm setting smb.conf so that for guest user it uses the privileges of the known user "andrea" Could you please advice on what I should set for "guest account" in smb.conf? Thanks Andrea Il 1/23/2019 5:15 PM, Rowland Penny via samba ha scritto:

Hi All, This Samba release changelog (https://wiki.samba.org/index.php/Updating_Samba#Incorrect_TLS_File_Permissions) specifically mentions a security issue and that that the multiple *.pem files needed for LDAP via TLS all need "special permissions" - and mentions to delete old files without the required permissions to force file renewal. Yet in the official Samba documentation

Hello, I just configured a three-site DCs setup with Samba 4.6.0, and replication worked great. But then I added a custom cert to one of the DCs to authenticate various apps against it. I used this wiki https://wiki.samba.org/index. php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC Now I can authenticate my apps over LDAPS against my DC, but broke replication. How do I need to configure

Hi. Following this document: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC I have a Centos 7.x with samba4.4.4 with openldap 2.4.40. If I run the command: smbd -b | grep "ENABLE_GNUTLS" I don't get any answer, this mean that samba doesn't have ssl support? Thanks for your time. -- LIving the dream...

On Sat, 2017-03-11 at 13:39 +1300, Andrew Bartlett via samba wrote: > On Fri, 2017-03-10 at 16:17 -0600, Mircea Husz via samba wrote: > > > > Hello, > > > > I just configured a three-site DCs setup with Samba 4.6.0, and > > replication worked great. > > But then I added a custom cert to one of the DCs to authenticate > > various apps against it. I

On 20/04/2020 17:49, Andrea Cucciarre' via samba wrote: > Does the "password server" setting in the smb.conf achieve it? No, you shouldn't use this, you should allow Samba to choose the best DC to use. > > On 4/20/2020 6:40 PM, Andrea Cucciarre' wrote: >> Hello, >> >> Is there a way to provide a list of DC that Samba should try to join? >> I

Hello, Is there a way to provide a list of DC that Samba should try to join? I know that in command "net ads join" I can use "-S" to select with DC to use, but it seems it doesn't accept list, only one single server. Regards Andrea

I have OpenSSL forgenrate the CA root file in my server and work fine. My question is, ?howto i say to Samba (configuration) for work with CA certificates? . I dont find information about this. Thanks. Saludos. --- Miguel El mar., 10 nov. 2020 a las 15:22, S?rgio Basto (<sergio at serjux.com>) escribi?: > On Tue, 2020-11-10 at 14:48 -0300, Miguel Angel Coa M. via samba wrote: >

If I were guessing, based on some experience with certificate usage in other apps, concatenate your certificate and intermediate certificates into a single file which is then your "tls certfile" then point "tls cafile" to your issuers proper CA or just to your distro's CA bundle, e.g /etc/pki/tls/certs/ca-bundle.crt. Nick On 06/08/2020 16:36, MAS Jean-Louis via samba