[Samba] Samba as a domain member:

L.P.H. van Belle belle at bazuin.nl
Tue Jun 16 18:27:21 UTC 2020


In addition, I don't know if it's needed, I don't use OpenVPN.

Simple to test.
You could try to add: ntlm auth = mschapv2-and-ntlmv2-only on the DCs and the needed member.


Greetz,
Louis
 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Tuesday 16 June 2020 15:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba as a domain member:
> 
> On 16/06/2020 13:55, Vieri Di Paola via samba wrote:
> > Yes:
> >
> > # getent group GROUP
> > group:x:17573:
> >
> > # getent group group2
> > group2:x:11010:
> >
> > # getent group GROUP3
> > group3:x:21178:
> >
> > # wbinfo --group-info GROUP
> > group:x:17573:
> >
> > # wbinfo -n GROUP
> > S-1-5-21-948789634-15155995-928725530-7573 SID_DOM_GROUP (2)
> >
> OK, I am not an expert on OpenVPN, but from 'man pam_winbind':
> 
>         require_membership_of=[SID or NAME]
>             If this option is set, pam_winbind will only succeed if the
>             user is a member of the given SID or NAME. A SID can be either a
>             group-SID, an alias-SID or even an user-SID. It is also possible
>             to give a NAME instead of the SID. That name must have the form:
>             MYDOMAIN\\mygroup or MYDOMAIN\\myuser. pam_winbind will, in that
>             case, lookup the SID internally. Note that NAME may not contain
>             any spaces. It is thus recommended to only use SIDs. You can
>             verify the list of SIDs a user is a member of with wbinfo
>             --user-sids=SID.
>
>             This option must only be specified on a auth module
>             declaration, as it only operates in conjunction with password
>             authentication.
> 
> So, from that, you need to remove 'require_membership_of=GROUP' from the
> 'account' line in /etc/pam.d/openvpn-ivpn
> You also, it would seem, need to replace 'require_membership_of=GROUP'
> with 'require_membership_of=DOMAIN\\GROUP' or
> 'require_membership_of=S-1-5-21-948789634-15155995-928725530-7573' on
> the auth line in /etc/pam.d/openvpn-ivpn
> 
> Rowland
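
The two checks from the quoted man page text (option only on an auth line, value given as a SID or DOMAIN\\name), written as a small lint. This is an added example, not part of the original thread; the function name, the finding codes and both sample files are constructed for illustration, and the comma-separated value handling is an assumption.

```python
import re

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
# DOMAIN\name; one or two backslashes accepted (the man page prints two).
QUALIFIED_RE = re.compile(r"^[^\\\s]+\\{1,2}[^\\\s]+$")
OPTION = "require_membership_of="


def lint_pam_winbind(text):
    """Return (line_number, code) findings for pam_winbind lines in a PAM file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not any(f.endswith("pam_winbind.so") for f in fields):
            continue
        module_type = fields[0].lstrip("-").lower()
        for field in fields:
            if not field.startswith(OPTION):
                continue
            if module_type != "auth":
                findings.append((lineno, "not-auth-line"))
            # Assumption: several SIDs/names may be given, comma-separated.
            for value in field[len(OPTION):].split(","):
                if SID_RE.match(value):
                    continue
                if QUALIFIED_RE.match(value):
                    findings.append((lineno, "name-not-sid"))
                else:
                    findings.append((lineno, "unqualified-name"))
    return findings


# Constructed samples; the real /etc/pam.d/openvpn-ivpn is not shown in the thread.
BEFORE = r"""
auth     required  pam_winbind.so require_membership_of=GROUP
account  required  pam_winbind.so require_membership_of=GROUP
"""
AFTER = r"""
auth     required  pam_winbind.so require_membership_of=S-1-5-21-948789634-15155995-928725530-7573
account  required  pam_winbind.so
"""

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_pam_winbind(sample))
```
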