[Samba] use spnego question - samba 47 to samba48 migration

Kontrol-Suporte suporte at kontrolsecurity.com.br
Sun Jun 24 23:32:20 UTC 2018 

Hi Rowland,
Thanks Much for the help, as usual!

About Kerberos: Yes, I have implemented Kerberos and NTLM. I need both working.
About winbindd_privileged:  Not sure what you mean with " I think you might want to check that again, the 'winbindd_privileged' dir went away quite some time ago."
Shouldn't that folder be there anymore? Everytime I install Samba47 or 48 it creates the folder with the "pipe" inside of it. I just needed to change the permissions/ownership to the folder.
Isn't Ok to use that way anymore?

About Lanman2:  Hummm... now you got me confused. I could swear that option was to force ntlm v2 as minimum. The idea is to force NTLM v2 as minimum protocol.
Should I use option "smb2" instead?

Thanks a Lot,
Fabricio.



-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Sunday, June 24, 2018 4:26 AM
To: samba at lists.samba.org
Subject: Re: [Samba] use spnego question - samba 47 to samba48 migration

On Sat, 23 Jun 2018 17:04:39 -0300
Kontrol-Suporte via samba <samba at lists.samba.org> wrote:

> Hello Gentlemen.
> OK, Tests were made. I got some errors only when using Samba48
> (samba47 is still fine) IMPORTANT: I forgot to mention... This is 
> being used with SQUID Proxy for SSO authentication.
> 
> Got NTLMSSP neg_flags=0xa2088207
> Got user=[user01] domain=[MYDOMAIN] workstation=[ADCONTROL01] len1=24
> len2=338 Login for user [MYDOMAIN]\[user01]@[ ADCONTROL01] failed due 
> to [{Access Denied} A process has requested access to an object but 
> has not been granted those access rights.] GENSEC login failed:
> NT_STATUS_ACCESS_DENIED
> 
> I tried the new settings as suggested and also partial changes. Both 
> are presenting the same behaviour. Nothing was changed in the AD side. 
> I also re-checked the permissions/ownership on 
> "/var/db/samba4/winbindd_privileged"  folder which is used by SQUID.

I think you might want to check that again, the 'winbindd_privileged'
dir went away quite some time ago.

> 
> To Rowland:  You asked if I really need the "min protocol = LANMAN2"
> option. Well, the idea was to enforce a minimum security level.
> 

I actually thought that, but 'LANMAN2' ??? why not 'NT1' at least.

Have you considered using kerberos with squid ?

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list