[Samba] use spnego question - samba 47 to samba48 migration
Kontrol-Suporte
suporte at kontrolsecurity.com.br
Sun Jun 24 23:32:20 UTC 2018
Hi Rowland,
Thanks much for the help, as usual!
About Kerberos: Yes, I have implemented Kerberos and NTLM. I need both working.
About winbindd_privileged: Not sure what you mean by "I think you might want to check that again, the 'winbindd_privileged' dir went away quite some time ago."
Shouldn't that folder be there anymore? Every time I install Samba47 or 48 it creates the folder with the "pipe" inside of it. I just needed to change the permissions/ownership of the folder.
Isn't it OK to use it that way anymore?
About Lanman2: Hmm... now you got me confused. I could swear that option was to force NTLM v2 as the minimum. The idea is to force NTLM v2 as the minimum protocol.
Should I use option "smb2" instead?
Thanks a lot,
Fabricio.
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Sunday, June 24, 2018 4:26 AM
To: samba at lists.samba.org
Subject: Re: [Samba] use spnego question - samba 47 to samba48 migration
On Sat, 23 Jun 2018 17:04:39 -0300
Kontrol-Suporte via samba <samba at lists.samba.org> wrote:
> Hello Gentlemen.
> OK, Tests were made. I got some errors only when using Samba48
> (samba47 is still fine) IMPORTANT: I forgot to mention... This is
> being used with SQUID Proxy for SSO authentication.
>
> Got NTLMSSP neg_flags=0xa2088207
> Got user=[user01] domain=[MYDOMAIN] workstation=[ADCONTROL01] len1=24
> len2=338 Login for user [MYDOMAIN]\[user01]@[ ADCONTROL01] failed due
> to [{Access Denied} A process has requested access to an object but
> has not been granted those access rights.] GENSEC login failed:
> NT_STATUS_ACCESS_DENIED
>
> I tried the new settings as suggested and also partial changes. Both
> are presenting the same behaviour. Nothing was changed in the AD side.
> I also re-checked the permissions/ownership on
> "/var/db/samba4/winbindd_privileged" folder which is used by SQUID.
I think you might want to check that again, the 'winbindd_privileged'
dir went away quite some time ago.
>
> To Rowland: You asked if I really need the "min protocol = LANMAN2"
> option. Well, the idea was to enforce a minimum security level.
>
I actually thought that, but 'LANMAN2' ??? why not 'NT1' at least.
Have you considered using Kerberos with Squid?
Rowland